Merge changes from topic "b163478173-I"
* changes:
Rem /vendor app neverallow to get vendor services
sepolicy: remove hal_light_severice exception
diff --git a/Android.mk b/Android.mk
index ad7d9bd..b9043d7 100644
--- a/Android.mk
+++ b/Android.mk
@@ -322,6 +322,88 @@
include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy_system_ext
+# Include precompiled policy, unless told otherwise.
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += \
+ system_ext_mapping_file
+
+system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
+
+LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
+
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+LOCAL_REQUIRED_MODULES += \
+ system_ext_file_contexts \
+ system_ext_file_contexts_test \
+ system_ext_hwservice_contexts \
+ system_ext_hwservice_contexts_test \
+ system_ext_property_contexts \
+ system_ext_property_contexts_test \
+ system_ext_seapp_contexts \
+ system_ext_service_contexts \
+ system_ext_service_contexts_test \
+ system_ext_mac_permissions.xml \
+
+endif
+
+include $(BUILD_PHONY_PACKAGE)
+
+#################################
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := selinux_policy_product
+# Include precompiled policy, unless told otherwise.
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy.cil
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += \
+ product_mapping_file
+
+product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
+
+LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
+
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+LOCAL_REQUIRED_MODULES += \
+ product_file_contexts \
+ product_file_contexts_test \
+ product_hwservice_contexts \
+ product_hwservice_contexts_test \
+ product_property_contexts \
+ product_property_contexts_test \
+ product_seapp_contexts \
+ product_service_contexts \
+ product_service_contexts_test \
+ product_mac_permissions.xml \
+
+endif
+
+include $(BUILD_PHONY_PACKAGE)
+
+#################################
+
+include $(CLEAR_VARS)
+
LOCAL_MODULE := selinux_policy_nonsystem
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
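Review bot: The lists under `ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR` and `ifdef HAS_PRODUCT_SEPOLICY_DIR` end with a trailing backslash (`system_ext_mac_permissions.xml \`, `product_mac_permissions.xml \`) and depend on the blank line after it to end the continuation. If that blank line is ever removed, `endif` is joined into `LOCAL_REQUIRED_MODULES` and the conditional loses its terminator; dropping the backslash from the last entry removes that trap. Each new module would also benefit from a short comment above `LOCAL_MODULE`, for example `# Phony package that pulls in the system_ext SELinux policy artifacts.` That comment should also say whether it is intended that the `.sha256` module is required even when `HAS_SYSTEM_EXT_SEPOLICY` (or `HAS_PRODUCT_SEPOLICY`) is unset.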
@@ -329,9 +411,7 @@
precompiled_sepolicy \
precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \
- system_ext_sepolicy_and_mapping.sha256 \
precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
- product_sepolicy_and_mapping.sha256 \
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -368,63 +448,8 @@
odm_mac_permissions.xml
endif
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += \
- system_ext_mapping_file
-
-system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
-
-LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
-
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-LOCAL_REQUIRED_MODULES += \
- system_ext_file_contexts \
- system_ext_file_contexts_test \
- system_ext_hwservice_contexts \
- system_ext_hwservice_contexts_test \
- system_ext_property_contexts \
- system_ext_property_contexts_test \
- system_ext_seapp_contexts \
- system_ext_service_contexts \
- system_ext_service_contexts_test \
- system_ext_mac_permissions.xml \
-
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_sepolicy.cil
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += \
- product_mapping_file
-
-product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
-
-LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
-
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-LOCAL_REQUIRED_MODULES += \
- product_file_contexts \
- product_file_contexts_test \
- product_hwservice_contexts \
- product_hwservice_contexts_test \
- product_property_contexts \
- product_property_contexts_test \
- product_seapp_contexts \
- product_service_contexts \
- product_service_contexts_test \
- product_mac_permissions.xml \
-
-endif
+LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
+LOCAL_REQUIRED_MODULES += selinux_policy_product
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
diff --git a/prebuilts/api/30.0/public/vendor_misc_writer.te b/prebuilts/api/30.0/public/vendor_misc_writer.te
index dee9941..0f3f825 100644
--- a/prebuilts/api/30.0/public/vendor_misc_writer.te
+++ b/prebuilts/api/30.0/public/vendor_misc_writer.te
@@ -8,6 +8,7 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer gsi_metadata_file:dir search;
+dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
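Review bot: The comment above these rules explains only the DT fstab lookup, so the new `dontaudit vendor_misc_writer gsi_metadata_file:dir search;` and the widening of the proc_cmdline rule from `read` to `r_file_perms` are undocumented. dontaudit rules remove denials from the audit log, so each one should name the code path that triggers it; otherwise a later unexpected access by this domain is silenced as well. I would extend the comment along the lines of `# ReadDefaultFstab also probes the GSI metadata dir and opens /proc/cmdline; vendor_misc_writer needs neither.`, with the wording confirmed by the author. The identical hunk in public/vendor_misc_writer.te should get the same comment so the two files stay in sync.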
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 7db303c..56a5f34 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -30,7 +30,9 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
+ ramdisk_boot_file
shell_test_data_file
sysfs_devices_cs_etm
update_engine_stable_service
- userspace_reboot_metadata_file))
+ userspace_reboot_metadata_file
+ vibrator_manager_service))
diff --git a/private/domain.te b/private/domain.te
index 5cc313a..b1f968f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -437,3 +437,6 @@
-vndk_sp_file
}:file *;
')
+
+# Only first_stage_init can read files under /boot.
+neverallow domain ramdisk_boot_file:dir_file_class_set *;
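Review bot: The comment says first_stage_init can read /boot, but `neverallow domain ramdisk_boot_file:dir_file_class_set *;` excludes no domain, so the reader cannot see how that access is possible. Presumably first-stage init reads these files before SELinux policy is loaded and so is not subject to the rule. If that is the reason, state it: `# No domain may access files under /boot. First-stage init reads them before policy is loaded, so it needs no exception.` The block that precedes this rule starts outside the hunk.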
diff --git a/private/file_contexts b/private/file_contexts
index 84fb2a7..e7cc906 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -762,3 +762,7 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
+
+#############################
+# Ramdisk files under /boot
+/boot(/.*)? u:object_r:ramdisk_boot_file:s0
diff --git a/private/property_contexts b/private/property_contexts
index 4f7a1dc..ae85610 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -842,6 +842,7 @@
ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.update_edid_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/service_contexts b/private/service_contexts
index a2c8455..be4aa2b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -4,7 +4,7 @@
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
-android.hardware.powerstats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
@@ -243,6 +243,7 @@
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
vibrator u:object_r:vibrator_service:s0
+vibrator_manager u:object_r:vibrator_manager_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
diff --git a/public/file.te b/public/file.te
index 3d10999..b9b5fef3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -560,3 +560,6 @@
# Should be:
# type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate;
+
+# /boot
+type ramdisk_boot_file, file_type;
diff --git a/public/init.te b/public/init.te
index f84bacb..077816f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -179,6 +179,7 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
+ -ramdisk_boot_file
-system_app_data_file
-system_file_type
-vendor_file_type
@@ -193,6 +194,7 @@
-keystore_data_file
-misc_logd_file
-nativetest_data_file
+ -ramdisk_boot_file
-privapp_data_file
-shell_data_file
-system_app_data_file
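Review bot: In this hunk `-ramdisk_boot_file` is inserted before `-privapp_data_file`, while the other five hunks in public/init.te place it after `-privapp_data_file`, in line with the otherwise alphabetical order of the exclusion list. Moving the line one position down keeps the lists uniform and makes it easier to check by eye that every init rule excludes the type. The enclosing rule starts and ends outside the hunk.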
@@ -213,6 +215,7 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
+ -ramdisk_boot_file
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
@@ -232,6 +235,7 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
+ -ramdisk_boot_file
-shell_data_file
-system_app_data_file
-system_file_type
@@ -251,6 +255,7 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
+ -ramdisk_boot_file
-shell_data_file
-system_app_data_file
-system_file_type
@@ -267,6 +272,7 @@
-exec_type
-app_data_file
-privapp_data_file
+ -ramdisk_boot_file
}:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 5187162..a2e2c4e 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -707,6 +707,7 @@
define(`F2FS_IOC_MOVE_RANGE', `0xf509')
define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
diff --git a/public/service.te b/public/service.te
index b7a287b..8b95eb7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -194,6 +194,7 @@
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
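Review bot: `vibrator_manager_service` is declared with both `app_api_service` and `ephemeral_app_api_service`, copying the attribute set of `vibrator_service` on the line above. Going by the attribute names, that exposes the new service to ordinary and instant apps. Nothing in the hunk shows that instant apps need the manager interface, so confirm the exposure is intended and drop `ephemeral_app_api_service` if it is not. A short comment above the type stating why it belongs to the app API would help later policy audits.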
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0bdf632..c729370 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -52,6 +52,7 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@@ -68,6 +69,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -85,6 +87,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -101,6 +104,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -117,6 +121,7 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-system_file_type
-vendor_file_type
-vold_metadata_file
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index dee9941..0f3f825 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,6 +8,7 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer gsi_metadata_file:dir search;
+dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/public/vold.te b/public/vold.te
index c1e8e07..33fc620 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -66,9 +66,11 @@
-vold
} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
-# Find the location on the raw block device where the
-# crypto key is stored so it can be destroyed
+# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
+# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
+# location of the file's blocks on the raw block device to erase.
allowxperm vold vold_data_file:file ioctl {
+ F2FS_IOC_SEC_TRIM_FILE
FS_IOC_FIEMAP
};
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 3668b12..88e8d39 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -58,7 +58,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.example u:object_r:hal_power_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.powerstats-service\.example u:object_r:hal_power_stats_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power.stats-service\.example u:object_r:hal_power_stats_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service u:object_r:hal_power_stats_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
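Review bot: The new pattern leaves the dot between `power` and `stats` unescaped (`android\.hardware\.power.stats-service\.example`), so it matches any character at that position. A differently named binary under the same directory could therefore be labelled `hal_power_stats_default_exec`. The neighbouring entry writes `power\.stats@1\.0-service`; use the same escaping here: `android\.hardware\.power\.stats-service\.example`.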