Merge "sepolicy: fix missing label on vendor_service_contexts"
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 6259c9a..03f8f19 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -74,7 +74,7 @@
fileContextsProperties fileContextsProperties
build func(ctx android.ModuleContext, inputs android.Paths)
outputPath android.ModuleGenPath
- installPath android.OutputPath
+ installPath android.InstallPath
}
var (
@@ -106,11 +106,14 @@
return m.inRecovery()
}
+func (m *selinuxContextsModule) InstallInRoot() bool {
+ return m.inRecovery()
+}
+
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if m.InstallInRecovery() {
- // Workaround for installing context files at the root of the recovery partition
- m.installPath = android.PathForOutput(ctx,
- "target", "product", ctx.Config().DeviceName(), "recovery", "root")
+ if m.inRecovery() {
+ // Installing context files at the root of the recovery partition
+ m.installPath = android.PathForModuleInstall(ctx)
} else {
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
}
@@ -213,7 +216,7 @@
}
fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", "$(OUT_DIR)/"+m.installPath.RelPathString())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
},
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
index 3b3dae1..60f42b9 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
@@ -336,6 +336,7 @@
(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
(typeattributeset mdns_socket_26_0 (mdns_socket))
(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
+(typeattributeset hal_omx_server (mediacodec_26_0))
(typeattributeset mediacodec_26_0 (mediacodec))
(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
(typeattributeset mediacodec_service_26_0 (mediacodec_service))
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
index 365d791..8c8f82f 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
@@ -1047,6 +1047,7 @@
(typeattributeset mdnsd_27_0 (mdnsd))
(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
(typeattributeset mdns_socket_27_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_27_0))
(typeattributeset mediacodec_27_0 (mediacodec))
(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
(typeattributeset mediacodec_service_27_0 (mediacodec_service))
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
index 305cb3a..338cbd0 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
@@ -1242,6 +1242,7 @@
(typeattributeset mdnsd_28_0 (mdnsd))
(typeattributeset mdnsd_socket_28_0 (mdnsd_socket))
(typeattributeset mdns_socket_28_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_28_0))
(typeattributeset mediacodec_28_0 (mediacodec))
(typeattributeset mediacodec_exec_28_0 (mediacodec_exec))
(typeattributeset mediacodec_service_28_0 (mediacodec_service))
diff --git a/private/boringssl_self_test.te b/private/boringssl_self_test.te
index 4e2d848..50fc1fc 100644
--- a/private/boringssl_self_test.te
+++ b/private/boringssl_self_test.te
@@ -1,22 +1,65 @@
+# System and vendor domains for BoringSSL self test binaries.
+#
+# For FIPS compliance, all processes linked against libcrypto perform a startup
+# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
+# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
+#
+# The KATs are expensive, and to ensure they are run as few times as possible, they
+# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
+# the hash of the BCM that was computed earlier. The files are zero length and their contents
+# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
+# to create these marker files, there are dedicated self test binaries which this policy
+# gives access to and which are run during early-init.
+#
+# Due to build skew, the version of libcrypto in /vendor may have a different hash than
+# the system one. To cater for this there are vendor variants of the self test binaries
+# which also have permission to write to the same files in /dev/boringssl. In the case where
+# vendor and system libcrypto have the same hash, there will be a race to create the file,
+# but this is harmless.
+#
+# If the self tests fail, then the device should reboot into firmware and for this reason
+# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
+# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
+# reboot. However every binary linked against the vendor libcrypto will abort on startup,
+# so in practice the device will crash anyway in this unlikely scenario.
+
+# System boringssl_self_test domain
type boringssl_self_test, domain, coredomain;
type boringssl_self_test_exec, system_file_type, exec_type, file_type;
-type boringssl_self_test_marker, file_type;
-# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
+# Vendor boringssl_self_test domain
+type vendor_boringssl_self_test, domain;
+type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
+
+# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
init_daemon_domain(boringssl_self_test)
-# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
-# files.
-allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
-allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
+# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
+init_daemon_domain(vendor_boringssl_self_test)
-# Allow boringsself_self_test to write its stdout/stderr messages to kmsg_debug.
-allow boringssl_self_test kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
+# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
+#
+# The files are zero length so there is no issue if both vendor and system code
+# try to create the same file simultaneously. One will succeed and the other will fail
+# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
+# system domain e.g. when system and APEX copies of libcrypto are identical.
+type boringssl_self_test_marker, file_type;
-# No other process should be able to create these files because their existence causes the
-# boringssl self test to be skipped.
+# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
+allow { boringssl_self_test vendor_boringssl_self_test }
+ boringssl_self_test_marker:file create_file_perms;
+allow { boringssl_self_test vendor_boringssl_self_test }
+ boringssl_self_test_marker:dir ra_dir_perms;
+
+# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
+allow { boringssl_self_test vendor_boringssl_self_test }
+ kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
+
+# No other process should be able to create marker files because their existence causes the
+# boringssl KAT to be skipped.
neverallow {
domain
+ -vendor_boringssl_self_test
-boringssl_self_test
-init
-vendor_init
@@ -24,6 +67,7 @@
neverallow {
domain
+ -vendor_boringssl_self_test
-boringssl_self_test
-init
-vendor_init
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 2d1a612..1cdde2b 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -336,6 +336,7 @@
(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
(typeattributeset mdns_socket_26_0 (mdns_socket))
(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
+(typeattributeset hal_omx_server (mediacodec_26_0))
(typeattributeset mediacodec_26_0 (mediacodec))
(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
(typeattributeset mediacodec_service_26_0 (mediacodec_service))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 4b4d87b..0996e97 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1044,6 +1044,7 @@
(typeattributeset mdnsd_27_0 (mdnsd))
(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
(typeattributeset mdns_socket_27_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_27_0))
(typeattributeset mediacodec_27_0 (mediacodec))
(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
(typeattributeset mediacodec_service_27_0 (mediacodec_service))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d51909d..0de0ad5 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1238,6 +1238,7 @@
(typeattributeset mdnsd_28_0 (mdnsd))
(typeattributeset mdnsd_socket_28_0 (mdnsd_socket))
(typeattributeset mdns_socket_28_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_28_0))
(typeattributeset mediacodec_28_0 (mediacodec))
(typeattributeset mediacodec_exec_28_0 (mediacodec_exec))
(typeattributeset mediacodec_service_28_0 (mediacodec_service))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index b4dd7c5..1d31dbb 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -22,7 +22,6 @@
system_group_file
system_passwd_file
vendor_apex_file
+ vendor_boringssl_self_test
virtual_ab_prop
- wifi_stack
- wifi_stack_service
- wifi_stack_tmpfs))
+ wifi_stack_service))
diff --git a/private/file.te b/private/file.te
index 26b58f4..010b7cf 100644
--- a/private/file.te
+++ b/private/file.te
@@ -23,3 +23,6 @@
# /dev/linkerconfig(/.*)?
type linkerconfig_file, file_type;
+
+# /data/gsi/ota
+type ota_image_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 52354e2..6393f72 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -253,6 +253,7 @@
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
/system/bin/sdcard u:object_r:sdcardd_exec:s0
+/system/bin/snapshotctl u:object_r:snapshotctl_exec:s0
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
@@ -359,6 +360,7 @@
/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+/vendor/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
@@ -469,6 +471,7 @@
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
+/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -650,6 +653,7 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index d0e13b4..aafaf53 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -3,9 +3,10 @@
init_daemon_domain(fsverity_init)
-# Allow this shell script to run and execute toybox
-allow fsverity_init shell_exec:file rx_file_perms;
-allow fsverity_init toolbox_exec:file rx_file_perms;
+# Allow to retrieve keys from keystore.
+binder_use(fsverity_init)
+use_keystore(fsverity_init)
+allow fsverity_init keystore:keystore_key { list get };
# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;
diff --git a/private/gsid.te b/private/gsid.te
index 305b1c2..cc255ca 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -70,7 +70,12 @@
# Needed when running gsi_tool through "su root" rather than adb root.
allow gsid adbd:unix_stream_socket rw_socket_perms;
-neverallow { domain -gsid -init } gsid_prop:property_service set;
+neverallow {
+ domain
+ -gsid
+ -init
+ -update_engine_common
+} gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
@@ -98,12 +103,27 @@
# currently running.
#
allow gsid metadata_file:dir { search getattr };
-allow gsid gsi_metadata_file:dir rw_dir_perms;
-allow gsid gsi_metadata_file:file create_file_perms;
+allow gsid {
+ gsi_metadata_file
+ ota_metadata_file
+}:dir rw_dir_perms;
+allow gsid {
+ gsi_metadata_file
+ ota_metadata_file
+}:file create_file_perms;
-allow gsid gsi_data_file:dir rw_dir_perms;
-allow gsid gsi_data_file:file create_file_perms;
-allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:dir rw_dir_perms;
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file create_file_perms;
+allowxperm gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file ioctl FS_IOC_FIEMAP;
neverallow {
domain
diff --git a/private/logd.te b/private/logd.te
index a9c65b0..f24cb80 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,5 +35,5 @@
-shell
userdebug_or_eng(`-su')
-system_app
- -wifi_stack
+ -network_stack
} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/network_stack.te b/private/network_stack.te
index b214538..4fd31bd 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,4 +1,4 @@
-# Networking service app
+############### Networking service app - NetworkStack.apk ##############
typeattribute network_stack coredomain;
app_domain(network_stack);
@@ -28,3 +28,42 @@
allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
+
+############### Wifi Service app - WifiStack.apk ##############
+# Data file accesses.
+# Manage /data/misc/wifi & /data/misc_ce/<user_id>/wifi.
+allow network_stack wifi_data_file:dir create_dir_perms;
+allow network_stack wifi_data_file:file create_file_perms;
+
+# Property accesses
+userdebug_or_eng(`
+ set_prop(network_stack, wifi_log_prop)
+
+ # Allow network_stack to read dmesg
+ # TODO(b/137085509): Remove this.
+ allow network_stack kernel:system syslog_read;
+')
+
+# Binder IPC.
+allow network_stack audioserver_service:service_manager find;
+allow network_stack network_score_service:service_manager find;
+allow network_stack network_stack_service:service_manager find;
+allow network_stack radio_service:service_manager find;
+allow network_stack wificond_service:service_manager find;
+allow network_stack wifiscanner_service:service_manager find;
+binder_call(network_stack, system_server)
+binder_call(network_stack, wificond)
+
+# HwBinder IPC.
+hal_client_domain(network_stack, hal_wifi)
+hal_client_domain(network_stack, hal_wifi_hostapd)
+hal_client_domain(network_stack, hal_wifi_supplicant)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow network_stack debugfs_tracing_instances:dir search;
+allow network_stack debugfs_wifi_tracing:dir search;
+allow network_stack debugfs_wifi_tracing:file rw_file_perms;
+
+# dumpstate support
+allow network_stack dumpstate:fd use;
+allow network_stack dumpstate:fifo_file write;
diff --git a/private/platform_app.te b/private/platform_app.te
index 8c2128d..c255605 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,6 +68,9 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
+userdebug_or_eng(`
+ allow platform_app platform_compat_service:service_manager find;
+')
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 705e03d..c74bd2c 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,9 +143,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
-user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
new file mode 100644
index 0000000..78bf6fd
--- /dev/null
+++ b/private/snapshotctl.te
@@ -0,0 +1,32 @@
+type snapshotctl, domain, coredomain;
+type snapshotctl_exec, system_file_type, exec_type, file_type;
+
+# Allow init to run snapshotctl and do auto domain transfer.
+init_daemon_domain(snapshotctl);
+
+# Allow to start gsid service.
+set_prop(snapshotctl, ctl_gsid_prop)
+
+# Allow to talk to gsid.
+binder_use(snapshotctl)
+allow snapshotctl gsi_service:service_manager find;
+binder_call(snapshotctl, gsid)
+
+# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+allow snapshotctl metadata_file:dir search;
+allow snapshotctl ota_metadata_file:dir rw_dir_perms;
+allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(snapshotctl, sysfs_dt_firmware_android);
+allow snapshotctl proc_cmdline:file r_file_perms;
+
+# Needed to (re-)map logical partitions.
+allow snapshotctl block_device:dir r_dir_perms;
+allow snapshotctl super_block_device:blk_file r_file_perms;
+
+# Interact with device-mapper to collapse snapshots.
+allow snapshotctl dm_device:chr_file rw_file_perms;
+
+# Needed to mutate device-mapper nodes.
+allow snapshotctl self:global_capability_class_set sys_admin;
diff --git a/private/update_engine.te b/private/update_engine.te
index 5af7db6..e4e7009 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,7 @@
typeattribute update_engine coredomain;
init_daemon_domain(update_engine);
+
+# Allow to talk to gsid.
+allow update_engine gsi_service:service_manager find;
+binder_call(update_engine, gsid)
diff --git a/private/wifi_stack.te b/private/wifi_stack.te
deleted file mode 100644
index 1f19faa..0000000
--- a/private/wifi_stack.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# Wifi Stack Mandatory
-typeattribute wifi_stack coredomain;
-
-app_domain(wifi_stack)
-net_domain(wifi_stack)
-
-# Data file accesses.
-# Manage /data/misc/wifi.
-allow wifi_stack wifi_data_file:dir create_dir_perms;
-allow wifi_stack wifi_data_file:file create_file_perms;
-allow wifi_stack radio_data_file:dir search;
-
-# Property accesses
-userdebug_or_eng(`
- set_prop(wifi_stack, wifi_log_prop)
-
- # Allow wifi_stack to read dmesg
- # TODO(b/137085509): Remove this.
- allow wifi_stack kernel:system syslog_read;
-')
-
-# ctl interface
-
-# Perform Binder IPC.
-binder_use(wifi_stack)
-allow wifi_stack app_api_service:service_manager find;
-allow wifi_stack network_score_service:service_manager find;
-allow wifi_stack netd_service:service_manager find;
-allow wifi_stack network_stack_service:service_manager find;
-allow wifi_stack radio_service:service_manager find;
-allow wifi_stack wificond_service:service_manager find;
-allow wifi_stack wifiscanner_service:service_manager find;
-binder_call(wifi_stack, system_server)
-binder_call(wifi_stack, wificond)
-binder_call(wifi_stack, network_stack)
-
-# Perform HwBinder IPC.
-hwbinder_use(wifi_stack)
-hal_client_domain(wifi_stack, hal_wifi)
-hal_client_domain(wifi_stack, hal_wifi_hostapd)
-hal_client_domain(wifi_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow wifi_stack debugfs_tracing_instances:dir search;
-allow wifi_stack debugfs_wifi_tracing:dir search;
-allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# Connectivity
-allow wifi_stack self:capability { net_bind_service net_admin net_raw };
-allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
-allow wifi_stack self:netlink_route_socket nlmsg_write;
-allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# dumpstate support
-allow wifi_stack dumpstate:fd use;
-allow wifi_stack dumpstate:fifo_file write;
diff --git a/private/zygote.te b/private/zygote.te
index cf5a7a3..66e14b3 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -146,6 +146,9 @@
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
+# Allow zygote to use ashmem fds from system_server.
+allow zygote system_server:fd use;
+
###
### neverallow rules
###
diff --git a/public/app.te b/public/app.te
index 17b7852..ea3cf15 100644
--- a/public/app.te
+++ b/public/app.te
@@ -365,7 +365,7 @@
# Superuser capabilities.
# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
@@ -488,7 +488,7 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -wifi_stack }
+neverallow { appdomain -network_stack }
wifi_data_file:dir_file_class_set *;
neverallow appdomain
dhcp_data_file:dir_file_class_set
@@ -512,7 +512,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain userdebug_or_eng(`-network_stack') } kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/netd.te b/public/netd.te
index 3e48bd2..c15a03b 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,7 +141,6 @@
-network_stack
-netd
-netutils_wrapper
- -wifi_stack
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
@@ -152,12 +151,11 @@
-network_stack
-netd
-netutils_wrapper
- -wifi_stack
} dnsresolver_service:service_manager find;
# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
-neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/update_engine.te b/public/update_engine.te
index 7bcaca6..5410bde 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -54,3 +54,13 @@
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device. ReadDefaultFstab() checks whether a GSI is running by checking
+# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
+# the access.
+dontaudit update_engine gsi_metadata_file:dir search;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 87e3b43..806944f 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -79,3 +79,7 @@
# Allow to read Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/public/wifi_stack.te b/public/wifi_stack.te
deleted file mode 100644
index f1a26f5..0000000
--- a/public/wifi_stack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Wifi Stack Mandatory
-type wifi_stack, domain;
diff --git a/public/wificond.te b/public/wificond.te
index ae83846..e11d45d 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,7 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
-binder_call(wificond, wifi_stack)
+binder_call(wificond, network_stack)
add_service(wificond, wificond_service)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1ffd850..a63dd8f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -79,6 +79,12 @@
/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so u:object_r:same_process_hal_file:s0
#############################
+# Libraries removed from vndk-sp (must still be accessible by passthrough HALs using them)
+#
+/(vendor|system/vendor)/lib(64)?/libhwbinder.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhidltransport.so u:object_r:same_process_hal_file:s0
+
+#############################
# Data files
#
/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0