Merge "Add bluetooth_prop to system_server sepolicy."
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 60799cd..738460d 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -14,414 +14,423 @@
package selinux
+var EXCEPTION_NO_FUZZER = []string{}
+
+//
+// To add a fuzzer for service, add your service name and fuzzer name in ServiceFuzzerBindings
+// example of entry -
+// "android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
+
var (
ServiceFuzzerBindings = map[string][]string{
- "android.hardware.audio.core.IConfig/default": []string{},
- "android.hardware.audio.core.IModule/default": []string{},
- "android.hardware.audio.effect.IFactory/default": []string{},
- "android.hardware.authsecret.IAuthSecret/default": []string{},
- "android.hardware.automotive.evs.IEvsEnumerator/hw/0": []string{},
- "android.hardware.boot.IBootControl/default": []string{},
- "android.hardware.automotive.evs.IEvsEnumerator/hw/1": []string{},
- "android.hardware.automotive.remoteaccess.IRemoteAccess/default": []string{},
- "android.hardware.automotive.vehicle.IVehicle/default": []string{},
- "android.hardware.automotive.audiocontrol.IAudioControl/default": []string{},
- "android.hardware.biometrics.face.IFace/default": []string{},
- "android.hardware.biometrics.fingerprint.IFingerprint/default": []string{},
- "android.hardware.biometrics.fingerprint.IFingerprint/virtual": []string{},
- "android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": []string{},
- "android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{},
- "android.hardware.broadcastradio.IBroadcastRadio/dab": []string{},
- "android.hardware.camera.provider.ICameraProvider/internal/0": []string{},
- "android.hardware.cas.IMediaCasService/default": []string{},
- "android.hardware.confirmationui.IConfirmationUI/default": []string{},
- "android.hardware.contexthub.IContextHub/default": []string{},
- "android.hardware.drm.IDrmFactory/clearkey": []string{},
- "android.hardware.drm.ICryptoFactory/clearkey": []string{},
- "android.hardware.dumpstate.IDumpstateDevice/default": []string{},
- "android.hardware.gatekeeper.IGatekeeper/default": []string{},
- "android.hardware.gnss.IGnss/default": []string{},
- "android.hardware.graphics.allocator.IAllocator/default": []string{},
- "android.hardware.graphics.composer3.IComposer/default": []string{},
- "android.hardware.health.storage.IStorage/default": []string{},
+ "android.hardware.audio.core.IConfig/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.effect.IFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.evs.IEvsEnumerator/hw/1": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.remoteaccess.IRemoteAccess/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.audiocontrol.IAudioControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.face.IFace/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
+ "android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
+ "android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
+ "android.hardware.contexthub.IContextHub/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.drm.IDrmFactory/clearkey": EXCEPTION_NO_FUZZER,
+ "android.hardware.drm.ICryptoFactory/clearkey": EXCEPTION_NO_FUZZER,
+ "android.hardware.dumpstate.IDumpstateDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.fastboot.IFastboot/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.gatekeeper.IGatekeeper/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.gnss.IGnss/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.graphics.allocator.IAllocator/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.graphics.composer3.IComposer/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.health.storage.IStorage/default": EXCEPTION_NO_FUZZER,
"android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
- "android.hardware.identity.IIdentityCredentialStore/default": []string{},
- "android.hardware.input.processor.IInputProcessor/default": []string{},
- "android.hardware.ir.IConsumerIr/default": []string{},
- "android.hardware.light.ILights/default": []string{},
- "android.hardware.memtrack.IMemtrack/default": []string{},
- "android.hardware.net.nlinterceptor.IInterceptor/default": []string{},
- "android.hardware.nfc.INfc/default": []string{},
- "android.hardware.oemlock.IOemLock/default": []string{},
- "android.hardware.power.IPower/default": []string{},
- "android.hardware.power.stats.IPowerStats/default": []string{},
- "android.hardware.radio.config.IRadioConfig/default": []string{},
- "android.hardware.radio.data.IRadioData/slot1": []string{},
- "android.hardware.radio.data.IRadioData/slot2": []string{},
- "android.hardware.radio.data.IRadioData/slot3": []string{},
- "android.hardware.radio.ims.IRadioIms/slot1": []string{},
- "android.hardware.radio.ims.IRadioIms/slot2": []string{},
- "android.hardware.radio.ims.IRadioIms/slot3": []string{},
- "android.hardware.radio.ims.media.IImsMedia/default": []string{},
- "android.hardware.radio.messaging.IRadioMessaging/slot1": []string{},
- "android.hardware.radio.messaging.IRadioMessaging/slot2": []string{},
- "android.hardware.radio.messaging.IRadioMessaging/slot3": []string{},
- "android.hardware.radio.modem.IRadioModem/slot1": []string{},
- "android.hardware.radio.modem.IRadioModem/slot2": []string{},
- "android.hardware.radio.modem.IRadioModem/slot3": []string{},
- "android.hardware.radio.network.IRadioNetwork/slot1": []string{},
- "android.hardware.radio.network.IRadioNetwork/slot2": []string{},
- "android.hardware.radio.network.IRadioNetwork/slot3": []string{},
- "android.hardware.radio.sim.IRadioSim/slot1": []string{},
- "android.hardware.radio.sim.IRadioSim/slot2": []string{},
- "android.hardware.radio.sim.IRadioSim/slot3": []string{},
- "android.hardware.radio.voice.IRadioVoice/slot1": []string{},
- "android.hardware.radio.voice.IRadioVoice/slot2": []string{},
- "android.hardware.radio.voice.IRadioVoice/slot3": []string{},
- "android.hardware.rebootescrow.IRebootEscrow/default": []string{},
- "android.hardware.security.dice.IDiceDevice/default": []string{},
- "android.hardware.security.keymint.IKeyMintDevice/default": []string{},
- "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": []string{},
- "android.hardware.security.secureclock.ISecureClock/default": []string{},
- "android.hardware.security.sharedsecret.ISharedSecret/default": []string{},
- "android.hardware.sensors.ISensors/default": []string{},
- "android.hardware.soundtrigger3.ISoundTriggerHw/default": []string{},
- "android.hardware.thermal.IThermal/default": []string{},
- "android.hardware.tv.cec.IHdmiCec/default": []string{},
- "android.hardware.tv.hdmi.IHdmi/default": []string{},
- "android.hardware.tv.input.ITvInput/default": []string{},
- "android.hardware.tv.tuner.ITuner/default": []string{},
- "android.hardware.usb.IUsb/default": []string{},
- "android.hardware.usb.gadget.IUsbGadget/default": []string{},
- "android.hardware.uwb.IUwb/default": []string{},
- "android.hardware.vibrator.IVibrator/default": []string{},
+ "android.hardware.identity.IIdentityCredentialStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.oemlock.IOemLock/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.power.IPower/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.power.stats.IPowerStats/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.config.IRadioConfig/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.data.IRadioData/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.IRadioIms/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.ims.media.IImsMedia/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.messaging.IRadioMessaging/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.modem.IRadioModem/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.network.IRadioNetwork/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.voice.IRadioVoice/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.rebootescrow.IRebootEscrow/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.IHdmi/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.input.ITvInput/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.tuner.ITuner/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.usb.IUsb/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.usb.gadget.IUsbGadget/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.uwb.IUwb/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.vibrator.IVibrator/default": EXCEPTION_NO_FUZZER,
"android.hardware.vibrator.IVibratorManager/default": []string{"android.hardware.vibrator-service.example_fuzzer"},
- "android.hardware.weaver.IWeaver/default": []string{},
- "android.hardware.wifi.IWifi/default": []string{},
- "android.hardware.wifi.hostapd.IHostapd/default": []string{},
- "android.hardware.wifi.supplicant.ISupplicant/default": []string{},
- "android.frameworks.stats.IStats/default": []string{},
- "android.se.omapi.ISecureElementService/default": []string{},
- "android.system.keystore2.IKeystoreService/default": []string{},
- "android.system.net.netd.INetd/default": []string{},
- "android.system.suspend.ISystemSuspend/default": []string{},
- "accessibility": []string{},
- "account": []string{},
- "activity": []string{},
- "activity_task": []string{},
- "adb": []string{},
- "adservices_manager": []string{},
- "aidl_lazy_test_1": []string{},
- "aidl_lazy_test_2": []string{},
- "aidl_lazy_cb_test": []string{},
- "alarm": []string{},
- "android.hardware.automotive.evs.IEvsEnumerator/default": []string{},
- "android.os.UpdateEngineService": []string{},
- "android.os.UpdateEngineStableService": []string{},
- "android.frameworks.automotive.display.ICarDisplayProxy/default": []string{},
- "android.security.apc": []string{},
- "android.security.authorization": []string{},
- "android.security.compat": []string{},
- "android.security.dice.IDiceMaintenance": []string{},
- "android.security.dice.IDiceNode": []string{},
- "android.security.identity": []string{},
- "android.security.keystore": []string{},
- "android.security.legacykeystore": []string{},
- "android.security.maintenance": []string{},
- "android.security.metrics": []string{},
- "android.security.remoteprovisioning": []string{},
- "android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": []string{},
- "android.service.gatekeeper.IGateKeeperService": []string{},
- "android.system.composd": []string{},
- "android.system.virtualizationservice": []string{},
- "ambient_context": []string{},
- "app_binding": []string{},
- "app_hibernation": []string{},
- "app_integrity": []string{},
- "app_prediction": []string{},
- "app_search": []string{},
- "apexservice": []string{},
- "attestation_verification": []string{},
- "blob_store": []string{},
- "gsiservice": []string{},
- "appops": []string{},
- "appwidget": []string{},
- "artd": []string{},
- "assetatlas": []string{},
- "attention": []string{},
- "audio": []string{},
- "auth": []string{},
- "autofill": []string{},
- "background_install_control": []string{},
- "backup": []string{},
- "batteryproperties": []string{},
- "batterystats": []string{},
- "battery": []string{},
- "binder_calls_stats": []string{},
- "biometric": []string{},
- "bluetooth_manager": []string{},
- "bluetooth": []string{},
- "broadcastradio": []string{},
- "bugreport": []string{},
- "cacheinfo": []string{},
- "carrier_config": []string{},
- "clipboard": []string{},
- "cloudsearch": []string{},
- "cloudsearch_service": []string{},
- "com.android.net.IProxyService": []string{},
- "companiondevice": []string{},
- "communal": []string{},
- "platform_compat": []string{},
- "platform_compat_native": []string{},
- "connectivity": []string{},
- "connectivity_native": []string{},
- "connmetrics": []string{},
- "consumer_ir": []string{},
- "content": []string{},
- "content_capture": []string{},
- "content_suggestions": []string{},
- "contexthub": []string{},
- "country_detector": []string{},
- "coverage": []string{},
- "cpuinfo": []string{},
- "credential": []string{},
- "crossprofileapps": []string{},
- "dataloader_manager": []string{},
- "dbinfo": []string{},
- "device_config": []string{},
- "device_policy": []string{},
- "device_identifiers": []string{},
- "deviceidle": []string{},
- "device_lock": []string{},
- "device_state": []string{},
- "devicestoragemonitor": []string{},
- "diskstats": []string{},
- "display": []string{},
- "dnsresolver": []string{},
- "domain_verification": []string{},
- "color_display": []string{},
- "netd_listener": []string{},
- "network_watchlist": []string{},
- "DockObserver": []string{},
- "dreams": []string{},
- "drm.drmManager": []string{},
- "dropbox": []string{},
- "dumpstate": []string{},
- "dynamic_system": []string{},
- "econtroller": []string{},
- "emergency_affordance": []string{},
- "euicc_card_controller": []string{},
- "external_vibrator_service": []string{},
- "ethernet": []string{},
- "face": []string{},
- "file_integrity": []string{},
- "fingerprint": []string{},
- "font": []string{},
- "android.hardware.fingerprint.IFingerprintDaemon": []string{},
- "game": []string{},
- "gfxinfo": []string{},
- "gnss_time_update_service": []string{},
- "graphicsstats": []string{},
- "gpu": []string{},
- "hardware": []string{},
- "hardware_properties": []string{},
- "hdmi_control": []string{},
- "healthconnect": []string{},
- "ions": []string{},
- "idmap": []string{},
- "incident": []string{},
- "incidentcompanion": []string{},
- "inputflinger": []string{},
- "input_method": []string{},
- "input": []string{},
- "installd": []string{},
- "iphonesubinfo_msim": []string{},
- "iphonesubinfo2": []string{},
- "iphonesubinfo": []string{},
- "ims": []string{},
- "imms": []string{},
- "incremental": []string{},
- "ipsec": []string{},
- "ircsmessage": []string{},
- "iris": []string{},
- "isms_msim": []string{},
- "isms2": []string{},
- "isms": []string{},
- "isub": []string{},
- "jobscheduler": []string{},
- "launcherapps": []string{},
- "legacy_permission": []string{},
- "lights": []string{},
- "locale": []string{},
- "location": []string{},
- "location_time_zone_manager": []string{},
- "lock_settings": []string{},
- "logcat": []string{},
- "logd": []string{},
- "looper_stats": []string{},
- "lpdump_service": []string{},
- "mdns": []string{},
- "media.aaudio": []string{},
- "media.audio_flinger": []string{},
- "media.audio_policy": []string{},
- "media.camera": []string{},
- "media.camera.proxy": []string{},
- "media.log": []string{},
- "media.player": []string{},
- "media.metrics": []string{},
- "media.extractor": []string{},
- "media.transcoding": []string{},
- "media.resource_manager": []string{},
- "media.resource_observer": []string{},
- "media.sound_trigger_hw": []string{},
- "media.drm": []string{},
- "media.tuner": []string{},
- "media_communication": []string{},
- "media_metrics": []string{},
- "media_projection": []string{},
- "media_resource_monitor": []string{},
- "media_router": []string{},
- "media_session": []string{},
- "meminfo": []string{},
- "memtrack.proxy": []string{},
- "midi": []string{},
- "mount": []string{},
- "music_recognition": []string{},
- "nearby": []string{},
- "netd": []string{},
- "netpolicy": []string{},
- "netstats": []string{},
- "network_stack": []string{},
- "network_management": []string{},
- "network_score": []string{},
- "network_time_update_service": []string{},
- "nfc": []string{},
- "notification": []string{},
- "oem_lock": []string{},
- "otadexopt": []string{},
- "overlay": []string{},
- "pac_proxy": []string{},
- "package": []string{},
- "package_native": []string{},
- "people": []string{},
- "performance_hint": []string{},
- "permission": []string{},
- "permissionmgr": []string{},
- "permission_checker": []string{},
- "persistent_data_block": []string{},
- "phone_msim": []string{},
- "phone1": []string{},
- "phone2": []string{},
- "phone": []string{},
- "pinner": []string{},
- "powerstats": []string{},
- "power": []string{},
- "print": []string{},
- "processinfo": []string{},
- "procstats": []string{},
- "profcollectd": []string{},
- "radio.phonesubinfo": []string{},
- "radio.phone": []string{},
- "radio.sms": []string{},
- "rcs": []string{},
- "reboot_readiness": []string{},
- "recovery": []string{},
- "resolver": []string{},
- "resources": []string{},
- "restrictions": []string{},
- "rkpd.registrar": []string{},
- "rkpd.refresh": []string{},
- "role": []string{},
- "rollback": []string{},
- "rttmanager": []string{},
- "runtime": []string{},
- "safety_center": []string{},
- "samplingprofiler": []string{},
- "scheduling_policy": []string{},
- "search": []string{},
- "search_ui": []string{},
- "secure_element": []string{},
- "sec_key_att_app_id_provider": []string{},
- "selection_toolbar": []string{},
- "sensorservice": []string{},
- "sensor_privacy": []string{},
- "serial": []string{},
- "servicediscovery": []string{},
+ "android.hardware.weaver.IWeaver/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.IWifi/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.sensorservice.ISensorManager/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
+ "android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
+ "android.system.keystore2.IKeystoreService/default": EXCEPTION_NO_FUZZER,
+ "android.system.net.netd.INetd/default": EXCEPTION_NO_FUZZER,
+ "android.system.suspend.ISystemSuspend/default": EXCEPTION_NO_FUZZER,
+ "accessibility": EXCEPTION_NO_FUZZER,
+ "account": EXCEPTION_NO_FUZZER,
+ "activity": EXCEPTION_NO_FUZZER,
+ "activity_task": EXCEPTION_NO_FUZZER,
+ "adb": EXCEPTION_NO_FUZZER,
+ "adservices_manager": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_test_1": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_test_2": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_cb_test": EXCEPTION_NO_FUZZER,
+ "alarm": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.evs.IEvsEnumerator/default": EXCEPTION_NO_FUZZER,
+ "android.os.UpdateEngineService": EXCEPTION_NO_FUZZER,
+ "android.os.UpdateEngineStableService": EXCEPTION_NO_FUZZER,
+ "android.frameworks.automotive.display.ICarDisplayProxy/default": EXCEPTION_NO_FUZZER,
+ "android.security.apc": EXCEPTION_NO_FUZZER,
+ "android.security.authorization": EXCEPTION_NO_FUZZER,
+ "android.security.compat": EXCEPTION_NO_FUZZER,
+ "android.security.dice.IDiceMaintenance": EXCEPTION_NO_FUZZER,
+ "android.security.dice.IDiceNode": EXCEPTION_NO_FUZZER,
+ "android.security.identity": EXCEPTION_NO_FUZZER,
+ "android.security.keystore": EXCEPTION_NO_FUZZER,
+ "android.security.legacykeystore": EXCEPTION_NO_FUZZER,
+ "android.security.maintenance": EXCEPTION_NO_FUZZER,
+ "android.security.metrics": EXCEPTION_NO_FUZZER,
+ "android.security.remoteprovisioning": EXCEPTION_NO_FUZZER,
+ "android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": EXCEPTION_NO_FUZZER,
+ "android.service.gatekeeper.IGateKeeperService": EXCEPTION_NO_FUZZER,
+ "android.system.composd": EXCEPTION_NO_FUZZER,
+ "android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
+ "ambient_context": EXCEPTION_NO_FUZZER,
+ "app_binding": EXCEPTION_NO_FUZZER,
+ "app_hibernation": EXCEPTION_NO_FUZZER,
+ "app_integrity": EXCEPTION_NO_FUZZER,
+ "app_prediction": EXCEPTION_NO_FUZZER,
+ "app_search": EXCEPTION_NO_FUZZER,
+ "apexservice": EXCEPTION_NO_FUZZER,
+ "attestation_verification": EXCEPTION_NO_FUZZER,
+ "blob_store": EXCEPTION_NO_FUZZER,
+ "gsiservice": EXCEPTION_NO_FUZZER,
+ "appops": EXCEPTION_NO_FUZZER,
+ "appwidget": EXCEPTION_NO_FUZZER,
+ "artd": EXCEPTION_NO_FUZZER,
+ "assetatlas": EXCEPTION_NO_FUZZER,
+ "attention": EXCEPTION_NO_FUZZER,
+ "audio": EXCEPTION_NO_FUZZER,
+ "auth": EXCEPTION_NO_FUZZER,
+ "autofill": EXCEPTION_NO_FUZZER,
+ "background_install_control": EXCEPTION_NO_FUZZER,
+ "backup": EXCEPTION_NO_FUZZER,
+ "batteryproperties": EXCEPTION_NO_FUZZER,
+ "batterystats": EXCEPTION_NO_FUZZER,
+ "battery": EXCEPTION_NO_FUZZER,
+ "binder_calls_stats": EXCEPTION_NO_FUZZER,
+ "biometric": EXCEPTION_NO_FUZZER,
+ "bluetooth_manager": EXCEPTION_NO_FUZZER,
+ "bluetooth": EXCEPTION_NO_FUZZER,
+ "broadcastradio": EXCEPTION_NO_FUZZER,
+ "bugreport": EXCEPTION_NO_FUZZER,
+ "cacheinfo": EXCEPTION_NO_FUZZER,
+ "carrier_config": EXCEPTION_NO_FUZZER,
+ "clipboard": EXCEPTION_NO_FUZZER,
+ "cloudsearch": EXCEPTION_NO_FUZZER,
+ "cloudsearch_service": EXCEPTION_NO_FUZZER,
+ "com.android.net.IProxyService": EXCEPTION_NO_FUZZER,
+ "companiondevice": EXCEPTION_NO_FUZZER,
+ "communal": EXCEPTION_NO_FUZZER,
+ "platform_compat": EXCEPTION_NO_FUZZER,
+ "platform_compat_native": EXCEPTION_NO_FUZZER,
+ "connectivity": EXCEPTION_NO_FUZZER,
+ "connectivity_native": EXCEPTION_NO_FUZZER,
+ "connmetrics": EXCEPTION_NO_FUZZER,
+ "consumer_ir": EXCEPTION_NO_FUZZER,
+ "content": EXCEPTION_NO_FUZZER,
+ "content_capture": EXCEPTION_NO_FUZZER,
+ "content_suggestions": EXCEPTION_NO_FUZZER,
+ "contexthub": EXCEPTION_NO_FUZZER,
+ "country_detector": EXCEPTION_NO_FUZZER,
+ "coverage": EXCEPTION_NO_FUZZER,
+ "cpuinfo": EXCEPTION_NO_FUZZER,
+ "credential": EXCEPTION_NO_FUZZER,
+ "crossprofileapps": EXCEPTION_NO_FUZZER,
+ "dataloader_manager": EXCEPTION_NO_FUZZER,
+ "dbinfo": EXCEPTION_NO_FUZZER,
+ "device_config": EXCEPTION_NO_FUZZER,
+ "device_policy": EXCEPTION_NO_FUZZER,
+ "device_identifiers": EXCEPTION_NO_FUZZER,
+ "deviceidle": EXCEPTION_NO_FUZZER,
+ "device_lock": EXCEPTION_NO_FUZZER,
+ "device_state": EXCEPTION_NO_FUZZER,
+ "devicestoragemonitor": EXCEPTION_NO_FUZZER,
+ "diskstats": EXCEPTION_NO_FUZZER,
+ "display": EXCEPTION_NO_FUZZER,
+ "dnsresolver": EXCEPTION_NO_FUZZER,
+ "domain_verification": EXCEPTION_NO_FUZZER,
+ "color_display": EXCEPTION_NO_FUZZER,
+ "netd_listener": EXCEPTION_NO_FUZZER,
+ "network_watchlist": EXCEPTION_NO_FUZZER,
+ "DockObserver": EXCEPTION_NO_FUZZER,
+ "dreams": EXCEPTION_NO_FUZZER,
+ "drm.drmManager": EXCEPTION_NO_FUZZER,
+ "dropbox": EXCEPTION_NO_FUZZER,
+ "dumpstate": EXCEPTION_NO_FUZZER,
+ "dynamic_system": EXCEPTION_NO_FUZZER,
+ "econtroller": EXCEPTION_NO_FUZZER,
+ "emergency_affordance": EXCEPTION_NO_FUZZER,
+ "euicc_card_controller": EXCEPTION_NO_FUZZER,
+ "external_vibrator_service": EXCEPTION_NO_FUZZER,
+ "ethernet": EXCEPTION_NO_FUZZER,
+ "face": EXCEPTION_NO_FUZZER,
+ "file_integrity": EXCEPTION_NO_FUZZER,
+ "fingerprint": EXCEPTION_NO_FUZZER,
+ "font": EXCEPTION_NO_FUZZER,
+ "android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
+ "game": EXCEPTION_NO_FUZZER,
+ "gfxinfo": EXCEPTION_NO_FUZZER,
+ "gnss_time_update_service": EXCEPTION_NO_FUZZER,
+ "graphicsstats": EXCEPTION_NO_FUZZER,
+ "gpu": EXCEPTION_NO_FUZZER,
+ "hardware": EXCEPTION_NO_FUZZER,
+ "hardware_properties": EXCEPTION_NO_FUZZER,
+ "hdmi_control": EXCEPTION_NO_FUZZER,
+ "healthconnect": EXCEPTION_NO_FUZZER,
+ "ions": EXCEPTION_NO_FUZZER,
+ "idmap": EXCEPTION_NO_FUZZER,
+ "incident": EXCEPTION_NO_FUZZER,
+ "incidentcompanion": EXCEPTION_NO_FUZZER,
+ "inputflinger": EXCEPTION_NO_FUZZER,
+ "input_method": EXCEPTION_NO_FUZZER,
+ "input": EXCEPTION_NO_FUZZER,
+ "installd": EXCEPTION_NO_FUZZER,
+ "iphonesubinfo_msim": EXCEPTION_NO_FUZZER,
+ "iphonesubinfo2": EXCEPTION_NO_FUZZER,
+ "iphonesubinfo": EXCEPTION_NO_FUZZER,
+ "ims": EXCEPTION_NO_FUZZER,
+ "imms": EXCEPTION_NO_FUZZER,
+ "incremental": EXCEPTION_NO_FUZZER,
+ "ipsec": EXCEPTION_NO_FUZZER,
+ "ircsmessage": EXCEPTION_NO_FUZZER,
+ "iris": EXCEPTION_NO_FUZZER,
+ "isms_msim": EXCEPTION_NO_FUZZER,
+ "isms2": EXCEPTION_NO_FUZZER,
+ "isms": EXCEPTION_NO_FUZZER,
+ "isub": EXCEPTION_NO_FUZZER,
+ "jobscheduler": EXCEPTION_NO_FUZZER,
+ "launcherapps": EXCEPTION_NO_FUZZER,
+ "legacy_permission": EXCEPTION_NO_FUZZER,
+ "lights": EXCEPTION_NO_FUZZER,
+ "locale": EXCEPTION_NO_FUZZER,
+ "location": EXCEPTION_NO_FUZZER,
+ "location_time_zone_manager": EXCEPTION_NO_FUZZER,
+ "lock_settings": EXCEPTION_NO_FUZZER,
+ "logcat": EXCEPTION_NO_FUZZER,
+ "logd": EXCEPTION_NO_FUZZER,
+ "looper_stats": EXCEPTION_NO_FUZZER,
+ "lpdump_service": EXCEPTION_NO_FUZZER,
+ "mdns": EXCEPTION_NO_FUZZER,
+ "media.aaudio": EXCEPTION_NO_FUZZER,
+ "media.audio_flinger": EXCEPTION_NO_FUZZER,
+ "media.audio_policy": EXCEPTION_NO_FUZZER,
+ "media.camera": EXCEPTION_NO_FUZZER,
+ "media.camera.proxy": EXCEPTION_NO_FUZZER,
+ "media.log": EXCEPTION_NO_FUZZER,
+ "media.player": EXCEPTION_NO_FUZZER,
+ "media.metrics": EXCEPTION_NO_FUZZER,
+ "media.extractor": EXCEPTION_NO_FUZZER,
+ "media.transcoding": EXCEPTION_NO_FUZZER,
+ "media.resource_manager": EXCEPTION_NO_FUZZER,
+ "media.resource_observer": EXCEPTION_NO_FUZZER,
+ "media.sound_trigger_hw": EXCEPTION_NO_FUZZER,
+ "media.drm": EXCEPTION_NO_FUZZER,
+ "media.tuner": EXCEPTION_NO_FUZZER,
+ "media_communication": EXCEPTION_NO_FUZZER,
+ "media_metrics": EXCEPTION_NO_FUZZER,
+ "media_projection": EXCEPTION_NO_FUZZER,
+ "media_resource_monitor": EXCEPTION_NO_FUZZER,
+ "media_router": EXCEPTION_NO_FUZZER,
+ "media_session": EXCEPTION_NO_FUZZER,
+ "meminfo": EXCEPTION_NO_FUZZER,
+ "memtrack.proxy": EXCEPTION_NO_FUZZER,
+ "midi": EXCEPTION_NO_FUZZER,
+ "mount": EXCEPTION_NO_FUZZER,
+ "music_recognition": EXCEPTION_NO_FUZZER,
+ "nearby": EXCEPTION_NO_FUZZER,
+ "netd": EXCEPTION_NO_FUZZER,
+ "netpolicy": EXCEPTION_NO_FUZZER,
+ "netstats": EXCEPTION_NO_FUZZER,
+ "network_stack": EXCEPTION_NO_FUZZER,
+ "network_management": EXCEPTION_NO_FUZZER,
+ "network_score": EXCEPTION_NO_FUZZER,
+ "network_time_update_service": EXCEPTION_NO_FUZZER,
+ "nfc": EXCEPTION_NO_FUZZER,
+ "notification": EXCEPTION_NO_FUZZER,
+ "oem_lock": EXCEPTION_NO_FUZZER,
+ "otadexopt": EXCEPTION_NO_FUZZER,
+ "overlay": EXCEPTION_NO_FUZZER,
+ "pac_proxy": EXCEPTION_NO_FUZZER,
+ "package": EXCEPTION_NO_FUZZER,
+ "package_native": EXCEPTION_NO_FUZZER,
+ "people": EXCEPTION_NO_FUZZER,
+ "performance_hint": EXCEPTION_NO_FUZZER,
+ "permission": EXCEPTION_NO_FUZZER,
+ "permissionmgr": EXCEPTION_NO_FUZZER,
+ "permission_checker": EXCEPTION_NO_FUZZER,
+ "persistent_data_block": EXCEPTION_NO_FUZZER,
+ "phone_msim": EXCEPTION_NO_FUZZER,
+ "phone1": EXCEPTION_NO_FUZZER,
+ "phone2": EXCEPTION_NO_FUZZER,
+ "phone": EXCEPTION_NO_FUZZER,
+ "pinner": EXCEPTION_NO_FUZZER,
+ "powerstats": EXCEPTION_NO_FUZZER,
+ "power": EXCEPTION_NO_FUZZER,
+ "print": EXCEPTION_NO_FUZZER,
+ "processinfo": EXCEPTION_NO_FUZZER,
+ "procstats": EXCEPTION_NO_FUZZER,
+ "profcollectd": EXCEPTION_NO_FUZZER,
+ "radio.phonesubinfo": EXCEPTION_NO_FUZZER,
+ "radio.phone": EXCEPTION_NO_FUZZER,
+ "radio.sms": EXCEPTION_NO_FUZZER,
+ "rcs": EXCEPTION_NO_FUZZER,
+ "reboot_readiness": EXCEPTION_NO_FUZZER,
+ "recovery": EXCEPTION_NO_FUZZER,
+ "resolver": EXCEPTION_NO_FUZZER,
+ "resources": EXCEPTION_NO_FUZZER,
+ "restrictions": EXCEPTION_NO_FUZZER,
+ "rkpd.registrar": EXCEPTION_NO_FUZZER,
+ "rkpd.refresh": EXCEPTION_NO_FUZZER,
+ "role": EXCEPTION_NO_FUZZER,
+ "rollback": EXCEPTION_NO_FUZZER,
+ "rttmanager": EXCEPTION_NO_FUZZER,
+ "runtime": EXCEPTION_NO_FUZZER,
+ "safety_center": EXCEPTION_NO_FUZZER,
+ "samplingprofiler": EXCEPTION_NO_FUZZER,
+ "scheduling_policy": EXCEPTION_NO_FUZZER,
+ "search": EXCEPTION_NO_FUZZER,
+ "search_ui": EXCEPTION_NO_FUZZER,
+ "secure_element": EXCEPTION_NO_FUZZER,
+ "sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
+ "selection_toolbar": EXCEPTION_NO_FUZZER,
+ "sensorservice": EXCEPTION_NO_FUZZER,
+ "sensor_privacy": EXCEPTION_NO_FUZZER,
+ "serial": EXCEPTION_NO_FUZZER,
+ "servicediscovery": EXCEPTION_NO_FUZZER,
"manager": []string{"servicemanager_fuzzer"},
- "settings": []string{},
- "shortcut": []string{},
- "simphonebook_msim": []string{},
- "simphonebook2": []string{},
- "simphonebook": []string{},
- "sip": []string{},
- "slice": []string{},
- "smartspace": []string{},
- "speech_recognition": []string{},
- "stats": []string{},
- "statsbootstrap": []string{},
- "statscompanion": []string{},
- "statsmanager": []string{},
- "soundtrigger": []string{},
- "soundtrigger_middleware": []string{},
- "statusbar": []string{},
- "storaged": []string{},
- "storaged_pri": []string{},
- "storagestats": []string{},
- "sdk_sandbox": []string{},
- "SurfaceFlinger": []string{},
- "SurfaceFlingerAIDL": []string{},
- "suspend_control": []string{},
- "suspend_control_internal": []string{},
- "system_config": []string{},
- "system_server_dumper": []string{},
- "system_update": []string{},
- "tare": []string{},
- "task": []string{},
- "telecom": []string{},
- "telephony.registry": []string{},
- "telephony_ims": []string{},
- "testharness": []string{},
- "tethering": []string{},
- "textclassification": []string{},
- "textservices": []string{},
- "texttospeech": []string{},
- "time_detector": []string{},
- "time_zone_detector": []string{},
- "thermalservice": []string{},
- "tracing.proxy": []string{},
- "translation": []string{},
- "transparency": []string{},
- "trust": []string{},
- "tv_interactive_app": []string{},
- "tv_input": []string{},
- "tv_tuner_resource_mgr": []string{},
- "uce": []string{},
- "uimode": []string{},
- "updatelock": []string{},
- "uri_grants": []string{},
- "usagestats": []string{},
- "usb": []string{},
- "user": []string{},
- "uwb": []string{},
- "vcn_management": []string{},
- "vibrator": []string{},
- "vibrator_manager": []string{},
- "virtualdevice": []string{},
- "virtual_touchpad": []string{},
- "voiceinteraction": []string{},
- "vold": []string{},
- "vpn_management": []string{},
- "vrmanager": []string{},
- "wallpaper": []string{},
- "wallpaper_effects_generation": []string{},
- "webviewupdate": []string{},
- "wifip2p": []string{},
- "wifiscanner": []string{},
- "wifi": []string{},
- "wifinl80211": []string{},
- "wifiaware": []string{},
- "wifirtt": []string{},
- "window": []string{},
- "*": []string{},
+ "settings": EXCEPTION_NO_FUZZER,
+ "shortcut": EXCEPTION_NO_FUZZER,
+ "simphonebook_msim": EXCEPTION_NO_FUZZER,
+ "simphonebook2": EXCEPTION_NO_FUZZER,
+ "simphonebook": EXCEPTION_NO_FUZZER,
+ "sip": EXCEPTION_NO_FUZZER,
+ "slice": EXCEPTION_NO_FUZZER,
+ "smartspace": EXCEPTION_NO_FUZZER,
+ "speech_recognition": EXCEPTION_NO_FUZZER,
+ "stats": EXCEPTION_NO_FUZZER,
+ "statsbootstrap": EXCEPTION_NO_FUZZER,
+ "statscompanion": EXCEPTION_NO_FUZZER,
+ "statsmanager": EXCEPTION_NO_FUZZER,
+ "soundtrigger": EXCEPTION_NO_FUZZER,
+ "soundtrigger_middleware": EXCEPTION_NO_FUZZER,
+ "statusbar": EXCEPTION_NO_FUZZER,
+ "storaged": EXCEPTION_NO_FUZZER,
+ "storaged_pri": EXCEPTION_NO_FUZZER,
+ "storagestats": EXCEPTION_NO_FUZZER,
+ "sdk_sandbox": EXCEPTION_NO_FUZZER,
+ "SurfaceFlinger": EXCEPTION_NO_FUZZER,
+ "SurfaceFlingerAIDL": EXCEPTION_NO_FUZZER,
+ "suspend_control": EXCEPTION_NO_FUZZER,
+ "suspend_control_internal": EXCEPTION_NO_FUZZER,
+ "system_config": EXCEPTION_NO_FUZZER,
+ "system_server_dumper": EXCEPTION_NO_FUZZER,
+ "system_update": EXCEPTION_NO_FUZZER,
+ "tare": EXCEPTION_NO_FUZZER,
+ "task": EXCEPTION_NO_FUZZER,
+ "telecom": EXCEPTION_NO_FUZZER,
+ "telephony.registry": EXCEPTION_NO_FUZZER,
+ "telephony_ims": EXCEPTION_NO_FUZZER,
+ "testharness": EXCEPTION_NO_FUZZER,
+ "tethering": EXCEPTION_NO_FUZZER,
+ "textclassification": EXCEPTION_NO_FUZZER,
+ "textservices": EXCEPTION_NO_FUZZER,
+ "texttospeech": EXCEPTION_NO_FUZZER,
+ "time_detector": EXCEPTION_NO_FUZZER,
+ "time_zone_detector": EXCEPTION_NO_FUZZER,
+ "thermalservice": EXCEPTION_NO_FUZZER,
+ "tracing.proxy": EXCEPTION_NO_FUZZER,
+ "translation": EXCEPTION_NO_FUZZER,
+ "transparency": EXCEPTION_NO_FUZZER,
+ "trust": EXCEPTION_NO_FUZZER,
+ "tv_interactive_app": EXCEPTION_NO_FUZZER,
+ "tv_input": EXCEPTION_NO_FUZZER,
+ "tv_tuner_resource_mgr": EXCEPTION_NO_FUZZER,
+ "uce": EXCEPTION_NO_FUZZER,
+ "uimode": EXCEPTION_NO_FUZZER,
+ "updatelock": EXCEPTION_NO_FUZZER,
+ "uri_grants": EXCEPTION_NO_FUZZER,
+ "usagestats": EXCEPTION_NO_FUZZER,
+ "usb": EXCEPTION_NO_FUZZER,
+ "user": EXCEPTION_NO_FUZZER,
+ "uwb": EXCEPTION_NO_FUZZER,
+ "vcn_management": EXCEPTION_NO_FUZZER,
+ "vibrator": EXCEPTION_NO_FUZZER,
+ "vibrator_manager": EXCEPTION_NO_FUZZER,
+ "virtualdevice": EXCEPTION_NO_FUZZER,
+ "virtual_touchpad": EXCEPTION_NO_FUZZER,
+ "voiceinteraction": EXCEPTION_NO_FUZZER,
+ "vold": EXCEPTION_NO_FUZZER,
+ "vpn_management": EXCEPTION_NO_FUZZER,
+ "vrmanager": EXCEPTION_NO_FUZZER,
+ "wallpaper": EXCEPTION_NO_FUZZER,
+ "wallpaper_effects_generation": EXCEPTION_NO_FUZZER,
+ "webviewupdate": EXCEPTION_NO_FUZZER,
+ "wifip2p": EXCEPTION_NO_FUZZER,
+ "wifiscanner": EXCEPTION_NO_FUZZER,
+ "wifi": EXCEPTION_NO_FUZZER,
+ "wifinl80211": EXCEPTION_NO_FUZZER,
+ "wifiaware": EXCEPTION_NO_FUZZER,
+ "wifirtt": EXCEPTION_NO_FUZZER,
+ "window": EXCEPTION_NO_FUZZER,
+ "*": EXCEPTION_NO_FUZZER,
}
)
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
index 8ec131c..c9d7647 100644
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@@ -17,3 +17,6 @@
# Write to /dev/kmsg.
allow compos_key_helper kmsg_device:chr_file rw_file_perms;
+
+# Communicate with microdroid manager to get DICE information
+unix_socket_connect(compos_key_helper, vm_payload_service, microdroid_manager)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 7968ff3..15f56c1 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -73,6 +73,8 @@
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
+/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
index c0ab735..8d40986 100644
--- a/microdroid/system/private/kexec.te
+++ b/microdroid/system/private/kexec.te
@@ -10,3 +10,6 @@
# allow kexec to have SYS_BOOT
allow kexec self:capability sys_boot;
+
+# allow kexec to write kmsg_debug
+allow kexec kmsg_debug_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index ac92f38..5996b55 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -48,6 +48,9 @@
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+# Let microdroid_manager listen/accept from the host for stdio proxy
+allow microdroid_manager self:vsock_socket { listen accept };
+
# microdroid_manager is using bootstrap bionic
use_bootstrap_libs(microdroid_manager)
@@ -111,6 +114,9 @@
# Allow microdroid_manager to handle extra_apks
allow microdroid_manager extra_apk_file:dir create_dir_perms;
+# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
+allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
+
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 851a85a..b0501e9 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,8 +27,16 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Allow microdroid_payload to open binder servers via vsock.
-allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+# Allow microdroid_payload to host binder servers via vsock. Listening
+# for connections from the host is permitted, but connecting out to
+# the host is not. Inbound connections are mediated by
+# virtualiationservice which ensures a process can only connect to a
+# VM that it owns.
+allow microdroid_payload self:vsock_socket {
+ create listen accept read getattr write setattr lock append bind
+ getopt setopt shutdown map
+};
+neverallow microdroid_payload self:vsock_socket connect;
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
@@ -41,6 +49,9 @@
allow microdroid_payload authfs_binder_service:service_manager find;
binder_call(microdroid_payload, authfs_service);
+# Allow payload to communicate with authfs_service
+unix_socket_connect(microdroid_payload, authfs_service, authfs_service)
+
# Allow locating the authfs mount directory.
allow microdroid_payload authfs_data_file:dir search;
@@ -51,3 +62,6 @@
# Allow use of virtual_machine_payload_service.
allow microdroid_payload vm_payload_binder_service:service_manager find;
binder_call(microdroid_payload, microdroid_manager)
+
+# Allow payload to communicate with microdroid manager
+unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 47d29aa..46ead43 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -5,6 +5,7 @@
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
type authfs_data_file, file_type, data_file_type, core_data_file_type;
+type authfs_service_socket, file_type, coredomain_socket;
type cgroup_desc_api_file, file_type, system_file_type;
type cgroup_desc_file, file_type, system_file_type;
type cgroup_rc_file, file_type;
@@ -43,6 +44,7 @@
type vendor_data_file, file_type, data_file_type;
type vendor_file, file_type, vendor_file_type;
type vendor_service_contexts_file, vendor_file_type, file_type;
+type vm_payload_service_socket, file_type, coredomain_socket;
# file system types
type binderfs, fs_type;
diff --git a/private/app.te b/private/app.te
index 005a078..ae8b206 100644
--- a/private/app.te
+++ b/private/app.te
@@ -52,6 +52,12 @@
get_prop(appdomain, device_config_runtime_native_prop)
get_prop(appdomain, device_config_runtime_native_boot_prop)
+# Allow to read ro.vendor.camera.extensions.enabled
+get_prop(appdomain, camera2_extensions_prop)
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
+
userdebug_or_eng(`perfetto_producer({ appdomain })')
# Prevent apps from causing presubmit failures.
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a5d5f98..48c8eb4 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,12 +5,14 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adaptive_haptics_prop
apex_ready_prop
artd
credential_service
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
devicelock_service
+ fwk_sensor_service
hal_bootctl_service
hal_cas_service
hal_remoteaccess_service
@@ -22,8 +24,10 @@
hal_wifi_service
healthconnect_service
keystore_config_prop
+ ntfs
permissive_mte_prop
prng_seeder
+ rkpdapp
servicemanager_prop
system_net_netd_service
timezone_metadata_prop
@@ -34,4 +38,5 @@
hal_gatekeeper_service
hal_broadcastradio_service
hal_confirmationui_service
+ hal_fastboot_service
))
diff --git a/private/crosvm.te b/private/crosvm.te
index 5971b91..9c45131 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -10,9 +10,6 @@
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
-# Let crosvm mlock VM memory and page tables.
-allow crosvm self:capability ipc_lock;
-
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
diff --git a/private/domain.te b/private/domain.te
index 60303ff..65e2029 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -101,6 +101,48 @@
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
+# Public readable properties
+get_prop(domain, aaudio_config_prop)
+get_prop(domain, apexd_select_prop)
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_odm_prop)
+get_prop(domain, build_prop)
+get_prop(domain, build_vendor_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
+get_prop(domain, gwp_asan_prop)
+get_prop(domain, hal_instrumentation_prop)
+get_prop(domain, hw_timeout_multiplier_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, locale_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, surfaceflinger_prop)
+get_prop(domain, telephony_status_prop)
+get_prop(domain, timezone_prop)
+get_prop({domain - untrusted_app_all }, userdebug_or_eng_prop)
+get_prop(domain, vendor_socket_hook_prop)
+get_prop(domain, vndk_prop)
+get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
+
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
+get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
+
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
diff --git a/private/fastbootd.te b/private/fastbootd.te
index c33e044..d93ee42 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -45,6 +45,9 @@
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
+ # Let this domain use the hal fastboot service
+ binder_use(fastbootd)
+ hal_client_domain(fastbootd, hal_fastboot)
')
# io_uring_setup needs ipc_lock and permission to operate anon inodes
diff --git a/private/file_contexts b/private/file_contexts
index 4deecf7..72fae62 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -230,6 +230,7 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6578470..29d8561 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -385,6 +385,7 @@
genfscon vfat / u:object_r:vfat:s0
genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
diff --git a/private/init.te b/private/init.te
index f03a138..2fd2940 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
domain_trans(init, rootfs, hal_bootctl_server)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
+ domain_trans(init, rootfs, hal_fastboot_server)
domain_trans(init, rootfs, hal_health_server)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
diff --git a/private/property_contexts b/private/property_contexts
index d1a4ecf..b8503bd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -564,6 +564,8 @@
bluetooth.core.le.inquiry_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.inquiry_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -1436,19 +1438,34 @@
# properties for the virtual Fingerprint HAL
persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_location u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.sensor_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_strength u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.max_enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.navigation_guesture u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.detect_interaction u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.display_touch u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.control_illumination u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_enable u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_timed_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_timed_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_permanent_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
# properties for tuner
ro.tuner.lazyhal u:object_r:tuner_config_prop:s0 exact bool
tuner.server.enable u:object_r:tuner_server_ctl_prop:s0 exact bool
+
+# Adaptive haptics settings property
+vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
new file mode 100644
index 0000000..535f324
--- /dev/null
+++ b/private/rkpd_app.te
@@ -0,0 +1,20 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+typeattribute rkpdapp coredomain;
+
+app_domain(rkpdapp)
+
+# RKPD needs to be able to call the remote provisioning HALs
+hal_client_domain(rkpdapp, hal_keymint)
+
+# Grant access to certain system properties related to RKP
+get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+
+# Grant access to the normal services that are available to all apps
+allow rkpdapp app_api_service:service_manager find;
+
+# Grant access to statsd
+allow rkpdapp statsmanager_service:service_manager find;
+binder_call(rkpdapp, statsd)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index b26d977..81563a5 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -164,6 +164,7 @@
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 2b9e88f..562e3d4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,5 @@
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
+android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
android.hardware.audio.effect.IFactory/default u:object_r:hal_audio_service:s0
@@ -24,6 +25,7 @@
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
+android.hardware.fastboot.IFastboot/default u:object_r:hal_fastboot_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
diff --git a/private/shell.te b/private/shell.te
index c20e612..02105a9 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -121,6 +121,9 @@
allow shell profcollectd:binder call;
')
+# Allow shell to run remount command.
+allow shell remount_exec:file rx_file_perms;
+
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
allow shell self:perf_event { open read write kernel };
@@ -181,6 +184,9 @@
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)
+# Allow shell to execute the remote key provisioning factory tool
+binder_call(shell, hal_keymint)
+
# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)
diff --git a/private/stats.te b/private/stats.te
index db29072..c784145 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -47,6 +47,7 @@
-mediametrics
-platform_app
-priv_app
+ -rkpdapp
-shell
-stats
-statsd
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index dbb5507..26c781b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -132,6 +132,9 @@
# Allow to use files supplied by hal_evs
allow surfaceflinger hal_evs:fd use;
+# Allow to use release fence fds supplied by hal_camera
+allow surfaceflinger hal_camera:fd use;
+
# Allow pushing jank event atoms to statsd
userdebug_or_eng(`
unix_socket_send(surfaceflinger, statsdw, statsd)
diff --git a/private/system_app.te b/private/system_app.te
index 61d3b5d..3b92c0f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, adaptive_haptics_prop)
set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
@@ -192,3 +193,6 @@
# bug reports, but not reads.
neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
neverallow system_app shell_data_file:file { open read ioctl lock };
+
+# system_app should be the only domain writing the adaptive haptics prop
+neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
diff --git a/private/system_server.te b/private/system_server.te
index 6186a32..3a7dd8a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1217,8 +1217,8 @@
# Font files are written by system server
allow system_server font_data_file:file create_file_perms;
allow system_server font_data_file:dir create_dir_perms;
-# Allow system process to setup fs-verity for font files
-allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+# Allow system process to setup and measure fs-verity for font files
+allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };
# Read qemu.hw.mainkeys property
get_prop(system_server, qemu_hw_prop)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3e057fe..46871b7 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,6 +22,9 @@
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+allow virtualizationservice self:capability sys_resource;
+
# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;
@@ -81,6 +84,9 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationservice, crosvm);
+
neverallow {
domain
-init
diff --git a/public/app.te b/public/app.te
index de3d0ca..9ce0255 100644
--- a/public/app.te
+++ b/public/app.te
@@ -233,9 +233,3 @@
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
-
-# Allow to read ro.vendor.camera.extensions.enabled
-get_prop(appdomain, camera2_extensions_prop)
-
-# Allow to ro.camerax.extensions.enabled
-get_prop(appdomain, camerax_extensions_prop)
diff --git a/public/attributes b/public/attributes
index 121adc0..ae610e6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -338,6 +338,7 @@
hal_attribute(dumpstate);
hal_attribute(evs);
hal_attribute(face);
+hal_attribute(fastboot);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
diff --git a/public/domain.te b/public/domain.te
index f9e4c46..217738d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -101,48 +101,6 @@
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;
-# Public readable properties
-get_prop(domain, aaudio_config_prop)
-get_prop(domain, apexd_select_prop)
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bluetooth_config_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_odm_prop)
-get_prop(domain, build_prop)
-get_prop(domain, build_vendor_prop)
-get_prop(domain, debug_prop)
-get_prop(domain, exported_config_prop)
-get_prop(domain, exported_default_prop)
-get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_secure_prop)
-get_prop(domain, exported_system_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, framework_status_prop)
-get_prop(domain, gwp_asan_prop)
-get_prop(domain, hal_instrumentation_prop)
-get_prop(domain, hw_timeout_multiplier_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
-get_prop(domain, locale_prop)
-get_prop(domain, logd_prop)
-get_prop(domain, mediadrm_config_prop)
-get_prop(domain, property_service_version_prop)
-get_prop(domain, soc_prop)
-get_prop(domain, socket_hook_prop)
-get_prop(domain, surfaceflinger_prop)
-get_prop(domain, telephony_status_prop)
-get_prop(domain, timezone_prop)
-get_prop({domain - untrusted_app_all }, userdebug_or_eng_prop)
-get_prop(domain, vendor_socket_hook_prop)
-get_prop(domain, vndk_prop)
-get_prop(domain, vold_status_prop)
-get_prop(domain, vts_config_prop)
-
-# Binder cache properties are world-readable
-get_prop(domain, binder_cache_bluetooth_server_prop)
-get_prop(domain, binder_cache_system_server_prop)
-get_prop(domain, binder_cache_telephony_server_prop)
-
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
@@ -593,6 +551,7 @@
-hal_camera_server
-hal_cas_server
-hal_drm_server
+ -hal_keymint_server
userdebug_or_eng(`-incidentd')
-init
-mediadrmserver
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c73c2e7..c0af235 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -75,6 +75,7 @@
vold
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+ evsmanagerd
hal_audio_server
hal_audiocontrol_server
hal_bluetooth_server
@@ -243,9 +244,9 @@
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
-#Access /data/misc/update_engine_log
-allow dumpstate update_engine_log_data_file:dir r_dir_perms;
-allow dumpstate update_engine_log_data_file:file r_file_perms;
+# Access /data/misc/update_engine & /data/misc/update_engine_log
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
@@ -364,7 +365,7 @@
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
-allow dumpstate apex_info_file:file getattr;
+use_apex_info(dumpstate)
###
### neverallow rules
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 68cb9e0..8452b97 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -13,6 +13,7 @@
# fastbootd can use AIDL HALs in binder mode
binder_use(fastbootd)
hal_client_domain(fastbootd, hal_health)
+ hal_client_domain(fastbootd, hal_fastboot)
# Access /dev/usb-ffs/fastbootd/ep0
allow fastbootd functionfs:dir search;
diff --git a/public/file.te b/public/file.te
index eb55210..8d33a9d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -157,6 +157,7 @@
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 886286e..7d4d150 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,11 +49,11 @@
# Should never need sdcard access
neverallow hal_configstore_server {
sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
+ fuse sdcardfs vfat exfat ntfs # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
+ fuse sdcardfs vfat exfat ntfs # manual expansion for completeness
}:file *;
# Do not permit access to service_manager and vndservice_manager
diff --git a/public/hal_fastboot.te b/public/hal_fastboot.te
new file mode 100644
index 0000000..7aecac1
--- /dev/null
+++ b/public/hal_fastboot.te
@@ -0,0 +1,7 @@
+# allow binder connection from client to server
+binder_call(hal_fastboot_client, hal_fastboot_server)
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_fastboot, hal_fastboot_service)
+# allow binder communication from server to service_manager
+binder_call(hal_fastboot_server, servicemanager)
+
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index 9c65e22..ba29956 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -4,5 +4,5 @@
hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
-allow hal_keymint tee_device:chr_file rw_file_perms;
-allow hal_keymint ion_device:chr_file r_file_perms;
+allow hal_keymint_server tee_device:chr_file rw_file_perms;
+allow hal_keymint_server ion_device:chr_file r_file_perms;
diff --git a/public/property.te b/public/property.te
index a9e61b5..14abd0f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -52,6 +52,7 @@
# Properties which can't be written outside system
system_restricted_prop(aac_drc_prop)
+system_restricted_prop(adaptive_haptics_prop)
system_restricted_prop(apex_ready_prop)
system_restricted_prop(arm64_memtag_prop)
system_restricted_prop(binder_cache_bluetooth_server_prop)
diff --git a/public/rkpd_app.te b/public/rkpd_app.te
new file mode 100644
index 0000000..2aaf3b8
--- /dev/null
+++ b/public/rkpd_app.te
@@ -0,0 +1,6 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+
+type rkpdapp, domain;
diff --git a/public/service.te b/public/service.te
index db7c298..1ff3668 100644
--- a/public/service.te
+++ b/public/service.te
@@ -131,6 +131,7 @@
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
+type fwk_sensor_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
@@ -281,6 +282,7 @@
type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
type hal_evs_service, protected_service, hal_service_type, service_manager_type;
type hal_face_service, protected_service, hal_service_type, service_manager_type;
+type hal_fastboot_service, protected_service, hal_service_type, service_manager_type;
type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
type hal_graphics_allocator_service, hal_service_type, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 496061c..6c67cea 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -81,6 +81,9 @@
-apex_service
-dnsresolver_service
-gatekeeper_service
+ -hal_keymint_service
+ -hal_secureclock_service
+ -hal_sharedsecret_service
-incident_service
-installd_service
-mdns_service
@@ -196,6 +199,14 @@
### Neverallow rules
###
+# Do not allow shell to talk directly to security HAL services other than
+# hal_remotelyprovisionedcomponent_service
+neverallow shell {
+ hal_keymint_service
+ hal_secureclock_service
+ hal_sharedsecret_service
+}:service_manager find;
+
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5681054..c69b451 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -51,6 +51,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
diff --git a/vendor/hal_fastboot_default.te b/vendor/hal_fastboot_default.te
new file mode 100644
index 0000000..4a52642
--- /dev/null
+++ b/vendor/hal_fastboot_default.te
@@ -0,0 +1,6 @@
+type hal_fastboot_default, domain;
+
+hal_server_domain(hal_fastboot_default, hal_fastboot)
+
+type hal_fastboot_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fastboot_default)