Merge "create new system label for biometric virtual hal sysprop" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index a21a6e8..9484326 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -361,6 +361,7 @@
"meminfo": EXCEPTION_NO_FUZZER,
"memtrack.proxy": EXCEPTION_NO_FUZZER,
"midi": EXCEPTION_NO_FUZZER,
+ "mmd": EXCEPTION_NO_FUZZER,
"mount": EXCEPTION_NO_FUZZER,
"music_recognition": EXCEPTION_NO_FUZZER,
"nearby": EXCEPTION_NO_FUZZER,
diff --git a/compat/libgenfslabelsversion/Android.bp b/compat/libgenfslabelsversion/Android.bp
new file mode 100644
index 0000000..7f512a7
--- /dev/null
+++ b/compat/libgenfslabelsversion/Android.bp
@@ -0,0 +1,35 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_sepolicy_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+rust_defaults {
+ name: "libgenfslabelsversion.default",
+ crate_name: "genfslabelsversion",
+ srcs: ["src/lib.rs"],
+ apex_available: ["//apex_available:platform"],
+}
+
+rust_ffi_static {
+ name: "libgenfslabelsversion.ffi",
+ defaults: ["libgenfslabelsversion.default"],
+ export_include_dirs: ["include"],
+}
diff --git a/compat/libgenfslabelsversion/include/genfslabelsversion.h b/compat/libgenfslabelsversion/include/genfslabelsversion.h
new file mode 100644
index 0000000..4c029c8
--- /dev/null
+++ b/compat/libgenfslabelsversion/include/genfslabelsversion.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int get_genfs_labels_version();
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/compat/libgenfslabelsversion/src/lib.rs b/compat/libgenfslabelsversion/src/lib.rs
new file mode 100644
index 0000000..21619e8
--- /dev/null
+++ b/compat/libgenfslabelsversion/src/lib.rs
@@ -0,0 +1,40 @@
+// Copyright 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Client library to read genfs labels version of the vendor.
+
+use std::fs;
+
+const GENFS_LABELS_VERSION_TXT_PATH: &str = "/vendor/etc/selinux/genfs_labels_version.txt";
+const DEFAULT_GENFS_LABELS_VERSION: i32 = 202404;
+
+/// Get genfs labels version from the vendor partition.
+///
+/// This function reads the genfs labels version from the file
+/// `/vendor/etc/selinux/genfs_labels_version.txt`. If the file does not exist or
+/// cannot be parsed, it returns a default version of 202404.
+///
+/// # Returns
+///
+/// The genfs labels version as an integer.
+#[no_mangle]
+pub extern "C" fn get_genfs_labels_version() -> i32 {
+ match fs::read_to_string(GENFS_LABELS_VERSION_TXT_PATH) {
+ Ok(contents) => match contents.trim().parse::<i32>() {
+ Ok(version) => version,
+ Err(_) => DEFAULT_GENFS_LABELS_VERSION,
+ },
+ Err(_) => DEFAULT_GENFS_LABELS_VERSION,
+ }
+}
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 5ccf086..b3aaff1 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -399,6 +399,7 @@
/system/bin/bootstrap/linkerconfig linkerconfig_exec
/system/bin/llkd llkd_exec
/system/bin/lmkd lmkd_exec
+/system/bin/mmd mmd_exec
/system/bin/usbd usbd_exec
/system/bin/inputflinger inputflinger_exec
/system/bin/logd logd_exec
diff --git a/private/file_contexts b/private/file_contexts
index 59ef299..bb8a35a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -329,6 +329,7 @@
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/mmd u:object_r:mmd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
diff --git a/private/mmd.te b/private/mmd.te
new file mode 100644
index 0000000..193c307
--- /dev/null
+++ b/private/mmd.te
@@ -0,0 +1,17 @@
+# mmd memory management daemon
+type mmd, domain;
+typeattribute mmd coredomain;
+type mmd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mmd)
+
+# mmd binder setup
+add_service(mmd, mmd_service)
+binder_use(mmd)
+
+# zram sysfs access
+allow mmd sysfs_zram:dir search;
+allow mmd sysfs_zram:file rw_file_perms;
+
+# procfs
+allow mmd proc_meminfo:file r_file_perms;
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 2fc74b5..04cb70f 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -26,6 +26,9 @@
# Allow OT daemon to read/write on the socket created by System Server
allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;
+# Allow OT daemon to read/write on the UDP sockets created by system server
+allow ot_daemon system_server:udp_socket rw_socket_perms;
+
hal_client_domain(ot_daemon, hal_threadnetwork)
# Only ot_daemon can publish the binder service
diff --git a/private/service.te b/private/service.te
index bb24fd4..c12c1a0 100644
--- a/private/service.te
+++ b/private/service.te
@@ -16,6 +16,7 @@
type logcat_service, system_server_service, service_manager_type;
type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
+type mmd_service, service_manager_type;
type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type profcollectd_service, service_manager_type;
type protolog_configuration_service, app_api_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 4fc9435..fbdc081 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -354,6 +354,7 @@
meminfo u:object_r:meminfo_service:s0
memtrack.proxy u:object_r:memtrackproxy_service:s0
midi u:object_r:midi_service:s0
+mmd u:object_r:mmd_service:s0
mount u:object_r:mount_service:s0
music_recognition u:object_r:music_recognition_service:s0
nearby u:object_r:nearby_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 044edc1..aeeb566 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -293,6 +293,7 @@
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
+binder_call(system_server, mmd)
binder_call(system_server, netd)
binder_call(system_server, ot_daemon)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
@@ -393,6 +394,7 @@
mediaswcodec
mediatranscoding
mediatuner
+ mmd
netd
sdcardd
servicemanager
@@ -1006,6 +1008,7 @@
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
+allow system_server mmd_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;