Merge "Add hwcryptohal permissions" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 99dde56..a69d649 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -71,6 +71,7 @@
 		"android.hardware.gnss.IGnss/default":                                         EXCEPTION_NO_FUZZER,
 		"android.hardware.graphics.allocator.IAllocator/default":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.graphics.composer3.IComposer/default":                       EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.mediaquality.IPictureProfileChangedListener/default":     EXCEPTION_NO_FUZZER,
 		"android.hardware.health.storage.IStorage/default":                            EXCEPTION_NO_FUZZER,
 		"android.hardware.health.IHealth/default":                                     []string{"android.hardware.health-service.aidl_fuzzer"},
 		"android.hardware.identity.IIdentityCredentialStore/default":                  EXCEPTION_NO_FUZZER,
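Review bot: The new `android.hardware.tv.mediaquality.IPictureProfileChangedListener/default` entry is marked `EXCEPTION_NO_FUZZER` with nothing recording why, so this binder interface ships without fuzz coverage and with no tracked follow-up. By its name it is a callback listener rather than a registered HAL instance, so it is worth confirming that a `/default` service entry is intended at all. If the exemption stays, I would add a comment above it such as `// TODO(b/<bug-id>): no fuzzer yet for IPictureProfileChangedListener`. The entry also sits between `graphics.composer3` and `health`, which breaks the ordering of the visible neighbours. The enclosing map literal starts and ends outside this hunk.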
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index fd25d0a..bff3c87 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -808,6 +808,9 @@
 /system/system_ext/lib64                                          system_lib_file
 /system/system_ext/lib64/does_not_exist                           system_lib_file
 
+/system_ext/bin/hw/android.hardware.drm-service.widevine.system          hal_widevine_system_exec
+/system/system_ext/bin/hw/android.hardware.drm-service.widevine.system   hal_widevine_system_exec
+
 /vendor_dlkm                                                      vendor_file
 /vendor_dlkm/does_not_exist                                       vendor_file
 /vendor/vendor_dlkm                                               vendor_file
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 61c89a1..aab6d98 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -21,6 +21,9 @@
 # encryptedstore is forked from microdroid_manager
 allow encryptedstore microdroid_manager:fd use;
 
+# encryptedstore runs e2fsck and resize2fs to expand encrypted storage device
+allow encryptedstore fsck_exec:file { rx_file_perms };
+
 # For formatting encrypted storage device
 allow encryptedstore e2fs_exec:file { rx_file_perms };
 allowxperm encryptedstore dm_device:blk_file ioctl {
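Review bot: The comment on the new `allow encryptedstore fsck_exec:file { rx_file_perms };` rule does not say that the tools run without a domain transition. If `rx_file_perms` expands here as it does in the platform macros, it includes `execute_no_trans`, so e2fsck and resize2fs execute inside the encryptedstore domain and inherit its access to the dm device, as mke2fs does under the rule below. I would make that explicit, e.g. `# e2fsck and resize2fs run in the encryptedstore domain (no transition) to check and grow the encrypted storage filesystem`. The file_contexts change in this commit labels both binaries `fsck_exec`, so any later rule on that type covers the filesystem-rewriting resize2fs as well as the checker. The comment on the type declaration in file.te could state that too.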
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 82a5564..0d2e3e6 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -13,7 +13,8 @@
 allow system_data_file tmpfs:filesystem associate;
 
 type authfs_fuse, fs_type, contextmount_type;
-
+# /system/bin/e2fsck, /system/bin/resize2fs - used to expand encryptedstore block device
+type fsck_exec, system_file_type, exec_type, file_type;
 # /system/bin/mke2fs - used to format encryptedstore block device
 type e2fs_exec, system_file_type, exec_type, file_type;
 
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 8416087..3962c7c 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -105,7 +105,9 @@
 /system/bin/authfs               u:object_r:authfs_exec:s0
 /system/bin/authfs_service       u:object_r:authfs_service_exec:s0
 /system/bin/encryptedstore       u:object_r:encryptedstore_exec:s0
-/system/bin/mke2fs		u:object_r:e2fs_exec:s0
+/system/bin/e2fsck               u:object_r:fsck_exec:s0
+/system/bin/mke2fs               u:object_r:e2fs_exec:s0
+/system/bin/resize2fs            u:object_r:fsck_exec:s0
 /system/bin/kexec_load           u:object_r:kexec_exec:s0
 /system/bin/prng_seeder          u:object_r:prng_seeder_exec:s0
 /system/bin/atrace               u:object_r:atrace_exec:s0
diff --git a/prebuilts/api/202504/202504_general_sepolicy.conf b/prebuilts/api/202504/202504_general_sepolicy.conf
index d48f653..33ca1ac 100644
--- a/prebuilts/api/202504/202504_general_sepolicy.conf
+++ b/prebuilts/api/202504/202504_general_sepolicy.conf
@@ -17076,6 +17076,11 @@
 type hal_graphics_mapper_service, hal_service_type, service_manager_type;
 type hal_health_service, protected_service, hal_service_type, service_manager_type;
 type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
+
+#line 329
+    type hal_hwcrypto_service, protected_service, hal_service_type, service_manager_type;
+#line 331
+
 type hal_identity_service, protected_service, hal_service_type, service_manager_type;
 type hal_input_processor_service, protected_service, hal_service_type, service_manager_type;
 type hal_ir_service, protected_service, hal_service_type, service_manager_type;
@@ -17084,9 +17089,9 @@
 type hal_light_service, protected_service, hal_service_type, service_manager_type;
 type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
 
-#line 336
+#line 339
     type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
-#line 338
+#line 341
 
 type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
 type hal_neuralnetworks_service, hal_service_type, service_manager_type;
@@ -17125,9 +17130,9 @@
 type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
 type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
 
-#line 375
+#line 378
     type hal_vm_capabilities_service, protected_service, hal_service_type, service_manager_type;
-#line 377
+#line 380
 
 
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
@@ -67900,38 +67905,39 @@
 
 #line 39
 
+#line 42
 
-#line 43
+#line 45
 
 type tracingproxy_service,          system_server_service, service_manager_type;
 type tradeinmode_service,           system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
 
 
-#line 48
-    type vfio_handler_service,          service_manager_type;
 #line 50
+    type vfio_handler_service,          service_manager_type;
+#line 52
 
 
-#line 51
-    type virtualization_maintenance_service, service_manager_type;
 #line 53
+    type virtualization_maintenance_service, service_manager_type;
+#line 55
 
 
-#line 54
+#line 56
     type vm_tethering_service, system_server_service, service_manager_type;
-#line 54
+#line 56
     type vmnic_service,        service_manager_type;
-#line 57
+#line 59
 
 
-#line 58
-    type microfuchsia_service,          service_manager_type;
 #line 60
+    type microfuchsia_service,          service_manager_type;
+#line 62
 
 
 type uce_service,                      service_manager_type;
-#line 65
+#line 67
 
 type wearable_sensing_service,         app_api_service, system_server_service, service_manager_type;
 type wifi_mainline_supplicant_service, service_manager_type;
@@ -67939,12 +67945,12 @@
 type advanced_protection_service,      app_api_service, system_server_service, service_manager_type;
 
 
-#line 71
-    type ranging_service, app_api_service, system_server_service, service_manager_type;
 #line 73
+    type ranging_service, app_api_service, system_server_service, service_manager_type;
+#line 75
 
 
-#line 77
+#line 79
 
 
 ###
diff --git a/prebuilts/api/202504/202504_mapping.cil b/prebuilts/api/202504/202504_mapping.cil
index 120fca0..2763fd1 100644
--- a/prebuilts/api/202504/202504_mapping.cil
+++ b/prebuilts/api/202504/202504_mapping.cil
@@ -4240,6 +4240,9 @@
 (typeattributeset hal_power_stats_service_202504 (hal_power_stats_service))
 (expandtypeattribute (hal_power_stats_service_202504) true)
 (typeattribute hal_power_stats_service_202504)
+(typeattributeset hal_hwcrypto_service_202504 (hal_hwcrypto_service))
+(expandtypeattribute (hal_hwcrypto_service_202504) true)
+(typeattribute hal_hwcrypto_service_202504)
 (typeattributeset sysfs_ion_202504 (sysfs_ion))
 (expandtypeattribute (sysfs_ion_202504) true)
 (typeattribute sysfs_ion_202504)
diff --git a/prebuilts/api/202504/202504_plat_sepolicy.cil b/prebuilts/api/202504/202504_plat_sepolicy.cil
index 68424a5..79f9a23 100644
--- a/prebuilts/api/202504/202504_plat_sepolicy.cil
+++ b/prebuilts/api/202504/202504_plat_sepolicy.cil
@@ -783,9 +783,9 @@
 (typeattribute system_api_service)
 (typeattributeset system_api_service (device_config_updatable_service ondevicepersonalization_system_service adb_service adservices_manager_service app_hibernation_service app_integrity_service cacheinfo_service cpuinfo_service credential_service dbinfo_service device_state_service diskstats_service color_display_service gfxinfo_service intrusion_detection_service lock_settings_service meminfo_service network_score_service oem_lock_service overlay_service persistent_data_block_service resources_manager_service serial_service system_config_service system_server_dumper_service updatelock_service window_service inputflinger_service authentication_policy_service bg_install_control_service dynamic_system_service incidentcompanion_service protolog_configuration_service safety_center_service statsmanager_service ))
 (typeattribute protected_service)
-(typeattributeset protected_service (hal_audio_service hal_authgraph_service hal_authsecret_service hal_bluetooth_service hal_bootctl_service hal_broadcastradio_service hal_camera_service hal_can_controller_service hal_confirmationui_service hal_contexthub_service hal_dumpstate_service hal_evs_service hal_face_service hal_fastboot_service hal_fingerprint_service hal_gnss_service hal_graphics_composer_service hal_health_service hal_health_storage_service hal_identity_service hal_input_processor_service hal_ir_service hal_ivn_service hal_keymint_service hal_light_service hal_macsec_service hal_mediaquality_service hal_memtrack_service hal_nfc_service hal_oemlock_service hal_power_service hal_power_stats_service hal_radio_service hal_rebootescrow_service hal_remoteaccess_service hal_remotelyprovisionedcomponent_avf_service hal_remotelyprovisionedcomponent_service hal_sensors_service hal_secretkeeper_service hal_secureclock_service hal_secure_element_service hal_sharedsecret_service hal_system_suspend_service hal_tetheroffload_service hal_thermal_service hal_tv_hdmi_cec_service hal_tv_hdmi_connection_service hal_tv_hdmi_earc_service hal_tv_input_service hal_threadnetwork_service hal_tv_tuner_service hal_usb_service hal_usb_gadget_service hal_uwb_service hal_vehicle_service hal_vibrator_service hal_weaver_service hal_nlinterceptor_service hal_wifi_service hal_wifi_hostapd_service hal_wifi_supplicant_service hal_gatekeeper_service hal_vm_capabilities_service ))
+(typeattributeset protected_service (hal_audio_service hal_authgraph_service hal_authsecret_service hal_bluetooth_service hal_bootctl_service hal_broadcastradio_service hal_camera_service hal_can_controller_service hal_confirmationui_service hal_contexthub_service hal_dumpstate_service hal_evs_service hal_face_service hal_fastboot_service hal_fingerprint_service hal_gnss_service hal_graphics_composer_service hal_health_service hal_health_storage_service hal_hwcrypto_service hal_identity_service hal_input_processor_service hal_ir_service hal_ivn_service hal_keymint_service hal_light_service hal_macsec_service hal_mediaquality_service hal_memtrack_service hal_nfc_service hal_oemlock_service hal_power_service hal_power_stats_service hal_radio_service hal_rebootescrow_service hal_remoteaccess_service hal_remotelyprovisionedcomponent_avf_service hal_remotelyprovisionedcomponent_service hal_sensors_service hal_secretkeeper_service hal_secureclock_service hal_secure_element_service hal_sharedsecret_service hal_system_suspend_service hal_tetheroffload_service hal_thermal_service hal_tv_hdmi_cec_service hal_tv_hdmi_connection_service hal_tv_hdmi_earc_service hal_tv_input_service hal_threadnetwork_service hal_tv_tuner_service hal_usb_service hal_usb_gadget_service hal_uwb_service hal_vehicle_service hal_vibrator_service hal_weaver_service hal_nlinterceptor_service hal_wifi_service hal_wifi_hostapd_service hal_wifi_supplicant_service hal_gatekeeper_service hal_vm_capabilities_service ))
 (typeattribute service_manager_type)
-(typeattributeset service_manager_type (aidl_lazy_test_service apc_service apex_service artd_service artd_pre_reboot_service audioserver_service authorization_service batteryproperties_service bluetooth_service cameraserver_service fwk_camera_service default_android_service device_config_updatable_service dexopt_chroot_setup_service dnsresolver_service drmserver_service dumpstate_service evsmanagerd_service fingerprintd_service fwk_automotive_display_service fwk_vold_service gatekeeper_service gpu_service idmap_service incident_service installd_service credstore_service keystore_compat_hal_service keystore_maintenance_service keystore_metrics_service keystore_service legacykeystore_service lpdump_service mdns_service mediaserver_service mediametrics_service mediaextractor_service mediadrmserver_service mediatranscoding_service netd_service nfc_service ondevicepersonalization_system_service ot_daemon_service profiling_service radio_service secure_element_service service_manager_service storaged_service surfaceflinger_service system_app_service system_net_netd_service system_suspend_control_internal_service system_suspend_control_service update_engine_service update_engine_stable_service virtualization_service virtual_camera_service virtual_touchpad_service vold_service vr_hwc_service vrflinger_vsync_service accessibility_service account_service activity_service activity_task_service adb_service adservices_manager_service alarm_service app_binding_service app_function_service app_hibernation_service app_integrity_service app_prediction_service app_search_service appops_service appwidget_service archive_service assetatlas_service attestation_verification_service audio_service auth_service autofill_service backup_service batterystats_service battery_service binder_calls_stats_service blob_store_service bluetooth_manager_service broadcastradio_service cacheinfo_service cameraproxy_service clipboard_service cloudsearch_service contexthub_service 
contextual_search_service crossprofileapps_service IProxyService_service companion_device_service connectivity_native_service connectivity_service connmetrics_service consumer_ir_service content_capture_service content_suggestions_service content_service country_detector_service coverage_service cpuinfo_service cpu_monitor_service credential_service dataloader_manager_service dbinfo_service device_config_service device_policy_service device_state_service deviceidle_service device_identifiers_service devicestoragemonitor_service diskstats_service display_service domain_verification_service color_display_service ecm_enhanced_confirmation_service external_vibrator_service file_integrity_service font_service netd_listener_service network_watchlist_service devicelock_service DockObserver_service dreams_service dropbox_service ethernet_service biometric_service bugreport_service platform_compat_service face_service fingerprint_service fwk_altitude_service fwk_stats_service fwk_sensor_service fwk_vibrator_control_service game_service gfxinfo_service gnss_time_update_service grammatical_inflection_service graphicsstats_service hardware_service hardware_properties_service hdmi_control_service healthconnect_service hint_service imms_service incremental_service input_method_service input_service intrusion_detection_service ipsec_service iris_service jobscheduler_service launcherapps_service legacy_permission_service light_service locale_service location_service location_time_zone_manager_service lock_settings_service looper_stats_service media_communication_service media_metrics_service media_projection_service media_quality_service media_router_service media_session_service meminfo_service memtrackproxy_service midi_service mount_service music_recognition_service nearby_service netpolicy_service netstats_service network_management_service network_score_service network_stack_service network_time_update_service notification_service oem_lock_service otadexopt_service 
overlay_service pac_proxy_service package_service package_native_service people_service permission_service permissionmgr_service permission_checker_service persistent_data_block_service pinner_service powerstats_service power_service print_service processinfo_service procstats_service reboot_readiness_service recovery_service registry_service remote_auth_service remote_provisioning_service resources_manager_service restrictions_service role_service rollback_service runtime_service rttmanager_service samplingprofiler_service scheduling_policy_service search_service search_ui_service sec_key_att_app_id_provider_service security_state_service selection_toolbar_service sensitive_content_protection_service sensorservice_service sensor_privacy_service serial_service servicediscovery_service settings_service shortcut_service slice_service smartspace_service statusbar_service storagestats_service sdk_sandbox_service system_config_service system_server_dumper_service system_update_service soundtrigger_middleware_service speech_recognition_service tare_service task_service testharness_service textclassification_service textservices_service texttospeech_service telecom_service thermal_service threadnetwork_service timedetector_service timezonedetector_service translation_service trust_service tv_ad_service tv_iapp_service tv_input_service tv_tuner_resource_mgr_service uimode_service updatelock_service uri_grants_service usagestats_service usb_service user_service uwb_service vcn_management_service vibrator_service vibrator_manager_service virtual_device_service virtual_device_native_service voiceinteraction_service vpn_management_service vr_manager_service wallpaper_service wallpaper_effects_generation_service webviewupdate_service wifip2p_service wifiscanner_service wifi_service wifinl80211_service wifiaware_service wifi_usd_service window_service inputflinger_service tethering_service emergency_affordance_service hal_audio_service hal_audiocontrol_service 
hal_authgraph_service hal_authsecret_service hal_bluetooth_service hal_bootctl_service hal_broadcastradio_service hal_camera_service hal_can_controller_service hal_cas_service hal_codec2_service hal_confirmationui_service hal_contexthub_service hal_drm_service hal_dumpstate_service hal_evs_service hal_face_service hal_fastboot_service hal_fingerprint_service hal_gnss_service hal_graphics_allocator_service hal_graphics_composer_service hal_graphics_mapper_service hal_health_service hal_health_storage_service hal_identity_service hal_input_processor_service hal_ir_service hal_ivn_service hal_keymint_service hal_light_service hal_macsec_service hal_mediaquality_service hal_memtrack_service hal_neuralnetworks_service hal_nfc_service hal_oemlock_service hal_power_service hal_power_stats_service hal_radio_service hal_rebootescrow_service hal_remoteaccess_service hal_remotelyprovisionedcomponent_avf_service hal_remotelyprovisionedcomponent_service hal_sensors_service hal_secretkeeper_service hal_secureclock_service hal_secure_element_service hal_sharedsecret_service hal_system_suspend_service hal_tetheroffload_service hal_thermal_service hal_tv_hdmi_cec_service hal_tv_hdmi_connection_service hal_tv_hdmi_earc_service hal_tv_input_service hal_threadnetwork_service hal_tv_tuner_service hal_usb_service hal_usb_gadget_service hal_uwb_service hal_vehicle_service hal_vibrator_service hal_weaver_service hal_nlinterceptor_service hal_wifi_service hal_wifi_hostapd_service hal_wifi_supplicant_service hal_gatekeeper_service hal_vm_capabilities_service ambient_context_service authentication_policy_service attention_service bg_install_control_service compos_service communal_service dynamic_system_service feature_flags_service fwk_devicestate_service gsi_service incidentcompanion_service logcat_service logd_service mediatuner_service mmd_service on_device_intelligence_service profcollectd_service protolog_configuration_service resolver_service rkpd_registrar_service rkpd_refresh_service 
rkp_cert_processor_service safety_center_service stats_service statsbootstrap_service statscompanion_service statsmanager_service tracingproxy_service tradeinmode_service transparency_service vfio_handler_service virtualization_maintenance_service vm_tethering_service vmnic_service microfuchsia_service uce_service wearable_sensing_service wifi_mainline_supplicant_service dynamic_instrumentation_service advanced_protection_service ranging_service ))
+(typeattributeset service_manager_type (aidl_lazy_test_service apc_service apex_service artd_service artd_pre_reboot_service audioserver_service authorization_service batteryproperties_service bluetooth_service cameraserver_service fwk_camera_service default_android_service device_config_updatable_service dexopt_chroot_setup_service dnsresolver_service drmserver_service dumpstate_service evsmanagerd_service fingerprintd_service fwk_automotive_display_service fwk_vold_service gatekeeper_service gpu_service idmap_service incident_service installd_service credstore_service keystore_compat_hal_service keystore_maintenance_service keystore_metrics_service keystore_service legacykeystore_service lpdump_service mdns_service mediaserver_service mediametrics_service mediaextractor_service mediadrmserver_service mediatranscoding_service netd_service nfc_service ondevicepersonalization_system_service ot_daemon_service profiling_service radio_service secure_element_service service_manager_service storaged_service surfaceflinger_service system_app_service system_net_netd_service system_suspend_control_internal_service system_suspend_control_service update_engine_service update_engine_stable_service virtualization_service virtual_camera_service virtual_touchpad_service vold_service vr_hwc_service vrflinger_vsync_service accessibility_service account_service activity_service activity_task_service adb_service adservices_manager_service alarm_service app_binding_service app_function_service app_hibernation_service app_integrity_service app_prediction_service app_search_service appops_service appwidget_service archive_service assetatlas_service attestation_verification_service audio_service auth_service autofill_service backup_service batterystats_service battery_service binder_calls_stats_service blob_store_service bluetooth_manager_service broadcastradio_service cacheinfo_service cameraproxy_service clipboard_service cloudsearch_service contexthub_service 
contextual_search_service crossprofileapps_service IProxyService_service companion_device_service connectivity_native_service connectivity_service connmetrics_service consumer_ir_service content_capture_service content_suggestions_service content_service country_detector_service coverage_service cpuinfo_service cpu_monitor_service credential_service dataloader_manager_service dbinfo_service device_config_service device_policy_service device_state_service deviceidle_service device_identifiers_service devicestoragemonitor_service diskstats_service display_service domain_verification_service color_display_service ecm_enhanced_confirmation_service external_vibrator_service file_integrity_service font_service netd_listener_service network_watchlist_service devicelock_service DockObserver_service dreams_service dropbox_service ethernet_service biometric_service bugreport_service platform_compat_service face_service fingerprint_service fwk_altitude_service fwk_stats_service fwk_sensor_service fwk_vibrator_control_service game_service gfxinfo_service gnss_time_update_service grammatical_inflection_service graphicsstats_service hardware_service hardware_properties_service hdmi_control_service healthconnect_service hint_service imms_service incremental_service input_method_service input_service intrusion_detection_service ipsec_service iris_service jobscheduler_service launcherapps_service legacy_permission_service light_service locale_service location_service location_time_zone_manager_service lock_settings_service looper_stats_service media_communication_service media_metrics_service media_projection_service media_quality_service media_router_service media_session_service meminfo_service memtrackproxy_service midi_service mount_service music_recognition_service nearby_service netpolicy_service netstats_service network_management_service network_score_service network_stack_service network_time_update_service notification_service oem_lock_service otadexopt_service 
overlay_service pac_proxy_service package_service package_native_service people_service permission_service permissionmgr_service permission_checker_service persistent_data_block_service pinner_service powerstats_service power_service print_service processinfo_service procstats_service reboot_readiness_service recovery_service registry_service remote_auth_service remote_provisioning_service resources_manager_service restrictions_service role_service rollback_service runtime_service rttmanager_service samplingprofiler_service scheduling_policy_service search_service search_ui_service sec_key_att_app_id_provider_service security_state_service selection_toolbar_service sensitive_content_protection_service sensorservice_service sensor_privacy_service serial_service servicediscovery_service settings_service shortcut_service slice_service smartspace_service statusbar_service storagestats_service sdk_sandbox_service system_config_service system_server_dumper_service system_update_service soundtrigger_middleware_service speech_recognition_service tare_service task_service testharness_service textclassification_service textservices_service texttospeech_service telecom_service thermal_service threadnetwork_service timedetector_service timezonedetector_service translation_service trust_service tv_ad_service tv_iapp_service tv_input_service tv_tuner_resource_mgr_service uimode_service updatelock_service uri_grants_service usagestats_service usb_service user_service uwb_service vcn_management_service vibrator_service vibrator_manager_service virtual_device_service virtual_device_native_service voiceinteraction_service vpn_management_service vr_manager_service wallpaper_service wallpaper_effects_generation_service webviewupdate_service wifip2p_service wifiscanner_service wifi_service wifinl80211_service wifiaware_service wifi_usd_service window_service inputflinger_service tethering_service emergency_affordance_service hal_audio_service hal_audiocontrol_service 
hal_authgraph_service hal_authsecret_service hal_bluetooth_service hal_bootctl_service hal_broadcastradio_service hal_camera_service hal_can_controller_service hal_cas_service hal_codec2_service hal_confirmationui_service hal_contexthub_service hal_drm_service hal_dumpstate_service hal_evs_service hal_face_service hal_fastboot_service hal_fingerprint_service hal_gnss_service hal_graphics_allocator_service hal_graphics_composer_service hal_graphics_mapper_service hal_health_service hal_health_storage_service hal_hwcrypto_service hal_identity_service hal_input_processor_service hal_ir_service hal_ivn_service hal_keymint_service hal_light_service hal_macsec_service hal_mediaquality_service hal_memtrack_service hal_neuralnetworks_service hal_nfc_service hal_oemlock_service hal_power_service hal_power_stats_service hal_radio_service hal_rebootescrow_service hal_remoteaccess_service hal_remotelyprovisionedcomponent_avf_service hal_remotelyprovisionedcomponent_service hal_sensors_service hal_secretkeeper_service hal_secureclock_service hal_secure_element_service hal_sharedsecret_service hal_system_suspend_service hal_tetheroffload_service hal_thermal_service hal_tv_hdmi_cec_service hal_tv_hdmi_connection_service hal_tv_hdmi_earc_service hal_tv_input_service hal_threadnetwork_service hal_tv_tuner_service hal_usb_service hal_usb_gadget_service hal_uwb_service hal_vehicle_service hal_vibrator_service hal_weaver_service hal_nlinterceptor_service hal_wifi_service hal_wifi_hostapd_service hal_wifi_supplicant_service hal_gatekeeper_service hal_vm_capabilities_service ambient_context_service authentication_policy_service attention_service bg_install_control_service compos_service communal_service dynamic_system_service feature_flags_service fwk_devicestate_service gsi_service incidentcompanion_service logcat_service logd_service mediatuner_service mmd_service on_device_intelligence_service profcollectd_service protolog_configuration_service resolver_service rkpd_registrar_service 
rkpd_refresh_service rkp_cert_processor_service safety_center_service stats_service statsbootstrap_service statscompanion_service statsmanager_service tracingproxy_service tradeinmode_service transparency_service vfio_handler_service virtualization_maintenance_service vm_tethering_service vmnic_service microfuchsia_service uce_service wearable_sensing_service wifi_mainline_supplicant_service dynamic_instrumentation_service advanced_protection_service ranging_service ))
 (typeattribute hwservice_manager_type)
 (typeattributeset hwservice_manager_type (default_android_hwservice fwk_camera_hwservice fwk_display_hwservice fwk_scheduler_hwservice fwk_sensor_hwservice fwk_stats_hwservice fwk_automotive_display_hwservice hal_atrace_hwservice hal_audio_hwservice hal_audiocontrol_hwservice hal_authsecret_hwservice hal_bluetooth_hwservice hal_bootctl_hwservice hal_broadcastradio_hwservice hal_camera_hwservice hal_can_bus_hwservice hal_can_controller_hwservice hal_confirmationui_hwservice hal_contexthub_hwservice hal_dumpstate_hwservice hal_evs_hwservice hal_face_hwservice hal_fingerprint_hwservice hal_gatekeeper_hwservice hal_gnss_hwservice hal_graphics_composer_hwservice hal_health_hwservice hal_health_storage_hwservice hal_input_classifier_hwservice hal_ir_hwservice hal_keymaster_hwservice hal_light_hwservice hal_lowpan_hwservice hal_memtrack_hwservice hal_nfc_hwservice hal_oemlock_hwservice hal_power_hwservice hal_power_stats_hwservice hal_secure_element_hwservice hal_sensors_hwservice hal_telephony_hwservice hal_tetheroffload_hwservice hal_thermal_hwservice hal_tv_cec_hwservice hal_tv_input_hwservice hal_tv_tuner_hwservice hal_usb_gadget_hwservice hal_usb_hwservice hal_vehicle_hwservice hal_vibrator_hwservice hal_vr_hwservice hal_weaver_hwservice hal_wifi_hostapd_hwservice hal_wifi_hwservice hal_wifi_supplicant_hwservice system_net_netd_hwservice system_suspend_hwservice system_wifi_keystore_hwservice fwk_bufferhub_hwservice hal_cas_hwservice hal_codec2_hwservice hal_configstore_ISurfaceFlingerConfigs hal_drm_hwservice hal_graphics_allocator_hwservice hal_graphics_mapper_hwservice hal_neuralnetworks_hwservice hal_omx_hwservice hal_renderscript_hwservice hidl_allocator_hwservice hidl_base_hwservice hidl_manager_hwservice hidl_memory_hwservice hidl_token_hwservice hal_lazy_test_hwservice ))
 (typeattribute same_process_hwservice)
@@ -797,7 +797,7 @@
 (typeattribute vndservice_manager_type)
 (typeattributeset vndservice_manager_type (service_manager_vndservice default_android_vndservice ))
 (typeattribute hal_service_type)
-(typeattributeset hal_service_type (hal_audio_service hal_audiocontrol_service hal_authgraph_service hal_authsecret_service hal_bluetooth_service hal_bootctl_service hal_broadcastradio_service hal_camera_service hal_can_controller_service hal_cas_service hal_codec2_service hal_confirmationui_service hal_contexthub_service hal_drm_service hal_dumpstate_service hal_evs_service hal_face_service hal_fastboot_service hal_fingerprint_service hal_gnss_service hal_graphics_allocator_service hal_graphics_composer_service hal_graphics_mapper_service hal_health_service hal_health_storage_service hal_identity_service hal_input_processor_service hal_ir_service hal_ivn_service hal_keymint_service hal_light_service hal_macsec_service hal_mediaquality_service hal_memtrack_service hal_neuralnetworks_service hal_nfc_service hal_oemlock_service hal_power_service hal_power_stats_service hal_radio_service hal_rebootescrow_service hal_remoteaccess_service hal_remotelyprovisionedcomponent_avf_service hal_remotelyprovisionedcomponent_service hal_sensors_service hal_secretkeeper_service hal_secureclock_service hal_secure_element_service hal_sharedsecret_service hal_system_suspend_service hal_tetheroffload_service hal_thermal_service hal_tv_hdmi_cec_service hal_tv_hdmi_connection_service hal_tv_hdmi_earc_service hal_tv_input_service hal_threadnetwork_service hal_tv_tuner_service hal_usb_service hal_usb_gadget_service hal_uwb_service hal_vehicle_service hal_vibrator_service hal_weaver_service hal_nlinterceptor_service hal_wifi_service hal_wifi_hostapd_service hal_wifi_supplicant_service hal_gatekeeper_service hal_vm_capabilities_service ))
+(typeattributeset hal_service_type (hal_audio_service hal_audiocontrol_service hal_authgraph_service hal_authsecret_service hal_bluetooth_service hal_bootctl_service hal_broadcastradio_service hal_camera_service hal_can_controller_service hal_cas_service hal_codec2_service hal_confirmationui_service hal_contexthub_service hal_drm_service hal_dumpstate_service hal_evs_service hal_face_service hal_fastboot_service hal_fingerprint_service hal_gnss_service hal_graphics_allocator_service hal_graphics_composer_service hal_graphics_mapper_service hal_health_service hal_health_storage_service hal_hwcrypto_service hal_identity_service hal_input_processor_service hal_ir_service hal_ivn_service hal_keymint_service hal_light_service hal_macsec_service hal_mediaquality_service hal_memtrack_service hal_neuralnetworks_service hal_nfc_service hal_oemlock_service hal_power_service hal_power_stats_service hal_radio_service hal_rebootescrow_service hal_remoteaccess_service hal_remotelyprovisionedcomponent_avf_service hal_remotelyprovisionedcomponent_service hal_sensors_service hal_secretkeeper_service hal_secureclock_service hal_secure_element_service hal_sharedsecret_service hal_system_suspend_service hal_tetheroffload_service hal_thermal_service hal_tv_hdmi_cec_service hal_tv_hdmi_connection_service hal_tv_hdmi_earc_service hal_tv_input_service hal_threadnetwork_service hal_tv_tuner_service hal_usb_service hal_usb_gadget_service hal_uwb_service hal_vehicle_service hal_vibrator_service hal_weaver_service hal_nlinterceptor_service hal_wifi_service hal_wifi_hostapd_service hal_wifi_supplicant_service hal_gatekeeper_service hal_vm_capabilities_service ))
 (typeattribute mlstrustedsubject)
 (typeattributeset mlstrustedsubject (adbd artd bluetooth bufferhubd drmserver dumpstate pdx_display_client_endpoint_socket pdx_display_manager_endpoint_socket pdx_display_screenshot_endpoint_socket pdx_display_vsync_endpoint_socket pdx_performance_client_endpoint_socket pdx_bufferhub_client_endpoint_socket heapprofd hwservicemanager incidentd init installd kernel keystore llkd lmkd logd mdnsd mediadrmserver mediaextractor mediaserver netd network_stack nfc performanced prng_seeder radio rss_hwm_reset runas servicemanager shell simpleperf_app_runner statsd surfaceflinger system_app system_server tombstoned traced traced_perf traced_probes uncrypt vendor_init vold vold_prepare_subdirs webview_zygote zygote aconfigd aconfigd_mainline cppreopts device_as_webcam otapreopt_slot postinstall_dexopt profcollectd simpleperf_boot storaged virtualizationservice ))
 (typeattribute mlstrustedobject)
@@ -4084,6 +4084,8 @@
 (roletype object_r hal_health_service)
 (type hal_health_storage_service)
 (roletype object_r hal_health_storage_service)
+(type hal_hwcrypto_service)
+(roletype object_r hal_hwcrypto_service)
 (type hal_identity_service)
 (roletype object_r hal_identity_service)
 (type hal_input_processor_service)
@@ -27311,7 +27313,7 @@
 (neverallow base_typeattr_937 fwk_sensor_hwservice (hwservice_manager (add)))
 ;;* lme
 
-;;* lmx 86 system/sepolicy/private/service.te
+;;* lmx 88 system/sepolicy/private/service.te
 
 (neverallow domain base_typeattr_938 (service_manager (add find)))
 ;;* lme
diff --git a/prebuilts/api/202504/private/hwservice_contexts b/prebuilts/api/202504/private/hwservice_contexts
index 4a44dc5..c56454f 100644
--- a/prebuilts/api/202504/private/hwservice_contexts
+++ b/prebuilts/api/202504/private/hwservice_contexts
@@ -34,6 +34,7 @@
 android.hardware.gnss::IGnss                                    u:object_r:hal_gnss_hwservice:s0
 android.hardware.graphics.allocator::IAllocator                 u:object_r:hal_graphics_allocator_hwservice:s0
 android.hardware.graphics.composer::IComposer                   u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.tv.mediaquality::IPictureProfileChangedListener     u:object_r:hal_graphics_composer_hwservice:s0
 android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
 android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
 android.hardware.health.storage::IStorage                       u:object_r:hal_health_storage_hwservice:s0
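Review bot: The added `android.hardware.tv.mediaquality::IPictureProfileChangedListener` line looks out of place in hwservice_contexts, which labels HIDL interfaces. The same interface is registered in service_contexts with the AIDL-style `/default` instance name, so this entry is probably never matched. If no HIDL version of the interface exists, drop the line here and in the identical hunk in private/hwservice_contexts; an unused mapping onto `hal_graphics_composer_hwservice` is one more label assignment to audit. The line also sits inside the alphabetical `graphics.*` group, where a `tv.*` name does not sort.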
diff --git a/prebuilts/api/202504/private/property_contexts b/prebuilts/api/202504/private/property_contexts
index 8d9f61d..2694d22 100644
--- a/prebuilts/api/202504/private/property_contexts
+++ b/prebuilts/api/202504/private/property_contexts
@@ -649,6 +649,8 @@
 bluetooth.hardware.radio.le_rx_path_loss_comp_db     u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.wakeup_supported                  u:object_r:bluetooth_config_prop:s0 exact bool
 
+bluetooth.hci.msft_vendor_opcode                     u:object_r:bluetooth_config_prop:s0 exact uint
+
 bluetooth.framework.support_persisted_state          u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.framework.adapter_address_validation       u:object_r:bluetooth_config_prop:s0 exact bool
 
@@ -721,7 +723,6 @@
 bluetooth.core.le.connection_scan_window_slow        u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.inquiry_scan_interval              u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.inquiry_scan_window                u:object_r:bluetooth_config_prop:s0 exact uint
-bluetooth.core.le.msft_vendor_opcode                 u:object_r:bluetooth_config_prop:s0 exact uint
 
 bluetooth.core.le.vendor_capabilities.enabled        u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.hfp.software_datapath.enabled              u:object_r:bluetooth_config_prop:s0 exact bool
diff --git a/prebuilts/api/202504/private/service.te b/prebuilts/api/202504/private/service.te
index 3b84e93..96f208d 100644
--- a/prebuilts/api/202504/private/service.te
+++ b/prebuilts/api/202504/private/service.te
@@ -37,7 +37,9 @@
 until_board_api(202504, `
     type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
 ')
-
+until_board_api(202504, `
+    type hal_hwcrypto_service, protected_service, hal_service_type, service_manager_type;
+')
 is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
     type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 ')
diff --git a/prebuilts/api/202504/private/service_contexts b/prebuilts/api/202504/private/service_contexts
index dec8f6b..ad41229 100644
--- a/prebuilts/api/202504/private/service_contexts
+++ b/prebuilts/api/202504/private/service_contexts
@@ -56,6 +56,7 @@
 android.hardware.gnss.IGnss/default                                  u:object_r:hal_gnss_service:s0
 android.hardware.graphics.allocator.IAllocator/default               u:object_r:hal_graphics_allocator_service:s0
 android.hardware.graphics.composer3.IComposer/default                u:object_r:hal_graphics_composer_service:s0
+android.hardware.tv.mediaquality.IPictureProfileChangedListener/default     u:object_r:hal_graphics_composer_service:s0
 android.hardware.health.storage.IStorage/default                     u:object_r:hal_health_storage_service:s0
 android.hardware.health.IHealth/default                              u:object_r:hal_health_service:s0
 android.hardware.identity.IIdentityCredentialStore/default           u:object_r:hal_identity_service:s0
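Review bot: Labelling `android.hardware.tv.mediaquality.IPictureProfileChangedListener/default` as `hal_graphics_composer_service` makes the listener share the composer's access rules instead of having a type of its own. Combined with the `hal_client_domain(hal_mediaquality_default, hal_graphics_composer)` line added in vendor/hal_mediaquality_default.te, the media-quality HAL becomes a full composer client and can find everything behind that label, `IComposer/default` included, not just the listener. A dedicated service type for the listener, with a `find` rule for that type only, would keep the grant to what the feature needs. If sharing the label is intentional, a comment above the entry should say which process registers it and which one looks it up. The same entry is repeated in private/service_contexts.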
diff --git a/prebuilts/api/202504/public/service.te b/prebuilts/api/202504/public/service.te
index aa9d184..2d7cedf 100644
--- a/prebuilts/api/202504/public/service.te
+++ b/prebuilts/api/202504/public/service.te
@@ -326,6 +326,9 @@
 type hal_graphics_mapper_service, hal_service_type, service_manager_type;
 type hal_health_service, protected_service, hal_service_type, service_manager_type;
 type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
+starting_at_board_api(202504, `
+    type hal_hwcrypto_service, protected_service, hal_service_type, service_manager_type;
+')
 type hal_identity_service, protected_service, hal_service_type, service_manager_type;
 type hal_input_processor_service, protected_service, hal_service_type, service_manager_type;
 type hal_ir_service, protected_service, hal_service_type, service_manager_type;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0b001e2..d3d65bb 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -55,6 +55,7 @@
     binder_cache_bluetooth_server_prop:property_service set;
 set_prop(bluetooth, bluetooth_a2dp_offload_prop)
 set_prop(bluetooth, bluetooth_audio_hal_prop)
+set_prop(bluetooth, bluetooth_lea_mode_prop)
 set_prop(bluetooth, bluetooth_prop)
 set_prop(bluetooth, exported_bluetooth_prop)
 set_prop(bluetooth, pan_result_prop)
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 224c49b..69e7d5e 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -17,6 +17,7 @@
     forensic_service
     fstype_prop
     fwk_vold_service
+    hal_hwcrypto_service
     hal_mediaquality_service
     hal_vm_capabilities_service
     intrusion_detection_service
diff --git a/private/crosvm.te b/private/crosvm.te
index 6051992..11c70ad 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -172,6 +172,9 @@
 # Early VMs may print messages to kmsg_debug_device.
 allow crosvm kmsg_debug_device:chr_file w_file_perms;
 
+# Allow crosvm to read /data/nativetest for VTS
+r_dir_file(crosvm, nativetest_data_file)
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
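Review bot: `r_dir_file(crosvm, nativetest_data_file)` is granted on every build type with only "for VTS" as the reason. It sits directly above the block explaining why crosvm must not open files it does not own. The macro includes `open`, and this hunk does not show whether the neverallow that follows lists `nativetest_data_file` as an exception, so check that the two agree. If only tests on debuggable builds need the access, wrap the rule in a `userdebug_or_eng` block; if VTS needs it on user builds, the comment should say so and explain why passing an already-open fd is not enough. The same applies to the matching `r_dir_file(virtualizationmanager, nativetest_data_file)` hunk in private/virtualizationmanager.te.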
diff --git a/private/domain.te b/private/domain.te
index 8db40a5..4282b4d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2146,6 +2146,7 @@
   -init
   -otapreopt_chroot
   userdebug_or_eng(`-overlay_remounter')
+  userdebug_or_eng(`-zygote')
 } {
   system_file_type
   vendor_file_type
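Review bot: The new `-zygote` exemption has no comment explaining why zygote is carved out of this neverallow, and the matching allow in private/zygote.te is justified only as "Legacy app compat". The exemption applies to targets that include `system_file_type` and `vendor_file_type`, while the allow is for `system_file:dir` only, so on userdebug/eng builds the neverallow would no longer catch a later, wider zygote rule. Consider a comment on the exemption such as `# zygote bind-mounts over system_file dirs for legacy app compat (userdebug/eng only); see private/zygote.te`, with a bug reference in both places. The neverallow statement starts and ends outside this hunk, so the permission it covers is inferred from the zygote.te rule.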
@@ -2329,6 +2330,7 @@
     # these are permissions that should be removed, and they are here for visibility.
     -compos_fd_server   # TODO: get connections from virtmanager
     -hal_keymint_system # TODO: get connections from virtmanager
+    -hal_widevine_system # TODO: get connections from virtmanager
     -vmlauncher_app     # TODO: get connections from virtmanager
 } *:vsock_socket { connect create accept bind };
 ')
diff --git a/private/file_contexts b/private/file_contexts
index 0b3e7f4..23a895e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -555,6 +555,7 @@
 
 /(system_ext|system/system_ext)/etc/aconfig(/.*)?                u:object_r:system_aconfig_storage_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
+/(system_ext|system/system_ext)/bin/hw/android\.hardware\.drm-service\.widevine\.system   u:object_r:hal_widevine_system_exec:s0
 
 #############################
 # VendorDlkm files
diff --git a/private/hal_drm.te b/private/hal_drm.te
index 211fbb7..f24c326 100644
--- a/private/hal_drm.te
+++ b/private/hal_drm.te
@@ -33,7 +33,7 @@
 allow hal_drm_server shell:fifo_file write;
 
 # Allow access to ion memory allocation device
-allow hal_drm ion_device:chr_file rw_file_perms;
+allow { hal_drm -hal_widevine_system } ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
 
 # Allow access to hidl_memory allocation service
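Review bot: Nothing records why `hal_widevine_system` is subtracted from the `ion_device` rule here, or from the `sysfs` and `tee_device` rules in the next hunk. If the intent is that this domain reaches its trusted side only through a VM over vsock (inferred from private/hal_widevine_system.te), say so, e.g. `# hal_widevine_system talks to its VM over vsock and gets no direct ion/sysfs/tee access.` Subtracting the type from three allow rules only withholds the grant. A `neverallow hal_widevine_system { ion_device tee_device }:chr_file *;` in the new domain's file would stop a later rule from quietly re-adding it.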
@@ -42,9 +42,9 @@
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;
 
-allow hal_drm sysfs:file r_file_perms;
+allow { hal_drm -hal_widevine_system } sysfs:file r_file_perms;
 
-allow hal_drm tee_device:chr_file rw_file_perms;
+allow { hal_drm -hal_widevine_system } tee_device:chr_file rw_file_perms;
 
 allow hal_drm_server { appdomain -isolated_app }:fd use;
 
diff --git a/private/hal_widevine_system.te b/private/hal_widevine_system.te
new file mode 100644
index 0000000..57213b3
--- /dev/null
+++ b/private/hal_widevine_system.te
@@ -0,0 +1,7 @@
+type hal_widevine_system, domain, coredomain;
+hal_server_domain(hal_widevine_system, hal_drm)
+
+type hal_widevine_system_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(hal_widevine_system)
+
+allow hal_widevine_system self:vsock_socket { create_socket_perms_no_ioctl };
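Review bot: The `self:vsock_socket` rule grants the whole `create_socket_perms_no_ioctl` set, which as far as I know includes `bind` alongside `connect`, and the file has no comment saying what the domain is or what it connects to. If the HAL only opens an outgoing connection to the Widevine VM, a narrower list such as `{ create connect read write getattr getopt setopt shutdown }` should be enough. The braces around a single macro are redundant either way. A header comment and a reason for the vsock rule would help, because private/domain.te now lists this domain in the vsock neverallow exemptions under a TODO.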
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 4a44dc5..c56454f 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -34,6 +34,7 @@
 android.hardware.gnss::IGnss                                    u:object_r:hal_gnss_hwservice:s0
 android.hardware.graphics.allocator::IAllocator                 u:object_r:hal_graphics_allocator_hwservice:s0
 android.hardware.graphics.composer::IComposer                   u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.tv.mediaquality::IPictureProfileChangedListener     u:object_r:hal_graphics_composer_hwservice:s0
 android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
 android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
 android.hardware.health.storage::IStorage                       u:object_r:hal_health_storage_hwservice:s0
diff --git a/private/property.te b/private/property.te
index b39c7ed..9ff56e9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,6 +2,7 @@
 system_internal_prop(adbd_prop)
 system_internal_prop(adbd_tradeinmode_prop)
 system_internal_prop(apexd_payload_metadata_prop)
+system_internal_prop(bluetooth_lea_mode_prop)
 system_internal_prop(ctl_snapuserd_prop)
 system_internal_prop(ctl_prefetch_prop)
 system_internal_prop(ctl_uprobestats_prop)
@@ -79,6 +80,7 @@
 system_internal_prop(system_service_enable_prop)
 system_internal_prop(ctl_artd_pre_reboot_prop)
 system_internal_prop(trusty_security_vm_sys_prop)
+system_internal_prop(trusty_widevine_vm_sys_prop)
 system_internal_prop(hint_manager_config_prop)
 
 # Properties which can't be written outside system
diff --git a/private/property_contexts b/private/property_contexts
index 8d9f61d..61dcac0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -506,6 +506,8 @@
 ro.camera.disableJpegR        u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableVirtualCamera      u:object_r:camera_config_prop:s0 exact bool
+ro.camera.disableHeicUltraHDR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableSWHEVC        u:object_r:camera_config_prop:s0 exact bool
 
 ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
 
@@ -634,6 +636,7 @@
 persist.bluetooth.snooplogfilter.profiles.rfcomm.enabled    u:object_r:bluetooth_prop:s0 exact bool
 persist.bluetooth.factoryreset                              u:object_r:bluetooth_prop:s0 exact bool
 persist.bluetooth.leaudio.allow_list                        u:object_r:bluetooth_prop:s0 exact string
+persist.bluetooth.leaudio_dynamic_switcher.mode             u:object_r:bluetooth_lea_mode_prop:s0 exact string
 
 bluetooth.a2dp.source.sbc_priority.config            u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.a2dp.source.aac_priority.config            u:object_r:bluetooth_config_prop:s0 exact int
@@ -649,6 +652,8 @@
 bluetooth.hardware.radio.le_rx_path_loss_comp_db     u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.wakeup_supported                  u:object_r:bluetooth_config_prop:s0 exact bool
 
+bluetooth.hci.msft_vendor_opcode                     u:object_r:bluetooth_config_prop:s0 exact uint
+
 bluetooth.framework.support_persisted_state          u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.framework.adapter_address_validation       u:object_r:bluetooth_config_prop:s0 exact bool
 
@@ -721,7 +726,6 @@
 bluetooth.core.le.connection_scan_window_slow        u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.inquiry_scan_interval              u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.inquiry_scan_window                u:object_r:bluetooth_config_prop:s0 exact uint
-bluetooth.core.le.msft_vendor_opcode                 u:object_r:bluetooth_config_prop:s0 exact uint
 
 bluetooth.core.le.vendor_capabilities.enabled        u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.hfp.software_datapath.enabled              u:object_r:bluetooth_config_prop:s0 exact bool
@@ -1808,6 +1812,9 @@
 # Properties related to Trusty VMs
 trusty.security_vm.nonsecure_vm_ready u:object_r:trusty_security_vm_sys_prop:s0 exact bool
 trusty.security_vm.vm_cid u:object_r:trusty_security_vm_sys_prop:s0 exact int
+trusty.widevine_vm.nonsecure_vm_ready u:object_r:trusty_widevine_vm_sys_prop:s0 exact bool
+trusty.widevine_vm.vm_cid u:object_r:trusty_widevine_vm_sys_prop:s0 exact int
+trusty.widevine_vm.port u:object_r:trusty_widevine_vm_sys_prop:s0 exact int
 
 # Properties that allows vendors to enable Trusty security VM features
 trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
diff --git a/private/service.te b/private/service.te
index 3b84e93..96f208d 100644
--- a/private/service.te
+++ b/private/service.te
@@ -37,7 +37,9 @@
 until_board_api(202504, `
     type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
 ')
-
+until_board_api(202504, `
+    type hal_hwcrypto_service, protected_service, hal_service_type, service_manager_type;
+')
 is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
     type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 ')
diff --git a/private/service_contexts b/private/service_contexts
index 678a5d8..67c84d5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -56,6 +56,7 @@
 android.hardware.gnss.IGnss/default                                  u:object_r:hal_gnss_service:s0
 android.hardware.graphics.allocator.IAllocator/default               u:object_r:hal_graphics_allocator_service:s0
 android.hardware.graphics.composer3.IComposer/default                u:object_r:hal_graphics_composer_service:s0
+android.hardware.tv.mediaquality.IPictureProfileChangedListener/default     u:object_r:hal_graphics_composer_service:s0
 android.hardware.health.storage.IStorage/default                     u:object_r:hal_health_storage_service:s0
 android.hardware.health.IHealth/default                              u:object_r:hal_health_service:s0
 android.hardware.identity.IIdentityCredentialStore/default           u:object_r:hal_identity_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 9a70375..06d49e9 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -60,6 +60,9 @@
 # Allow Settings to enable Dynamic System Update
 set_prop(system_app, dynamic_system_prop)
 
+# Allow Settings to access le audio mode property
+set_prop(system_app, bluetooth_lea_mode_prop)
+
 # ctl interface
 set_prop(system_app, ctl_default_prop)
 set_prop(system_app, ctl_bugreport_prop)
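Review bot: The comment says "access", but `set_prop` grants write permission, and it grants it to the whole `system_app` domain rather than to Settings alone. The property behind this type in private/property_contexts is `persist.bluetooth.leaudio_dynamic_switcher.mode`, so a value written by any process in that domain survives a reboot. If Settings only needs to read the mode, use `get_prop(system_app, bluetooth_lea_mode_prop)`; otherwise reword the comment to `# Allow Settings to set the LE audio mode property`.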
diff --git a/private/system_server.te b/private/system_server.te
index 4e5112e..7bdcaef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -700,6 +700,9 @@
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
 
+# Access to check if the mainline supplicant binary exists
+allow system_server wifi_mainline_supplicant_exec:file getattr;
+
 # Receive and use open /data/media files passed over binder IPC.
 # Also used for measuring disk usage.
 allow system_server media_rw_data_file:file { getattr read write append };
diff --git a/private/tee_service_contexts b/private/tee_service_contexts
index 89eceae..508cc8c 100644
--- a/private/tee_service_contexts
+++ b/private/tee_service_contexts
@@ -10,4 +10,4 @@
 
 # Example tee service that can be used for end-to-end integration of
 # custom smcs filtering on devices with pkvm hypervisor.
-test_pkvm_tee_service u:object_r:test_pkvm_tee_service:s0
+vendor.test_pkvm_tee_service u:object_r:test_pkvm_tee_service:s0
diff --git a/private/tee_services.te b/private/tee_services.te
index 320f8b7..7345277 100644
--- a/private/tee_services.te
+++ b/private/tee_services.te
@@ -2,5 +2,5 @@
 # Please keep the names in the alphabetical order and comment each new entry.
 
 # An example tee_service that can be used to test end-to-end integration of custom
-# smcs filtering feature on a device with pkvm hypervisor.
+# vendor-private smcs filtering feature on a device with pkvm hypervisor.
 type test_pkvm_tee_service, tee_service_type;
diff --git a/private/uprobestats.te b/private/uprobestats.te
index d778126..6b8dd55 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -15,6 +15,10 @@
 allow uprobestats sysfs_uprobe:file { open read };
 allow uprobestats sysfs_uprobe:dir { search };
 
+allow uprobestats { apex_art_data_file apex_module_data_file }:dir r_dir_perms;
+allow uprobestats { apex_art_data_file apex_module_data_file }:file r_file_perms;
+allow uprobestats packages_list_file:file r_file_perms;
+
 # Allow uprobestats to popen oatdump.
 allow uprobestats system_file:file rx_file_perms;
 
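Review bot: The three added rules carry no comment, unlike the rules around them, and one of them lets uprobestats read `packages_list_file`, which is the installed-package list. Add a line stating what consumes the data, e.g. `# Read ART/module APEX data and packages.list to <purpose, fill in>`. It is also worth confirming that both `apex_art_data_file` and `apex_module_data_file` are needed, since the second appears to cover data of modules other than ART.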
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 95bdd1c..6e973d6 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -114,6 +114,9 @@
 # Allow virtualizationmanager to read microdroid related files in vendor partition
 r_dir_file(virtualizationmanager, vendor_microdroid_file)
 
+# Allow virtualizationmanager to read /data/nativetest for VTS
+r_dir_file(virtualizationmanager, nativetest_data_file)
+
 # Do not allow writing vendor_microdroid_file from any process.
 neverallow {
   domain
diff --git a/private/vold.te b/private/vold.te
index 8fe8518..e1753f1 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -472,6 +472,7 @@
   -keystore
   -servicemanager
   -system_server
+  -tee
   userdebug_or_eng(`-su')
 }:binder call;
 
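Review bot: `-tee` joins the exemption list with no comment and no matching allow for vold calling `tee` over binder in the hunks visible here, so the reason for it is not recorded. The neverallow starts above this hunk, but its tail `}:binder call;` shows it limits which domains vold may make binder calls to. Each exemption widens that for a process that handles storage encryption keys. If this is for the hwcrypto HAL named in the commit title, say so next to the entry, e.g. `-tee  # hwcrypto HAL is served from the tee domain` (adjust to the actual reason).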
diff --git a/private/zygote.te b/private/zygote.te
index 4815ecc..62312cc 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -80,6 +80,11 @@
     properties_device
 }:dir { mounton search };
 
+# Legacy app compat
+userdebug_or_eng(`
+    allow zygote system_file:dir { mounton };
+')
+
 # Traverse /data_mirror to get to the above directories while their normal paths
 # are hidden, in order to bind-mount allowlisted per-app directories.
 allow zygote mirror_data_file:dir search;
diff --git a/public/service.te b/public/service.te
index aa9d184..2d7cedf 100644
--- a/public/service.te
+++ b/public/service.te
@@ -326,6 +326,9 @@
 type hal_graphics_mapper_service, hal_service_type, service_manager_type;
 type hal_health_service, protected_service, hal_service_type, service_manager_type;
 type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
+starting_at_board_api(202504, `
+    type hal_hwcrypto_service, protected_service, hal_service_type, service_manager_type;
+')
 type hal_identity_service, protected_service, hal_service_type, service_manager_type;
 type hal_input_processor_service, protected_service, hal_service_type, service_manager_type;
 type hal_ir_service, protected_service, hal_service_type, service_manager_type;
diff --git a/tests/Android.bp b/tests/Android.bp
index 8671fae..3f36f41 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -46,11 +46,6 @@
     srcs: [
         "treble_sepolicy_tests.py",
     ],
-    version: {
-        py3: {
-            embedded_launcher: true,
-        },
-    },
     libs: [
         "mini_cil_parser",
     ],
@@ -61,11 +56,6 @@
     srcs: [
         "sepolicy_tests.py",
     ],
-    version: {
-        py3: {
-            embedded_launcher: true,
-        },
-    },
     libs: ["pysepolwrap"],
     data: [":libsepolwrap"],
 }
@@ -75,11 +65,6 @@
     srcs: [
         "apex_sepolicy_tests.py",
     ],
-    version: {
-        py3: {
-            embedded_launcher: true,
-        },
-    },
     libs: ["pysepolwrap"],
     data: [
         ":libsepolwrap",
@@ -105,11 +90,6 @@
     test_options: {
         unit_test: true,
     },
-    version: {
-        py3: {
-            embedded_launcher: true,
-        },
-    },
 }
 
 python_binary_host {
@@ -157,11 +137,6 @@
     srcs: [
         "sepolicy_freeze_test.py",
     ],
-    version: {
-        py3: {
-            embedded_launcher: true,
-        },
-    },
     libs: [
         "mini_cil_parser",
     ],
@@ -177,11 +152,6 @@
     test_options: {
         unit_test: true,
     },
-    version: {
-        py3: {
-            embedded_launcher: true,
-        },
-    },
 }
 
 // prebuilt files to be included to CTS
diff --git a/vendor/hal_mediaquality_default.te b/vendor/hal_mediaquality_default.te
index 8f604c4..8d2bd92 100644
--- a/vendor/hal_mediaquality_default.te
+++ b/vendor/hal_mediaquality_default.te
@@ -4,4 +4,5 @@
 
     type hal_mediaquality_default_exec, exec_type, vendor_file_type, file_type;
     init_daemon_domain(hal_mediaquality_default)
-')
\ No newline at end of file
+    hal_client_domain(hal_mediaquality_default, hal_graphics_composer)
+')