Merge "Allow test apps to use the virtualizationservice"
diff --git a/Android.bp b/Android.bp
index 1c272f8..e517356 100644
--- a/Android.bp
+++ b/Android.bp
@@ -790,6 +790,9 @@
src: ":userdebug_plat_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
debug_ramdisk: true,
+ dist: {
+ targets: ["droidcore"],
+ },
}
// A copy of the userdebug_plat_policy in GSI.
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index ffc2b3b..cf516dd 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# Attribute for block devices.
-attribute bdev_type;
-
# All types used for processes.
attribute domain;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 898224c..c03fb4d 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,7 +1,7 @@
type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
type dm_device, dev_type;
@@ -34,7 +34,7 @@
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
-type vd_device, dev_type, bdev_type;
+type vd_device, dev_type;
type vndbinder_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 22f6cd8..f80312a 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -32,4 +32,5 @@
sysfs_vendor_sched
vendor_vm_file
vendor_vm_data_file
+ virtual_device_service
))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 664a3b3..8f82b5d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -119,7 +119,6 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/block u:object_r:sysfs_block:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
diff --git a/private/service_contexts b/private/service_contexts
index 1b28ca9..335004e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -303,6 +303,7 @@
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
+virtualdevice u:object_r:virtual_device_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
diff --git a/private/zygote.te b/private/zygote.te
index f2af506..8e2b15a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -230,6 +230,11 @@
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
+# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
+# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
+allow zygote vendor_apex_file:dir { getattr search };
+allow zygote vendor_apex_file:file { getattr };
+
###
### neverallow rules
###
diff --git a/public/attributes b/public/attributes
index 32fe98c..35a3800 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# Attribute for block devices.
-attribute bdev_type;
-
# All types used for processes.
attribute domain;
@@ -68,9 +65,6 @@
# All types used for sysfs files.
attribute sysfs_type;
-# Attribute for /sys/class/block files.
-attribute sysfs_block_type;
-
# All types use for debugfs files.
attribute debugfs_type;
diff --git a/public/device.te b/public/device.te
index 1a71a40..686f955 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,18 +6,18 @@
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
type camera_device, dev_type;
-type dm_device, dev_type, bdev_type;
-type dm_user_device, dev_type, bdev_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
-type loop_device, dev_type, bdev_type;
+type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
-type ram_device, dev_type, bdev_type;
+type ram_device, dev_type;
type rtc_device, dev_type;
-type vd_device, dev_type, bdev_type;
+type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
@@ -73,51 +73,51 @@
type rpmsg_device, dev_type;
# Partition layout block device
-type root_block_device, dev_type, bdev_type;
+type root_block_device, dev_type;
# factory reset protection block device
-type frp_block_device, dev_type, bdev_type;
+type frp_block_device, dev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type, bdev_type;
+type system_block_device, dev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type, bdev_type;
+type recovery_block_device, dev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type, bdev_type;
+type boot_block_device, dev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type, bdev_type;
+type userdata_block_device, dev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type, bdev_type;
+type cache_block_device, dev_type;
# Block device for any swap partition.
-type swap_block_device, dev_type, bdev_type;
+type swap_block_device, dev_type;
# Metadata block device used for encryption metadata.
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type, bdev_type;
+type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type, bdev_type;
+type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type, bdev_type;
+type super_block_device, super_block_device_type, dev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type, bdev_type;
+type sdcard_block_device, dev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
diff --git a/public/file.te b/public/file.te
index 0b94e2e..ffcfd2b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -88,11 +88,10 @@
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
+type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
diff --git a/public/service.te b/public/service.te
index d333175..ef24657 100644
--- a/public/service.te
+++ b/public/service.te
@@ -231,6 +231,7 @@
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type virtual_device_service, system_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 70a7fb4..29c07a4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -158,9 +158,6 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
-# allow shell to list /sys/class/block/ to get storage type for CTS
-allow shell sysfs_block:dir r_dir_perms;
-
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;