Merge changes from topic "ashmem-ioctl-fixes" into main
* changes:
Allow ashmem ioctl commands to be invoked on tmpfs files
sepolicy: Define ashmem_ioctls macro
Add missing ashmem ioctl command definition
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index a69d649..35b7d7f 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -524,7 +524,7 @@
"wifiaware": EXCEPTION_NO_FUZZER,
"wifi_usd": EXCEPTION_NO_FUZZER,
"wifirtt": EXCEPTION_NO_FUZZER,
- "wifi_mainline_supplicant": EXCEPTION_NO_FUZZER, // defined internally
+ "wifi_mainline_supplicant": []string{"mainline_supplicant_service_fuzzer"},
"window": EXCEPTION_NO_FUZZER,
"*": EXCEPTION_NO_FUZZER,
}
diff --git a/private/app.te b/private/app.te
index b359663..a32cdb2 100644
--- a/private/app.te
+++ b/private/app.te
@@ -371,7 +371,7 @@
# Write profiles /data/misc/profiles
allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir w_dir_perms;
+allow appdomain user_profile_data_file:dir rw_dir_perms;
allow appdomain user_profile_data_file:file create_file_perms;
# Allow writing performance tracing data into the perfetto traced daemon.
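Review bot: The directory permission for appdomain on user_profile_data_file widens from w_dir_perms to rw_dir_perms, which, going by the usual macro definitions, adds directory read (listing) for every app domain, yet the comment above still says only `# Write profiles /data/misc/profiles` and the hunk gives no reason why apps now need to enumerate profile directories. A one-line rationale with the tracking bug would keep the broadened access reviewable, e.g. `# Read and write profiles in /data/misc/profiles (listing needed for <reason>, b/<bug-id>)`. The same change is made for system_server in private/system_server.te, where `# Allow it to write and create its own profile.` likewise no longer describes the permissions granted.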
diff --git a/private/domain.te b/private/domain.te
index 4282b4d..b912aae 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2318,7 +2318,7 @@
domain
# these are expected
- -early_virtmgr
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
-virtualizationmanager
-virtualizationservice
-adbd_common # maybe should move to emulator/virtual device specific policy
diff --git a/private/system_server.te b/private/system_server.te
index 7bdcaef..bdfec3b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1296,7 +1296,7 @@
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
- allow system_server user_profile_data_file:dir w_dir_perms;
+ allow system_server user_profile_data_file:dir rw_dir_perms;
allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index ef34c31..6c398a2 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -7,6 +7,9 @@
allow vmlauncher_app app_api_service:service_manager find;
allow vmlauncher_app system_api_service:service_manager find;
+# TODO(b/402303887): Remove this when WebView doesn't requires camera access.
+allow vmlauncher_app cameraserver_service:service_manager find;
+
allow vmlauncher_app shell_data_file:dir search;
allow vmlauncher_app shell_data_file:file { read open write };
virtualizationservice_use(vmlauncher_app)
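Review bot: The comment on the new cameraserver_service rule has a grammar slip, `doesn't requires` should be `doesn't require`. Beyond wording, the TODO says when the rule goes away but not what vmlauncher_app does with the service meanwhile; since this lets an app-type domain discover the camera service, one sentence naming the consumer and keeping the bug already cited is enough, e.g. `# TODO(b/402303887): WebView inside vmlauncher_app currently needs to find cameraserver_service; remove once it no longer requires camera access.`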