Merge "Add ro.boot.serialconsole property"
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 383a282..ed92f1a 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -80,7 +80,7 @@
return paths, nil
}
- return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedStringKeys(b.srcs), " "))
+ return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedKeys(b.srcs), " "))
}
var _ android.OutputFileProducer = (*buildFiles)(nil)
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 477f78f..22f2ffa 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -746,16 +746,6 @@
use_dev_id
}
-class diced
-{
- demote
- demote_self
- derive
- get_attestation_chain
- use_seal
- use_sign
-}
-
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 0d3cc80..200b030 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -163,8 +163,5 @@
# Keystore 2.0 key permissions
class keystore2_key # userspace
-# Diced permissions
-class diced # userspace
-
class drmservice # userspace
# FLASK
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 61bf8fb..cfefc67 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -139,9 +139,6 @@
attribute halclientdomain;
expandattribute halclientdomain true;
-# HALs
-hal_attribute(dice);
-
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
diff --git a/private/bug_map b/private/bug_map
index 083c213..656121f 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -29,6 +29,7 @@
system_server sdcardfs file b/77856826
system_server system_server capability b/228030183
system_server zygote process b/77856826
+tombstone_transmit tombstone_transmit capability b/264420112
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 56da496..5737284 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1,4 +1,9 @@
;; types removed from current policy
+(type dice_maintenance_service)
+(type dice_node_service)
+(type diced)
+(type diced_exec)
+(type hal_dice_service)
(type iorap_inode2filename)
(type iorap_inode2filename_exec)
(type iorap_inode2filename_tmpfs)
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 5d5965e..60962cb 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,7 +8,6 @@
-apexd
-bpfloader
-crash_dump
- -diced
-init
-kernel
-keystore
@@ -43,7 +42,6 @@
apexd
userdebug_or_eng(`-apexd')
bpfloader
- diced
init
kernel
keystore
diff --git a/private/diced.te b/private/diced.te
deleted file mode 100644
index b37809c..0000000
--- a/private/diced.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute diced coredomain;
-
-init_daemon_domain(diced)
-
-# Talk to dice HAL.
-hal_client_domain(diced, hal_dice)
diff --git a/private/domain.te b/private/domain.te
index 9a0efb1..1e5e0f5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -18,7 +18,6 @@
-bpfloader
-crash_dump
-crosvm # TODO(b/236672526): Remove exception for crosvm
- -diced
-init
-kernel
-keystore
diff --git a/private/file_contexts b/private/file_contexts
index 2b98801..57fcdfb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -290,7 +290,6 @@
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0
-/system/bin/diced u:object_r:diced_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 718ce81..91418b5 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -52,7 +52,6 @@
apexd
app_zygote
bpfloader
- diced
hal_configstore_server
init
kernel
diff --git a/private/llkd.te b/private/llkd.te
index 8512e85..9c96dfb 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -23,7 +23,6 @@
allow llkd {
domain
-apexd
- -diced
-kernel
-keystore
-init
diff --git a/private/property.te b/private/property.te
index 4f806d4..4fd9bc3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -632,6 +632,7 @@
domain
-init
-remote_prov_app
+ -shell
} remote_prov_prop:property_service set;
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 418b873..4ce654c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1473,6 +1473,7 @@
# dck properties
ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+ro.gms.dck.se_capability u:object_r:dck_prop:s0 exact int
# virtualization service properties
virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
diff --git a/private/service_contexts b/private/service_contexts
index db48f62..6543e3f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -84,7 +84,6 @@
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
-android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
@@ -136,8 +135,6 @@
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
-android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
-android.security.dice.IDiceNode u:object_r:dice_node_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0
diff --git a/private/shell.te b/private/shell.te
index 02105a9..cdbf7c2 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -101,6 +101,9 @@
# Allow shell to set this property used for rollback tests
set_prop(shell, rollback_test_prop)
+# Allow shell to set RKP properties for testing purposes
+set_prop(shell, remote_prov_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 27ea187..485ce53 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -47,7 +47,7 @@
; Apps, except isolated apps, are clients of Neuralnetworks HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app_all } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app_all))))))
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 31fa620..640b054 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -66,7 +66,6 @@
apexd
app_zygote
bpfloader
- diced
hal_configstore_server
init
kernel
diff --git a/public/attributes b/public/attributes
index 4897be5..0b5f596 100644
--- a/public/attributes
+++ b/public/attributes
@@ -336,7 +336,6 @@
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
-hal_attribute(dice);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
diff --git a/public/diced.te b/public/diced.te
deleted file mode 100644
index 0908936..0000000
--- a/public/diced.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type diced, domain;
-type diced_exec, system_file_type, exec_type, file_type;
-
-binder_use(diced)
-binder_service(diced)
-
-add_service(diced, dice_node_service)
-add_service(diced, dice_maintenance_service)
-
-# Check SELinux permissions.
-selinux_check_access(diced)
diff --git a/public/hal_dice.te b/public/hal_dice.te
deleted file mode 100644
index 92222c5..0000000
--- a/public/hal_dice.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_dice_client, hal_dice_server)
-
-hal_attribute_service(hal_dice, hal_dice_service)
-binder_call(hal_dice_server, servicemanager)
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 62d45ab..1dd2e3d 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -827,6 +827,7 @@
define(`FS_IOC_FIEMAP', `0xc020660b')
define(`FS_IOC_FSGETXATTR', `0x801c581f')
define(`FS_IOC_FSSETXATTR', `0x401c5820')
+define(`FS_IOC_GET_ENCRYPTION_KEY_STATUS', `0xc080661a')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
diff --git a/public/service.te b/public/service.te
index 68fd9e2..82a713a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,8 +10,6 @@
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
-type dice_maintenance_service, service_manager_type;
-type dice_node_service, service_manager_type;
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
@@ -236,7 +234,7 @@
type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, app_api_service, system_server_service, service_manager_type;
+type timedetector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
@@ -285,7 +283,6 @@
type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
-type hal_dice_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
type hal_evs_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 209bf49..3d204e1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -51,6 +51,7 @@
FS_IOC_SET_ENCRYPTION_POLICY
FS_IOC_ADD_ENCRYPTION_KEY
FS_IOC_REMOVE_ENCRYPTION_KEY
+ FS_IOC_GET_ENCRYPTION_KEY_STATUS
};
# Only vold and init should ever set file-based encryption policies.
@@ -65,7 +66,7 @@
neverallowxperm {
domain
-vold
-} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7d9119e..ac23351 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -95,7 +95,6 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/vendor/hal_dice_default.te b/vendor/hal_dice_default.te
deleted file mode 100644
index 832e717..0000000
--- a/vendor/hal_dice_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_dice_default, domain;
-hal_server_domain(hal_dice_default, hal_dice)
-
-type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_dice_default)