Merge "Convert recovery_available modules to recovery specific modules" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 35f4e09..257cee6 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -197,101 +197,102 @@
"android.system.virtualizationservice_internal.IVmnic": EXCEPTION_NO_FUZZER,
"android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
"android.system.vmtethering.IVmTethering": EXCEPTION_NO_FUZZER,
- "ambient_context": EXCEPTION_NO_FUZZER,
- "app_binding": EXCEPTION_NO_FUZZER,
- "app_function": EXCEPTION_NO_FUZZER,
- "app_hibernation": EXCEPTION_NO_FUZZER,
- "app_integrity": EXCEPTION_NO_FUZZER,
- "app_prediction": EXCEPTION_NO_FUZZER,
- "app_search": EXCEPTION_NO_FUZZER,
- "apexservice": EXCEPTION_NO_FUZZER,
- "archive": EXCEPTION_NO_FUZZER,
- "attestation_verification": EXCEPTION_NO_FUZZER,
- "authentication_policy": EXCEPTION_NO_FUZZER,
- "blob_store": EXCEPTION_NO_FUZZER,
- "gsiservice": EXCEPTION_NO_FUZZER,
- "appops": EXCEPTION_NO_FUZZER,
- "appwidget": EXCEPTION_NO_FUZZER,
- "artd": []string{"artd_fuzzer"},
- "artd_pre_reboot": []string{"artd_fuzzer"},
- "assetatlas": EXCEPTION_NO_FUZZER,
- "attention": EXCEPTION_NO_FUZZER,
- "audio": EXCEPTION_NO_FUZZER,
- "auth": EXCEPTION_NO_FUZZER,
- "autofill": EXCEPTION_NO_FUZZER,
- "background_install_control": EXCEPTION_NO_FUZZER,
- "backup": EXCEPTION_NO_FUZZER,
- "batteryproperties": EXCEPTION_NO_FUZZER,
- "batterystats": EXCEPTION_NO_FUZZER,
- "battery": EXCEPTION_NO_FUZZER,
- "binder_calls_stats": EXCEPTION_NO_FUZZER,
- "biometric": EXCEPTION_NO_FUZZER,
- "bluetooth_manager": EXCEPTION_NO_FUZZER,
- "bluetooth": EXCEPTION_NO_FUZZER,
- "broadcastradio": EXCEPTION_NO_FUZZER,
- "bugreport": EXCEPTION_NO_FUZZER,
- "cacheinfo": EXCEPTION_NO_FUZZER,
- "carrier_config": EXCEPTION_NO_FUZZER,
- "clipboard": EXCEPTION_NO_FUZZER,
- "cloudsearch": EXCEPTION_NO_FUZZER,
- "cloudsearch_service": EXCEPTION_NO_FUZZER,
- "com.android.net.IProxyService": EXCEPTION_NO_FUZZER,
- "companiondevice": EXCEPTION_NO_FUZZER,
- "communal": EXCEPTION_NO_FUZZER,
- "platform_compat": EXCEPTION_NO_FUZZER,
- "platform_compat_native": EXCEPTION_NO_FUZZER,
- "connectivity": EXCEPTION_NO_FUZZER,
- "connectivity_native": EXCEPTION_NO_FUZZER,
- "connmetrics": EXCEPTION_NO_FUZZER,
- "consumer_ir": EXCEPTION_NO_FUZZER,
- "content": EXCEPTION_NO_FUZZER,
- "content_capture": EXCEPTION_NO_FUZZER,
- "content_suggestions": EXCEPTION_NO_FUZZER,
- "contexthub": EXCEPTION_NO_FUZZER,
- "contextual_search": EXCEPTION_NO_FUZZER,
- "country_detector": EXCEPTION_NO_FUZZER,
- "coverage": EXCEPTION_NO_FUZZER,
- "cpuinfo": EXCEPTION_NO_FUZZER,
- "cpu_monitor": EXCEPTION_NO_FUZZER,
- "credential": EXCEPTION_NO_FUZZER,
- "crossprofileapps": EXCEPTION_NO_FUZZER,
- "dataloader_manager": EXCEPTION_NO_FUZZER,
- "dbinfo": EXCEPTION_NO_FUZZER,
- "device_config": EXCEPTION_NO_FUZZER,
- "device_config_updatable": EXCEPTION_NO_FUZZER,
- "device_policy": EXCEPTION_NO_FUZZER,
- "device_identifiers": EXCEPTION_NO_FUZZER,
- "deviceidle": EXCEPTION_NO_FUZZER,
- "device_lock": EXCEPTION_NO_FUZZER,
- "device_state": EXCEPTION_NO_FUZZER,
- "devicestoragemonitor": EXCEPTION_NO_FUZZER,
- "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
- "diskstats": EXCEPTION_NO_FUZZER,
- "display": EXCEPTION_NO_FUZZER,
- "dnsresolver": []string{"resolv_service_fuzzer"},
- "domain_verification": EXCEPTION_NO_FUZZER,
- "color_display": EXCEPTION_NO_FUZZER,
- "netd_listener": EXCEPTION_NO_FUZZER,
- "network_watchlist": EXCEPTION_NO_FUZZER,
- "DockObserver": EXCEPTION_NO_FUZZER,
- "dreams": EXCEPTION_NO_FUZZER,
- "drm.drmManager": []string{"drmserver_fuzzer"},
- "dropbox": EXCEPTION_NO_FUZZER,
- "dumpstate": EXCEPTION_NO_FUZZER,
- "dynamic_system": EXCEPTION_NO_FUZZER,
- "dynamic_instrumentation": EXCEPTION_NO_FUZZER,
- "econtroller": EXCEPTION_NO_FUZZER,
- "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
- "emergency_affordance": EXCEPTION_NO_FUZZER,
- "euicc_card_controller": EXCEPTION_NO_FUZZER,
- "external_vibrator_service": EXCEPTION_NO_FUZZER,
- "ethernet": EXCEPTION_NO_FUZZER,
- "face": EXCEPTION_NO_FUZZER,
- "file_integrity": EXCEPTION_NO_FUZZER,
- "fingerprint": EXCEPTION_NO_FUZZER,
- "feature_flags": EXCEPTION_NO_FUZZER,
- "font": EXCEPTION_NO_FUZZER,
- "forensic": EXCEPTION_NO_FUZZER,
+ "android.system.vold.IVold/default": []string{"vold_native_service_fuzzer"},
+ "ambient_context": EXCEPTION_NO_FUZZER,
+ "app_binding": EXCEPTION_NO_FUZZER,
+ "app_function": EXCEPTION_NO_FUZZER,
+ "app_hibernation": EXCEPTION_NO_FUZZER,
+ "app_integrity": EXCEPTION_NO_FUZZER,
+ "app_prediction": EXCEPTION_NO_FUZZER,
+ "app_search": EXCEPTION_NO_FUZZER,
+ "apexservice": EXCEPTION_NO_FUZZER,
+ "archive": EXCEPTION_NO_FUZZER,
+ "attestation_verification": EXCEPTION_NO_FUZZER,
+ "authentication_policy": EXCEPTION_NO_FUZZER,
+ "blob_store": EXCEPTION_NO_FUZZER,
+ "gsiservice": EXCEPTION_NO_FUZZER,
+ "appops": EXCEPTION_NO_FUZZER,
+ "appwidget": EXCEPTION_NO_FUZZER,
+ "artd": []string{"artd_fuzzer"},
+ "artd_pre_reboot": []string{"artd_fuzzer"},
+ "assetatlas": EXCEPTION_NO_FUZZER,
+ "attention": EXCEPTION_NO_FUZZER,
+ "audio": EXCEPTION_NO_FUZZER,
+ "auth": EXCEPTION_NO_FUZZER,
+ "autofill": EXCEPTION_NO_FUZZER,
+ "background_install_control": EXCEPTION_NO_FUZZER,
+ "backup": EXCEPTION_NO_FUZZER,
+ "batteryproperties": EXCEPTION_NO_FUZZER,
+ "batterystats": EXCEPTION_NO_FUZZER,
+ "battery": EXCEPTION_NO_FUZZER,
+ "binder_calls_stats": EXCEPTION_NO_FUZZER,
+ "biometric": EXCEPTION_NO_FUZZER,
+ "bluetooth_manager": EXCEPTION_NO_FUZZER,
+ "bluetooth": EXCEPTION_NO_FUZZER,
+ "broadcastradio": EXCEPTION_NO_FUZZER,
+ "bugreport": EXCEPTION_NO_FUZZER,
+ "cacheinfo": EXCEPTION_NO_FUZZER,
+ "carrier_config": EXCEPTION_NO_FUZZER,
+ "clipboard": EXCEPTION_NO_FUZZER,
+ "cloudsearch": EXCEPTION_NO_FUZZER,
+ "cloudsearch_service": EXCEPTION_NO_FUZZER,
+ "com.android.net.IProxyService": EXCEPTION_NO_FUZZER,
+ "companiondevice": EXCEPTION_NO_FUZZER,
+ "communal": EXCEPTION_NO_FUZZER,
+ "platform_compat": EXCEPTION_NO_FUZZER,
+ "platform_compat_native": EXCEPTION_NO_FUZZER,
+ "connectivity": EXCEPTION_NO_FUZZER,
+ "connectivity_native": EXCEPTION_NO_FUZZER,
+ "connmetrics": EXCEPTION_NO_FUZZER,
+ "consumer_ir": EXCEPTION_NO_FUZZER,
+ "content": EXCEPTION_NO_FUZZER,
+ "content_capture": EXCEPTION_NO_FUZZER,
+ "content_suggestions": EXCEPTION_NO_FUZZER,
+ "contexthub": EXCEPTION_NO_FUZZER,
+ "contextual_search": EXCEPTION_NO_FUZZER,
+ "country_detector": EXCEPTION_NO_FUZZER,
+ "coverage": EXCEPTION_NO_FUZZER,
+ "cpuinfo": EXCEPTION_NO_FUZZER,
+ "cpu_monitor": EXCEPTION_NO_FUZZER,
+ "credential": EXCEPTION_NO_FUZZER,
+ "crossprofileapps": EXCEPTION_NO_FUZZER,
+ "dataloader_manager": EXCEPTION_NO_FUZZER,
+ "dbinfo": EXCEPTION_NO_FUZZER,
+ "device_config": EXCEPTION_NO_FUZZER,
+ "device_config_updatable": EXCEPTION_NO_FUZZER,
+ "device_policy": EXCEPTION_NO_FUZZER,
+ "device_identifiers": EXCEPTION_NO_FUZZER,
+ "deviceidle": EXCEPTION_NO_FUZZER,
+ "device_lock": EXCEPTION_NO_FUZZER,
+ "device_state": EXCEPTION_NO_FUZZER,
+ "devicestoragemonitor": EXCEPTION_NO_FUZZER,
+ "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
+ "diskstats": EXCEPTION_NO_FUZZER,
+ "display": EXCEPTION_NO_FUZZER,
+ "dnsresolver": []string{"resolv_service_fuzzer"},
+ "domain_verification": EXCEPTION_NO_FUZZER,
+ "color_display": EXCEPTION_NO_FUZZER,
+ "netd_listener": EXCEPTION_NO_FUZZER,
+ "network_watchlist": EXCEPTION_NO_FUZZER,
+ "DockObserver": EXCEPTION_NO_FUZZER,
+ "dreams": EXCEPTION_NO_FUZZER,
+ "drm.drmManager": []string{"drmserver_fuzzer"},
+ "dropbox": EXCEPTION_NO_FUZZER,
+ "dumpstate": EXCEPTION_NO_FUZZER,
+ "dynamic_system": EXCEPTION_NO_FUZZER,
+ "dynamic_instrumentation": EXCEPTION_NO_FUZZER,
+ "econtroller": EXCEPTION_NO_FUZZER,
+ "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
+ "emergency_affordance": EXCEPTION_NO_FUZZER,
+ "euicc_card_controller": EXCEPTION_NO_FUZZER,
+ "external_vibrator_service": EXCEPTION_NO_FUZZER,
+ "ethernet": EXCEPTION_NO_FUZZER,
+ "face": EXCEPTION_NO_FUZZER,
+ "file_integrity": EXCEPTION_NO_FUZZER,
+ "fingerprint": EXCEPTION_NO_FUZZER,
+ "feature_flags": EXCEPTION_NO_FUZZER,
+ "font": EXCEPTION_NO_FUZZER,
+ "forensic": EXCEPTION_NO_FUZZER,
"android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
"game": EXCEPTION_NO_FUZZER,
"gfxinfo": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 9a0345f..11e398e 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -19,6 +19,12 @@
allow init self:global_capability2_class_set perfmon;
dontaudit init self:perf_event { kernel tracepoint read write };
+# Allow opening /proc/kallsyms so that on boot, init can create and retain an
+# fd with the full address visibility (which is evaluated on open and persists
+# for the lifetime of the open file description). This fd can then be shared
+# with other privileged processes.
+allow init proc_kallsyms:file r_file_perms;
+
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 85eb601..c78632b 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,8 +1,10 @@
;; This type may or may not already exist in vendor policy. Re-define it here (duplicate
;; definitions in CIL will be ignored) - so we can reference it in 202404.cil.
-(type virtual_fingerprint_hal_prop)
+(type cgroup_desc_api_file)
(type otapreopt_chroot)
+(type task_profiles_api_file)
(type vendor_hidraw_device)
+(type virtual_fingerprint_hal_prop)
(typeattributeset dev_type (vendor_hidraw_device))
;; mapping information from ToT policy's types to 202404 policy's types.
@@ -2473,7 +2475,7 @@
(typeattributeset surfaceflinger_tmpfs_202404 (surfaceflinger_tmpfs))
(typeattributeset suspend_prop_202404 (suspend_prop))
(typeattributeset swap_block_device_202404 (swap_block_device))
-(typeattributeset sysfs_202404 (sysfs))
+(typeattributeset sysfs_202404 (sysfs sysfs_udc))
(typeattributeset sysfs_android_usb_202404 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_202404 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_202404 (sysfs_bluetooth_writable))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 2ddfec3..0aa0580 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -5,27 +5,33 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
- bluetooth_finder_prop
- profcollectd_etr_prop
- fstype_prop
- binderfs_logs_transactions
- binderfs_logs_transaction_history
- proc_compaction_proactiveness
- proc_cgroups
- ranging_service
- supervision_service
- app_function_service
- virtual_fingerprint
- virtual_fingerprint_exec
- virtual_face
- virtual_face_exec
- hal_mediaquality_service
- media_quality_service
advanced_protection_service
- sysfs_firmware_acpi_tables
- intrusion_detection_service
- wifi_mainline_supplicant_service
+ app_function_service
+ binderfs_logs_transaction_history
+ binderfs_logs_transactions
+ bluetooth_finder_prop
crosvm
early_virtmgr
+ early_virtmgr_exec
+ forensic_service
+ fstype_prop
+ hal_mediaquality_service
+ intrusion_detection_service
+ media_quality_service
+ proc_cgroups
+ proc_compaction_proactiveness
+ profcollectd_etr_prop
+ ranging_service
+ supervision_service
+ sysfs_firmware_acpi_tables
+ tee_service_contexts_file
+ trusty_security_vm_sys_vendor_prop
+ virtual_face
+ virtual_face_exec
+ virtual_fingerprint
+ virtual_fingerprint_exec
virtualizationmanager
+ virtualizationmanager_exec
+ wifi_mainline_supplicant_service
+ wifi_usd_service
))
diff --git a/private/domain.te b/private/domain.te
index 684cc9e..a8ec298 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2122,18 +2122,24 @@
-dumpstate
} mm_events_config_prop:file no_rw_file_perms;
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
+# Allow init to open /proc/kallsyms while kernel address mappings are still
+# visible, and later share it with tracing daemons (traced_probes,
+# traced_perf). These daemons are allowed to read from the shared fd, but also
+# to separately open the file (which will always have zeroed out addresses due
+# to init raising kptr_restrict) for locking to coordinate access to the shared
+# fd. The performance traces contain only the referenced kernel symbols, and
+# never the raw addresses (i.e. KASLR is not disclosed).
+# On debuggable builds, performance tools are allowed to open and read the file
+# directly because init is allowed to temporarily unrestrict systemwide address
+# visibility.
neverallow {
domain
-init
- userdebug_or_eng(`-profcollectd')
- -vendor_init
- userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
-} proc_kallsyms:file { open read };
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
+} proc_kallsyms:file *;
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 5e3bce5..1020088 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -539,6 +539,9 @@
vm_data_file
}:dir getattr;
+#suppress denials for dumpstate to call vitualizationservice.
+dontaudit dumpstate virtualizationservice:binder { call };
+
# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);
diff --git a/private/init.te b/private/init.te
index 012ef0b..23c464c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -68,6 +68,12 @@
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
+# Allow opening /proc/kallsyms so that on boot, init can create and retain an
+# fd with the full address visibility (which is evaluated on open and persists
+# for the lifetime of the open file description). This fd can then be shared
+# with other privileged processes.
+allow init proc_kallsyms:file r_file_perms;
+
# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
diff --git a/private/property_contexts b/private/property_contexts
index ace1470..643a179 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -776,6 +776,7 @@
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+ro.bluetooth.leaudio_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
diff --git a/private/service.te b/private/service.te
index a90b3ba..ce648c2 100644
--- a/private/service.te
+++ b/private/service.te
@@ -60,6 +60,7 @@
')
type uce_service, service_manager_type;
+type fwk_vold_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
type wifi_mainline_supplicant_service, service_manager_type;
type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 2e050eb..e2998c7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -141,6 +141,7 @@
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
+android.system.vold.IVold/default u:object_r:fwk_vold_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
diff --git a/private/traced_perf.te b/private/traced_perf.te
index c7e81cd..8bd7ad3 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -35,10 +35,13 @@
r_dir_file(traced_perf, apex_art_data_file)
allow traced_perf apex_module_data_file:dir { getattr search };
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
+# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
+# from init, as well as separately opening and locking the file for
+# coordinating the use of that shared fd.
+# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
+# lift kptr_restrict systemwide.
userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
-allow traced_perf proc_kallsyms:file r_file_perms;
+allow traced_perf proc_kallsyms:file { open read lock };
# Allow reading tracefs files to get the format and numeric ids of tracepoints.
allow traced_perf debugfs_tracing:dir r_dir_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 6540420..78dc7eb 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,10 +35,13 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
+# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
+# from init, as well as separately opening and locking the file for
+# coordinating the use of that shared fd.
+# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
+# lift kptr_restrict systemwide.
userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
-allow traced_probes proc_kallsyms:file r_file_perms;
+allow traced_probes proc_kallsyms:file { open read lock };
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index a50bc27..60962d4 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -116,6 +116,7 @@
-aconfig_storage_metadata_file
-aconfig_storage_flags_metadata_file
-tradeinmode_metadata_file
+ -proc_kallsyms
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
@@ -195,6 +196,7 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
+ -proc_kallsyms
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
diff --git a/private/vold.te b/private/vold.te
index c242040..8fe8518 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -291,9 +291,10 @@
# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
wakelock_use(vold)
-# Allow vold to publish a binder service and make binder calls.
+# Allow vold to make binder calls and publish binder services.
binder_use(vold)
add_service(vold, vold_service)
+add_service(vold, fwk_vold_service)
# Allow vold to call into the system server so it can check permissions.
binder_call(vold, system_server)
diff --git a/treble_sepolicy_tests_for_release/Android.bp b/treble_sepolicy_tests_for_release/Android.bp
index 7756cbb..d27dc56 100644
--- a/treble_sepolicy_tests_for_release/Android.bp
+++ b/treble_sepolicy_tests_for_release/Android.bp
@@ -38,12 +38,12 @@
srcs: [
":29.0_plat_policy.cil",
":29.0_mapping.combined.cil",
- ":29.0_plat_pub_policy.cil",
+ ":base_plat_pub_policy.cil",
],
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_29.0"],
cmd: "$(location treble_sepolicy_tests) " +
- "-b $(location :29.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :29.0_mapping.combined.cil) " +
"-o $(location :29.0_plat_policy.cil) && " +
"touch $(out)",
@@ -92,8 +92,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":30.0_plat_pub_policy.cil"],
- (default, default): [":30.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_30.0"],
@@ -102,12 +102,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :30.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :30.0_mapping.combined.cil) " +
"-o $(location :30.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :30.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :30.0_mapping.combined.cil) " +
"-o $(location :30.0_plat_policy.cil) && " +
"touch $(out)",
@@ -157,8 +157,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":31.0_plat_pub_policy.cil"],
- (default, default): [":31.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_31.0"],
@@ -167,12 +167,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :31.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :31.0_mapping.combined.cil) " +
"-o $(location :31.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :31.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :31.0_mapping.combined.cil) " +
"-o $(location :31.0_plat_policy.cil) && " +
"touch $(out)",
@@ -222,8 +222,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":32.0_plat_pub_policy.cil"],
- (default, default): [":32.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_32.0"],
@@ -232,12 +232,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :32.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :32.0_mapping.combined.cil) " +
"-o $(location :32.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :32.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :32.0_mapping.combined.cil) " +
"-o $(location :32.0_plat_policy.cil) && " +
"touch $(out)",
@@ -287,8 +287,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":33.0_plat_pub_policy.cil"],
- (default, default): [":33.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_33.0"],
@@ -297,12 +297,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :33.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :33.0_mapping.combined.cil) " +
"-o $(location :33.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :33.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :33.0_mapping.combined.cil) " +
"-o $(location :33.0_plat_policy.cil) && " +
"touch $(out)",
@@ -352,8 +352,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":34.0_plat_pub_policy.cil"],
- (default, default): [":34.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_34.0"],
@@ -362,12 +362,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :34.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :34.0_mapping.combined.cil) " +
"-o $(location :34.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :34.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :34.0_mapping.combined.cil) " +
"-o $(location :34.0_plat_policy.cil) && " +
"touch $(out)",
@@ -422,8 +422,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":202404_plat_pub_policy.cil"],
- (default, default): [":202404_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_202404"],
@@ -435,12 +435,12 @@
("202404", false, false): "touch $(out)",
("202404", default, default): "touch $(out)",
(default, false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :202404_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :202404_mapping.combined.cil) " +
"-o $(location :202404_plat_policy.cil) && " +
"touch $(out)",
(default, default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :202404_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :202404_mapping.combined.cil) " +
"-o $(location :202404_plat_policy.cil) && " +
"touch $(out)",
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index efa75a7..2b3729d 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,7 +1,7 @@
type hal_bluetooth_default, domain;
hal_server_domain(hal_bluetooth_default, hal_bluetooth)
-allow hal_bluetooth_default bt_device:chr_file { open read write };
+allow hal_bluetooth_default bt_device:chr_file { open read write ioctl };
allow hal_bluetooth_default self:bluetooth_socket { create bind read write };
type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
