Merge "Revert "Label audio system properties to load IhalAdapterVendorE..."" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index 0374b62..37400dd 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -328,3 +328,10 @@
"com.android.documentsuibundle-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.profiling-file_contexts",
+ srcs: [
+ "com.android.profiling-file_contexts",
+ ],
+}
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
index 23e7b89..de74547 100644
--- a/apex/com.android.configinfrastructure-file_contexts
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -1 +1,2 @@
-(/.*)? u:object_r:system_file:s0
\ No newline at end of file
+(/.*)? u:object_r:system_file:s0
+/bin/aconfigd-mainline u:object_r:aconfigd_mainline_exec:s0
diff --git a/apex/com.android.profiling-file_contexts b/apex/com.android.profiling-file_contexts
new file mode 100644
index 0000000..796beca
--- /dev/null
+++ b/apex/com.android.profiling-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/trace_redactor u:object_r:trace_redactor_exec:s0
diff --git a/apex/com.android.wifi-file_contexts b/apex/com.android.wifi-file_contexts
index f3a65d4..2355fca 100644
--- a/apex/com.android.wifi-file_contexts
+++ b/apex/com.android.wifi-file_contexts
@@ -1 +1,2 @@
(/.*)? u:object_r:system_file:s0
+/bin/wpa_supplicant_mainline u:object_r:wifi_mainline_supplicant_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 4f4497b..35f4e09 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -56,6 +56,7 @@
"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.socket.IBluetoothSocket/default": []string{"android.hardware.bluetooth.socket-service_fuzzer"},
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
@@ -151,6 +152,7 @@
"android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
"android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.devicestate.IDeviceStateService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
@@ -308,6 +310,7 @@
"inputflinger": EXCEPTION_NO_FUZZER,
"input_method": EXCEPTION_NO_FUZZER,
"input": EXCEPTION_NO_FUZZER,
+ "intrusion_detection": EXCEPTION_NO_FUZZER,
"installd": []string{"installd_service_fuzzer"},
"iphonesubinfo_msim": EXCEPTION_NO_FUZZER,
"iphonesubinfo2": EXCEPTION_NO_FUZZER,
@@ -360,6 +363,7 @@
"meminfo": EXCEPTION_NO_FUZZER,
"memtrack.proxy": EXCEPTION_NO_FUZZER,
"midi": EXCEPTION_NO_FUZZER,
+ "mmd": EXCEPTION_NO_FUZZER,
"mount": EXCEPTION_NO_FUZZER,
"music_recognition": EXCEPTION_NO_FUZZER,
"nearby": EXCEPTION_NO_FUZZER,
@@ -513,7 +517,9 @@
"wifi": EXCEPTION_NO_FUZZER,
"wifinl80211": []string{"wificond_service_fuzzer"},
"wifiaware": EXCEPTION_NO_FUZZER,
+ "wifi_usd": EXCEPTION_NO_FUZZER,
"wifirtt": EXCEPTION_NO_FUZZER,
+ "wifi_mainline_supplicant": EXCEPTION_NO_FUZZER, // defined internally
"window": EXCEPTION_NO_FUZZER,
"*": EXCEPTION_NO_FUZZER,
}
diff --git a/compat/libgenfslabelsversion/Android.bp b/compat/libgenfslabelsversion/Android.bp
new file mode 100644
index 0000000..7f512a7
--- /dev/null
+++ b/compat/libgenfslabelsversion/Android.bp
@@ -0,0 +1,35 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_sepolicy_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+rust_defaults {
+ name: "libgenfslabelsversion.default",
+ crate_name: "genfslabelsversion",
+ srcs: ["src/lib.rs"],
+ apex_available: ["//apex_available:platform"],
+}
+
+rust_ffi_static {
+ name: "libgenfslabelsversion.ffi",
+ defaults: ["libgenfslabelsversion.default"],
+ export_include_dirs: ["include"],
+}
diff --git a/compat/libgenfslabelsversion/include/genfslabelsversion.h b/compat/libgenfslabelsversion/include/genfslabelsversion.h
new file mode 100644
index 0000000..4c029c8
--- /dev/null
+++ b/compat/libgenfslabelsversion/include/genfslabelsversion.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int get_genfs_labels_version();
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/compat/libgenfslabelsversion/src/lib.rs b/compat/libgenfslabelsversion/src/lib.rs
new file mode 100644
index 0000000..21619e8
--- /dev/null
+++ b/compat/libgenfslabelsversion/src/lib.rs
@@ -0,0 +1,40 @@
+// Copyright 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Client library to read genfs labels version of the vendor.
+
+use std::fs;
+
+const GENFS_LABELS_VERSION_TXT_PATH: &str = "/vendor/etc/selinux/genfs_labels_version.txt";
+const DEFAULT_GENFS_LABELS_VERSION: i32 = 202404;
+
+/// Get genfs labels version from the vendor partition.
+///
+/// This function reads the genfs labels version from the file
+/// `/vendor/etc/selinux/genfs_labels_version.txt`. If the file does not exist or
+/// cannot be parsed, it returns a default version of 202404.
+///
+/// # Returns
+///
+/// The genfs labels version as an integer.
+#[no_mangle]
+pub extern "C" fn get_genfs_labels_version() -> i32 {
+ match fs::read_to_string(GENFS_LABELS_VERSION_TXT_PATH) {
+ Ok(contents) => match contents.trim().parse::<i32>() {
+ Ok(version) => version,
+ Err(_) => DEFAULT_GENFS_LABELS_VERSION,
+ },
+ Err(_) => DEFAULT_GENFS_LABELS_VERSION,
+ }
+}
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 51d27d3..fc2d7b8 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -190,7 +190,7 @@
/dev/socket socket_device
/dev/socket/does_not_exist socket_device
/dev/socket/adbd adbd_socket
-/dev/socket/aconfigd aconfigd_socket
+/dev/socket/aconfigd_mainline aconfigd_mainline_socket
/dev/socket/aconfigd_system aconfigd_socket
/dev/socket/dnsproxyd dnsproxyd_socket
/dev/socket/dumpstate dumpstate_socket
@@ -325,6 +325,7 @@
/system/bin/sload_f2fs e2fs_exec
/system/bin/make_f2fs e2fs_exec
/system/bin/fsck_msdos fsck_exec
+/system/bin/prefetch prefetch_exec
/system/bin/tcpdump tcpdump_exec
/system/bin/tune2fs fsck_exec
/system/bin/resize2fs fsck_exec
@@ -398,6 +399,7 @@
/system/bin/bootstrap/linkerconfig linkerconfig_exec
/system/bin/llkd llkd_exec
/system/bin/lmkd lmkd_exec
+/system/bin/mmd mmd_exec
/system/bin/usbd usbd_exec
/system/bin/inputflinger inputflinger_exec
/system/bin/logd logd_exec
@@ -467,7 +469,6 @@
/system/usr/share/zoneinfo system_zoneinfo_file
/system/usr/share/zoneinfo/0 system_zoneinfo_file
/system/bin/adbd adbd_exec
-/system/bin/aconfigd aconfigd_exec
/system/bin/aconfigd-system aconfigd_exec
/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
/system/bin/stats stats_exec
@@ -643,6 +644,7 @@
/odm/usr/keylayout/test.kl vendor_keylayout_file
/vendor/odm/usr/keylayout.kl vendor_keylayout_file
/vendor/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/usr/keylayout vendor_keylayout_file
/vendor/usr/keylayout.kl vendor_keylayout_file
/vendor/usr/keylayout/test.kl vendor_keylayout_file
/system/vendor/usr/keylayout.kl vendor_keylayout_file
@@ -651,6 +653,7 @@
/odm/usr/keychars/test.kcm vendor_keychars_file
/vendor/odm/usr/keychars.kcm vendor_keychars_file
/vendor/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/usr/keychars vendor_keychars_file
/vendor/usr/keychars.kcm vendor_keychars_file
/vendor/usr/keychars/test.kcm vendor_keychars_file
/system/vendor/usr/keychars.kcm vendor_keychars_file
@@ -659,6 +662,7 @@
/odm/usr/idc/test.idc vendor_idc_file
/vendor/odm/usr/idc.idc vendor_idc_file
/vendor/odm/usr/idc/test.idc vendor_idc_file
+/vendor/usr/idc vendor_idc_file
/vendor/usr/idc.idc vendor_idc_file
/vendor/usr/idc/test.idc vendor_idc_file
/system/vendor/usr/idc.idc vendor_idc_file
@@ -692,7 +696,7 @@
/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
-/vendor/odm//etc/selinux/odm_tee_service_contexts tee_service_contexts_file
+/vendor/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
/product system_file
/product/does_not_exist system_file
@@ -1077,6 +1081,8 @@
/data/misc/wifi/test wifi_data_file
/data/misc_ce/0/wifi wifi_data_file
/data/misc_ce/99/wifi/test wifi_data_file
+/data/misc/wifi/mainline_supplicant mainline_supplicant_data_file
+/data/misc/wifi/mainline_supplicant/sockets mainline_supplicant_data_file
/data/misc/wifi/sockets wpa_socket
/data/misc/wifi/sockets/test wpa_socket
/data/misc/wifi/sockets/wpa_ctrl_test system_wpa_socket
@@ -1264,8 +1270,6 @@
/metadata/aconfig/maps/test aconfig_storage_metadata_file
/metadata/aconfig/boot aconfig_storage_metadata_file
/metadata/aconfig/boot/test aconfig_storage_metadata_file
-/metadata/aconfig_test_missions aconfig_test_mission_files
-/metadata/aconfig_test_missions/test aconfig_test_mission_files
/metadata/apex apex_metadata_file
/metadata/apex/test apex_metadata_file
/metadata/vold vold_metadata_file
@@ -1292,6 +1296,8 @@
/metadata/repair-mode/test repair_mode_metadata_file
/metadata/tradeinmode tradeinmode_metadata_file
/metadata/tradeinmode/test tradeinmode_metadata_file
+/metadata/prefetch prefetch_metadata_file
+/metadata/prefetch/test prefetch_metadata_file
/mnt/asec asec_apk_file
/mnt/asec/test asec_apk_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index f68375b..c92991f 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -30,6 +30,7 @@
"RELEASE_SUPERVISION_SERVICE",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
"RELEASE_UNLOCKED_STORAGE_API",
+ "RELEASE_BLUETOOTH_SOCKET_SERVICE",
],
export_to: ["all_selinux_flags"],
}
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 75c89be..96a05f7 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -129,7 +129,8 @@
allow microdroid_manager ram_device:blk_file rw_file_perms;
# Allow microdroid_manager to read/write failure serial device
-allow microdroid_manager serial_device:chr_file w_file_perms;
+# tcdrain requires ioctl.
+allow microdroid_manager serial_device:chr_file { w_file_perms ioctl };
# Allow microdroid_manager to handle extra_apks
allow microdroid_manager extra_apk_file:dir create_dir_perms;
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 5ee967d..211405b 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -16,12 +16,6 @@
aconfig_storage_flags_metadata_file
}:file create_file_perms;
-# allow aconfigd to access shell_data_file for atest
-userdebug_or_eng(`
- allow aconfigd shell_data_file:dir search;
- allow aconfigd shell_data_file:file { getattr read open map };
-')
-
# allow aconfigd to log to the kernel dmesg via a file descriptor
# passed from init to aconfigd
allow aconfigd kmsg_device:chr_file write;
@@ -33,6 +27,7 @@
# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd apex_info_file:file r_file_perms;
###
### Neverallow assertions
@@ -41,3 +36,35 @@
# only init is allowed to enter the aconfigd domain
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;
+
+# Do not allow write access to boot/map storage files except, aconfigd and aconfigd_mainline.
+# These files are meant to serve flag reads for all processes. They are created by aconfigd (for
+# platform storage files) and aconfigd_mainline (mainline storage files) processes.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:dir no_w_dir_perms;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:file no_w_file_perms;
+
+# Only aconfigd and aconfigd_mainline can access persist storage files
+# These files are meant to serve as persist flag value storage, only aconfigd and
+# aconfigd_mainline process should manage them. Other processes should have zero access.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:file no_rw_file_perms;
diff --git a/private/aconfigd_mainline.te b/private/aconfigd_mainline.te
new file mode 100644
index 0000000..cd98d4b
--- /dev/null
+++ b/private/aconfigd_mainline.te
@@ -0,0 +1,38 @@
+# aconfigd_mainline -- manager for mainline aconfig flags
+type aconfigd_mainline, domain, coredomain, mlstrustedsubject;
+type aconfigd_mainline_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(aconfigd_mainline)
+
+# allow aconfigd_mainline to search /metadata dir as it needs to access files under
+# /metadata/aconfig dir
+allow aconfigd_mainline metadata_file:dir search;
+
+# aconfigd_mainline should be able to create storage files under /metadata/aconfig dir
+allow aconfigd_mainline {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd_mainline {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+# allow aconfigd_mainline to log to the kernel.
+allow aconfigd_mainline kmsg_device:chr_file write;
+
+# allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all
+# dirs under /apex to find all currently mounted mainline modules and get their
+# storage files
+allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms;
+allow aconfigd_mainline apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd_mainline apex_info_file:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd_mainline domain
+neverallow { domain -init } aconfigd_mainline:process transition;
+neverallow * aconfigd_mainline:process dyntransition;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 33d3783..4fe3843 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -6,7 +6,7 @@
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader bpffs_type:dir { add_name create remove_name search setattr write };
+allow bpfloader bpffs_type:dir { add_name create open read remove_name search setattr write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
@@ -29,8 +29,8 @@
###
# Note: we don't care about getattr/mounton/search
-neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search setattr write };
-neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name setattr write };
+neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create open read remove_name setattr write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 5ba9b3f..85eb601 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -2724,7 +2724,7 @@
(typeattributeset virtual_camera_service_202404 (virtual_camera_service))
(typeattributeset virtual_device_native_service_202404 (virtual_device_native_service))
(typeattributeset virtual_device_service_202404 (virtual_device_service))
-(typeattributeset virtual_face_hal_prop_202404 (virtual_face_hal_prop))
+(typeattributeset virtual_face_hal_prop_202404 (virtual_face_hal_prop virtual_face_prop))
(typeattributeset virtual_fingerprint_hal_prop_202404 (virtual_fingerprint_hal_prop virtual_fingerprint_prop))
(typeattributeset virtual_touchpad_202404 (virtual_touchpad))
(typeattributeset virtual_touchpad_exec_202404 (virtual_touchpad_exec))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 3ba4bcd..0bf3f7e 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -23,4 +23,6 @@
advanced_protection_service
sysfs_firmware_acpi_tables
dynamic_instrumentation_service
+ intrusion_detection_service
+ wifi_mainline_supplicant_service
))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a43f0fd..a9a37a4 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -80,6 +80,7 @@
ublk_control_device
usb_uvc_enabled_prop
virtual_face_hal_prop
+ virtual_face_prop
virtual_fingerprint_hal_prop
virtual_fingerprint_prop
hal_gatekeeper_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 8a46a08..23ad43a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -183,6 +183,7 @@
-shell
-system_server
-traceur_app
+ -prefetch
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
diff --git a/private/crosvm.te b/private/crosvm.te
index 71a35d9..750df24 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -112,11 +112,6 @@
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
- # Allow crosvm to mount Terminal app internal storage directory
- # to guest VM over virtiofs
- allow crosvm privapp_data_file:dir { getattr open read search };
- allow crosvm privapp_data_file:file { open };
-
# Allow crosvm to play sound.
binder_call(crosvm, audioserver)
allow crosvm audioserver_service:service_manager find;
@@ -179,14 +174,12 @@
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
-#
-# crosvm requires access to terminal app internal storage; the directory
-# is passed as a mount point to guest VM over virtiofs.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
+ privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
@@ -221,10 +214,12 @@
}:file read;
# Only virtualizationmanager can run crosvm
+# Allow vmlauncher app to launch crosvm for virtiofs
neverallow {
domain
-crosvm
-virtualizationmanager
+ -vmlauncher_app
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 515317b..4563895 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -584,7 +584,6 @@
# all processes need access to the underlying files.
is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, `
r_dir_file(domain, aconfig_storage_metadata_file);
- r_dir_file(domain, aconfig_test_mission_files);
')
r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
@@ -863,6 +862,7 @@
userdebug_or_eng(`-fsck')
userdebug_or_eng(`-init')
-recovery
+ userdebug_or_eng(`-remount')
-update_engine
} system_block_device:blk_file { write append };
@@ -1658,7 +1658,6 @@
-runas
-system_server
-zygote
- -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
@@ -1724,7 +1723,6 @@
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
- -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
@@ -1747,19 +1745,11 @@
-artd # compile secondary dex files
-installd
} {
+ privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { relabelfrom relabelto };
-neverallow {
- domain
- -artd # compile secondary dex files
- -installd
- -vmlauncher_app # it still cannot relabel files belong to other apps due to UID mismatch
-} {
- privapp_data_file
-}:dir_file_class_set { relabelfrom relabelto };
-
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
domain
@@ -2187,7 +2177,6 @@
-artd
-dumpstate
-installd
- userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
@@ -2235,7 +2224,6 @@
-installd
-simpleperf_app_runner
-system_server # why?
- userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
@@ -2266,10 +2254,6 @@
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
-# Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
-
neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13b7b9f..5e3bce5 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -34,7 +34,6 @@
')
r_dir_file(dumpstate, aconfig_storage_metadata_file);
-r_dir_file(dumpstate, aconfig_test_mission_files);
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
diff --git a/private/file.te b/private/file.te
index 98fbd35..189fb47 100644
--- a/private/file.te
+++ b/private/file.te
@@ -158,17 +158,21 @@
# Type for aconfig daemon socket
type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;
+# Type for aconfig mainline daemon socket
+type aconfigd_mainline_socket, file_type, coredomain_socket, mlstrustedobject;
+
# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;
# Type for /vendor/etc/aconfig
type vendor_aconfig_storage_file, vendor_file_type, file_type;
-type aconfig_test_mission_files, file_type;
-
# /data/misc/connectivityblobdb
type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/wifi/mainline_supplicant
+type mainline_supplicant_data_file, file_type, data_file_type, core_data_file_type;
+
# Type for /mnt/pre_reboot_dexopt
type pre_reboot_dexopt_file, file_type;
@@ -221,6 +225,9 @@
# /metadata/tradeinmode files
type tradeinmode_metadata_file, file_type;
+# /metadata/prefetch files
+type prefetch_metadata_file, file_type;
+
# Types added in 202504 in public/file.te
until_board_api(202504, `
type binderfs_logs_transactions, fs_type;
diff --git a/private/file_contexts b/private/file_contexts
index 20ef9b8..d6f7113 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -156,7 +156,7 @@
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/aconfigd u:object_r:aconfigd_socket:s0
+/dev/socket/aconfigd_mainline u:object_r:aconfigd_mainline_socket:s0
/dev/socket/aconfigd_system u:object_r:aconfigd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
@@ -329,6 +329,7 @@
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/mmd u:object_r:mmd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
@@ -396,7 +397,6 @@
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
-/system/bin/aconfigd u:object_r:aconfigd_exec:s0
/system/bin/aconfigd-system u:object_r:aconfigd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
@@ -414,6 +414,7 @@
/system/bin/bert_collector u:object_r:bert_collector_exec:s0
/system/bin/linux_vm_setup u:object_r:linux_vm_setup_exec:s0
/system/bin/tradeinmode u:object_r:tradeinmode_exec:s0
+/system/bin/prefetch u:object_r:prefetch_exec:s0
#############################
# Vendor files
@@ -472,8 +473,11 @@
/(odm|vendor/odm|vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
# Input configuration
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)? u:object_r:vendor_keylayout_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)? u:object_r:vendor_keychars_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)? u:object_r:vendor_idc_file:s0
/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
/oem(/.*)? u:object_r:oemfs:s0
@@ -716,6 +720,7 @@
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/wifi/mainline_supplicant(/.*)? u:object_r:mainline_supplicant_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
@@ -895,8 +900,8 @@
/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
/metadata/aconfig(/.*)? u:object_r:aconfig_storage_metadata_file:s0
/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
-/metadata/aconfig_test_missions(/.*)? u:object_r:aconfig_test_mission_files:s0
/metadata/tradeinmode(/.*)? u:object_r:tradeinmode_metadata_file:s0
+/metadata/prefetch(/.*)? u:object_r:prefetch_metadata_file:s0
############################
# mount point for ota metadata
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index c6785dd..db7f08f 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -34,6 +34,7 @@
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
+set_prop(flags_health_check, device_config_mmd_native_prop)
set_prop(flags_health_check, next_boot_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a257ce6..3ff1012 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -175,6 +175,7 @@
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
+genfscon sysfs /module/dm_bufio/parameters/max_age_seconds u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index fa3420a..148cb7e 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -132,8 +132,10 @@
allow gmscore_app shell_data_file:dir r_dir_perms;
# allow gms core app write to aconfigd socket
-allow gmscore_app aconfigd_socket:sock_file {read write};
-allow gmscore_app aconfigd:unix_stream_socket connectto;
+unix_socket_connect(gmscore_app, aconfigd, aconfigd);
+
+# allow gms core app write to aconfigd_mainline socket
+unix_socket_connect(gmscore_app, aconfigd_mainline, aconfigd_mainline);
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
diff --git a/private/init.te b/private/init.te
index d1f7c18..012ef0b 100644
--- a/private/init.te
+++ b/private/init.te
@@ -84,6 +84,11 @@
# Allow init to set 16kb app compatibility props
set_prop(init, bionic_linker_16kb_app_compat_prop)
+set_prop(init, pm_16kb_app_compat_prop)
+
+
+# Allow init to set/get prefetch boot prop to initiate record/replay
+set_prop(init, ctl_prefetch_prop);
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
@@ -718,6 +723,8 @@
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
+# Allow to change group owner and permissions for new swap setup in mmd
+allow init swap_block_device:blk_file setattr;
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
diff --git a/private/mmd.te b/private/mmd.te
new file mode 100644
index 0000000..90510f1
--- /dev/null
+++ b/private/mmd.te
@@ -0,0 +1,31 @@
+# mmd memory management daemon
+type mmd, domain;
+typeattribute mmd coredomain;
+type mmd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mmd)
+
+# Set mmd.enabled_aconfig properties.
+set_prop(mmd, mmd_prop)
+get_prop(mmd, device_config_mmd_native_prop)
+
+# mmd binder setup
+add_service(mmd, mmd_service)
+binder_use(mmd)
+
+# Read /proc/swaps
+allow mmd proc_swaps:file r_file_perms;
+
+# zram sysfs access
+allow mmd sysfs_zram:dir search;
+allow mmd sysfs_zram:file rw_file_perms;
+
+# procfs
+allow mmd proc_meminfo:file r_file_perms;
+
+# mkswap /dev/block/zram command
+allow mmd block_device:dir search;
+allow mmd swap_block_device:blk_file rw_file_perms;
+
+# swapon syscall
+allow mmd self:capability sys_admin;
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 2fc74b5..04cb70f 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -26,6 +26,9 @@
# Allow OT daemon to read/write on the socket created by System Server
allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;
+# Allow OT daemon to read/write on the UDP sockets created by system server
+allow ot_daemon system_server:udp_socket rw_socket_perms;
+
hal_client_domain(ot_daemon, hal_threadnetwork)
# Only ot_daemon can publish the binder service
diff --git a/private/prefetch.te b/private/prefetch.te
new file mode 100644
index 0000000..21287f3
--- /dev/null
+++ b/private/prefetch.te
@@ -0,0 +1,24 @@
+type prefetch, coredomain, domain;
+type prefetch_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(prefetch)
+
+# Allow prefetch to start recording by enabling tracing event under
+# /sys/kernel/tracing/events/filemap/mm_filemap_add_to_page_cache
+allow prefetch debugfs_tracing_instances:dir create_dir_perms;
+allow prefetch debugfs_tracing_instances:file rw_file_perms;
+
+# Allow to read/write/create/delete to storage prefetch record files
+allow prefetch metadata_file:dir search;
+allow prefetch prefetch_metadata_file:dir rw_dir_perms;
+allow prefetch prefetch_metadata_file:file create_file_perms;
+
+get_prop(prefetch, prefetch_boot_prop);
+set_prop(prefetch, prefetch_service_prop);
+
+# Disallow other domains controlling prefetch service.
+neverallow {
+ domain
+ -init
+ -shell
+} ctl_prefetch_prop:property_service set;
diff --git a/private/property.te b/private/property.te
index 3694666..525754f 100644
--- a/private/property.te
+++ b/private/property.te
@@ -3,12 +3,14 @@
system_internal_prop(adbd_tradeinmode_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(ctl_prefetch_prop)
system_internal_prop(ctl_uprobestats_prop)
system_internal_prop(crashrecovery_prop)
system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
+system_internal_prop(device_config_mmd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_remote_key_provisioning_native_prop)
system_internal_prop(device_config_statsd_native_prop)
@@ -34,6 +36,7 @@
system_internal_prop(localization_prop)
system_internal_prop(logd_auditrate_prop)
system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(mmd_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
@@ -42,6 +45,7 @@
system_internal_prop(misctrl_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
+system_internal_prop(prefetch_service_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
@@ -83,11 +87,14 @@
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
system_restricted_prop(page_size_prop)
+system_restricted_prop(pm_16kb_app_compat_prop)
+
# Properties with no restrictions
until_board_api(202504, `
system_public_prop(bluetooth_finder_prop)
system_public_prop(virtual_fingerprint_prop)
+ system_public_prop(virtual_face_prop)
')
# These types will be public starting at board api 202504
@@ -96,9 +103,15 @@
system_restricted_prop(profcollectd_etr_prop)
')
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+ system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
+
# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
system_vendor_config_prop(high_barometer_quality_prop)
+system_vendor_config_prop(prefetch_boot_prop)
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
@@ -866,3 +879,10 @@
-shell
userdebug_or_eng(`-su')
} bionic_linker_16kb_app_compat_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -shell
+ userdebug_or_eng(`-su')
+} pm_16kb_app_compat_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index a9116b3..b67fbff 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -203,6 +203,11 @@
ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+# Restrict access to control prefetch
+ctl.start$prefetch u:object_r:ctl_prefetch_prop:s0
+ctl.stop$prefetch u:object_r:ctl_prefetch_prop:s0
+ctl.restart$prefetch u:object_r:ctl_prefetch_prop:s0
+
# Restrict access to control uprobestats
ctl.start$uprobestats u:object_r:ctl_uprobestats_prop:s0
ctl.stop$uprobestats u:object_r:ctl_uprobestats_prop:s0
@@ -300,6 +305,7 @@
persist.device_config.memory_safety_native_boot. u:object_r:device_config_memory_safety_native_boot_prop:s0
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+persist.device_config.mmd_native. u:object_r:device_config_mmd_native_prop:s0
# Prop indicates the apex that bundles input configuration files (*.idc,*.kl,*.kcm)
input_device.config_file.apex u:object_r:input_device_config_prop:s0 exact string
@@ -355,6 +361,17 @@
ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
ro.product.charger.unplugged_shutdown_time u:object_r:charger_config_prop:s0 exact int
+# Prefetch boot properties which are tunables
+ro.prefetch_boot.enabled u:object_r:prefetch_boot_prop:s0 exact bool
+ro.prefetch_boot.trace_buffer_size_kib u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.duration_s u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.io_depth u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.max_fds u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.record_stop u:object_r:prefetch_boot_prop:s0 exact bool
+# Prefetch property to start and stop the record/replay
+prefetch_boot.record u:object_r:prefetch_service_prop:s0 exact bool
+prefetch_boot.replay u:object_r:prefetch_service_prop:s0 exact bool
+
# Virtual A/B and snapuserd properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
@@ -426,9 +443,6 @@
audio.timecheck.timeout_duration_ms u:object_r:audio_config_prop:s0 exact int
audio.timecheck.second_chance_duration_ms u:object_r:audio_config_prop:s0 exact int
-# Client wait timeout for audioserver before returning error (usually between 3000 to 10000).
-audio.service.client_wait_ms u:object_r:audio_config_prop:s0 exact int
-
# spatializer tuning
audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
@@ -748,6 +762,8 @@
pm.dexopt. u:object_r:future_pm_prop:s0 prefix
+pm.16kb.app_compat.disabled u:object_r:pm_16kb_app_compat_prop:s0 exact bool
+
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
@@ -1009,6 +1025,7 @@
ro.boot.revision u:object_r:bootloader_prop:s0 exact string
ro.boot.serialconsole u:object_r:bootloader_prop:s0 exact bool
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.public_key_digest u:object_r:bootloader_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
# Properties specific to virtualized deployments of Android
@@ -1659,28 +1676,28 @@
composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
# properties for the virtual Face HAL
-persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_hal_prop:s0 exact bool
-persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_hal_prop:s0 exact bool
-persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_hal_prop:s0 exact int
-persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_hal_prop:s0 exact int
-persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.lockout u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.type u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.strength u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.enrollments u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.features u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_prop:s0 exact int
+persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_prop:s0 exact int
+persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.enrollment_hit u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.next_enrollment u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.authenticator_id u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.challenge u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.lockout u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_prop:s0 exact int
# properties for the virtual Fingerprint HAL
persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_prop:s0 exact string
@@ -1763,3 +1780,11 @@
# Properties related to Trusty VMs
trusty.security_vm.nonsecure_vm_ready u:object_r:trusty_security_vm_sys_prop:s0 exact bool
trusty.security_vm.vm_cid u:object_r:trusty_security_vm_sys_prop:s0 exact int
+
+# Properties that allows vendors to enable Trusty security VM features
+trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+trusty.security_vm.keymint.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+
+# Properties for mmd
+mmd. u:object_r:mmd_prop:s0
+mmd.enabled_aconfig u:object_r:mmd_prop:s0 exact bool
diff --git a/private/service.te b/private/service.te
index 72949f9..7e89300 100644
--- a/private/service.te
+++ b/private/service.te
@@ -11,11 +11,13 @@
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type feature_flags_service, app_api_service, system_server_service, service_manager_type;
+type fwk_devicestate_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
+type mmd_service, service_manager_type;
type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type profcollectd_service, service_manager_type;
type protolog_configuration_service, app_api_service, system_api_service, system_server_service, service_manager_type;
@@ -57,8 +59,9 @@
type microfuchsia_service, service_manager_type;
')
-type uce_service, service_manager_type;
-type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
+type uce_service, service_manager_type;
+type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
+type wifi_mainline_supplicant_service, service_manager_type;
###
### Neverallow rules
diff --git a/private/service_contexts b/private/service_contexts
index 56268b6..1478e93 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,6 +3,7 @@
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.frameworks.vibrator.IVibratorControlService/default u:object_r:fwk_vibrator_control_service:s0
+android.frameworks.devicestate.IDeviceStateService/default u:object_r:fwk_devicestate_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
@@ -37,6 +38,7 @@
')
android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+android.hardware.bluetooth.socket.IBluetoothSocket/default u:object_r:hal_bluetooth_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
# The instance here is internal/0 following naming convention for ICameraProvider.
@@ -300,6 +302,9 @@
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
installd u:object_r:installd_service:s0
+starting_at_board_api(202504, `
+ intrusion_detection u:object_r:intrusion_detection_service:s0
+')
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
@@ -351,6 +356,7 @@
meminfo u:object_r:meminfo_service:s0
memtrack.proxy u:object_r:memtrackproxy_service:s0
midi u:object_r:midi_service:s0
+mmd u:object_r:mmd_service:s0
mount u:object_r:mount_service:s0
music_recognition u:object_r:music_recognition_service:s0
nearby u:object_r:nearby_service:s0
@@ -511,5 +517,9 @@
wifinl80211 u:object_r:wifinl80211_service:s0
wifiaware u:object_r:wifiaware_service:s0
wifirtt u:object_r:rttmanager_service:s0
+starting_at_board_api(202504, `
+ wifi_usd u:object_r:wifi_usd_service:s0
+')
+wifi_mainline_supplicant u:object_r:wifi_mainline_supplicant_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/shell.te b/private/shell.te
index 70f296e..890d6f4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -42,10 +42,8 @@
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
-# Allow shell to execute tradeinmode on userdebug builds, for testing.
-userdebug_or_eng(`
- domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
-')
+# Allow shell to execute tradeinmode for testing.
+domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
@@ -116,6 +114,9 @@
# Allow shell to enable 16 KB backcompat globally.
set_prop(shell, bionic_linker_16kb_app_compat_prop)
+# Allow shell to disable compat in package manager
+set_prop(shell, pm_16kb_app_compat_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
@@ -185,6 +186,8 @@
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
set_prop(shell, ctl_snapuserd_prop)
+# Allow shell to start/stop prefetch
+set_prop(shell, ctl_prefetch_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
diff --git a/private/statsd.te b/private/statsd.te
index 8b77c1e..3db5c60 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -41,6 +41,10 @@
# Allow statsd to trigger uprobestats via property.
set_prop(statsd, uprobestats_start_with_config_prop);
+
+# Allow statsd to use io_uring
+io_uring_use(statsd)
+
# Allow statsd to start the uprobestats service.
set_prop(statsd, ctl_uprobestats_prop)
binder_use(statsd)
diff --git a/private/system_server.te b/private/system_server.te
index 6eb5b74..01097f2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -293,6 +293,7 @@
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
+binder_call(system_server, mmd)
binder_call(system_server, netd)
binder_call(system_server, ot_daemon)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
@@ -304,6 +305,7 @@
binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, uprobestats)
+binder_call(system_server, wifi_mainline_supplicant)
binder_service(system_server)
# Use HALs
@@ -392,6 +394,7 @@
mediaswcodec
mediatranscoding
mediatuner
+ mmd
netd
sdcardd
servicemanager
@@ -813,12 +816,16 @@
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, device_config_tethering_u_or_later_native_prop)
+set_prop(system_server, device_config_mmd_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)
# staged flag properties
set_prop(system_server, next_boot_prop)
+# Allow system server to read pm.16kb.app_compat.disabled
+get_prop(system_server, pm_16kb_app_compat_prop)
+
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
@@ -1005,6 +1012,7 @@
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
+allow system_server mmd_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;
@@ -1023,6 +1031,7 @@
userdebug_or_eng(`
allow system_server profcollectd_service:service_manager find;
')
+allow system_server wifi_mainline_supplicant_service:service_manager find;
add_service(system_server, batteryproperties_service)
@@ -1275,6 +1284,11 @@
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
+# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
+starting_at_board_api(202504, `
+allow system_server sysfs_type:dir search;
+r_dir_file(system_server, sysfs_udc)
+')
# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)
@@ -1392,6 +1406,7 @@
device_config_aconfig_flags_prop
device_config_window_manager_native_boot_prop
device_config_tethering_u_or_later_native_prop
+ device_config_mmd_native_prop
next_boot_prop
}:property_service set;
@@ -1518,15 +1533,11 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
-allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_metadata_file:dir search;
+# allow system_server write to aconfigd socket
+unix_socket_connect(system_server, aconfigd, aconfigd);
-allow system_server aconfigd_socket:sock_file {read write};
-allow system_server aconfigd:unix_stream_socket connectto;
-
-allow system_server aconfig_test_mission_files:dir create_dir_perms;
-allow system_server aconfig_test_mission_files:file create_file_perms;
+# allow system_server write to aconfigd_mainline socket
+unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline);
allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;
@@ -1576,10 +1587,6 @@
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
-# Only system server should access /metadata/aconfig
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
-
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
diff --git a/private/traced.te b/private/traced.te
index 796095f..8a29541 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -53,6 +53,9 @@
userdebug_or_eng(`system_server_tmpfs')
}:file { getattr map read write };
+# Allow traced to detect if a process is frozen (b/381089063).
+allow traced cgroup_v2:file r_file_perms;
+
# Allow setting debug properties which guard initialization of the Perfetto SDK
# in SurfaceFlinger and HWUI's copy of Skia.
# Required for the android.sdk_sysprop_guard data source.
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
index 821faf4..dca1bc1 100644
--- a/private/tradeinmode.te
+++ b/private/tradeinmode.te
@@ -6,11 +6,9 @@
allow tradeinmode adbd_tradeinmode:fd use;
allow tradeinmode adbd_tradeinmode:unix_stream_socket { read write ioctl };
-# Allow running from normal shell on userdebug/eng.
-userdebug_or_eng(`
- allow tradeinmode { adbd shell }:fd use;
- allow tradeinmode adbd:unix_stream_socket { read write ioctl };
-')
+# Allow running from normal shell.
+allow tradeinmode { adbd shell }:fd use;
+allow tradeinmode adbd:unix_stream_socket { read write ioctl };
allow tradeinmode devpts:chr_file rw_file_perms;
@@ -23,6 +21,7 @@
get_prop(tradeinmode, odsign_prop)
get_prop(tradeinmode, build_attestation_prop)
+get_prop(tradeinmode, adbd_tradeinmode_prop)
# Needed to start activities through "am".
binder_call(tradeinmode, system_server)
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 0a2d62c..a50bc27 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -292,6 +292,7 @@
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, graphics_config_writable_prop)
+set_prop(vendor_init, prefetch_boot_prop);
set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
diff --git a/private/virtual_face.te b/private/virtual_face.te
index 0e33d6b..9a805e8 100644
--- a/private/virtual_face.te
+++ b/private/virtual_face.te
@@ -4,3 +4,4 @@
hal_server_domain(virtual_face, hal_face)
typeattribute virtual_face coredomain;
init_daemon_domain(virtual_face)
+set_prop(virtual_face, virtual_face_prop)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index a78d974..1acf734 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -124,7 +124,6 @@
-init
-virtualizationmanager
-virtualizationservice
- -vmlauncher_app
} virtualizationservice_data_file:file { open create };
neverallow virtualizationservice {
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index abee70f..ef34c31 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -12,9 +12,11 @@
virtualizationservice_use(vmlauncher_app)
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app crosvm:fd use;
+allow vmlauncher_app crosvm_tmpfs:file { map read write };
+allow vmlauncher_app crosvm_exec:file rx_file_perms;
-allow vmlauncher_app virtualizationservice_data_file:file { read relabelto open write unlink };
-allow vmlauncher_app privapp_data_file:file { relabelfrom };
+allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.
diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
new file mode 100644
index 0000000..d6c7998
--- /dev/null
+++ b/private/wifi_mainline_supplicant.te
@@ -0,0 +1,31 @@
+type wifi_mainline_supplicant, domain, coredomain;
+type wifi_mainline_supplicant_exec, system_file_type, exec_type, file_type;
+
+binder_use(wifi_mainline_supplicant)
+init_daemon_domain(wifi_mainline_supplicant)
+add_service(wifi_mainline_supplicant, wifi_mainline_supplicant_service)
+
+allow wifi_mainline_supplicant self:global_capability_class_set { setuid setgid net_admin net_raw };
+allow wifi_mainline_supplicant proc_net:file rw_file_perms;
+allow wifi_mainline_supplicant sysfs_net:dir search;
+
+# Allow limited access to the parent directory /data/misc/wifi/
+allow wifi_mainline_supplicant wifi_data_file:dir { getattr search };
+
+# Create temporary socket files in /data/misc/wifi/mainline_supplicant/sockets
+allow wifi_mainline_supplicant mainline_supplicant_data_file:dir create_dir_perms;
+allow wifi_mainline_supplicant mainline_supplicant_data_file:file create_file_perms;
+allow wifi_mainline_supplicant mainline_supplicant_data_file:sock_file { create write setattr unlink };
+
+# UDP sockets
+allow wifi_mainline_supplicant self:udp_socket create_socket_perms;
+allowxperm wifi_mainline_supplicant self:udp_socket ioctl { priv_sock_ioctls SIOCSIFFLAGS SIOCSIFHWADDR };
+
+# Packet sockets
+allow wifi_mainline_supplicant self:packet_socket create_socket_perms;
+allowxperm wifi_mainline_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+# Netlink sockets
+allow wifi_mainline_supplicant self:netlink_route_socket { bind create read write nlmsg_readpriv nlmsg_write };
+allow wifi_mainline_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow wifi_mainline_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/property.te b/public/property.te
index fa89cbb..cb18741 100644
--- a/public/property.te
+++ b/public/property.te
@@ -206,6 +206,9 @@
system_vendor_config_prop(usb_uvc_enabled_prop)
system_vendor_config_prop(setupwizard_mode_prop)
system_vendor_config_prop(pm_archiving_enabled_prop)
+starting_at_board_api(202504, `
+ system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
# Properties with no restrictions
system_public_prop(adbd_config_prop)
@@ -276,7 +279,10 @@
vendor_internal_prop(rebootescrow_hal_prop)
# Properties used in the default Face HAL implementations
-system_public_prop(virtual_face_hal_prop)
+vendor_internal_prop(virtual_face_hal_prop)
+starting_at_board_api(202504, `
+ system_public_prop(virtual_face_prop)
+')
# Properties used in the default Fingerprint HAL implementations
vendor_internal_prop(virtual_fingerprint_hal_prop)
diff --git a/public/service.te b/public/service.te
index 753d20d..854ceef 100644
--- a/public/service.te
+++ b/public/service.te
@@ -168,6 +168,9 @@
type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type intrusion_detection_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+')
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -295,6 +298,9 @@
type wifi_service, app_api_service, system_server_service, service_manager_type;
type wifinl80211_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type wifi_usd_service, app_api_service, system_server_service, service_manager_type;
+')
type window_service, system_api_service, system_server_service, service_manager_type;
type inputflinger_service, system_api_service, system_server_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1e89895..66ac4ec 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -22,6 +22,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.ranging-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.lmp_event-service\.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.socket-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.default u:object_r:hal_face_default_exec:s0
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 3d608cd..b9815ec 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -8,7 +8,10 @@
allow hal_face_default fwk_sensor_service:service_manager find;
# virtual_face_hal_prop is only for debuggable builds
-userdebug_or_eng(`set_prop(hal_face_default, virtual_face_hal_prop)');
+starting_at_board_api(202504, `
+ set_prop(hal_face_default, virtual_face_prop)
+')
+
neverallow { domain -init -dumpstate userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:property_service set;
