[automerger skipped] Allow virtual_camera to read and open dmabuf_system_heap_device am: ee976448c3 -s ours

am skip reason: Merged-In I418131f20b9384e37db3c16d52fe87f3d14440a5 with SHA-1 f9cba80a06 is already in history

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3420299

Change-Id: I691434753f5b8bacd7b3ce6fea6c5c0b37a17e32
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/Android.bp b/Android.bp
index dc6761c..558810c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -102,6 +102,7 @@
         "plat_property_contexts",
         "plat_seapp_contexts",
         "plat_sepolicy.cil",
+        "plat_sepolicy_genfs_202504.cil",
         "plat_service_contexts",
         "secilc",
         "plat_29.0.cil",
@@ -125,6 +126,9 @@
     }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
         true: ["plat_sepolicy_and_mapping.sha256"],
         default: [],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["plat_tee_service_contexts"],
+        default: [],
     }),
 }
 
@@ -146,7 +150,7 @@
 // policy and subsequent removal of CIL policy that should not be exported.
 se_policy_conf {
     name: "reqd_policy_mask.conf",
-    defaults: ["se_policy_conf_public_flags_defaults"],
+    defaults: ["se_policy_conf_flags_defaults"],
     srcs: reqd_mask_policy,
     installable: false,
 }
@@ -182,7 +186,7 @@
 //
 se_policy_conf {
     name: "pub_policy.conf",
-    defaults: ["se_policy_conf_public_flags_defaults"],
+    defaults: ["se_policy_conf_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         product_public_policy +
@@ -202,7 +206,7 @@
 
 se_policy_conf {
     name: "system_ext_pub_policy.conf",
-    defaults: ["se_policy_conf_public_flags_defaults"],
+    defaults: ["se_policy_conf_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         reqd_mask_policy,
@@ -221,7 +225,7 @@
 
 se_policy_conf {
     name: "plat_pub_policy.conf",
-    defaults: ["se_policy_conf_public_flags_defaults"],
+    defaults: ["se_policy_conf_flags_defaults"],
     srcs: plat_public_policy +
         reqd_mask_policy,
     installable: false,
@@ -410,7 +414,7 @@
 // policy and the platform public policy files in order to use checkpolicy.
 se_policy_conf {
     name: "vendor_sepolicy.conf",
-    defaults: ["se_policy_conf_public_flags_defaults"],
+    defaults: ["se_policy_conf_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         product_public_policy +
@@ -452,7 +456,7 @@
 // policy and the platform public policy files in order to use checkpolicy.
 se_policy_conf {
     name: "odm_sepolicy.conf",
-    defaults: ["se_policy_conf_public_flags_defaults"],
+    defaults: ["se_policy_conf_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         product_public_policy +
@@ -509,7 +513,7 @@
 //   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
 // See system/core/init/selinux.cpp for details.
 //////////////////////////////////
-genrule {
+java_genrule {
     name: "plat_sepolicy_and_mapping.sha256_gen",
     srcs: [
         ":plat_sepolicy.cil",
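Review bot: The switch from `genrule` to `java_genrule` on the `plat_sepolicy_and_mapping.sha256_gen` module is not explained anywhere in the file, and the same unexplained switch recurs for the system_ext and product sha256 generators in the next two hunks, for `sepolicy_test` and `dev_type_test_genrule` further down, and for the new file_contexts.*.tmp rules in the last hunk. A reader who sees a Java rule type producing SELinux artifacts will assume a mistake and may revert it. Presumably the motivation is the single common (non-arch) variant that java_genrule provides — confirm — and the reason belongs next to the first use, e.g. `// java_genrule instead of genrule: <state why the common variant is required>; keep in sync with the other sha256/test rules below.`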
@@ -526,7 +530,7 @@
     relative_install_path: "selinux",
 }
 
-genrule {
+java_genrule {
     name: "system_ext_sepolicy_and_mapping.sha256_gen",
     srcs: [
         ":system_ext_sepolicy.cil",
@@ -544,7 +548,7 @@
     system_ext_specific: true,
 }
 
-genrule {
+java_genrule {
     name: "product_sepolicy_and_mapping.sha256_gen",
     srcs: [
         ":product_sepolicy.cil",
@@ -568,6 +572,22 @@
     vendor: true,
 }
 
+genrule {
+    name: "genfs_labels_version.txt.gen",
+    out: ["genfs_labels_version.txt"],
+    cmd: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
+        any @ value: "echo " + value + " > $(out)",
+        default: "echo > $(out)",
+    }),
+}
+
+prebuilt_etc {
+    name: "genfs_labels_version.txt",
+    src: ":genfs_labels_version.txt.gen",
+    relative_install_path: "selinux",
+    vendor: true,
+}
+
 soong_config_module_type {
     name: "precompiled_sepolicy_prebuilts_defaults",
     module_type: "prebuilt_defaults",
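Review bot: The `genfs_labels_version.txt.gen` rule writes whatever BOARD_GENFS_LABELS_VERSION holds straight into a shell command and into a file installed on the vendor partition, while the `precompiled_sepolicy_srcs` select in a later hunk only recognizes `"202504"`; a mistyped or future value therefore yields a version file claiming a genfs version for which no `plat_sepolicy_genfs_*.cil` is included, and nothing in this commit catches the mismatch. Board config is a trusted build input, so this is a consistency problem rather than an injection risk, but it should fail at build time rather than surface at boot. Restricting the generator to the same value set, `"202504": "echo 202504 > $(out)",` in place of the `any @ value` branch, keeps the two selects in lockstep; if the wildcard is wanted, add `// NOTE: any value is accepted here; keep in sync with the BOARD_GENFS_LABELS_VERSION select in precompiled_sepolicy_srcs`. The default branch emits a file containing only a newline, which the boot-time consumer presumably treats as "no version" — confirm.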
@@ -640,7 +660,7 @@
 
 filegroup {
     name: "precompiled_sepolicy_srcs",
-    srcs: [
+    device_common_srcs: [
         ":plat_sepolicy.cil",
         ":plat_pub_versioned.cil",
         ":system_ext_sepolicy.cil",
@@ -651,6 +671,10 @@
         ":system_ext_mapping_file",
         ":product_mapping_file",
     ],
+    device_first_srcs: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
+        "202504": [":plat_sepolicy_genfs_202504.cil"],
+        default: [],
+    }),
     // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
     // Useful when some partitions need to be bind mounted across VM boundaries.
     visibility: ["//visibility:public"],
@@ -793,7 +817,7 @@
 
 se_policy_conf {
     name: "base_plat_pub_policy.conf",
-    defaults: ["se_policy_conf_public_flags_defaults"],
+    defaults: ["se_policy_conf_flags_defaults"],
     srcs: plat_public_policy +
         reqd_mask_policy,
     build_variant: "user",
@@ -813,7 +837,7 @@
 
 se_policy_conf {
     name: "base_product_pub_policy.conf",
-    defaults: ["se_policy_conf_public_flags_defaults"],
+    defaults: ["se_policy_conf_flags_defaults"],
     srcs: plat_public_policy +
         system_ext_public_policy +
         product_public_policy +
@@ -890,7 +914,7 @@
 // sepolicy_test checks various types of violations, which can't be easily done
 // by CIL itself. Refer tests/sepolicy_tests.py for more detail.
 //////////////////////////////////
-genrule {
+java_genrule {
     name: "sepolicy_test",
     srcs: [
         ":plat_file_contexts",
@@ -918,7 +942,7 @@
 
 soong_config_module_type {
     name: "dev_type_test_genrule",
-    module_type: "genrule",
+    module_type: "java_genrule",
     config_namespace: "ANDROID",
     bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
     properties: ["cmd"],
@@ -953,3 +977,383 @@
         },
     },
 }
+
+phony {
+    name: "selinux_policy_system_ext",
+    required: [
+        //"ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY" check included in system_ext_pub_policy.cil
+        "system_ext_mapping_file",
+        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
+        "system_ext_sepolicy.cil",
+    ] + [
+        //"ifdef HAS_SYSTEM_EXT_SEPOLICY" check included in .cil
+        "system_ext_29.0.cil",
+        "system_ext_30.0.cil",
+        "system_ext_31.0.cil",
+        "system_ext_32.0.cil",
+        "system_ext_33.0.cil",
+        "system_ext_34.0.cil",
+    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": [],
+        default: [
+            "system_ext_202404.cil",
+        ],
+    }) +
+    select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
+        true: ["system_ext_sepolicy_and_mapping.sha256"],
+        default: [],
+    }) + [
+        "system_ext_file_contexts",
+        "system_ext_file_contexts_test",
+        "system_ext_keystore2_key_contexts",
+        "system_ext_hwservice_contexts",
+        "system_ext_hwservice_contexts_test",
+        "system_ext_property_contexts",
+        "system_ext_property_contexts_test",
+        "system_ext_seapp_contexts",
+        "system_ext_service_contexts",
+        "system_ext_service_contexts_test",
+        "system_ext_mac_permissions.xml",
+        "system_ext_bug_map",
+        // $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+        "system_ext_29.0.compat.cil",
+        "system_ext_30.0.compat.cil",
+        "system_ext_31.0.compat.cil",
+        "system_ext_32.0.compat.cil",
+        "system_ext_33.0.compat.cil",
+        "system_ext_34.0.compat.cil",
+    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": [],
+        default: [
+            "system_ext_202404.compat.cil",
+        ],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["system_ext_tee_service_contexts"],
+        default: [],
+    }),
+    system_ext_specific: true,
+}
+
+phony {
+    name: "selinux_policy_product",
+    required: [
+        "product_mapping_file",
+        "product_sepolicy.cil",
+        // "ifdef HAS_PRODUCT_PUBLIC_SEPOLICY" check included in .cil
+        "product_29.0.cil",
+        "product_30.0.cil",
+        "product_31.0.cil",
+        "product_32.0.cil",
+        "product_33.0.cil",
+        "product_34.0.cil",
+        "product_file_contexts",
+        // "ifdef HAS_PRODUCT_SEPOLICY_DIR" in Android.mk can be ignored.
+        "product_file_contexts_test",
+        "product_keystore2_key_contexts",
+        "product_hwservice_contexts",
+        "product_hwservice_contexts_test",
+        "product_property_contexts",
+        "product_property_contexts_test",
+        "product_seapp_contexts",
+        "product_service_contexts",
+        "product_service_contexts_test",
+        "product_mac_permissions.xml",
+    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
+        true: ["product_sepolicy_and_mapping.sha256"],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": [],
+        default: [
+            "product_202404.cil",
+        ],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["product_tee_service_contexts"],
+        default: [],
+    }),
+    product_specific: true,
+}
+
+phony {
+    name: "selinux_policy_nonsystem",
+    required: [
+        "selinux_policy_system_ext",
+        "selinux_policy_product",
+        "selinux_policy_vendor",
+        "selinux_policy_odm",
+        // Builds an additional userdebug sepolicy into the debug ramdisk.
+        "userdebug_plat_sepolicy.cil",
+    ],
+}
+
+phony {
+    name: "selinux_policy_vendor",
+    required: [
+        "genfs_labels_version.txt",
+        "plat_pub_versioned.cil",
+        "vendor_sepolicy.cil",
+        "plat_sepolicy_vers.txt",
+        "vendor_file_contexts",
+        "vendor_file_contexts_test",
+        "vendor_keystore2_key_contexts",
+        "vendor_mac_permissions.xml",
+        "vendor_property_contexts",
+        "vendor_property_contexts_test",
+        "vendor_seapp_contexts",
+        "vendor_service_contexts",
+        "vendor_service_contexts_test",
+        "vendor_hwservice_contexts",
+        "vendor_hwservice_contexts_test",
+        "vendor_bug_map",
+        "vndservice_contexts",
+        "vndservice_contexts_test",
+    ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["vendor_tee_service_contexts"],
+        default: [],
+    }),
+    vendor: true,
+}
+
+phony {
+    name: "selinux_policy_odm",
+    required: [
+        "odm_sepolicy.cil",
+        "odm_file_contexts",
+        "odm_file_contexts_test",
+        "odm_seapp_contexts",
+        "odm_property_contexts",
+        "odm_property_contexts_test",
+        "odm_service_contexts",
+        "odm_service_contexts_test",
+        "odm_hwservice_contexts",
+        "odm_hwservice_contexts_test",
+        "odm_mac_permissions.xml",
+    ] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
+        true: [
+            "precompiled_sepolicy",
+            "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+            "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+            "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+        ],
+        default: [],
+    }),
+    device_specific: true,
+}
+
+phony {
+    name: "selinux_policy_system",
+    required: [
+        "29.0.compat.cil",
+        "30.0.compat.cil",
+        "31.0.compat.cil",
+        "32.0.compat.cil",
+        "33.0.compat.cil",
+        "34.0.compat.cil",
+        "build_sepolicy",
+        "fuzzer_bindings_test",
+        "plat_29.0.cil",
+        "plat_30.0.cil",
+        "plat_31.0.cil",
+        "plat_32.0.cil",
+        "plat_33.0.cil",
+        "plat_34.0.cil",
+        "plat_bug_map",
+        "plat_file_contexts",
+        "plat_file_contexts_data_test",
+        "plat_file_contexts_test",
+        "plat_hwservice_contexts",
+        "plat_hwservice_contexts_test",
+        "plat_keystore2_key_contexts",
+        "plat_mac_permissions.xml",
+        "plat_mapping_file",
+        "plat_property_contexts",
+        "plat_property_contexts_test",
+        "plat_seapp_contexts",
+        "plat_sepolicy.cil",
+        "plat_sepolicy_genfs_202504.cil",
+        "plat_service_contexts",
+        "plat_service_contexts_test",
+        "searchpolicy",
+        "secilc",
+    ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": [],
+        default: [
+            "202404.compat.cil",
+            "plat_202404.cil",
+        ],
+    }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
+        true: ["plat_sepolicy_and_mapping.sha256"],
+        default: [],
+    }) + select((
+        soong_config_variable("ANDROID", "ASAN_ENABLED"),
+        product_variable("selinux_ignore_neverallows"),
+    ), {
+        (true, true): [
+        ],
+        (default, default): [
+            "sepolicy_compat_test",
+            "sepolicy_test",
+            "sepolicy_dev_type_test",
+            "treble_sepolicy_tests_29.0",
+            "treble_sepolicy_tests_30.0",
+            "treble_sepolicy_tests_31.0",
+            "treble_sepolicy_tests_32.0",
+            "treble_sepolicy_tests_33.0",
+            "treble_sepolicy_tests_34.0",
+        ],
+    }) + select((
+        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+        soong_config_variable("ANDROID", "ASAN_ENABLED"),
+        product_variable("selinux_ignore_neverallows"),
+    ), {
+        ("202404", true, true): [],
+        (default, true, true): [],
+        (default, default, default): [
+            "treble_sepolicy_tests_202404",
+        ],
+    }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
+        true: ["se_freeze_test"],
+        default: [],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["plat_tee_service_contexts"],
+        default: [],
+    }),
+}
+
+phony {
+    name: "selinux_policy",
+    required: [
+        // Runs checkfc against merged service_contexts files
+        "merged_hwservice_contexts_test",
+        "merged_service_contexts_test",
+        "selinux_policy_nonsystem",
+        "selinux_policy_system",
+    ],
+}
+
+// selinux_policy is a main goal and triggers lots of tests.
+// Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
+// By setting as droidcore's dependency, tests will run on normal builds.
+phony_rule {
+    name: "droidcore",
+    phony_deps: ["selinux_policy"],
+}
+
+//-----------------------------------------------------------------------------
+// TODO - remove this.   Keep around until we get the filesystem creation stuff
+// taken care of.
+//
+// The file_contexts.bin is built in the following way:
+// 1. Collect all file_contexts files in THIS repository and process them with
+//    m4 into a tmp file called file_contexts.local.tmp.
+// 2. Collect all device specific file_contexts files and process them with m4
+//    into a tmp file called file_contexts.device.tmp.
+// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
+// 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
+//    into file_contexts.concat.tmp.
+// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+//    file_contexts.bin.
+//
+//  Note: That a newline file is placed between each file_context file found to
+//        ensure a proper build when an fc file is missing an ending newline.
+//---
+// 1. Collect all file_contexts files in THIS repository and process them with
+//    m4 into a tmp file called file_contexts.local.tmp.
+java_genrule {
+    name: "file_contexts.local.tmp",
+    srcs: [
+        ":plat_file_contexts",
+        ":system_ext_file_contexts",
+        ":product_file_contexts",
+    ],
+    tools: [
+        "m4",
+    ],
+    out: ["file_contexts.local.tmp"],
+    cmd: "$(location m4) --fatal-warnings " +
+        "-s $(in) > $(out)",
+}
+
+// 2. Collect all device specific file_contexts files and process them with m4
+//    into a tmp file called file_contexts.device.tmp.
+PRIVATE_ADDITIONAL_M4DEFS = select(soong_config_variable("ANDROID", "ADDITIONAL_M4DEFS"), {
+    any @ m4defs: m4defs,
+    default: "",
+})
+java_genrule {
+    name: "file_contexts.device.tmp",
+    srcs: [
+        ":vendor_file_contexts",
+        ":odm_file_contexts",
+    ],
+    tools: [
+        "m4",
+    ],
+    out: ["file_contexts.device.tmp"],
+    cmd: "$(location m4) --fatal-warnings " +
+        "-s " + PRIVATE_ADDITIONAL_M4DEFS +
+        " $(in) > $(out)",
+}
+
+// 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+//    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
+java_genrule {
+    name: "file_contexts.device.sorted.tmp",
+    srcs: [
+        ":file_contexts.device.tmp",
+        ":precompiled_sepolicy",
+    ],
+    tools: [
+        "checkfc",
+        "fc_sort",
+    ],
+    out: ["file_contexts.device.sorted.tmp"],
+    cmd: "$(location checkfc) " +
+        "-e $(location :precompiled_sepolicy) " +
+        "$(location :file_contexts.device.tmp) && " +
+        "$(location fc_sort) " +
+        "-i $(location :file_contexts.device.tmp) " +
+        "-o $(out)",
+}
+
+// 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
+//    into file_contexts.concat.tmp.
+java_genrule {
+    name: "file_contexts.concat.tmp",
+    srcs: [
+        ":file_contexts.local.tmp",
+        ":file_contexts.device.sorted.tmp",
+    ],
+    tools: [
+        "m4",
+    ],
+    out: ["file_contexts.concat.tmp"],
+    cmd: "$(location m4) --fatal-warnings " +
+        "-s $(location :file_contexts.local.tmp) " +
+        "$(location :file_contexts.device.sorted.tmp) > $(out)",
+}
+
+// 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+//    file_contexts.bin.
+java_genrule {
+    name: "file_contexts_bin_gen",
+    srcs: [
+        ":file_contexts.concat.tmp",
+        ":precompiled_sepolicy",
+    ],
+    tools: [
+        "checkfc",
+        "sefcontext_compile",
+    ],
+    out: ["file_contexts.bin"],
+    cmd: "$(location checkfc) " +
+        "$(location :precompiled_sepolicy) " +
+        "$(location :file_contexts.concat.tmp) && " +
+        "$(location sefcontext_compile) " +
+        "-o $(out) $(location :file_contexts.concat.tmp)",
+}
+
+prebuilt_etc {
+    name: "file_contexts.bin",
+    src: ":file_contexts_bin_gen",
+}
diff --git a/Android.mk b/Android.mk
deleted file mode 100644
index dc62833..0000000
--- a/Android.mk
+++ /dev/null
@@ -1,560 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-ifdef BOARD_SEPOLICY_UNION
-$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_M4DEFS
-LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
-else
-LOCAL_ADDITIONAL_M4DEFS :=
-endif
-
-# sepolicy is now divided into multiple portions:
-# public - policy exported on which non-platform policy developers may write
-#   additional policy.  types and attributes are versioned and included in
-#   delivered non-platform policy, which is to be combined with platform policy.
-# private - platform-only policy required for platform functionality but which
-#  is not exported to vendor policy developers and as such may not be assumed
-#  to exist.
-# vendor - vendor-only policy required for vendor functionality. This policy can
-#  reference the public policy but cannot reference the private policy. This
-#  policy is for components which are produced from the core/non-vendor tree and
-#  placed into a vendor partition.
-# mapping - This contains policy statements which map the attributes
-#  exposed in the public policy of previous versions to the concrete types used
-#  in this policy to ensure that policy targeting attributes from public
-#  policy from an older platform version continues to work.
-
-# build process for device:
-# 1) convert policies to CIL:
-#    - private + public platform policy to CIL
-#    - mapping file to CIL (should already be in CIL form)
-#    - non-platform public policy to CIL
-#    - non-platform public + private policy to CIL
-# 2) attributize policy
-#    - run script which takes non-platform public and non-platform combined
-#      private + public policy and produces attributized and versioned
-#      non-platform policy
-# 3) combine policy files
-#    - combine mapping, platform and non-platform policy.
-#    - compile output binary policy file
-
-PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
-PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
-PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
-REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-
-SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
-SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
-
-PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
-PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
-
-ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
-HAS_SYSTEM_EXT_SEPOLICY_DIR := true
-endif
-
-# TODO(b/119305624): Currently if the device doesn't have a product partition,
-# we install product sepolicy into /system/product. We do that because bits of
-# product sepolicy that's still in /system might depend on bits that have moved
-# to /product. Once we finish migrating product sepolicy out of system, change
-# it so that if no product partition is present, product sepolicy artifacts are
-# not built and installed at all.
-ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
-HAS_PRODUCT_SEPOLICY_DIR := true
-endif
-
-ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-ifeq ($(TARGET_BUILD_VARIANT),user)
-$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
-endif
-$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
-          It does not work in user builds and using it will \
-          not stop you from failing CTS.)
-endif
-
-# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
-# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
-# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
-# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
-ifdef BOARD_SEPOLICY_DIRS
-BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
-endif
-
-###########################################################
-# Compute policy files to be used in policy build.
-# $(1): files to include
-# $(2): directories in which to find files
-###########################################################
-
-define build_policy
-$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
-endef
-
-sepolicy_build_files := security_classes \
-                        initial_sids \
-                        access_vectors \
-                        global_macros \
-                        neverallow_macros \
-                        mls_macros \
-                        mls_decl \
-                        mls \
-                        policy_capabilities \
-                        te_macros \
-                        attributes \
-                        ioctl_defines \
-                        ioctl_macros \
-                        *.te \
-                        roles_decl \
-                        roles \
-                        users \
-                        initial_sid_contexts \
-                        fs_use \
-                        genfs_contexts \
-                        port_contexts
-
-sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
-                           $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver))))
-
-# Security classes and permissions defined outside of system/sepolicy.
-security_class_extension_files := $(call build_policy, security_classes access_vectors, \
-  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
-  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
-  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-
-ifneq (,$(strip $(security_class_extension_files)))
-  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-  # Checks if there are public system_ext policy files.
-  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
-  ifneq (,$(strip $(policy_files)))
-    HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
-  endif
-  # Checks if there are public/private system_ext policy files.
-  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-  ifneq (,$(strip $(policy_files)))
-    HAS_SYSTEM_EXT_SEPOLICY := true
-  endif
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-  # Checks if there are public product policy files.
-  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
-  ifneq (,$(strip $(policy_files)))
-    HAS_PRODUCT_PUBLIC_SEPOLICY := true
-  endif
-  # Checks if there are public/private product policy files.
-  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-  ifneq (,$(strip $(policy_files)))
-    HAS_PRODUCT_SEPOLICY := true
-  endif
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-with_asan := false
-ifneq (,$(filter address,$(SANITIZE_TARGET)))
-  with_asan := true
-endif
-
-ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
-  #$(warning no product shipping level defined)
-else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
-  ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
-    $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
-  endif
-endif
-
-ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
-  #$(warning no product shipping level defined)
-else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
-  ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
-    $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
-  endif
-endif
-
-#################################
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_policy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_TAGS := optional
-LOCAL_REQUIRED_MODULES += \
-    selinux_policy_nonsystem \
-    selinux_policy_system \
-
-include $(BUILD_PHONY_PACKAGE)
-
-# selinux_policy is a main goal and triggers lots of tests.
-# Most tests are FAKE modules, so aren'triggered on normal builds. (e.g. 'm')
-# By setting as droidcore's dependency, tests will run on normal builds.
-droidcore: selinux_policy
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := selinux_policy_system
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-# These build targets are not used on non-Treble devices. However, we build these to avoid
-# divergence between Treble and non-Treble devices.
-LOCAL_REQUIRED_MODULES += \
-    plat_mapping_file \
-    $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
-    $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
-    plat_sepolicy.cil \
-    secilc \
-
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
-endif
-
-LOCAL_REQUIRED_MODULES += \
-    build_sepolicy \
-    plat_file_contexts \
-    plat_file_contexts_test \
-    plat_keystore2_key_contexts \
-    plat_mac_permissions.xml \
-    plat_property_contexts \
-    plat_property_contexts_test \
-    plat_seapp_contexts \
-    plat_service_contexts \
-    plat_service_contexts_test \
-    plat_hwservice_contexts \
-    plat_hwservice_contexts_test \
-    fuzzer_bindings_test \
-    plat_bug_map \
-    searchpolicy \
-
-ifneq ($(with_asan),true)
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
-LOCAL_REQUIRED_MODULES += \
-    sepolicy_compat_test \
-
-# HACK: sepolicy_test is implemented as genrule
-# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
-# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
-LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
-LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test
-
-LOCAL_REQUIRED_MODULES += \
-    $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
-
-endif  # SELINUX_IGNORE_NEVERALLOWS
-endif  # with_asan
-
-ifeq ($(RELEASE_BOARD_API_LEVEL_FROZEN),true)
-LOCAL_REQUIRED_MODULES += \
-    se_freeze_test
-endif
-
-include $(BUILD_PHONY_PACKAGE)
-
-#################################
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_policy_system_ext
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-# Include precompiled policy, unless told otherwise.
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
-endif
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += \
-    system_ext_mapping_file
-
-system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
-
-LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
-
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-LOCAL_REQUIRED_MODULES += \
-    system_ext_file_contexts \
-    system_ext_file_contexts_test \
-    system_ext_keystore2_key_contexts \
-    system_ext_hwservice_contexts \
-    system_ext_hwservice_contexts_test \
-    system_ext_property_contexts \
-    system_ext_property_contexts_test \
-    system_ext_seapp_contexts \
-    system_ext_service_contexts \
-    system_ext_service_contexts_test \
-    system_ext_mac_permissions.xml \
-    system_ext_bug_map \
-    $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
-
-endif
-
-include $(BUILD_PHONY_PACKAGE)
-
-#################################
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_policy_product
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-# Include precompiled policy, unless told otherwise.
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
-endif
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_sepolicy.cil
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += \
-    product_mapping_file
-
-product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
-
-LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
-
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-LOCAL_REQUIRED_MODULES += \
-    product_file_contexts \
-    product_file_contexts_test \
-    product_keystore2_key_contexts \
-    product_hwservice_contexts \
-    product_hwservice_contexts_test \
-    product_property_contexts \
-    product_property_contexts_test \
-    product_seapp_contexts \
-    product_service_contexts \
-    product_service_contexts_test \
-    product_mac_permissions.xml \
-
-endif
-
-include $(BUILD_PHONY_PACKAGE)
-
-#################################
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_policy_nonsystem
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-# Include precompiled policy, unless told otherwise.
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += \
-    precompiled_sepolicy \
-    precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-endif
-
-endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-
-
-# These build targets are not used on non-Treble devices. However, we build these to avoid
-# divergence between Treble and non-Treble devices.
-LOCAL_REQUIRED_MODULES += \
-    plat_pub_versioned.cil \
-    vendor_sepolicy.cil \
-    plat_sepolicy_vers.txt \
-
-LOCAL_REQUIRED_MODULES += \
-    vendor_file_contexts \
-    vendor_file_contexts_test \
-    vendor_keystore2_key_contexts \
-    vendor_mac_permissions.xml \
-    vendor_property_contexts \
-    vendor_property_contexts_test \
-    vendor_seapp_contexts \
-    vendor_service_contexts \
-    vendor_service_contexts_test \
-    vendor_hwservice_contexts \
-    vendor_hwservice_contexts_test \
-    vendor_bug_map \
-    vndservice_contexts \
-    vndservice_contexts_test \
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-LOCAL_REQUIRED_MODULES += \
-    odm_sepolicy.cil \
-    odm_file_contexts \
-    odm_file_contexts_test \
-    odm_seapp_contexts \
-    odm_property_contexts \
-    odm_property_contexts_test \
-    odm_service_contexts \
-    odm_service_contexts_test \
-    odm_hwservice_contexts \
-    odm_hwservice_contexts_test \
-    odm_mac_permissions.xml
-endif
-
-LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
-LOCAL_REQUIRED_MODULES += selinux_policy_product
-
-# Builds an addtional userdebug sepolicy into the debug ramdisk.
-LOCAL_REQUIRED_MODULES += \
-    userdebug_plat_sepolicy.cil \
-
-include $(BUILD_PHONY_PACKAGE)
-
-##################################
-# Policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of policy files.
-#
-built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
-
-##################################
-# TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
-#
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := file_contexts.bin
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# The file_contexts.bin is built in the following way:
-# 1. Collect all file_contexts files in THIS repository and process them with
-#    m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all device specific file_contexts files and process them with m4
-#    into a tmp file called file_contexts.device.tmp.
-# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
-#    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 4. Concatenate file_contexts.local.tmp and  file_contexts.device.sorted.tmp
-#    into file_contexts.concat.tmp.
-# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
-#    file_contexts.bin.
-#
-#  Note: That a newline file is placed between each file_context file found to
-#        ensure a proper build when an fc file is missing an ending newline.
-
-local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts
-endif
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
-	$(hide) mkdir -p $$(dir $$@)
-	$(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
-
-file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
-
-device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts
-endif
-
-file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
-$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(file_contexts.device.tmp): PRIVATE_DEVICE_FC_FILES := $(device_fc_files)
-$(file_contexts.device.tmp): $(device_fc_files) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_DEVICE_FC_FILES) > $@
-
-file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
-$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
-  $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
-
-file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(call merge-fc-files,\
-  $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-
-local_fc_files :=
-device_fc_files :=
-file_contexts.concat.tmp :=
-file_contexts.device.sorted.tmp :=
-file_contexts.device.tmp :=
-file_contexts.local.tmp :=
-
-##################################
-# Tests for Treble compatibility of current platform policy and vendor policy of
-# given release version.
-
-ver := $(PLATFORM_SEPOLICY_VERSION)
-ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
-# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
-base_plat_pub_policy.cil    := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
-else
-# If not, use ToT for compat test
-base_plat_pub_policy.cil    := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
-endif
-ver :=
-
-$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
-  $(eval version_under_treble_tests := $(v)) \
-  $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
-)
-
-base_plat_pub_policy.cil :=
-base_product_pub_policy.cil :=
-
-#################################
-
-
-build_policy :=
-built_sepolicy :=
-sepolicy_build_files :=
-with_asan :=
diff --git a/apex/Android.bp b/apex/Android.bp
index c9c06e3..66f8ef3 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -156,6 +156,13 @@
 }
 
 filegroup {
+    name: "com.android.nfcservices-file_contexts",
+    srcs: [
+        "com.android.nfcservices-file_contexts",
+    ],
+}
+
+filegroup {
     name: "com.android.os.statsd-file_contexts",
     srcs: [
         "com.android.os.statsd-file_contexts",
@@ -246,6 +253,13 @@
 }
 
 filegroup {
+    name: "com.android.bt-file_contexts",
+    srcs: [
+        "com.android.bt-file_contexts",
+    ],
+}
+
+filegroup {
     name: "com.android.car.framework-file_contexts",
     srcs: [
         "com.android.car.framework-file_contexts",
@@ -286,3 +300,45 @@
         "com.android.telephonymodules-file_contexts",
     ],
 }
+
+filegroup {
+    name: "com.android.configinfrastructure-file_contexts",
+    srcs: [
+        "com.android.configinfrastructure-file_contexts",
+    ],
+}
+
+filegroup {
+    name: "com.android.biometrics.virtual.fingerprint-file_contexts",
+    srcs: [
+        "com.android.biometrics.virtual.fingerprint-file_contexts",
+    ],
+}
+
+filegroup {
+    name: "com.android.uprobestats-file_contexts",
+    srcs: [
+        "com.android.uprobestats-file_contexts",
+    ],
+}
+
+filegroup {
+    name: "com.android.biometrics.virtual.face-file_contexts",
+    srcs: [
+        "com.android.biometrics.virtual.face-file_contexts",
+    ],
+}
+
+filegroup {
+    name: "com.android.documentsuibundle-file_contexts",
+    srcs: [
+        "com.android.documentsuibundle-file_contexts",
+    ],
+}
+
+filegroup {
+    name: "com.android.profiling-file_contexts",
+    srcs: [
+        "com.android.profiling-file_contexts",
+    ],
+}
diff --git a/apex/com.android.biometrics.virtual.face-file_contexts b/apex/com.android.biometrics.virtual.face-file_contexts
new file mode 100644
index 0000000..07fc0a8
--- /dev/null
+++ b/apex/com.android.biometrics.virtual.face-file_contexts
@@ -0,0 +1,3 @@
+(/.*)?                                          u:object_r:vendor_file:s0
+/etc(/.*)?                                      u:object_r:vendor_configs_file:s0
+/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:virtual_face_exec:s0
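Review bot: The catch-all label here is `vendor_file` with `/etc` as `vendor_configs_file`, while the sibling virtual fingerprint APEX added in this same change labels its whole tree `system_file`; whether that difference is intentional depends on which partition each APEX is installed to, which these files do not show. If the face APEX lands on the system image, vendor types on its libraries and configs would be unreadable to the system-side domains that normally open them; if it is deliberately a vendor APEX, a one-line comment at the top such as `# vendor APEX: contents must carry vendor types` would stop the next reader from "aligning" it with the fingerprint file. Please confirm the partition and either align the two files or document the reason.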
diff --git a/apex/com.android.biometrics.virtual.fingerprint-file_contexts b/apex/com.android.biometrics.virtual.fingerprint-file_contexts
new file mode 100644
index 0000000..940934b
--- /dev/null
+++ b/apex/com.android.biometrics.virtual.fingerprint-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                  u:object_r:system_file:s0
+/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:virtual_fingerprint_exec:s0
diff --git a/apex/com.android.bluetooth-file_contexts b/apex/com.android.bt-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth-file_contexts
rename to apex/com.android.bt-file_contexts
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
new file mode 100644
index 0000000..de74547
--- /dev/null
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                   u:object_r:system_file:s0
+/bin/aconfigd-mainline   u:object_r:aconfigd_mainline_exec:s0
diff --git a/apex/com.android.bluetooth-file_contexts b/apex/com.android.documentsuibundle-file_contexts
similarity index 100%
copy from apex/com.android.bluetooth-file_contexts
copy to apex/com.android.documentsuibundle-file_contexts
diff --git a/apex/com.android.profiling-file_contexts b/apex/com.android.profiling-file_contexts
new file mode 100644
index 0000000..796beca
--- /dev/null
+++ b/apex/com.android.profiling-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?               u:object_r:system_file:s0
+/bin/trace_redactor  u:object_r:trace_redactor_exec:s0
diff --git a/apex/com.android.uprobestats-file_contexts b/apex/com.android.uprobestats-file_contexts
new file mode 100644
index 0000000..994951b
--- /dev/null
+++ b/apex/com.android.uprobestats-file_contexts
@@ -0,0 +1,3 @@
+(/.*)?                         u:object_r:system_file:s0
+/bin/uprobestats               u:object_r:uprobestats_exec:s0
+/bin/uprobestatsbpfload        u:object_r:bpfloader_exec:s0
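Review bot: `/bin/uprobestatsbpfload` reuses `bpfloader_exec` instead of a dedicated exec type, so every rule and neverallow keyed on that type now applies equally to this mainline binary and to the platform BPF loader; the domain it transitions to is not visible here, but the platform loader is typically granted broad BPF privileges. If sharing the label is deliberate (for instance to satisfy a constraint that only `bpfloader_exec` may load programs), a comment such as `# shares bpfloader_exec so it may load BPF programs under the same constraints as the platform loader` would record that, and a narrower dedicated type is worth considering if the uprobestats loader needs less than the platform one.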
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index d8fc8df..bb0f909 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -9,3 +9,7 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
     /bin/vmnic u:object_r:vmnic_exec:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+    /bin/early_virtmgr u:object_r:early_virtmgr_exec:s0
+')
+/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.wifi-file_contexts b/apex/com.android.wifi-file_contexts
index f3a65d4..2355fca 100644
--- a/apex/com.android.wifi-file_contexts
+++ b/apex/com.android.wifi-file_contexts
@@ -1 +1,2 @@
 (/.*)?                u:object_r:system_file:s0
+/bin/wpa_supplicant_mainline       u:object_r:wifi_mainline_supplicant_exec:s0
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index fef2e69..33c6d3b 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -29,7 +29,7 @@
 func init() {
 	ctx := android.InitRegistrationContext
 	ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
-	ctx.RegisterParallelSingletonModuleType("se_compat_test", compatTestFactory)
+	ctx.RegisterModuleType("se_compat_test", compatTestFactory)
 }
 
 // se_compat_cil collects and installs backwards compatibility cil files.
@@ -116,10 +116,10 @@
 
 // se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
 // current policy.
-func compatTestFactory() android.SingletonModule {
+func compatTestFactory() android.Module {
 	f := &compatTestModule{}
 	f.AddProperties(&f.properties)
-	android.InitAndroidModule(f)
+	android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
 	android.AddLoadHook(f, func(ctx android.LoadHookContext) {
 		f.loadHook(ctx)
 	})
@@ -127,7 +127,7 @@
 }
 
 type compatTestModule struct {
-	android.SingletonModuleBase
+	android.ModuleBase
 	properties struct {
 		// Default modules for conf
 		Defaults []string
@@ -180,11 +180,11 @@
 	}
 }
 
-func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
-	// does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
-}
-
 func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	if ctx.ModuleName() != "sepolicy_compat_test" || ctx.ModuleDir() != "system/sepolicy/compat" {
+		// two compat test modules don't make sense.
+		ctx.ModuleErrorf("There can only be 1 se_compat_test module named sepolicy_compat_test in system/sepolicy/compat")
+	}
 	var inputs android.Paths
 	ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
 		outputs := android.OutputFilesForModule(ctx, child, "")
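Review bot: `ctx.ModuleErrorf` records the error but does not leave the function, so a misnamed or misplaced `se_compat_test` module still walks its dependencies and emits build actions after the check; add `return` directly after the `ModuleErrorf` call so a rejected module produces no rules. The name/directory check does preserve the uniqueness the former singleton gave (a second module with the expected name in the same directory is a duplicate definition, any other name errors), but the comment `two compat test modules don't make sense` no longer explains why a name check achieves that; a sentence to that effect would help. The body of `GenerateAndroidBuildActions` continues past this hunk.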
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4476f94..8bdf01b 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -91,8 +91,8 @@
 	// Desired number of MLS categories. Defaults to 1024
 	Mls_cats *int64
 
-	// Board api level of policy files. Set "vendor" for RELEASE_BOARD_API_LEVEL, "system" for
-	// turning off the guard, or a direct version string (e.g. "202404"). Defaults to "system"
+	// Board api level of policy files. Set "current" for RELEASE_BOARD_API_LEVEL, or a direct
+	// version string (e.g. "202404"). Defaults to "current"
 	Board_api_level *string
 }
 
@@ -224,20 +224,6 @@
 	return proptools.IntDefault(c.properties.Mls_cats, MlsCats)
 }
 
-func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
-	level := proptools.StringDefault(c.properties.Board_api_level, "system")
-
-	if level == "system" {
-		// aribtrary value greater than any other vendor API levels
-		return "1000000"
-	} else if level == "vendor" {
-		return ctx.Config().VendorApiLevel()
-	} else {
-		return level
-	}
-
-}
-
 func findPolicyConfOrder(name string) int {
 	for idx, pattern := range policyConfOrder {
 		// We could use regexp but it seems like an overkill
@@ -279,7 +265,7 @@
 		FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
 		FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
 		FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
-		FlagWithArg("-D target_board_api_level=", c.boardApiLevel(ctx)).
+		Flag(boardApiLevelToM4Macro(ctx, c.properties.Board_api_level)).
 		Flags(flagsToM4Macros(flags)).
 		Flag("-s").
 		Inputs(srcs).
diff --git a/build/soong/selinux.go b/build/soong/selinux.go
index f811231..51ff732 100644
--- a/build/soong/selinux.go
+++ b/build/soong/selinux.go
@@ -16,6 +16,7 @@
 
 import (
 	"github.com/google/blueprint"
+	"github.com/google/blueprint/proptools"
 
 	"android/soong/android"
 )
@@ -50,3 +51,12 @@
 	}
 	return flagMacros
 }
+
+// boardApiLevel returns the M4 argument containing the target board API level.
+func boardApiLevelToM4Macro(ctx android.ModuleContext, apiLevel *string) string {
+	level := proptools.StringDefault(apiLevel, "current")
+	if level == "current" {
+		level = ctx.Config().VendorApiLevel()
+	}
+	return "-D target_board_api_level=" + level
+}
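Review bot: Any value other than `current` is passed verbatim into `-D target_board_api_level=`, so a stale `board_api_level: "system"` or `"vendor"` (the values the removed `boardApiLevel` helper in policy.go accepted, with `"system"` meaning the guard was off) now reaches the m4 macros as a non-numeric string instead of failing the build, and such a module silently changes meaning. Reject anything that is neither `current` nor numeric: `} else if _, err := strconv.Atoi(level); err != nil {` followed by `ctx.PropertyErrorf("board_api_level", "must be \"current\" or a numeric version string, got %q", level)` (requires importing `strconv`). The doc comment also names the function `boardApiLevel` while it is declared as `boardApiLevelToM4Macro`; align the two.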
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index d4c81e8..c96dda5 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -46,6 +46,10 @@
 
 	// Make this module available when building for recovery
 	Recovery_available *bool
+
+	// Board api level of policy files. Set "current" for RELEASE_BOARD_API_LEVEL, or a direct
+	// version string (e.g. "202404"). Defaults to "current"
+	Board_api_level *string
 }
 
 type seappProperties struct {
@@ -87,6 +91,7 @@
 	android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
 	android.RegisterModuleType("seapp_contexts", seappFactory)
 	android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
+	android.RegisterModuleType("tee_service_contexts", teeServiceFactory)
 
 	android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
 	android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
@@ -224,46 +229,46 @@
 	}
 }
 
-func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.ImageInterfaceContext) {
 	if proptools.Bool(m.properties.Recovery_available) && m.ModuleBase.InstallInRecovery() {
 		ctx.PropertyErrorf("recovery_available",
 			"doesn't make sense at the same time as `recovery: true`")
 	}
 }
 
-func (m *selinuxContextsModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) VendorVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) ProductVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return !m.ModuleBase.InstallInRecovery()
 }
 
-func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return m.ModuleBase.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
 }
 
-func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+func (m *selinuxContextsModule) ExtraImageVariations(ctx android.ImageInterfaceContext) []string {
 	return nil
 }
 
-func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, variation string) {
+func (m *selinuxContextsModule) SetImageVariation(ctx android.ImageInterfaceContext, variation string) {
 }
 
 var _ android.ImageInterface = (*selinuxContextsModule)(nil)
@@ -288,6 +293,7 @@
 		Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
 		Text("--fatal-warnings -s").
 		FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+		Flag(boardApiLevelToM4Macro(ctx, m.properties.Board_api_level)).
 		Flags(flagsToM4Macros(flags)).
 		Inputs(inputsWithNewline).
 		FlagWithOutput("> ", builtContext)
@@ -533,6 +539,12 @@
 	return m
 }
 
+func teeServiceFactory() android.Module {
+	m := newModule()
+	m.build = m.buildGeneralContexts
+	return m
+}
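Review bot: `tee_service_contexts` is registered with `buildGeneralContexts` but, unlike the other context types in this file, no matching `tee_service_contexts_test` module type is registered next to it (the `file_contexts_test` and `property_contexts_test` registrations in the first hunk of this file show the existing pattern), so nothing visible here validates that the types named in `plat_tee_service_contexts` exist in the compiled policy. If the check lives elsewhere or `checkfc` does not yet understand this file, a comment on the factory such as `// NOTE: no *_test counterpart yet; labels are only validated at load time` would make that explicit rather than leaving a mislabeled entry to surface only when the allowlist is consumed.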
+
 func seappFactory() android.Module {
 	m := newModule()
 	m.build = m.buildSeappContexts
@@ -711,42 +723,42 @@
 
 // contextsTestModule implements ImageInterface to be able to include recovery_available contexts
 // modules as its sources.
-func (m *contextsTestModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+func (m *contextsTestModule) ImageMutatorBegin(ctx android.ImageInterfaceContext) {
 }
 
-func (m *contextsTestModule) VendorVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) VendorVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) ProductVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) ProductVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) CoreVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return true
 }
 
-func (m *contextsTestModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) RamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) VendorRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) DebugRamdiskVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+func (m *contextsTestModule) RecoveryVariantNeeded(ctx android.ImageInterfaceContext) bool {
 	return false
 }
 
-func (m *contextsTestModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+func (m *contextsTestModule) ExtraImageVariations(ctx android.ImageInterfaceContext) []string {
 	return nil
 }
 
-func (m *contextsTestModule) SetImageVariation(ctx android.BaseModuleContext, variation string) {
+func (m *contextsTestModule) SetImageVariation(ctx android.ImageInterfaceContext, variation string) {
 }
 
 var _ android.ImageInterface = (*contextsTestModule)(nil)
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index d6f4f3c..41d460d 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -25,15 +25,15 @@
 
 func init() {
 	ctx := android.InitRegistrationContext
-	ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
+	ctx.RegisterModuleType("se_freeze_test", freezeTestFactory)
 }
 
 // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy.  Additional directories can
 // be specified via Makefile variables: SEPOLICY_FREEZE_TEST_EXTRA_DIRS and
 // SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
-func freezeTestFactory() android.SingletonModule {
+func freezeTestFactory() android.Module {
 	f := &freezeTestModule{}
-	android.InitAndroidModule(f)
+	android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
 	android.AddLoadHook(f, func(ctx android.LoadHookContext) {
 		f.loadHook(ctx)
 	})
@@ -41,7 +41,7 @@
 }
 
 type freezeTestModule struct {
-	android.SingletonModuleBase
+	android.ModuleBase
 	freezeTestTimestamp android.ModuleOutPath
 }
 
@@ -82,10 +82,6 @@
 	ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
 }
 
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
-	// does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
 func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
 	deps := ctx.GetDirectDepsWithTag(depTag)
 	if len(deps) != 1 {
@@ -104,6 +100,11 @@
 }
 
 func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	if ctx.ModuleName() != "se_freeze_test" || ctx.ModuleDir() != "system/sepolicy" {
+		// two freeze test modules don't make sense.
+		ctx.ModuleErrorf("There can only be 1 se_freeze_test module named se_freeze_test in system/sepolicy")
+	}
+
 	f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
 
 	if !f.shouldRunTest(ctx) {
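Review bot: The rejection of a misnamed or misplaced `se_freeze_test` does not exit the function; `ModuleErrorf` only records the failure, so the module goes on to set up its timestamp output and, when `shouldRunTest` holds, its freeze comparison. A `return` immediately after `ctx.ModuleErrorf(...)` makes the rejection unambiguous and avoids generating actions for a module that has already failed. The function body continues beyond this hunk.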
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 78cbc84..c2a21dd 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -57,7 +57,7 @@
 func neverallowTestFactory() android.Module {
 	n := &neverallowTestModule{}
 	n.AddProperties(&n.properties)
-	android.InitAndroidModule(n)
+	android.InitAndroidArchModule(n, android.DeviceSupported, android.MultilibCommon)
 	android.AddLoadHook(n, func(ctx android.LoadHookContext) {
 		n.loadHook(ctx)
 	})
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 293d7de..35f4e09 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -45,8 +45,10 @@
 		"android.hardware.automotive.audiocontrol.IAudioControl/default":          EXCEPTION_NO_FUZZER,
 		"android.hardware.biometrics.face.IFace/default":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.biometrics.face.IFace/virtual":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.biometrics.face.virtualhal.IVirtualHal/virtual":         EXCEPTION_NO_FUZZER,
 		"android.hardware.biometrics.fingerprint.IFingerprint/default":            EXCEPTION_NO_FUZZER,
 		"android.hardware.biometrics.fingerprint.IFingerprint/virtual":            EXCEPTION_NO_FUZZER,
+		"android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual":  EXCEPTION_NO_FUZZER,
 		"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
 		"android.hardware.broadcastradio.IBroadcastRadio/amfm":                    []string{"android.hardware.broadcastradio-service.default_fuzzer"},
 		"android.hardware.broadcastradio.IBroadcastRadio/dab":                     []string{"android.hardware.broadcastradio-service.default_fuzzer"},
@@ -54,6 +56,7 @@
 		"android.hardware.bluetooth.finder.IBluetoothFinder/default":              EXCEPTION_NO_FUZZER,
 		"android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default":    EXCEPTION_NO_FUZZER,
 		"android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default":         EXCEPTION_NO_FUZZER,
+		"android.hardware.bluetooth.socket.IBluetoothSocket/default":              []string{"android.hardware.bluetooth.socket-service_fuzzer"},
 		"android.hardware.camera.provider.ICameraProvider/internal/0":             EXCEPTION_NO_FUZZER,
 		"android.hardware.camera.provider.ICameraProvider/virtual/0":              EXCEPTION_NO_FUZZER,
 		"android.hardware.cas.IMediaCasService/default":                           EXCEPTION_NO_FUZZER,
@@ -80,7 +83,7 @@
 		"android.hardware.media.c2.IComponentStore/software":                      []string{"libcodec2-aidl-fuzzer"},
 		"android.hardware.memtrack.IMemtrack/default":                             EXCEPTION_NO_FUZZER,
 		"android.hardware.net.nlinterceptor.IInterceptor/default":                 EXCEPTION_NO_FUZZER,
-		"android.hardware.nfc.INfc/default":                                       EXCEPTION_NO_FUZZER,
+		"android.hardware.nfc.INfc/default":                                       []string{"nfc_service_fuzzer"},
 		"android.hardware.oemlock.IOemLock/default":                               EXCEPTION_NO_FUZZER,
 		"android.hardware.power.IPower/default":                                   EXCEPTION_NO_FUZZER,
 		"android.hardware.power.stats.IPowerStats/default":                        EXCEPTION_NO_FUZZER,
@@ -137,6 +140,7 @@
 		"android.hardware.tv.hdmi.connection.IHdmiConnection/default":             EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.hdmi.earc.IEArc/default":                             EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.input.ITvInput/default":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.mediaquality.IMediaQuality/default":                  EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.tuner.ITuner/default":                                EXCEPTION_NO_FUZZER,
 		"android.hardware.usb.IUsb/default":                                       EXCEPTION_NO_FUZZER,
 		"android.hardware.usb.gadget.IUsbGadget/default":                          EXCEPTION_NO_FUZZER,
@@ -148,6 +152,7 @@
 		"android.hardware.wifi.hostapd.IHostapd/default":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.wifi.supplicant.ISupplicant/default":                    EXCEPTION_NO_FUZZER,
 		"android.frameworks.cameraservice.service.ICameraService/default":         EXCEPTION_NO_FUZZER,
+		"android.frameworks.devicestate.IDeviceStateService/default":              EXCEPTION_NO_FUZZER,
 		"android.frameworks.location.altitude.IAltitudeService/default":           EXCEPTION_NO_FUZZER,
 		"android.frameworks.sensorservice.ISensorManager/default":                 []string{"libsensorserviceaidl_fuzzer"},
 		"android.frameworks.stats.IStats/default":                                 EXCEPTION_NO_FUZZER,
@@ -162,6 +167,7 @@
 		"activity_task":       EXCEPTION_NO_FUZZER,
 		"adb":                 EXCEPTION_NO_FUZZER,
 		"adservices_manager":  EXCEPTION_NO_FUZZER,
+		"advanced_protection": EXCEPTION_NO_FUZZER,
 		"aidl_lazy_test_1":    EXCEPTION_NO_FUZZER,
 		"aidl_lazy_test_2":    EXCEPTION_NO_FUZZER,
 		"aidl_lazy_test_quit": EXCEPTION_NO_FUZZER,
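Review bot: `advanced_protection` is added as `EXCEPTION_NO_FUZZER` with no tracking reference, even though this file attaches `// TODO(b/...): add fuzzer` to exceptions that are meant to be temporary (the AVF entry later in this change shows the convention). A system service with this name is likely to be security-sensitive, so a `// TODO(b/<bug>): add fuzzer` line above it, or a short justification if it is exempt by design, would keep the exception from becoming permanent by default.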
@@ -183,6 +189,7 @@
 		"android.security.metrics":                                       EXCEPTION_NO_FUZZER,
 		"android.service.gatekeeper.IGateKeeperService":                  []string{"gatekeeperd_service_fuzzer"},
 		"android.system.composd":                                         EXCEPTION_NO_FUZZER,
+		"android.system.microfuchsiad":                                   EXCEPTION_NO_FUZZER,
 		// TODO(b/294158658): add fuzzer
 		"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice":                                []string{"virtualizationmanager_fuzzer"},
@@ -192,6 +199,7 @@
 		"android.system.vmtethering.IVmTethering":                             EXCEPTION_NO_FUZZER,
 		"ambient_context":               EXCEPTION_NO_FUZZER,
 		"app_binding":                   EXCEPTION_NO_FUZZER,
+		"app_function":                  EXCEPTION_NO_FUZZER,
 		"app_hibernation":               EXCEPTION_NO_FUZZER,
 		"app_integrity":                 EXCEPTION_NO_FUZZER,
 		"app_prediction":                EXCEPTION_NO_FUZZER,
@@ -199,6 +207,7 @@
 		"apexservice":                   EXCEPTION_NO_FUZZER,
 		"archive":                       EXCEPTION_NO_FUZZER,
 		"attestation_verification":      EXCEPTION_NO_FUZZER,
+		"authentication_policy":         EXCEPTION_NO_FUZZER,
 		"blob_store":                    EXCEPTION_NO_FUZZER,
 		"gsiservice":                    EXCEPTION_NO_FUZZER,
 		"appops":                        EXCEPTION_NO_FUZZER,
@@ -270,6 +279,7 @@
 		"dropbox":                       EXCEPTION_NO_FUZZER,
 		"dumpstate":                     EXCEPTION_NO_FUZZER,
 		"dynamic_system":                EXCEPTION_NO_FUZZER,
+		"dynamic_instrumentation":       EXCEPTION_NO_FUZZER,
 		"econtroller":                   EXCEPTION_NO_FUZZER,
 		"ecm_enhanced_confirmation":     EXCEPTION_NO_FUZZER,
 		"emergency_affordance":          EXCEPTION_NO_FUZZER,
@@ -281,6 +291,7 @@
 		"fingerprint":                   EXCEPTION_NO_FUZZER,
 		"feature_flags":                 EXCEPTION_NO_FUZZER,
 		"font":                          EXCEPTION_NO_FUZZER,
+		"forensic":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
 		"game":                                   EXCEPTION_NO_FUZZER,
 		"gfxinfo":                                EXCEPTION_NO_FUZZER,
@@ -299,6 +310,7 @@
 		"inputflinger":                           EXCEPTION_NO_FUZZER,
 		"input_method":                           EXCEPTION_NO_FUZZER,
 		"input":                                  EXCEPTION_NO_FUZZER,
+		"intrusion_detection":                    EXCEPTION_NO_FUZZER,
 		"installd":                               []string{"installd_service_fuzzer"},
 		"iphonesubinfo_msim":                     EXCEPTION_NO_FUZZER,
 		"iphonesubinfo2":                         EXCEPTION_NO_FUZZER,
@@ -344,12 +356,14 @@
 		"media_communication":                    EXCEPTION_NO_FUZZER,
 		"media_metrics":                          EXCEPTION_NO_FUZZER,
 		"media_projection":                       EXCEPTION_NO_FUZZER,
+		"media_quality":                          EXCEPTION_NO_FUZZER,
 		"media_resource_monitor":                 EXCEPTION_NO_FUZZER,
 		"media_router":                           EXCEPTION_NO_FUZZER,
 		"media_session":                          EXCEPTION_NO_FUZZER,
 		"meminfo":                                EXCEPTION_NO_FUZZER,
 		"memtrack.proxy":                         EXCEPTION_NO_FUZZER,
 		"midi":                                   EXCEPTION_NO_FUZZER,
+		"mmd":                                    EXCEPTION_NO_FUZZER,
 		"mount":                                  EXCEPTION_NO_FUZZER,
 		"music_recognition":                      EXCEPTION_NO_FUZZER,
 		"nearby":                                 EXCEPTION_NO_FUZZER,
@@ -389,9 +403,11 @@
 		"procstats":                              EXCEPTION_NO_FUZZER,
 		"profcollectd":                           EXCEPTION_NO_FUZZER,
 		"profiling_service":                      EXCEPTION_NO_FUZZER,
+		"protolog_configuration":                 EXCEPTION_NO_FUZZER,
 		"radio.phonesubinfo":                     EXCEPTION_NO_FUZZER,
 		"radio.phone":                            EXCEPTION_NO_FUZZER,
 		"radio.sms":                              EXCEPTION_NO_FUZZER,
+		"ranging":                                EXCEPTION_NO_FUZZER,
 		"rcs":                                    EXCEPTION_NO_FUZZER,
 		"reboot_readiness":                       EXCEPTION_NO_FUZZER,
 		"recovery":                               EXCEPTION_NO_FUZZER,
@@ -402,6 +418,7 @@
 		"restrictions":                           EXCEPTION_NO_FUZZER,
 		"rkpd.registrar":                         EXCEPTION_NO_FUZZER,
 		"rkpd.refresh":                           EXCEPTION_NO_FUZZER,
+		"rkp_cert_processor.service":             EXCEPTION_NO_FUZZER,
 		"role":                                   EXCEPTION_NO_FUZZER,
 		"rollback":                               EXCEPTION_NO_FUZZER,
 		"rttmanager":                             EXCEPTION_NO_FUZZER,
@@ -445,6 +462,7 @@
 		"SurfaceFlingerAIDL":                     EXCEPTION_NO_FUZZER,
 		"suspend_control":                        []string{"suspend_service_fuzzer"},
 		"suspend_control_internal":               []string{"suspend_service_internal_fuzzer"},
+		"supervision":                            EXCEPTION_NO_FUZZER,
 		"system_config":                          EXCEPTION_NO_FUZZER,
 		"system_server_dumper":                   EXCEPTION_NO_FUZZER,
 		"system_update":                          EXCEPTION_NO_FUZZER,
@@ -463,6 +481,7 @@
 		"time_zone_detector":                     EXCEPTION_NO_FUZZER,
 		"thermalservice":                         EXCEPTION_NO_FUZZER,
 		"tracing.proxy":                          EXCEPTION_NO_FUZZER,
+		"tradeinmode":                            EXCEPTION_NO_FUZZER,
 		"translation":                            EXCEPTION_NO_FUZZER,
 		"transparency":                           EXCEPTION_NO_FUZZER,
 		"trust":                                  EXCEPTION_NO_FUZZER,
@@ -498,7 +517,9 @@
 		"wifi":                                   EXCEPTION_NO_FUZZER,
 		"wifinl80211":                            []string{"wificond_service_fuzzer"},
 		"wifiaware":                              EXCEPTION_NO_FUZZER,
+		"wifi_usd":                               EXCEPTION_NO_FUZZER,
 		"wifirtt":                                EXCEPTION_NO_FUZZER,
+		"wifi_mainline_supplicant":               EXCEPTION_NO_FUZZER, // defined internally
 		"window":                                 EXCEPTION_NO_FUZZER,
 		"*":                                      EXCEPTION_NO_FUZZER,
 	}
diff --git a/compat/Android.bp b/compat/Android.bp
index f09fb21..28936dd 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -585,3 +585,9 @@
     system_ext_specific: true,
     version: "202404",
 }
+
+prebuilt_etc {
+    name: "plat_sepolicy_genfs_202504.cil",
+    src: "plat_sepolicy_genfs_202504.cil",
+    relative_install_path: "selinux",
+}
diff --git a/compat/libgenfslabelsversion/Android.bp b/compat/libgenfslabelsversion/Android.bp
new file mode 100644
index 0000000..7f512a7
--- /dev/null
+++ b/compat/libgenfslabelsversion/Android.bp
@@ -0,0 +1,35 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "system_sepolicy_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+rust_defaults {
+    name: "libgenfslabelsversion.default",
+    crate_name: "genfslabelsversion",
+    srcs: ["src/lib.rs"],
+    apex_available: ["//apex_available:platform"],
+}
+
+rust_ffi_static {
+    name: "libgenfslabelsversion.ffi",
+    defaults: ["libgenfslabelsversion.default"],
+    export_include_dirs: ["include"],
+}
diff --git a/compat/libgenfslabelsversion/include/genfslabelsversion.h b/compat/libgenfslabelsversion/include/genfslabelsversion.h
new file mode 100644
index 0000000..4c029c8
--- /dev/null
+++ b/compat/libgenfslabelsversion/include/genfslabelsversion.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int get_genfs_labels_version();
+
+#ifdef __cplusplus
+}
+#endif
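Review bot: `int get_genfs_labels_version();` at the bottom of the header is an empty-parameter declaration, which in C before C23 is not a prototype and lets callers pass arbitrary arguments unchecked; declaring it as `int get_genfs_labels_version(void);` makes the C and C++ signatures agree with the Rust `extern "C" fn get_genfs_labels_version()` export in lib.rs. The declaration also carries no comment, so a caller has to open lib.rs to learn the contract; a line such as `/* Returns the vendor's genfs labels version, or 202404 when /vendor/etc/selinux/genfs_labels_version.txt is missing or unparsable. */` would document it at the FFI boundary where it is used.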
diff --git a/compat/libgenfslabelsversion/src/lib.rs b/compat/libgenfslabelsversion/src/lib.rs
new file mode 100644
index 0000000..21619e8
--- /dev/null
+++ b/compat/libgenfslabelsversion/src/lib.rs
@@ -0,0 +1,40 @@
+// Copyright 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Client library to read genfs labels version of the vendor.
+
+use std::fs;
+
+const GENFS_LABELS_VERSION_TXT_PATH: &str = "/vendor/etc/selinux/genfs_labels_version.txt";
+const DEFAULT_GENFS_LABELS_VERSION: i32 = 202404;
+
+/// Get genfs labels version from the vendor partition.
+///
+/// This function reads the genfs labels version from the file
+/// `/vendor/etc/selinux/genfs_labels_version.txt`. If the file does not exist or
+/// cannot be parsed, it returns a default version of 202404.
+///
+/// # Returns
+///
+/// The genfs labels version as an integer.
+#[no_mangle]
+pub extern "C" fn get_genfs_labels_version() -> i32 {
+    match fs::read_to_string(GENFS_LABELS_VERSION_TXT_PATH) {
+        Ok(contents) => match contents.trim().parse::<i32>() {
+            Ok(version) => version,
+            Err(_) => DEFAULT_GENFS_LABELS_VERSION,
+        },
+        Err(_) => DEFAULT_GENFS_LABELS_VERSION,
+    }
+}
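Review bot: In `get_genfs_labels_version`, every failure of `fs::read_to_string` collapses into `DEFAULT_GENFS_LABELS_VERSION`, so a permission denial on the vendor file (for example an SELinux denial for the calling domain) is indistinguishable from a vendor image that simply predates the file, and the caller silently proceeds with the 202404 fallback. Matching the error kind, e.g. `Err(e) if e.kind() != std::io::ErrorKind::NotFound => { eprintln!("genfs_labels_version.txt unreadable: {e}"); DEFAULT_GENFS_LABELS_VERSION }`, would let a misconfigured policy surface while keeping the documented fallback for a missing file. `parse::<i32>` also accepts zero and negative numbers; if versions earlier than 202404 are never valid, rejecting values below the default would keep a malformed file from selecting an unintended label set. The doc comment repeats the path and the 202404 default that the two constants already define, so it will drift when either changes; phrasing it in terms of the constants avoids that.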
diff --git a/compat/plat_sepolicy_genfs_202504.cil b/compat/plat_sepolicy_genfs_202504.cil
new file mode 100644
index 0000000..79cc732
--- /dev/null
+++ b/compat/plat_sepolicy_genfs_202504.cil
@@ -0,0 +1 @@
+(genfscon sysfs "/class/udc" (u object_r sysfs_udc ((s0) (s0))))
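Review bot: The new file holds a single `genfscon` rule and no comment on why it lives apart from the main policy; CIL accepts `;` line comments, so a header such as `; sysfs genfs labels introduced in genfs labels version 202504` would document the intent. From the name alone it is not clear whether this file is applied unconditionally or only for vendors whose genfs_labels_version is at or above 202504; stating that here would help whoever adds the next version file.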
diff --git a/contexts/Android.bp b/contexts/Android.bp
index ca3cf57..08a4f64 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -68,6 +68,11 @@
     srcs: ["vndservice_contexts"],
 }
 
+se_build_files {
+    name: "tee_service_contexts_files",
+    srcs: ["tee_service_contexts"],
+}
+
 file_contexts {
     name: "plat_file_contexts",
     defaults: ["contexts_flags_defaults"],
@@ -206,6 +211,18 @@
     device_specific: true,
 }
 
+hwservice_contexts {
+    name: "merged_hwservice_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [
+        ":plat_hwservice_contexts",
+        ":system_ext_hwservice_contexts",
+        ":product_hwservice_contexts",
+        ":vendor_hwservice_contexts",
+        ":odm_hwservice_contexts",
+    ],
+}
+
 property_contexts {
     name: "plat_property_contexts",
     defaults: ["contexts_flags_defaults"],
@@ -308,6 +325,18 @@
     recovery_available: true,
 }
 
+service_contexts {
+    name: "merged_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [
+        ":plat_service_contexts",
+        ":system_ext_service_contexts",
+        ":product_service_contexts",
+        ":vendor_service_contexts",
+        ":odm_service_contexts",
+    ],
+}
+
 keystore2_key_contexts {
     name: "plat_keystore2_key_contexts",
     defaults: ["contexts_flags_defaults"],
@@ -490,6 +519,12 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+hwservice_contexts_test {
+    name: "merged_hwservice_contexts_test",
+    srcs: [":merged_hwservice_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}
+
 property_contexts_test {
     name: "plat_property_contexts_test",
     srcs: [":plat_property_contexts"],
@@ -568,6 +603,12 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+service_contexts_test {
+    name: "merged_service_contexts_test",
+    srcs: [":merged_service_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}
+
 vndservice_contexts_test {
     name: "vndservice_contexts_test",
     srcs: [":vndservice_contexts"],
@@ -578,3 +619,34 @@
     name: "fuzzer_bindings_test",
     srcs: [":plat_service_contexts"],
 }
+
+tee_service_contexts {
+    name: "plat_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.plat_private}"],
+}
+
+tee_service_contexts {
+    name: "system_ext_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.system_ext_private}"],
+    system_ext_specific: true,
+}
+
+tee_service_contexts {
+    name: "product_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.product_private}"],
+    product_specific: true,
+}
+
+tee_service_contexts {
+    name: "vendor_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [
+        ":tee_service_contexts_files{.plat_vendor}",
+        ":tee_service_contexts_files{.vendor}",
+        ":tee_service_contexts_files{.reqd_mask}",
+    ],
+    soc_specific: true,
+}
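Review bot: This hunk defines `tee_service_contexts` modules for plat, system_ext, product and vendor but none for odm, yet contexts/plat_file_contexts_test in this same change expects `/odm/etc/selinux/odm_tee_service_contexts` to be labeled `tee_service_contexts_file`; either an `odm_tee_service_contexts` module (presumably with `device_specific: true`) is missing here, or the odm test entries describe a file that nothing produces. The `merged_hwservice_contexts` and `merged_service_contexts` modules in the earlier hunks of this file also carry no comment; since they exist to be checked by the `merged_*_contexts_test` modules against `:precompiled_sepolicy`, a line such as `// Concatenation of every partition's service_contexts, validated as one set by merged_service_contexts_test` above each would explain why a merged artifact is built at all.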
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c8f9cb..fc2d7b8 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -3,7 +3,7 @@
 # It can be passed to checkfc to confirm that the regular expressions in
 # file_contexts are matching the intended paths.
 /                                                                 rootfs
-/adb_keys                                                         adb_keys_file
+/adb_keys                                                         system_file
 /build.prop                                                       rootfs
 /default.prop                                                     rootfs
 /fstab.persist                                                    rootfs
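Review bot: The expectation for `/adb_keys` changes from the dedicated `adb_keys_file` type to the generic `system_file` with no comment explaining the move; a later hunk in this file adds `/product/etc/security/adb_keys` as `adb_keys_file`, which suggests the authorized-host key file now lives on the product partition. Since `adb_keys_file` is presumably the type the policy uses to scope access to the ADB authorized keys, a note such as `# /adb_keys no longer gets a dedicated type; authorized keys are expected under /product/etc/security/adb_keys` next to the entry would record why the root-level path lost its label and stop a future regex change from being mistaken for a regression.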
@@ -37,6 +37,7 @@
 /sys                                                              sysfs
 /apex                                                             apex_mnt_dir
 /bootstrap-apex                                                   apex_mnt_dir
+/mnt/vm                                                           vm_data_file
 
 /postinstall                                                      postinstall_mnt_dir
 /postinstall/apex                                                 postinstall_apex_mnt_dir
@@ -64,6 +65,7 @@
 /vendor_seapp_contexts                                            seapp_contexts_file
 /plat_seapp_contexts                                              seapp_contexts_file
 /sepolicy                                                         sepolicy_file
+/plat_tee_service_contexts                                        tee_service_contexts_file
 /plat_service_contexts                                            service_contexts_file
 /plat_hwservice_contexts                                          hwservice_contexts_file
 /plat_keystore2_key_contexts                                      keystore2_key_contexts_file
@@ -188,7 +190,8 @@
 /dev/socket                                                       socket_device
 /dev/socket/does_not_exist                                        socket_device
 /dev/socket/adbd                                                  adbd_socket
-/dev/socket/aconfigd                                              aconfigd_socket
+/dev/socket/aconfigd_mainline                                     aconfigd_mainline_socket
+/dev/socket/aconfigd_system                                       aconfigd_socket
 /dev/socket/dnsproxyd                                             dnsproxyd_socket
 /dev/socket/dumpstate                                             dumpstate_socket
 /dev/socket/fwmarkd                                               fwmarkd_socket
@@ -322,6 +325,7 @@
 /system/bin/sload_f2fs                                            e2fs_exec
 /system/bin/make_f2fs                                             e2fs_exec
 /system/bin/fsck_msdos                                            fsck_exec
+/system/bin/prefetch                                              prefetch_exec
 /system/bin/tcpdump                                               tcpdump_exec
 /system/bin/tune2fs                                               fsck_exec
 /system/bin/resize2fs                                             fsck_exec
@@ -395,6 +399,7 @@
 /system/bin/bootstrap/linkerconfig                                linkerconfig_exec
 /system/bin/llkd                                                  llkd_exec
 /system/bin/lmkd                                                  lmkd_exec
+/system/bin/mmd                                                   mmd_exec
 /system/bin/usbd                                                  usbd_exec
 /system/bin/inputflinger                                          inputflinger_exec
 /system/bin/logd                                                  logd_exec
@@ -408,6 +413,7 @@
 /system/bin/traced_perf                                           traced_perf_exec
 /system/bin/traced_probes                                         traced_probes_exec
 /system/bin/traced_relay                                          traced_exec
+/system/bin/tradeinmode                                           tradeinmode_exec
 /system/bin/heapprofd                                             heapprofd_exec
 /system/bin/uncrypt                                               uncrypt_exec
 /system/bin/update_verifier                                       update_verifier_exec
@@ -416,7 +422,6 @@
 /system/bin/cppreopts.sh                                          cppreopts_exec
 /system/bin/preloads_copy.sh                                      preloads_copy_exec
 /system/bin/preopt2cachename                                      preopt2cachename_exec
-/system/bin/viewcompiler                                          viewcompiler_exec
 /system/bin/sgdisk                                                sgdisk_exec
 /system/bin/blkid                                                 blkid_exec
 /system/bin/flags_health_check                                    flags_health_check_exec
@@ -433,8 +438,8 @@
 /system/bin/hw/android.system.suspend-service                     system_suspend_exec
 /system/etc/aconfig                                               system_aconfig_storage_file
 /system/etc/cgroups.json                                          cgroup_desc_file
-/system/etc/task_profiles/cgroups_0.json                          cgroup_desc_api_file
-/system/etc/task_profiles/cgroups_999.json                        cgroup_desc_api_file
+/system/etc/task_profiles/cgroups_0.json                          cgroup_desc_file
+/system/etc/task_profiles/cgroups_999.json                        cgroup_desc_file
 /system/etc/event-log-tags                                        system_event_log_tags_file
 /system/etc/font_fallback.xml                                     system_font_fallback_file
 /system/etc/group                                                 system_group_file
@@ -450,6 +455,7 @@
 #/system/etc/selinux/mapping/30.compat.0.cil                      sepolicy_file
 /system/etc/selinux/plat_mac_permissions.xml                      mac_perms_file
 /system/etc/selinux/plat_property_contexts                        property_contexts_file
+/system/etc/selinux/plat_tee_service_contexts                     tee_service_contexts_file
 /system/etc/selinux/plat_service_contexts                         service_contexts_file
 /system/etc/selinux/plat_hwservice_contexts                       hwservice_contexts_file
 /system/etc/selinux/plat_keystore2_key_contexts                   keystore2_key_contexts_file
@@ -458,12 +464,12 @@
 /system/etc/selinux/plat_sepolicy.cil                             sepolicy_file
 /system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256          sepolicy_file
 /system/etc/task_profiles.json                                    task_profiles_file
-/system/etc/task_profiles/task_profiles_0.json                    task_profiles_api_file
-/system/etc/task_profiles/task_profiles_99.json                   task_profiles_api_file
+/system/etc/task_profiles/task_profiles_0.json                    task_profiles_file
+/system/etc/task_profiles/task_profiles_99.json                   task_profiles_file
 /system/usr/share/zoneinfo                                        system_zoneinfo_file
 /system/usr/share/zoneinfo/0                                      system_zoneinfo_file
 /system/bin/adbd                                                  adbd_exec
-/system/bin/aconfigd                                              aconfigd_exec
+/system/bin/aconfigd-system                                       aconfigd_exec
 /system/bin/vold_prepare_subdirs                                  vold_prepare_subdirs_exec
 /system/bin/stats                                                 stats_exec
 /system/bin/statsd                                                statsd_exec
@@ -485,6 +491,7 @@
 /system/bin/android.automotive.evs.manager@1.99                   evsmanagerd_exec
 /system/bin/uprobestats                                           uprobestats_exec
 /system/bin/trace_redactor                                        trace_redactor_exec
+/system/bin/bert_collector                                        bert_collector_exec
 
 /vendor                                                           vendor_file
 /vendor/does_not_exist                                            vendor_file
@@ -637,6 +644,7 @@
 /odm/usr/keylayout/test.kl                                        vendor_keylayout_file
 /vendor/odm/usr/keylayout.kl                                      vendor_keylayout_file
 /vendor/odm/usr/keylayout/test.kl                                 vendor_keylayout_file
+/vendor/usr/keylayout                                             vendor_keylayout_file
 /vendor/usr/keylayout.kl                                          vendor_keylayout_file
 /vendor/usr/keylayout/test.kl                                     vendor_keylayout_file
 /system/vendor/usr/keylayout.kl                                   vendor_keylayout_file
@@ -645,6 +653,7 @@
 /odm/usr/keychars/test.kcm                                        vendor_keychars_file
 /vendor/odm/usr/keychars.kcm                                      vendor_keychars_file
 /vendor/odm/usr/keychars/test.kcm                                 vendor_keychars_file
+/vendor/usr/keychars                                              vendor_keychars_file
 /vendor/usr/keychars.kcm                                          vendor_keychars_file
 /vendor/usr/keychars/test.kcm                                     vendor_keychars_file
 /system/vendor/usr/keychars.kcm                                   vendor_keychars_file
@@ -653,6 +662,7 @@
 /odm/usr/idc/test.idc                                             vendor_idc_file
 /vendor/odm/usr/idc.idc                                           vendor_idc_file
 /vendor/odm/usr/idc/test.idc                                      vendor_idc_file
+/vendor/usr/idc                                                   vendor_idc_file
 /vendor/usr/idc.idc                                               vendor_idc_file
 /vendor/usr/idc/test.idc                                          vendor_idc_file
 /system/vendor/usr/idc.idc                                        vendor_idc_file
@@ -685,6 +695,8 @@
 /vendor/odm/etc/selinux/odm_keystore2_key_contexts                keystore2_key_contexts_file
 /odm/etc/selinux/odm_mac_permissions.xml                          mac_perms_file
 /vendor/odm/etc/selinux/odm_mac_permissions.xml                   mac_perms_file
+/odm/etc/selinux/odm_tee_service_contexts                         tee_service_contexts_file
+/vendor/odm/etc/selinux/odm_tee_service_contexts                  tee_service_contexts_file
 
 /product                                                          system_file
 /product/does_not_exist                                           system_file
@@ -713,6 +725,8 @@
 /system/product/etc/selinux/product_service_contexts              service_contexts_file
 /product/etc/selinux/product_mac_permissions.xml                  mac_perms_file
 /system/product/etc/selinux/product_mac_permissions.xml           mac_perms_file
+/product/etc/selinux/product_tee_service_contexts                 tee_service_contexts_file
+/system/product/etc/selinux/product_tee_service_contexts          tee_service_contexts_file
 
 /product/lib                                                      system_lib_file
 /product/lib/does_not_exist                                       system_lib_file
@@ -723,6 +737,9 @@
 /system/product/lib64                                             system_lib_file
 /system/product/lib64/does_not_exist                              system_lib_file
 
+/product/etc/security/adb_keys                                    adb_keys_file
+/system/product/etc/security/adb_keys                             adb_keys_file
+
 /system_ext                                                       system_file
 /system_ext/does_not_exist                                        system_file
 /system/system_ext                                                system_file
@@ -754,6 +771,8 @@
 /system/system_ext/etc/selinux/system_ext_mac_permissions.xml     mac_perms_file
 /system_ext/etc/selinux/userdebug_plat_sepolicy.cil               sepolicy_file
 /system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil        sepolicy_file
+/system_ext/etc/selinux/system_ext_tee_service_contexts           tee_service_contexts_file
+/system/system_ext/etc/selinux/system_ext_tee_service_contexts    tee_service_contexts_file
 
 /system_ext/bin/aidl_lazy_test_server                             aidl_lazy_test_server_exec
 /system/system_ext/bin/aidl_lazy_test_server                      aidl_lazy_test_server_exec
@@ -768,14 +787,16 @@
 /system_ext/bin/hw/android.hidl.allocator@1.0-service             hal_allocator_default_exec
 /system/system_ext/bin/hw/android.hidl.allocator@1.0-service      hal_allocator_default_exec
 
+/system_ext/bin/rkp_cert_processor                                rkp_cert_processor_exec
+/system/system_ext/bin/rkp_cert_processor                         rkp_cert_processor_exec
+
 
 /system_ext/bin/canhalconfigurator                                canhalconfigurator_exec
 /system_ext/bin/canhalconfigurator-aidl                           canhalconfigurator_exec
 /system/system_ext/bin/canhalconfigurator                         canhalconfigurator_exec
 /system/system_ext/bin/canhalconfigurator-aidl                    canhalconfigurator_exec
 
-/system_ext/bin/custom_vm_setup                                   custom_vm_setup_exec
-/system/system_ext/bin/custom_vm_setup                            custom_vm_setup_exec
+/system/bin/linux_vm_setup                                        linux_vm_setup_exec
 
 /system_ext/lib                                                   system_lib_file
 /system_ext/lib/does_not_exist                                    system_lib_file
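Review bot: `/system/bin/linux_vm_setup` is added inside the system_ext section of the test (between the canhalconfigurator entries and the system_ext lib entries) even though its path is under /system/bin, so a reader scanning by partition will not find it; moving it next to the other `/system/bin` expectations earlier in the file would keep the ordering consistent. The replaced `custom_vm_setup` entries were the only coverage of `custom_vm_setup_exec` in this test, which is fine if that type was removed from the policy in the same change, but worth confirming. The rkp_cert_processor addition just above also leaves a double blank line at the end of its block.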
@@ -1060,6 +1081,8 @@
 /data/misc/wifi/test                                              wifi_data_file
 /data/misc_ce/0/wifi                                              wifi_data_file
 /data/misc_ce/99/wifi/test                                        wifi_data_file
+/data/misc/wifi/mainline_supplicant                               mainline_supplicant_data_file
+/data/misc/wifi/mainline_supplicant/sockets                       mainline_supplicant_data_file
 /data/misc/wifi/sockets                                           wpa_socket
 /data/misc/wifi/sockets/test                                      wpa_socket
 /data/misc/wifi/sockets/wpa_ctrl_test                             system_wpa_socket
@@ -1247,8 +1270,6 @@
 /metadata/aconfig/maps/test                                       aconfig_storage_metadata_file
 /metadata/aconfig/boot                                            aconfig_storage_metadata_file
 /metadata/aconfig/boot/test                                       aconfig_storage_metadata_file
-/metadata/aconfig_test_missions                                   aconfig_test_mission_files
-/metadata/aconfig_test_missions/test                              aconfig_test_mission_files
 /metadata/apex                                                    apex_metadata_file
 /metadata/apex/test                                               apex_metadata_file
 /metadata/vold                                                    vold_metadata_file
@@ -1269,12 +1290,14 @@
 /metadata/bootstat/test                                           metadata_bootstat_file
 /metadata/staged-install                                          staged_install_file
 /metadata/staged-install/test                                     staged_install_file
-/metadata/userspacereboot                                         userspace_reboot_metadata_file
-/metadata/userspacereboot/test                                    userspace_reboot_metadata_file
 /metadata/watchdog                                                watchdog_metadata_file
 /metadata/watchdog/test                                           watchdog_metadata_file
 /metadata/repair-mode                                             repair_mode_metadata_file
 /metadata/repair-mode/test                                        repair_mode_metadata_file
+/metadata/tradeinmode                                             tradeinmode_metadata_file
+/metadata/tradeinmode/test                                        tradeinmode_metadata_file
+/metadata/prefetch                                                prefetch_metadata_file
+/metadata/prefetch/test                                           prefetch_metadata_file
 
 /mnt/asec                                                         asec_apk_file
 /mnt/asec/test                                                    asec_apk_file
@@ -1302,6 +1325,11 @@
 /mnt/product                                                      mnt_product_file
 /mnt/product/test                                                 mnt_product_file
 
+
+/mnt/scratch_ota_metadata_super                                   ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota                               ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota/snapshots                     ota_metadata_file
+
 /system/bin/check_dynamic_partitions                              postinstall_exec
 /product/bin/check_dynamic_partitions                             postinstall_exec
 /system/bin/otapreopt_script                                      postinstall_exec
diff --git a/flagging/Android.bp b/flagging/Android.bp
index ce20323..c92991f 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -18,12 +18,19 @@
     name: "aosp_selinux_flags",
     flags: [
         "RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
+        "RELEASE_AVF_ENABLE_EARLY_VM",
         "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
         "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
         "RELEASE_AVF_ENABLE_NETWORK",
+        "RELEASE_AVF_ENABLE_MICROFUCHSIA",
+        "RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST",
+        "RELEASE_AVF_ENABLE_WIDEVINE_PVM",
+        "RELEASE_RANGING_STACK",
         "RELEASE_READ_FROM_NEW_STORAGE",
+        "RELEASE_SUPERVISION_SERVICE",
         "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
         "RELEASE_UNLOCKED_STORAGE_API",
+        "RELEASE_BLUETOOTH_SOCKET_SERVICE",
     ],
     export_to: ["all_selinux_flags"],
 }
@@ -39,13 +46,6 @@
     build_flags: ["all_selinux_flags"],
 }
 
-se_policy_conf_defaults {
-    name: "se_policy_conf_public_flags_defaults",
-    srcs: [":sepolicy_flagging_macros"],
-    build_flags: ["all_selinux_flags"],
-    board_api_level: "vendor",
-}
-
 contexts_defaults {
     name: "contexts_flags_defaults",
     srcs: [":sepolicy_flagging_macros"],
diff --git a/flagging/flagging_macros b/flagging/flagging_macros
index baf26c3..44cd33a 100644
--- a/flagging/flagging_macros
+++ b/flagging/flagging_macros
@@ -9,16 +9,15 @@
 define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
 
 ####################################
-# starting_at_board_api(api_level, rules)
+# starting_at_board_api(api_level, rules_if_api_level)
 #
-# This macro conditionally exposes SELinux rules within system/sepolicy/public,
-# ensuring they are available to vendors only when the board API level is at or
-# above the specified 'api_level'.
-#
-# * Platform sepolicy: Rules are always enabled, regardless of API level.
-# * Vendor sepolicy: Rules are enabled only when the board API level meets or
-#                    exceeds the value provided in 'api_level'.
-#
-# Apply this macro to public types and attributes (in system/sepolicy/public) to
-# restrict vendor access based on board API level.
+# This macro conditionally exposes SELinux rules ensuring they are available
+# only when the board API level is at or above the specified 'api_level'.
 define(`starting_at_board_api', `ifelse(eval(target_board_api_level >= $1), 1, `$2')')
+
+####################################
+# until_board_api(api_level, rules_if_lower_api_level)
+#
+# This macro conditionally exposes SELinux rules ensuring they are available
+# only when the board API level is below the specified 'api_level'.
+define(`until_board_api', `ifelse(eval(target_board_api_level < $1), 1, `$2')')
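Review bot: The two macros are exact complements (`>=` versus `<` on the same `target_board_api_level`), which is the property callers of `until_board_api` will rely on, yet neither comment states it; add `# Complements starting_at_board_api: for a given api_level exactly one of the two bodies is emitted.` above the new define. The rewritten starting_at_board_api comment also drops the former sentence that platform sepolicy always enabled the rules regardless of API level; if that still holds through how target_board_api_level is set for platform builds, keep one sentence saying so, otherwise the behavioural change deserves a mention in the commit message. Both macros call `eval(...)` unconditionally, so a build with target_board_api_level undefined presumably fails in m4 rather than silently dropping the rules — fine, but worth one line in the comment.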
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index e9b4b1e..a20ce93 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -212,7 +212,7 @@
 }
 
 // sepolicy sha256 for vendor
-genrule {
+java_genrule {
     name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
     srcs: [
         ":microdroid_plat_sepolicy.cil",
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 275a455..8c331d0 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -92,6 +92,9 @@
 # apexd can set apexd sysprop
 set_prop(apexd, apexd_prop)
 
+# apexd can set apex.all.ready sysprop
+set_prop(apexd, apex_ready_prop)
+
 # Allow apexd to stop itself
 set_prop(apexd, ctl_apexd_prop)
 
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7361462..40cfe5b 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -230,7 +230,6 @@
 allow { domain } cgroup_v2:file w_file_perms;
 
 allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
 
 # Allow all processes to connect to PRNG seeder daemon.
 unix_socket_connect(domain, prng_seeder, prng_seeder)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 6414f76..8416087 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -113,7 +113,7 @@
 /system/bin/traced               u:object_r:traced_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/group                       u:object_r:system_group_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
@@ -127,7 +127,7 @@
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_file:s0
 
 #############################
 # Vendor files
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 67af209..9a0345f 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -114,7 +114,6 @@
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
 allow init cgroup_v2:dir { mounton create_dir_perms};
 allow init cgroup_v2:file rw_file_perms;
 
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index d26154a..77667ff 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -8,3 +8,7 @@
 
 type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Let microdroid_manager kernel-log.
+allow microdroid_app kmsg_device:chr_file w_file_perms;
+allow microdroid_app kmsg_debug_device:chr_file w_file_perms;
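Review bot: The comment names the wrong domain: it says `# Let microdroid_manager kernel-log.` but both rules grant `microdroid_app` write access to kmsg_device and kmsg_debug_device. Change it to `# Let microdroid_app kernel-log.`, and since this extends kernel-log writes from the manager to the payload domain, say in the same comment why the payload needs it.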
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 75c89be..96a05f7 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -129,7 +129,8 @@
 allow microdroid_manager ram_device:blk_file rw_file_perms;
 
 # Allow microdroid_manager to read/write failure serial device
-allow microdroid_manager serial_device:chr_file w_file_perms;
+# tcdrain requires ioctl.
+allow microdroid_manager serial_device:chr_file { w_file_perms ioctl };
 
 # Allow microdroid_manager to handle extra_apks
 allow microdroid_manager extra_apk_file:dir create_dir_perms;
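Review bot: The new rule grants unrestricted `ioctl` on serial_device while the comment says only that tcdrain needs it (on bionic, tcdrain is an `ioctl(fd, TCSBRK, 1)`); if this policy uses ioctl allowlisting (`allowxperm`) for other chr_file grants, restrict the new permission to that ioctl rather than every ioctl on the device. The comment above also still says `read/write` while the rule grants only `w_file_perms`; `# Allow microdroid_manager to write the failure serial device (tcdrain needs ioctl).` matches what is actually allowed.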
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2bd5a22..803e25e 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -58,6 +58,7 @@
 
 apexd.status      u:object_r:apexd_prop:s0 exact enum starting activated ready
 ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
+apex.all.ready    u:object_r:apex_ready_prop:s0 exact bool
 
 ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
 
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 0ea67a7..ba88770 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -43,7 +43,6 @@
 
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 8d3f76a..8551bb6 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -6,7 +6,9 @@
 type apex_mnt_dir, file_type;
 type authfs_data_file, file_type, data_file_type, core_data_file_type;
 type authfs_service_socket, file_type, coredomain_socket;
-type cgroup_desc_api_file, file_type, system_file_type;
+until_board_api(202504, `
+    type cgroup_desc_api_file, file_type, system_file_type;
+')
 type cgroup_desc_file, file_type, system_file_type;
 type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
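Review bot: The `until_board_api(202504, ...)` wrapper around cgroup_desc_api_file (and around task_profiles_api_file in the next hunk of this file) keeps a type that no rule in this commit still uses — the file_contexts entries and the allow rules for both types are removed in microdroid/system/private — without saying why it survives for older boards. A comment such as `# Retained only for boards below API 202504 that may still reference this type; the files are labeled cgroup_desc_file since 202504 — TODO confirm against vendor policy` would stop a later cleanup from either dropping it prematurely or keeping it forever.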
@@ -30,7 +32,9 @@
 type system_passwd_file, file_type, system_file_type;
 type system_seccomp_policy_file, file_type, system_file_type;
 type system_security_cacerts_file, file_type, system_file_type;
-type task_profiles_api_file, file_type, system_file_type;
+until_board_api(202504, `
+    type task_profiles_api_file, file_type, system_file_type;
+')
 type task_profiles_file, file_type, system_file_type;
 type trace_data_file, file_type, data_file_type, core_data_file_type;
 type unlabeled, file_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 7db53d0..18dab10 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -2,6 +2,7 @@
 type apex_config_prop, property_type;
 type apexd_payload_metadata_prop, property_type;
 type apexd_prop, property_type;
+type apex_ready_prop, property_type;
 type arm64_memtag_prop, property_type;
 type bootloader_prop, property_type;
 type boottime_prop, property_type;
diff --git a/prebuilts/api/34.0/public/hal_neverallows.te b/prebuilts/api/34.0/public/hal_neverallows.te
index fed9d78..1aae9ee 100644
--- a/prebuilts/api/34.0/public/hal_neverallows.te
+++ b/prebuilts/api/34.0/public/hal_neverallows.te
@@ -12,7 +12,6 @@
   # TODO(b/196225233): Remove hal_uwb_vendor_server
   -hal_uwb_vendor_server
   -hal_nlinterceptor_server
-  -hal_tv_tuner_server
 } self:global_capability_class_set { net_admin net_raw };
 
 # Unless a HAL's job is to communicate over the network, or control network
@@ -34,7 +33,6 @@
   # TODO(b/196225233): Remove hal_uwb_vendor_server
   -hal_uwb_vendor_server
   -hal_nlinterceptor_server
-  -hal_tv_tuner_server
 } domain:{ udp_socket rawip_socket } *;
 
 neverallow {
@@ -47,7 +45,6 @@
   -hal_wifi_supplicant_server
   -hal_telephony_server
   -hal_nlinterceptor_server
-  -hal_tv_tuner_server
 } {
   domain
   userdebug_or_eng(`-su')
diff --git a/private/access_vectors b/private/access_vectors
index 9d82ac8..f91c1a4 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -807,3 +807,8 @@
 {
 	create
 }
+
+class tee_service
+{
+	use
+}
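Review bot: The new `tee_service` class has no comment, and a class with a single `use` permission is unusual enough that its purpose should sit next to it; something like `# Services a VM may reach in a TEE; 'use' is checked per service entry — TODO confirm wording` (inferred from the plat_tee_service_contexts file this commit adds to Android.bp). Adding an access-vector class also requires its declaration in the security_classes file, which is not part of the visible sections — worth confirming it is in the change.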
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 97e7493..211405b 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -1,15 +1,9 @@
 # aconfigd -- manager for aconfig flags
-type aconfigd, domain;
+type aconfigd, domain, coredomain, mlstrustedsubject;
 type aconfigd_exec, exec_type, file_type, system_file_type;
 
-typeattribute aconfigd coredomain;
-
 init_daemon_domain(aconfigd)
 
-# only init is allowed to enter the aconfigd domain
-neverallow { domain -init } aconfigd:process transition;
-neverallow * aconfigd:process dyntransition;
-
 allow aconfigd metadata_file:dir search;
 
 allow aconfigd {
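Review bot: `mlstrustedsubject` is added to aconfigd on the rewritten `type` line without a comment; it exempts the domain from MLS constraints, which is a broader change than the rest of this cleanup, so the reason belongs next to the declaration, e.g. `# mlstrustedsubject: needed to serve flag storage across MLS levels — TODO confirm`. The same attribute appears undocumented on the new aconfigd_mainline domain in this commit. The neverallow block removed from this hunk reappears later in the file, so no assertion is lost.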
@@ -22,17 +16,9 @@
     aconfig_storage_flags_metadata_file
 }:file create_file_perms;
 
-allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
-allow aconfigd aconfigd_socket:sock_file rw_file_perms;
-
-# allow aconfigd to access shell_data_file for atest
-userdebug_or_eng(`
-    allow aconfigd shell_data_file:dir search;
-    allow aconfigd shell_data_file:file { getattr read open map };
-')
-
-# allow aconfigd to log to the kernel.
-allow aconfigd kmsg_device:chr_file w_file_perms;
+# allow aconfigd to log to the kernel dmesg via a file descriptor
+# passed from init to aconfigd
+allow aconfigd kmsg_device:chr_file write;
 
 # allow aconfigd to read vendor partition storage files
 allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
@@ -41,3 +27,44 @@
 # allow aconfigd to read /apex dir
 allow aconfigd apex_mnt_dir:dir r_dir_perms;
 allow aconfigd apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd apex_info_file:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
+
+# Do not allow write access to boot/map storage files except, aconfigd and aconfigd_mainline.
+# These files are meant to serve flag reads for all processes. They are created by aconfigd (for
+# platform storage files) and aconfigd_mainline (mainline storage files) processes.
+neverallow {
+  domain
+  -init
+  -aconfigd
+  -aconfigd_mainline
+} aconfig_storage_metadata_file:dir no_w_dir_perms;
+neverallow {
+  domain
+  -init
+  -aconfigd
+  -aconfigd_mainline
+} aconfig_storage_metadata_file:file no_w_file_perms;
+
+# Only aconfigd and aconfigd_mainline can access persist storage files
+# These files are meant to serve as persist flag value storage, only aconfigd and
+# aconfigd_mainline process should manage them. Other processes should have zero access.
+neverallow {
+  domain
+  -init
+  -aconfigd
+  -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:dir *;
+neverallow {
+  domain
+  -init
+  -aconfigd
+  -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:file no_rw_file_perms;
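Review bot: The comments on the new neverallows do not match the rules under them: both say only aconfigd and aconfigd_mainline may touch the files, but every rule also exempts `init`, and the persist-storage comment says other processes "should have zero access" while the `:file` rule uses `no_rw_file_perms` (the `:dir` rule uses `*`). Either tighten the file rule to `*` if that is the intent, or reword to `# Only init, aconfigd and aconfigd_mainline may read or write persist storage files.` The new `dontaudit aconfigd apex_info_file:file r_file_perms;` at the top of the hunk also deserves a line saying which access is being silenced and why.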
diff --git a/private/aconfigd_mainline.te b/private/aconfigd_mainline.te
new file mode 100644
index 0000000..cd98d4b
--- /dev/null
+++ b/private/aconfigd_mainline.te
@@ -0,0 +1,38 @@
+# aconfigd_mainline -- manager for mainline aconfig flags
+type aconfigd_mainline, domain, coredomain, mlstrustedsubject;
+type aconfigd_mainline_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(aconfigd_mainline)
+
+# allow aconfigd_mainline to search /metadata dir as it needs to access files under
+# /metadata/aconfig dir
+allow aconfigd_mainline metadata_file:dir search;
+
+# aconfigd_mainline should be able to create storage files under /metadata/aconfig dir
+allow aconfigd_mainline {
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd_mainline {
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+# allow aconfigd_mainline to log to the kernel.
+allow aconfigd_mainline kmsg_device:chr_file write;
+
+# allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all
+# dirs under /apex to find all currently mounted mainline modules and get their
+# storage files
+allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms;
+allow aconfigd_mainline apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd_mainline apex_info_file:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd_mainline domain
+neverallow { domain -init } aconfigd_mainline:process transition;
+neverallow * aconfigd_mainline:process dyntransition;
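Review bot: The new domain gets `create_dir_perms` and `create_file_perms` on both aconfig storage types, but nothing says why a mainline-module flag daemon must create directories under /metadata/aconfig; a line like `# creates per-module storage directories under /metadata/aconfig — TODO confirm` would help. `mlstrustedsubject` on the `type` line is likewise undocumented and is a broad grant that should be justified in place. The neverallow section here only covers domain entry while the write restrictions on the storage files are asserted in aconfigd.te, so a cross-reference `# Read/write restrictions on aconfig storage files are asserted in aconfigd.te.` keeps the two files from drifting apart.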
diff --git a/private/adbd.te b/private/adbd.te
index 16329f9..b87b319 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -44,18 +44,8 @@
 # ignore spurious denials for adbd when disk space is low.
 dontaudit adbd self:global_capability_class_set sys_resource;
 
-# adbd probes for vsock support. Do not generate denials when
-# this occurs. (b/123569840)
-dontaudit adbd self:{ socket vsock_socket } create;
-
-# Allow adbd inside vm to forward vm's vsock.
-allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
 # Create and use network sockets.
 net_domain(adbd)
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(adbd, mdnsd, mdnsd)
-
 # Access /dev/usb-ffs/adb/ep0
 allow adbd functionfs:dir search;
 allow adbd functionfs:file rw_file_perms;
@@ -64,13 +54,6 @@
   FUNCTIONFS_CLEAR_HALT
 };
 
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
 # adb pull /data/local/traces/*
 allow adbd trace_data_file:dir r_dir_perms;
 allow adbd trace_data_file:file r_file_perms;
@@ -101,25 +84,9 @@
 set_prop(adbd, ffs_control_prop)
 set_prop(adbd, adbd_tradeinmode_prop)
 
-# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
-
 # Allow adbd start/stop mdnsd via ctl.start
 set_prop(adbd, ctl_mdnsd_prop)
 
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
-
-# Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
-
 # Read device's overlayfs related properties and files
 userdebug_or_eng(`
   get_prop(adbd, persistent_properties_ready_prop)
@@ -225,8 +192,7 @@
 allow adbd shell_data_file:file create_file_perms;
 
 # Allow pull /vendor/apex files for CTS tests
-allow adbd vendor_apex_file:dir search;
-allow adbd vendor_apex_file:file r_file_perms;
+r_dir_file(adbd, vendor_apex_file)
 
 # Allow adb pull of updated apex files in /data/apex/active.
 allow adbd apex_data_file:dir search;
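Review bot: `r_dir_file(adbd, vendor_apex_file)` is wider than the two rules it replaces: it grants `r_dir_perms` on the directory (open/read, i.e. listing) where the old rule granted only `search`. If the CTS pull needs to enumerate /vendor/apex, say so in the comment; otherwise keep `allow adbd vendor_apex_file:dir search;` with the existing file rule so the grant stays minimal.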
diff --git a/private/adbd_common.te b/private/adbd_common.te
index 8594b9e..c24b029 100644
--- a/private/adbd_common.te
+++ b/private/adbd_common.te
@@ -28,4 +28,4 @@
 set_prop(adbd_common, adbd_config_prop)
 
 # Read device's serial number from system properties
-get_prop(adbd_common, serialno_prop)
\ No newline at end of file
+get_prop(adbd_common, serialno_prop)
diff --git a/private/adbd_tradeinmode.te b/private/adbd_tradeinmode.te
index 2eae26a..42fdec4 100644
--- a/private/adbd_tradeinmode.te
+++ b/private/adbd_tradeinmode.te
@@ -4,6 +4,9 @@
 # Create and use network sockets.
 net_domain(adbd_tradeinmode)
 
+# Run /system/bin/tradeinmode
+domain_auto_trans(adbd_tradeinmode, tradeinmode_exec, tradeinmode)
+
 # Baseline rules to make adbd work after setcon().
 allow adbd_tradeinmode adbd:unix_stream_socket {
     rw_socket_perms_no_ioctl
diff --git a/private/apexd.te b/private/apexd.te
index c87c5ef..3205b02 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -191,6 +191,9 @@
 
 # Allow apexd to write to statsd.
 unix_socket_send(apexd, statsdw, statsd)
+# Allow apexd to call
+allow apexd statsbootstrap_service:service_manager find;
+binder_call(apexd, system_server) # system_server serves statsbootstrap_service
 
 ###
 ### Neverallow rules
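Review bot: `# Allow apexd to call` is an unfinished sentence; the rules beneath it are a service_manager find on statsbootstrap_service plus a binder_call to system_server, so `# Allow apexd to find statsbootstrap_service and call into system_server, which serves it.` describes them and makes the trailing comment on the binder_call line redundant.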
@@ -223,7 +226,11 @@
 neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
 neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton;
 
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+# The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
+# and make binder calls to apexd.
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -apexd -keystore -system_server -update_engine -update_provider } apex_service:service_manager find;
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -apexd -keystore -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
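Review bot: The new comment explains the `update_provider` exemption but not the `-keystore` one added on the same two lines: keystore may now find apex_service and make binder calls to apexd, which is not obviously related to APEX updates. Add a line stating what keystore needs from apexd (presumably a query it makes during boot — confirm with the corresponding keystore change), e.g. `# keystore queries apexd for <reason> — see <change-id>.` with the placeholders filled in.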
diff --git a/private/app.te b/private/app.te
index 1dd7fda..b9a6d85 100644
--- a/private/app.te
+++ b/private/app.te
@@ -159,7 +159,7 @@
 control_logd({ appdomain -ephemeral_app -sdk_sandbox_all })
 
 # application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info grant rebind update };
 
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
 
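Review bot: Adding `grant` to the keystore2_key permissions for nearly all app domains widens what apps can do with keys, but the comment above the changed line still reads `# application inherit logd write socket ...`, which describes neither the old nor the new rule. Replace it with a comment stating the rule, e.g. `# Apps may use, inspect, rebind, update, delete and grant their own Keystore keys.`, and record in the commit why untrusted apps now need `grant`.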
@@ -167,6 +167,8 @@
 
 use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
 
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } persistent_data_block_service:service_manager find;
+
 # For app fuse.
 pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
 pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
@@ -488,6 +490,8 @@
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
 
+get_prop(appdomain, high_barometer_quality_prop)
+
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
 allow appdomain adbd:unix_stream_socket connectto;
@@ -639,12 +643,6 @@
     apk_tmp_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
-    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
-
 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;
 neverallow { appdomain -shell } efs_file:dir_file_class_set read;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bf723c5..0e2b01c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -45,6 +45,10 @@
 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
+# Do not allow untrusted apps to modify temporarily staged APKs.
+neverallow all_untrusted_apps { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow all_untrusted_apps { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read map };
+
 # net.dns properties are not a public API. Disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps } net_dns_prop:file read;
 
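Review bot: The two neverallows moved here cover `all_untrusted_apps`, but the rule removed from app.te in the same commit that denied `{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set *` to every appdomain other than untrusted_app_all, platform_app, priv_app and isolated_app_all has no counterpart, so other app domains are no longer neverallow-protected against touching staged APKs. If dropping that assertion is intentional, say so in the new comment; otherwise re-add it here alongside these two.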
diff --git a/private/artd.te b/private/artd.te
index e6a6aaa..15d7969 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -4,6 +4,9 @@
 type artd_exec, system_file_type, exec_type, file_type;
 type artd_tmpfs, file_type;
 
+# All types of artd subprocesses, which artd can kill.
+attribute artd_subprocess_type;
+
 # Allow artd to publish a binder service and make binder calls.
 binder_use(artd)
 add_service(artd, artd_service)
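Review bot: `attribute artd_subprocess_type;` is declared without saying where it is assigned; the `neverallow artd ~{artd_subprocess_type crash_dump}:process transition;` added at the end of this file will fail the build if a subprocess domain lacks it, which is good, but a reader of this hunk cannot tell which domains are meant. Extend the comment to `# All types of artd subprocesses (profman, dex2oat, derive_classpath, odrefresh; attribute assigned in each domain's own .te), which artd can kill.` — the four names come from the domain_auto_trans and removed sigkill rules further down this file; confirm the assignments exist in those files.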
@@ -37,6 +40,8 @@
 allow artd mnt_expand_file:dir { getattr search };
 allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
 allow artd apk_data_file:file r_file_perms;
+allow artd apk_tmp_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_tmp_file:file r_file_perms;
 
 # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
@@ -131,7 +136,7 @@
 domain_auto_trans(artd, dex2oat_exec, dex2oat)
 
 # Allow sending sigkill to subprocesses.
-allow artd { profman dex2oat }:process sigkill;
+allow artd artd_subprocess_type:process sigkill;
 
 # Allow reading process info (/proc/<pid>/...).
 # This is needed for getting CPU time and wall time spent on subprocesses.
@@ -159,9 +164,6 @@
 domain_auto_trans(artd, derive_classpath_exec, derive_classpath)
 domain_auto_trans(artd, odrefresh_exec, odrefresh)
 
-# Allow sending sigkill to subprocesses.
-allow artd { derive_classpath odrefresh }:process sigkill;
-
 # Allow accessing Pre-reboot Dexopt files.
 allow artd pre_reboot_dexopt_file:dir { getattr search };
 
@@ -185,3 +187,15 @@
 # Never allow running other binaries without a domain transition.
 # The exception for art_exec_exec is explained above.
 neverallow artd ~{art_exec_exec}:file execute_no_trans;
+
+# Make sure artd_subprocess_type is complete, in a sense that it includes all
+# types of artd subprocesses.
+neverallow artd ~{artd_subprocess_type crash_dump}:process transition;
+
+# artd uses process groups to manage subprocesses and kill them. To ensure
+# successful kill, we need to prevent subprocesses from changing their
+# process groups or transitioning to other domains.
+# Transitioning crash_dump is allowed because it is transient and is only used
+# upon crashes.
+neverallow artd_subprocess_type self:process setpgid;
+neverallow artd_subprocess_type ~{artd_subprocess_type crash_dump}:process transition;
diff --git a/private/attributes b/private/attributes
index 2d6181d..13479c9 100644
--- a/private/attributes
+++ b/private/attributes
@@ -11,9 +11,23 @@
 attribute system_and_vendor_property_type;
 expandattribute system_and_vendor_property_type false;
 
+# HALs
+until_board_api(202504, `
+    hal_attribute(mediaquality);
+')
+
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
 # The SDK sandbox domains for the current SDK level.
 attribute sdk_sandbox_current;
 # Common to adbd and adbd_tradeinmode.
 attribute adbd_common;
+
+# Provides access to platform update services.
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+attribute update_provider;
+expandattribute update_provider false;
+
+until_board_api(202504, `
+    attribute tee_service_type;
+')
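Review bot: The two `until_board_api(202504, ...)` blocks declare `hal_attribute(mediaquality)` and `attribute tee_service_type` only for boards below 202504 without explaining where the declarations come from at or above that level — presumably from public policy behind starting_at_board_api, but that is not visible here. A one-line comment above each, e.g. `# Declared in private policy only for boards below 202504; newer boards get it from public/ — TODO confirm`, would stop someone removing the wrapper when the private copy looks redundant.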
diff --git a/private/bert_collector.te b/private/bert_collector.te
new file mode 100644
index 0000000..b11bd76
--- /dev/null
+++ b/private/bert_collector.te
@@ -0,0 +1,12 @@
+type bert_collector, domain, coredomain;
+type bert_collector_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(bert_collector)
+
+r_dir_file(bert_collector, sysfs_firmware_acpi_tables)
+
+binder_use(bert_collector)
+binder_call(bert_collector, system_server)
+
+allow bert_collector dropbox_service:service_manager find;
+allow bert_collector proc_version:file r_file_perms;
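Review bot: The new domain has no header comment saying what bert_collector does or why it reads sysfs_firmware_acpi_tables and reaches dropbox through system_server. A line such as `# bert_collector -- reads ACPI BERT error-record tables from sysfs and reports them to dropbox (inferred from the name; confirm)` at the top follows the convention used in aconfigd.te. Unlike aconfigd_mainline.te in the same commit, there is also no `neverallow { domain -init } bert_collector:process transition;` / `dyntransition` pair; adding it keeps daemon domains consistent.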
diff --git a/private/bootanim.te b/private/bootanim.te
index d9be72f..fd3a09b 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -64,3 +64,6 @@
 
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
+
+# Allow bootanim to send information to statsd socket.
+unix_socket_send(bootanim, statsdw, statsd)
\ No newline at end of file
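Review bot: The file now ends without a trailing newline (`\ No newline at end of file`), unlike the rest of the policy; add one after the `unix_socket_send` line. The comment says only "send information to statsd socket"; stating what bootanim reports (presumably boot-animation timing atoms — confirm) makes the grant reviewable.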
diff --git a/private/bug_map b/private/bug_map
index 97d9713..a4873a7 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,3 +1,4 @@
+crash_dump keystore process b/376065666
 dnsmasq netd fifo_file b/77868789
 dnsmasq netd unix_stream_socket b/77868789
 gmscore_app system_data_file dir b/146166941
diff --git a/private/cameraserver.te b/private/cameraserver.te
index b143f58..16c1f3d 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -14,7 +14,7 @@
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
-
+allow cameraserver hal_camera_server:process signal;
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
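Review bot: `allow cameraserver hal_camera_server:process signal;` replaces a blank line and carries no comment, yet `signal` lets a framework process send any non-kill signal to a vendor HAL process, which is not a capability cameraserver normally has. Document why it is needed and, if one signal suffices, which, e.g. `# cameraserver signals the camera HAL process for <reason> — confirm`, and keep the blank line between the two hal_client_domain calls.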
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 869deb6..85eb601 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,5 +1,7 @@
 ;; This type may or may not already exist in vendor policy. Re-define it here (duplicate
 ;; definitions in CIL will be ignored) - so we can reference it in 202404.cil.
+(type virtual_fingerprint_hal_prop)
+(type otapreopt_chroot)
 (type vendor_hidraw_device)
 (typeattributeset dev_type (vendor_hidraw_device))
 
@@ -2722,8 +2724,8 @@
 (typeattributeset virtual_camera_service_202404 (virtual_camera_service))
 (typeattributeset virtual_device_native_service_202404 (virtual_device_native_service))
 (typeattributeset virtual_device_service_202404 (virtual_device_service))
-(typeattributeset virtual_face_hal_prop_202404 (virtual_face_hal_prop))
-(typeattributeset virtual_fingerprint_hal_prop_202404 (virtual_fingerprint_hal_prop))
+(typeattributeset virtual_face_hal_prop_202404 (virtual_face_hal_prop virtual_face_prop))
+(typeattributeset virtual_fingerprint_hal_prop_202404 (virtual_fingerprint_hal_prop virtual_fingerprint_prop))
 (typeattributeset virtual_touchpad_202404 (virtual_touchpad))
 (typeattributeset virtual_touchpad_exec_202404 (virtual_touchpad_exec))
 (typeattributeset virtual_touchpad_service_202404 (virtual_touchpad_service))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index efeeff7..2ddfec3 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -5,12 +5,27 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    bluetooth_finder_prop
     profcollectd_etr_prop
-    fs_bpf_lmkd_memevents_rb
-    fs_bpf_lmkd_memevents_prog
     fstype_prop
     binderfs_logs_transactions
     binderfs_logs_transaction_history
     proc_compaction_proactiveness
     proc_cgroups
+    ranging_service
+    supervision_service
+    app_function_service
+    virtual_fingerprint
+    virtual_fingerprint_exec
+    virtual_face
+    virtual_face_exec
+    hal_mediaquality_service
+    media_quality_service
+    advanced_protection_service
+    sysfs_firmware_acpi_tables
+    intrusion_detection_service
+    wifi_mainline_supplicant_service
+    crosvm
+    early_virtmgr
+    virtualizationmanager
   ))
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
index 53ee8ff..f102b02 100644
--- a/private/compat/33.0/33.0.compat.cil
+++ b/private/compat/33.0/33.0.compat.cil
@@ -1,3 +1,12 @@
 ;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
 ;; will be compiled along with other normal policy files, on 33.0 vendors.
 ;;
+
+;; This type may or may not already exist in vendor policy. The 202404 sepolicy
+;; (well, the 24Q1 release) added hidraw_device, but existing vendor policy
+;; may still label the relevant devices with the old label.
+(type vendor_hidraw_device)
+(typeattributeset dev_type (vendor_hidraw_device))
+
+(allow system_server vendor_hidraw_device (dir (open getattr read search ioctl lock watch watch_reads)))
+(allow system_server vendor_hidraw_device (chr_file (getattr open read ioctl lock map watch watch_reads append write)))
\ No newline at end of file
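Review bot: The file now ends without a trailing newline (`\ No newline at end of file`); add one after the last `allow`. The comment explains the old label but not the permissions granted: the chr_file rule gives system_server `append write` as well as reads, so a line like `;; Mirrors system_server's hidraw_device access for devices still carrying the old label — TODO confirm` keeps the compat rule from being read as a new grant.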
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 352aecf..a9a37a4 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -80,7 +80,9 @@
     ublk_control_device
     usb_uvc_enabled_prop
     virtual_face_hal_prop
+    virtual_face_prop
     virtual_fingerprint_hal_prop
+    virtual_fingerprint_prop
     hal_gatekeeper_service
     hal_broadcastradio_service
     hal_confirmationui_service
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 455cbff..3f5cb68 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -19,6 +19,7 @@
     hal_secretkeeper_service
     hal_codec2_service
     hal_macsec_service
+    hal_mediaquality_service
     hal_remotelyprovisionedcomponent_avf_service
     hal_threadnetwork_service
     hidl_memory_prop
@@ -32,6 +33,7 @@
     security_state_service
     sensitive_content_protection_service
     setupwizard_mode_prop
+    supervision_service
     sysfs_sync_on_suspend
     tv_ad_service
     threadnetwork_service
@@ -51,4 +53,5 @@
     aconfigd_socket
     enable_16k_pages_prop
     proc_cgroups
+    media_quality_service
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index 6409892..23ad43a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -55,7 +55,6 @@
         -appdomain
         -artd
         -dex2oat
-        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -73,7 +72,6 @@
         -appdomain
         -artd
         -dex2oat
-        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -96,7 +94,6 @@
         -appdomain
         -artd
         -dex2oat
-        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -117,7 +114,6 @@
         -appdomain
         -artd
         -dex2oat
-        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -187,6 +183,7 @@
     -shell
     -system_server
     -traceur_app
+    -prefetch
     userdebug_or_eng(`-profcollectd')
     userdebug_or_eng(`-simpleperf_boot')
   } debugfs_tracing:file no_rw_file_perms;
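Review bot: The new `-prefetch` exclusion carries no comment and, unlike the neighbouring `userdebug_or_eng(`-profcollectd')` and `userdebug_or_eng(`-simpleperf_boot')` entries, is not restricted to debug builds, so prefetch is exempted from the debugfs_tracing neverallow on user builds as well. A one-line comment naming why prefetch needs tracefs in production builds would record the intent; the enclosing neverallow starts before this hunk, so prefetch's own tracing grants are not visible here.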
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 45d5722..a9a802c 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -19,13 +19,7 @@
 }:process { ptrace signal sigchld sigstop sigkill };
 
 userdebug_or_eng(`
-  allow crash_dump {
-    apexd
-    keystore
-    llkd
-    logd
-    vold
-  }:process { ptrace signal sigchld sigstop sigkill };
+  allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
 # Read ART APEX data directory
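Review bot: Dropping `keystore` from the userdebug_or_eng ptrace set at line 3192 is not explained, and the hunk ending at line 3221 removes the matching `userdebug_or_eng(`-keystore')` exemption from the neverallow, so crash_dump can no longer attach to keystore even on debug builds. That reads as deliberate hardening of a process holding key material, so a comment on the allow line such as `# keystore is intentionally absent: crash_dump must not be able to read its memory, even on debug builds` would keep it from being re-added. Collapsing the set onto one line also departs from the multi-line style used for the set directly above it.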
@@ -106,8 +100,15 @@
   core_data_file_type
   vendor_file_type
 }:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
-dontaudit crash_dump property_type:file read;
+# Crash dump might try to read files that are mapped into the crashed process's
+# memory space to extract useful binary information such as the ELF header. See
+# system/core/debuggerd/libdebuggerd/tombstone_proto.cpp:dump_mappings.
+# Ignore these accesses.
+dontaudit crash_dump {
+  app_data_file_type
+  property_type
+  system_data_file
+}:{ lnk_file file } { read open };
 
 get_prop(crash_dump, misctrl_prop)
 
@@ -128,7 +129,6 @@
   init
   kernel
   keystore
-  userdebug_or_eng(`-keystore')
   llkd
   userdebug_or_eng(`-llkd')
   logd
diff --git a/private/crosvm.te b/private/crosvm.te
index 00978f3..a377e7a 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -1,4 +1,7 @@
-type crosvm, domain, coredomain;
+until_board_api(202504, `
+    type crosvm, domain, coredomain;
+')
+
 type crosvm_exec, system_file_type, exec_type, file_type;
 type crosvm_tmpfs, file_type;
 
@@ -20,10 +23,16 @@
 tmpfs_domain(crosvm)
 
 # Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationmanager:fd use;
+allow crosvm {
+  virtualizationmanager
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fd use;
 
 # Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
-allow crosvm virtualizationmanager:fifo_file write;
+allow crosvm {
+  virtualizationmanager
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fifo_file write;
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -40,10 +49,14 @@
   apex_virt_data_file
   shell_data_file
   vendor_microdroid_file
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
 }:file { getattr read ioctl lock };
 
 # Allow searching the directory where the composite disk images are.
-allow crosvm virtualizationservice_data_file:dir search;
+allow crosvm {
+    virtualizationservice_data_file
+    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
+}:dir search;
 
 # When running a VM as root we get spurious capability denials.
 # Suppress them.
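Review bot: The `vm_data_file` dir-search set at lines 3263–3266 is indented with four spaces while every other multi-line set in this file uses two (compare lines 3247–3250); align it to two spaces. Otherwise the rule is consistent with the file-read grant added in the same hunk.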
@@ -58,7 +71,10 @@
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection
 # Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
+allow crosvm {
+  virtualizationmanager
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:unix_stream_socket { accept read write getattr getopt };
 
 # Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
 userdebug_or_eng(`
@@ -74,6 +90,7 @@
   privapp_data_file
   apex_compos_data_file
   apex_virt_data_file
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
@@ -98,14 +115,18 @@
   allow crosvm virtualization_service:service_manager find;
   allow crosvm virtualizationservice:binder { call transfer };
 
-  # Allow crosvm to mount Terminal app internal storage directory
-  # to guest VM over virtiofs
-  allow crosvm privapp_data_file:dir { getattr open read search };
-  allow crosvm privapp_data_file:file { open };
-
   # Allow crosvm to play sound.
   binder_call(crosvm, audioserver)
   allow crosvm audioserver_service:service_manager find;
+
+  # Allow crosvm to mount fuse path in guest VM through virtiofs
+  allow crosvm fuse:file create_file_perms;
+  allow crosvm fuse:dir create_dir_perms;
+  allow crosvm mnt_user_file:dir search;
+
+  # Allow crosvm to create unix socket for vhost-user-fs
+  allow crosvm virtualizationservice_data_file:dir { add_name write remove_name };
+  allow crosvm virtualizationservice_data_file:sock_file { create write unlink };
 ')
 
 # crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
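Review bot: `allow crosvm fuse:file create_file_perms;` (line 3304) lets crosvm open, create and write any file labelled `fuse`, and `fuse` is absent from the `neverallow crosvm {…}:file open` block later in this file (lines 3349–3358) whose comment explains that crosvm must not open files it does not own because a composite disk image can name arbitrary paths. If `fuse` here covers the FUSE-backed shared storage mounts as it does elsewhere in Android policy, this re-opens that avenue for any file an app can place under external storage; scope it to a dedicated type for the directory exported over virtiofs, or at minimum add a comment stating why the disk-image concern does not apply to the paths crosvm receives for virtiofs. The enclosing `is_flag_enabled`/macro block starts before this hunk, so the gating of these rules is not visible here.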
@@ -121,7 +142,10 @@
 # crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
 # forward console/log to the host logcat).
 # crosvm only needs write permission, so dontaudit read
-dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
+dontaudit crosvm {
+  virtualizationmanager
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
+}:fifo_file { read getattr };
 
 # Required for crosvm to start gdb-server to enable debugging of guest kernel.
 allow crosvm self:tcp_socket { bind create read setopt write accept listen };
@@ -134,7 +158,6 @@
 allow crosvm vfio_device:dir r_dir_perms;
 
 # Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
-allow crosvm virtualizationmanager:fd use;
 allow crosvm virtualizationservice_data_file:file read;
 
 is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
@@ -146,20 +169,22 @@
     allow crosvm vmnic:fd use;
 ')
 
+# Early VMs may print messages to kmsg_debug_device.
+allow crosvm kmsg_debug_device:chr_file w_file_perms;
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
 # open them on its behalf. By preventing crosvm from opening any other files we prevent this
 # potential privilege escalation. See http://b/192453819 for more discussion.
-#
-# crosvm requires access to terminal app internal storage; the directory
-# is passed as a mount point to guest VM over virtiofs.
 neverallow crosvm {
   virtualizationservice_data_file
   staging_data_file
   apk_data_file
   app_data_file
+  privapp_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
   userdebug_or_eng(`-shell_data_file')
 }:file open;
 
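Review bot: `allow crosvm kmsg_debug_device:chr_file w_file_perms;` (line 3339) is justified by its comment as being for early VMs, yet it is the only early-VM addition in this file not wrapped in `is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, …)`, so crosvm gains the kmsg write path even when early VMs are disabled; wrap it like the `early_virtmgr` rules above. Adding `privapp_data_file` and the flagged `vm_data_file` to the neverallow below is consistent with the crosvm hunks that drop the privapp_data_file grants.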
@@ -192,8 +217,12 @@
 }:file read;
 
 # Only virtualizationmanager can run crosvm
+# Allow vmlauncher app to launch crosvm for virtiofs
 neverallow {
   domain
   -crosvm
   -virtualizationmanager
+  -vmlauncher_app
+
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
 } crosvm_exec:file no_x_file_perms;
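Review bot: The comment `# Only virtualizationmanager can run crosvm` is now wrong, since the same neverallow exempts `vmlauncher_app` and, behind RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr`; replace the two comment lines with `# Only virtualizationmanager, early_virtmgr (early VMs) and vmlauncher_app (virtiofs) may run crosvm`. Exempting an app domain from this neverallow is a notable widening: whether vmlauncher_app transitions into the crosvm domain or runs crosvm_exec in its own context is decided in vmlauncher_app.te, which is not in this hunk, and that rationale belongs in the comment here. The stray blank line at 3370 inside the set should also go.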
diff --git a/private/custom_vm_setup.te b/private/custom_vm_setup.te
deleted file mode 100644
index c14f5e0..0000000
--- a/private/custom_vm_setup.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type custom_vm_setup, domain, coredomain;
-type custom_vm_setup_exec, system_file_type, exec_type, file_type;
-
-is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
-  init_daemon_domain(custom_vm_setup)
-')
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 8dd6572..d7c29c2 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -1,6 +1,6 @@
 
 # Domain for derive_classpath
-type derive_classpath, domain, coredomain;
+type derive_classpath, domain, coredomain, artd_subprocess_type;
 type derive_classpath_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(derive_classpath)
 
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 18600d8..3a841ce 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain, coredomain;
+type dex2oat, domain, coredomain, artd_subprocess_type;
 type dex2oat_exec, system_file_type, exec_type, file_type;
 
 userfaultfd_use(dex2oat)
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index 4a964fd..9e98bae 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@@ -74,6 +74,7 @@
   system_data_file
   system_data_root_file
   system_file
+  system_lib_file
   tmpfs
   vendor_file
 }:dir mounton;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index ca715c1..4c87f99 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,60 +1,3 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+# Deprecated file type for the legacy dexoptanalyzer binary, used by Android T-. We need to keep it
+# for compatibility because the file type is burnt into the apex image.
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
-type dexoptanalyzer_tmpfs, file_type;
-
-r_dir_file(dexoptanalyzer, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dexoptanalyzer, vendor_app_file)
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-# processes.
-tmpfs_domain(dexoptanalyzer)
-
-userfaultfd_use(dexoptanalyzer)
-
-# Allow dexoptanalyzer to read files in the dalvik cache.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-# Allow dexoptanalyzer to read files in the ART APEX data directory.
-allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
-allow dexoptanalyzer apex_art_data_file:file r_file_perms;
-
-# Allow dexoptanalyzer to use file descriptors from odrefresh.
-allow dexoptanalyzer odrefresh:fd use;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow dexoptanalyzer odsign:fd use;
-allow dexoptanalyzer odsign_devpts:chr_file { read write };
-
-allow dexoptanalyzer installd:fd use;
-allow dexoptanalyzer installd:fifo_file { getattr write };
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dexoptanalyzer system_file:file lock;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-
-# dexoptanalyzer checks the DM files next to dex files. We don't need this check
-# for secondary dex files, but it's not harmful. Just deny it and ignore it.
-dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
-
-# Allow query ART device config properties
-get_prop(dexoptanalyzer, device_config_runtime_native_prop)
-get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
-
-# Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 6b9b6c9..684cc9e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -15,12 +15,12 @@
     setsched
     getsession
     getpgid
-    setpgid
     getcap
     setcap
     getattr
     setrlimit
 };
+allow { domain -artd_subprocess_type } self:process setpgid;
 allow domain self:fd use;
 allow domain proc:dir r_dir_perms;
 allow domain proc_net_type:dir search;
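Review bot: `allow { domain -artd_subprocess_type } self:process setpgid;` (line 3501) withholds setpgid from artd subprocesses without saying why, whereas the permission it replaces sat in the generic self:process list; add a comment above it naming the reason, e.g. `# artd_subprocess_type domains are intentionally denied setpgid: <reason>` (placeholder to be filled by the author). The dex2oat.te and derive_classpath.te hunks that attach the attribute are the only consumers visible in this change.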
@@ -84,6 +84,10 @@
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
 get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
+# Checking for the existance of the hwservicemanager binary is done in the client API
+# isHwServiceManagerInstalled
+dontaudit domain hwservicemanager_exec:file r_file_perms;
+
 
 # Restrict binder ioctls to an allowlist. Additional ioctl commands may be
 # added to individual domains, but this sets safe defaults for all processes.
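Review bot: `dontaudit domain hwservicemanager_exec:file r_file_perms;` (line 3511) silences more than the existence check it is meant for: r_file_perms includes open, read and map, so a domain that actually opens or maps the hwservicemanager binary would no longer leave an audit record. If isHwServiceManagerInstalled only stats or access()-checks the path, `dontaudit domain hwservicemanager_exec:file getattr;` is sufficient and preserves the audit trail for everything else. The comment also misspells "existance" and is followed by two blank lines.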
@@ -342,6 +346,10 @@
 allow domain sysfs_pgsize_migration:dir search;
 allow domain sysfs_pgsize_migration:file r_file_perms;
 
+# Linker is executed from the context of the process requesting the dynamic linking,
+# so this prop must be "world-readable".
+get_prop(domain, bionic_linker_16kb_app_compat_prop)
+
 # Allow everyone to read media server-configurable flags, so that libstagefright can be
 # configured using server-configurable flags
 get_prop(domain, device_config_media_native_prop)
@@ -417,11 +425,9 @@
 allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
 
 allow domain cgroup_desc_file:file r_file_perms;
-allow domain cgroup_desc_api_file:file r_file_perms;
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
 allow domain vendor_cgroup_desc_file:file r_file_perms;
 allow domain vendor_task_profiles_file:file r_file_perms;
 
@@ -496,7 +502,7 @@
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
 get_prop(domain, timezone_prop)
-get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app },  userdebug_or_eng_prop)
+get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app -app_zygote },  userdebug_or_eng_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
 get_prop(domain, vold_status_prop)
@@ -578,7 +584,6 @@
 # all processes need access to the underlying files.
 is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, `
   r_dir_file(domain, aconfig_storage_metadata_file);
-  r_dir_file(domain, aconfig_test_mission_files);
 ')
 
 r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
@@ -857,6 +862,7 @@
   userdebug_or_eng(`-fsck')
   userdebug_or_eng(`-init')
   -recovery
+  userdebug_or_eng(`-remount')
   -update_engine
 } system_block_device:blk_file { write append };
 
@@ -1156,6 +1162,7 @@
     } {
         system_file_type
         -system_lib_file
+        -system_bootstrap_lib_file
         -system_linker_exec
         -crash_dump_exec
         -netutils_wrapper_exec
@@ -1163,6 +1170,8 @@
         # Vendor components still can invoke shell commands via /system/bin/sh
         -shell_exec
         -toolbox_exec
+        -virtualizationmanager_exec
+        is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
     }:file { entrypoint execute execute_no_trans };
 ')
 
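Review bot: `-virtualizationmanager_exec` and the flagged `-early_virtmgr_exec` are added to the exemption list without a comment, unlike the adjacent `-shell_exec`/`-toolbox_exec` entries, and the enclosing neverallow (which starts before this hunk) appears to bar vendor-side domains from executing system_file_type binaries, so this lets vendor domains launch the VM manager; the same pair is added to the `:file *` neverallow in the hunk ending at line 3611. A comment at both sites such as `# Vendor components may launch VMs via virtualizationmanager (and early_virtmgr when early VMs are enabled)` would record the intent, and the commit message could name the vendor domain that needs it.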
@@ -1227,7 +1236,6 @@
   } {
     system_file_type
     -cgroup_desc_file
-    -cgroup_desc_api_file
     -crash_dump_exec
     -file_contexts_file
     -netutils_wrapper_exec
@@ -1235,6 +1243,7 @@
     -system_event_log_tags_file
     -system_group_file
     -system_lib_file
+    -system_bootstrap_lib_file
     with_asan(`-system_asan_options_file')
     -system_linker_exec
     -system_linker_config_file
@@ -1242,12 +1251,13 @@
     -system_seccomp_policy_file
     -system_security_cacerts_file
     -system_zoneinfo_file
-    -task_profiles_api_file
     -task_profiles_file
     userdebug_or_eng(`-tcpdump_exec')
     # Vendor components still can invoke shell commands via /system/bin/sh
     -shell_exec
     -toolbox_exec
+    -virtualizationmanager_exec
+    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
   }:file *;
 ')
 
@@ -1361,10 +1371,17 @@
 } shell:process { transition dyntransition };
 
 # Only domains spawned from zygote, runas and simpleperf_app_runner may have
-# the appdomain attribute. simpleperf is excluded as a domain transitioned to
-# when running an app-scoped profiling session.
+# the appdomain attribute.
+#
+# simpleperf is excluded as a domain transitioned to when running an app-scoped
+# profiling session.
+#
+# tradeinmode is excluded; it is only run when adbd is in trade-in mode,
+# transitioned from the limited adbd_tradeinmode context. It is a wrapper
+# around "am" to avoid exposing the shell context when adbd is in trade-in
+# mode.
 neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
-  appdomain -shell -simpleperf userdebug_or_eng(`-su')
+  appdomain -shell -simpleperf userdebug_or_eng(`-su') -tradeinmode
 }:process { transition dyntransition };
 
 # Minimize read access to shell- or app-writable symlinks.
@@ -1639,14 +1656,12 @@
   -appdomain
   -app_zygote
   -artd # compile secondary dex files
-  -dexoptanalyzer
   -installd
   -profman
   -rs # spawned by appdomain, so carryover the exception above
   -runas
   -system_server
   -zygote
-  -crosvm # required to access terminal app internal storage
 } {
   privapp_data_file
   app_data_file
@@ -1712,7 +1727,6 @@
   -artd # compile secondary dex files
   -installd
   -rs # spawned by appdomain, so carryover the exception above
-  -crosvm # required to access terminal app internal storage
 } {
   privapp_data_file
   app_data_file
@@ -1753,6 +1767,7 @@
 # that these files cannot be accessed by other domains to ensure that the files
 # do not change between system_server staging the files and apexd processing
 # the files.
+# The update_provider can also stage files before apexd processes them.
 neverallow {
   domain
   -init
@@ -1761,6 +1776,7 @@
   -installd
   -priv_app
   -virtualizationmanager
+  -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
 } staging_data_file:dir *;
 neverallow {
   domain
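Review bot: The `-update_provider` exemption at line 3668 (repeated in the hunk ending at line 3687) is on an attribute rather than a concrete domain, so any domain that later takes `update_provider` inherits write access to staged APEX files, and the shouting CTS warnings never say what the attribute is or which single domain is expected to carry it. Expand the comment added at line 3660 into a short description of the attribute and its intended holder, and keep one explanation rather than four warning copies. Since these neverallows exist to keep staged files immutable between system_server staging them and apexd processing them, that description should also state how the update_provider path preserves that property.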
@@ -1775,10 +1791,13 @@
   -shell
   -virtualizationmanager
   -crosvm
+  -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
 } staging_data_file:file *;
-neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -system_server -installd -update_provider } staging_data_file:dir no_w_dir_perms;
 # apexd needs the link/unlink/rename permissions
-neverallow { domain -init -system_server -installd -apexd } staging_data_file:file {
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -system_server -installd -apexd -update_provider } staging_data_file:file {
   no_w_file_perms no_x_file_perms
 };
 neverallow apexd staging_data_file:file {
@@ -1816,6 +1835,7 @@
     file_type
     -system_file_type
     -system_lib_file
+    -system_bootstrap_lib_file
     -system_linker_exec
     -vendor_file_type
     -exec_type
@@ -2161,7 +2181,6 @@
   -artd
   -dumpstate
   -installd
-  userdebug_or_eng(`-aconfigd')
   userdebug_or_eng(`-uncrypt')
   userdebug_or_eng(`-virtualizationmanager')
   userdebug_or_eng(`-virtualizationservice')
@@ -2209,7 +2228,6 @@
   -installd
   -simpleperf_app_runner
   -system_server # why?
-  userdebug_or_eng(`-aconfigd')
   userdebug_or_eng(`-uncrypt')
   userdebug_or_eng(`-virtualizationmanager')
   userdebug_or_eng(`-crosvm')
@@ -2240,10 +2258,6 @@
 # For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
 
-# Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
-
 neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
 neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
 
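Review bot: The lines removed at 3716–3719 were the neverallow that kept aconfig flag-value files (`aconfig_storage_metadata_file`) writable only by init, aconfigd and system_server, and nothing in this hunk replaces them; if an equivalent guard now lives with the aconfigd policy (the file_contexts hunks introduce `aconfigd_mainline_socket` and `aconfigd-system`, so the daemon split is presumably the reason), a comment here pointing to it would help, otherwise write access to flag storage is no longer policy-enforced. Flag values gate security-relevant behaviour, so dropping this invariant deserves an explicit statement in the commit message.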
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 20341e4..5e3bce5 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -34,7 +34,6 @@
 ')
 
 r_dir_file(dumpstate, aconfig_storage_metadata_file);
-r_dir_file(dumpstate, aconfig_test_mission_files);
 
 # Allow dumpstate to make binder calls to incidentd
 binder_call(dumpstate, incidentd)
@@ -537,6 +536,7 @@
   linkerconfig_file
   mirror_data_file
   mnt_user_file
+  vm_data_file
 }:dir getattr;
 
 # Allow dumpstate to talk to bufferhubd over binder
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
new file mode 100644
index 0000000..d1579fe
--- /dev/null
+++ b/private/early_virtmgr.te
@@ -0,0 +1,75 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+    until_board_api(202504, `
+        type early_virtmgr, domain, coredomain;
+        type early_virtmgr_exec, system_file_type, exec_type, file_type;
+    ')
+
+    use_bootstrap_libs(early_virtmgr)
+
+    # Let early_virtmgr create files and directories inside /mnt/vm/early.
+    allow early_virtmgr vm_data_file:dir create_dir_perms;
+    allow early_virtmgr vm_data_file:file create_file_perms;
+    allow early_virtmgr vm_data_file:sock_file create_file_perms;
+
+    # Allow early_virtmgr to communicate use, read and write over the adb connection.
+    allow early_virtmgr adbd:fd use;
+    allow early_virtmgr adbd:unix_stream_socket { getattr read write };
+
+    # Allow writing VM logs to the shell console
+    allow early_virtmgr devpts:chr_file { read write getattr ioctl };
+
+    # Let the early_virtmgr domain use Binder.
+    binder_use(early_virtmgr)
+
+    # When early_virtmgr execs a file with the crosvm_exec label, run it in the crosvm domain.
+    domain_auto_trans(early_virtmgr, crosvm_exec, crosvm)
+
+    # Let early_virtmgr kill crosvm.
+    allow early_virtmgr crosvm:process sigkill;
+
+    # Allow early_virtmgr to read apex-info-list.xml and access the APEX files listed there.
+    allow early_virtmgr apex_info_file:file r_file_perms;
+    allow early_virtmgr apex_data_file:dir search;
+
+    # Ignore harmless denials on /proc/self/fd
+    dontaudit early_virtmgr self:dir write;
+
+    # Let early_virtmgr to accept vsock connection from the guest VMs
+    allow early_virtmgr self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+    # Allow early_virtmgr to inspect all hypervisor capabilities.
+    get_prop(early_virtmgr, hypervisor_prop)
+    get_prop(early_virtmgr, hypervisor_pvmfw_prop)
+    get_prop(early_virtmgr, hypervisor_restricted_prop)
+    get_prop(early_virtmgr, hypervisor_virtualizationmanager_prop)
+
+    # Allow early_virtmgr to read file system DT for VM reference DT and AVF debug policy
+    r_dir_file(early_virtmgr, proc_dt_avf)
+    r_dir_file(early_virtmgr, sysfs_dt_avf)
+
+    # early_virtmgr to be client of secretkeeper HAL. It ferries SecretManagement messages from pVM
+    # to HAL.
+    hal_client_domain(early_virtmgr, hal_secretkeeper);
+
+    # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+    r_dir_file(early_virtmgr, crosvm);
+
+    # Allow early_virtmgr to:
+    # 1) bind to a vsock port less than 1024, because early VMs use static CIDs less than 1024
+    # 2) call RLIMIT_MEMLOCK for itself
+    allow early_virtmgr self:global_capability_class_set { net_bind_service ipc_lock sys_resource };
+
+    # early_virtmgr may print messages to kmsg_debug_device.
+    allow early_virtmgr kmsg_debug_device:chr_file w_file_perms;
+
+    ###
+    ### Neverallow rules
+    ###
+
+    # Only crosvm and early_virtmgr can access vm_data_file
+    neverallow { domain -crosvm -early_virtmgr -init } vm_data_file:dir no_w_dir_perms;
+    neverallow { domain -crosvm -early_virtmgr } vm_data_file:file no_rw_file_perms;
+
+    # No other domains can accept vsock connection from the guest VMs
+    neverallow { domain -early_virtmgr } early_virtmgr:vsock_socket { accept bind create connect listen };
+')
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 66dd2b1..a62cc47 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -159,6 +159,9 @@
   allow fastbootd gsi_metadata_file_type:dir search;
   allow fastbootd ota_metadata_file:dir rw_dir_perms;
   allow fastbootd ota_metadata_file:file create_file_perms;
+
+  # Fastbootd uses liblogwrap to write mke2fs logs to kmsg, liblogwrap requires devpts.
+  allow fastbootd devpts:chr_file rw_file_perms;
 ')
 
 # This capability allows fastbootd to circumvent memlock rlimits while using
diff --git a/private/ferrochrome_app.te b/private/ferrochrome_app.te
deleted file mode 100644
index e12c84c..0000000
--- a/private/ferrochrome_app.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type ferrochrome_app, domain;
-typeattribute ferrochrome_app coredomain;
-
-app_domain(ferrochrome_app)
-
-allow ferrochrome_app app_api_service:service_manager find;
-allow ferrochrome_app system_api_service:service_manager find;
-
-# TODO(b/348113995): after remove sysprop usage, we can use just (priv_)app.te
-set_prop(ferrochrome_app, debug_prop);
-get_prop(ferrochrome_app, debug_prop);
diff --git a/private/file.te b/private/file.te
index d30465b..189fb47 100644
--- a/private/file.te
+++ b/private/file.te
@@ -9,6 +9,7 @@
 type fs_bpf_netd_shared, fs_type, bpffs_type;
 type fs_bpf_loader, fs_type, bpffs_type;
 type fs_bpf_uprobestats, fs_type, bpffs_type;
+type fs_bpf_memevents, fs_type, bpffs_type;
 
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -117,6 +118,9 @@
 # virtualizationmanager, which runs at a more constrained MLS level.
 type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
+# /mnt/vm
+type vm_data_file, file_type, core_data_file_type;
+
 # /data/system/environ
 type environ_system_data_file, file_type, data_file_type, core_data_file_type;
 
@@ -152,7 +156,10 @@
 type sysfs_uprobe, fs_type, sysfs_type;
 
 # Type for aconfig daemon socket
-type aconfigd_socket, file_type, coredomain_socket;
+type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;
+
+# Type for aconfig mainline daemon socket
+type aconfigd_mainline_socket, file_type, coredomain_socket,  mlstrustedobject;
 
 # Type for /(system|system_ext|product)/etc/aconfig
 type system_aconfig_storage_file, system_file_type, file_type;
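Review bot: Line 3885 has a doubled space in `coredomain_socket,  mlstrustedobject`. Both aconfigd sockets are now `mlstrustedobject`, which lets clients at other MLS levels reach them; the client that motivates this is not visible in the hunk, so a one-line comment naming it would help the next reader.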
@@ -160,11 +167,12 @@
 # Type for /vendor/etc/aconfig
 type vendor_aconfig_storage_file, vendor_file_type, file_type;
 
-type aconfig_test_mission_files, file_type;
-
 # /data/misc/connectivityblobdb
 type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc/wifi/mainline_supplicant
+type mainline_supplicant_data_file, file_type, data_file_type, core_data_file_type;
+
 # Type for /mnt/pre_reboot_dexopt
 type pre_reboot_dexopt_file, file_type;
 
@@ -178,6 +186,9 @@
 # Type for /sys/kernel/mm/pgsize_migration/enabled
 type sysfs_pgsize_migration, fs_type, sysfs_type;
 
+# /sys/firmware/acpi/tables
+type sysfs_firmware_acpi_tables, fs_type, sysfs_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
@@ -210,3 +221,40 @@
 
 # /data/misc_ce/userId/storage_area_keys
 type storage_area_key_file, file_type, data_file_type, core_data_file_type;
+
+# /metadata/tradeinmode files
+type tradeinmode_metadata_file, file_type;
+
+# /metadata/prefetch files
+type prefetch_metadata_file, file_type;
+
+# Types added in 202504 in public/file.te
+until_board_api(202504, `
+    type binderfs_logs_transactions, fs_type;
+    type binderfs_logs_transaction_history, fs_type;
+')
+
+until_board_api(202504, `
+    type proc_cgroups, fs_type, proc_type;
+')
+
+until_board_api(202504, `
+    type sysfs_udc, fs_type, sysfs_type;
+')
+
+until_board_api(202504, `
+    type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+    type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
+')
+
+until_board_api(202504, `
+    # boot otas for 16KB developer option
+    type vendor_boot_ota_file, vendor_file_type, file_type;
+')
+
+until_board_api(202504, `
+    type tee_service_contexts_file, system_file_type, file_type;
+')
+
+## END Types added in 202504 in public/file.te
+
diff --git a/private/file_contexts b/private/file_contexts
index 76f412a..d6f7113 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -24,7 +24,7 @@
 /                   u:object_r:rootfs:s0
 
 # Data files
-/adb_keys           u:object_r:adb_keys_file:s0
+/adb_keys           u:object_r:system_file:s0
 /build\.prop        u:object_r:rootfs:s0
 /default\.prop      u:object_r:rootfs:s0
 /fstab\..*          u:object_r:rootfs:s0
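Review bot: Relabelling `/adb_keys` from `adb_keys_file` to `system_file` (line 3964) drops the dedicated label that let policy confine who may read the ADB authorised-key list; as `system_file` it is readable by essentially every domain that can read system files. If the intent is that the file is part of the immutable system image and the `adb_keys_file` type is retired elsewhere in this change (its removal is not visible here), the commit message should say so; otherwise the dedicated label should stay.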
@@ -83,6 +83,7 @@
 /vendor_seapp_contexts      u:object_r:seapp_contexts_file:s0
 /plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:sepolicy_file:s0
+/plat_tee_service_contexts   u:object_r:tee_service_contexts_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
 /plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
@@ -155,7 +156,8 @@
 /dev/snd(/.*)?		u:object_r:audio_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
-/dev/socket/aconfigd	u:object_r:aconfigd_socket:s0
+/dev/socket/aconfigd_mainline	u:object_r:aconfigd_mainline_socket:s0
+/dev/socket/aconfigd_system	u:object_r:aconfigd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
 /dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
@@ -327,6 +329,7 @@
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
+/system/bin/mmd         u:object_r:mmd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
@@ -362,9 +365,9 @@
 /system/bin/virtual_camera          u:object_r:virtual_camera_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.system\.suspend-service               u:object_r:system_suspend_exec:s0
-/(system|system_ext|product)/etc/aconfig(/.*)?                u:object_r:system_aconfig_storage_file:s0
+/system/etc/aconfig(/.*)?               u:object_r:system_aconfig_storage_file:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/font_fallback.xml           u:object_r:system_font_fallback_file:s0
 /system/etc/group                       u:object_r:system_group_file:s0
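Review bot: Narrowing the aconfig regex from `/(system|system_ext|product)/etc/aconfig(/.*)?` to `/system/etc/aconfig(/.*)?` (line 3999) leaves any `/system_ext/etc/aconfig` or `/product/etc/aconfig` directory on the partition's default label, so the `r_dir_file({ coredomain appdomain }, system_aconfig_storage_file)` rule visible in the domain.te hunk at line 3555 no longer covers them and readers of those paths would be denied. If those directories no longer exist after the aconfigd split, the commit message should say so; if they do, keep the broader pattern. The cgroups_*.json relabel to `cgroup_desc_file` in the same hunk matches the removal of `cgroup_desc_api_file` in domain.te.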
@@ -376,6 +379,7 @@
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
 /system/etc/selinux/plat_keystore2_key_contexts  u:object_r:keystore2_key_contexts_file:s0
@@ -384,7 +388,7 @@
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_api_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_file:s0
 /system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
@@ -393,7 +397,7 @@
 /system/bin/bpfloader            u:object_r:bpfloader_exec:s0
 /system/bin/netbpfload           u:object_r:bpfloader_exec:s0
 /system/bin/watchdogd            u:object_r:watchdogd_exec:s0
-/system/bin/aconfigd             u:object_r:aconfigd_exec:s0
+/system/bin/aconfigd-system      u:object_r:aconfigd_exec:s0
 /system/bin/apexd                u:object_r:apexd_exec:s0
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf           u:object_r:simpleperf_exec:s0
@@ -407,6 +411,10 @@
 /system/bin/evsmanagerd          u:object_r:evsmanagerd_exec:s0
 /system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
 /system/bin/uprobestats           u:object_r:uprobestats_exec:s0
+/system/bin/bert_collector        u:object_r:bert_collector_exec:s0
+/system/bin/linux_vm_setup        u:object_r:linux_vm_setup_exec:s0
+/system/bin/tradeinmode           u:object_r:tradeinmode_exec:s0
+/system/bin/prefetch              u:object_r:prefetch_exec:s0
 
 #############################
 # Vendor files
@@ -432,7 +440,6 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
-/(vendor|system/vendor)/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
 /(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 /(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
 
@@ -462,10 +469,15 @@
 # secure-element service: vendor uuid mapping config file
 /(odm|vendor/odm|vendor|system/vendor)/etc/hal_uuid_map_(.*)?\.xml    u:object_r:vendor_uuid_mapping_config_file:s0
 
+# APEX packages
+/(odm|vendor/odm|vendor|system/vendor)/apex(/[^/]+){0,2}              u:object_r:vendor_apex_file:s0
 
 # Input configuration
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?            u:object_r:vendor_keylayout_file:s0
 /(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl        u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?             u:object_r:vendor_keychars_file:s0
 /(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm        u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?                  u:object_r:vendor_idc_file:s0
 /(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc             u:object_r:vendor_idc_file:s0
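Review bot: The three new `usr/keylayout(/.*)?`, `usr/keychars(/.*)?` and `usr/idc(/.*)?` entries map to the same types as the `\.kl`, `\.kcm` and `\.idc` lines directly below them, so those suffix-specific lines are now redundant and can be dropped (or replaced in place by the broader pattern). If the point is to also label files in those directories that lack the expected suffix, a one-line comment above the block saying so, e.g. `# label whole directories: input config files may lack the usual suffix`, would stop a later cleanup from removing the broader pattern and silently narrowing the label again.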
 
 /oem(/.*)?              u:object_r:oemfs:s0
@@ -487,6 +499,7 @@
 /(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts        u:object_r:keystore2_key_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml          u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_tee_service_contexts          u:object_r:tee_service_contexts_file:s0
 
 #############################
 # Product files
@@ -503,9 +516,13 @@
 /(product|system/product)/etc/selinux/product_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /(product|system/product)/etc/selinux/product_service_contexts   u:object_r:service_contexts_file:s0
 /(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(product|system/product)/etc/selinux/product_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
 
 /(product|system/product)/lib(64)?(/.*)?                         u:object_r:system_lib_file:s0
 
+/(product|system/product)/etc/security/adb_keys                 u:object_r:adb_keys_file:s0
+/(product|system/product)/etc/aconfig(/.*)?                     u:object_r:system_aconfig_storage_file:s0
+
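Review bot: The new `/(product|system/product)/etc/security/adb_keys` entry has no comment saying why a product image is expected to ship a set of ADB host keys. A file labeled `adb_keys_file` is treated by adbd as a source of pre-authorized keys, so a reader should be able to tell this is intentional rather than a debug leftover; a line such as `# Product-supplied pre-authorized ADB host keys; see the originating change for the intended use` would do. The file_contexts entry only assigns the label; whether adbd actually reads this product path is not visible here and should be confirmed against adbd's rules.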
 #############################
 # SystemExt files
 #
@@ -529,13 +546,15 @@
 /(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
 /(system_ext|system/system_ext)/bin/hwservicemanager         u:object_r:hwservicemanager_exec:s0
 /(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-
-/(system_ext|system/system_ext)/bin/custom_vm_setup       u:object_r:custom_vm_setup_exec:s0
+/(system_ext|system/system_ext)/bin/rkp_cert_processor       u:object_r:rkp_cert_processor_exec:s0
 
 /(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
 
 /(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
 
+/(system_ext|system/system_ext)/etc/aconfig(/.*)?                u:object_r:system_aconfig_storage_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
+
 #############################
 # VendorDlkm files
 # This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
@@ -701,6 +720,7 @@
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
 /data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/wifi/mainline_supplicant(/.*)?  u:object_r:mainline_supplicant_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
@@ -876,12 +896,18 @@
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
-/metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
 /metadata/repair-mode(/.*)?    u:object_r:repair_mode_metadata_file:s0
 /metadata/aconfig(/.*)?    u:object_r:aconfig_storage_metadata_file:s0
 /metadata/aconfig/flags(/.*)?    u:object_r:aconfig_storage_flags_metadata_file:s0
-/metadata/aconfig_test_missions(/.*)?    u:object_r:aconfig_test_mission_files:s0
+/metadata/tradeinmode(/.*)?    u:object_r:tradeinmode_metadata_file:s0
+/metadata/prefetch(/.*)?    u:object_r:prefetch_metadata_file:s0
+
+############################
+# mount point for ota metadata
+/mnt/scratch_ota_metadata_super(/.*)?                 u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota(/.*)?             u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota/snapshots(/.*)?   u:object_r:ota_metadata_file:s0
 
 #############################
 # asec containers
@@ -921,3 +947,7 @@
 # dexopt_chroot_setup inside chroot, in addition to the files and directories
 # matching the pattern below.
 /mnt/pre_reboot_dexopt(/.*)?  u:object_r:pre_reboot_dexopt_file:s0
+
+#############################
+# For early boot VM
+/mnt/vm u:object_r:vm_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index c6785dd..db7f08f 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -34,6 +34,7 @@
 set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
 set_prop(flags_health_check, device_config_camera_native_prop)
 set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
+set_prop(flags_health_check, device_config_mmd_native_prop)
 set_prop(flags_health_check, next_boot_prop)
 
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
diff --git a/private/fsck.te b/private/fsck.te
index 5eeb39f..90f7e51 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -2,6 +2,9 @@
 
 init_daemon_domain(fsck)
 
+# fsck can run before apex is ready.
+use_bootstrap_libs(fsck)
+
 allow fsck metadata_block_device:blk_file rw_file_perms;
 
 # /dev/__null__ created by init prior to policy load,
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 682831f..4b55a57 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1,5 +1,7 @@
 typeattribute fsck_untrusted coredomain;
 
+use_bootstrap_libs(fsck)
+
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
 
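Review bot: `use_bootstrap_libs(fsck)` in fsck_untrusted.te names the `fsck` domain, not `fsck_untrusted`, so it merely duplicates the rule the same change adds to fsck.te and gives `fsck_untrusted` nothing. If the intent matches fsck.te (running before apex is ready), the line should read `use_bootstrap_libs(fsck_untrusted)` with the same explanatory comment, e.g. `# fsck_untrusted can run before apex is ready.`; if fsck_untrusted does not need bootstrap libs, the line should be removed rather than left as a no-op.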
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ac59c9a..3ff1012 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -94,7 +94,6 @@
 genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
 genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
 genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0
-genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -149,6 +148,7 @@
 genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
 genfscon sysfs /devices/virtual/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/acpi/tables              u:object_r:sysfs_firmware_acpi_tables:s0
 genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
 genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
@@ -175,6 +175,7 @@
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
 genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
+genfscon sysfs /module/dm_bufio/parameters/max_age_seconds u:object_r:sysfs_dm_verity:s0
 genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
 genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
 genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
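Review bot: `/module/dm_bufio/parameters/max_age_seconds` is labeled `sysfs_dm_verity` although it is a dm_bufio parameter, so every domain allowed to write dm-verity's `prefetch_cluster` can now also tune dm_bufio's cache ageing, and vice versa. If sharing the label is deliberate (both are dm tuning knobs written by the same domain), a comment above the line, e.g. `# dm_bufio is used by dm-verity; shares its label so one domain can tune both`, would make that explicit; otherwise a dedicated type keeps the two write surfaces separate.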
@@ -330,13 +331,11 @@
 
 genfscon bpf / u:object_r:fs_bpf:s0
 genfscon bpf /loader u:object_r:fs_bpf_loader:s0
-genfscon bpf /map_bpfMemEvents_lmkd_rb u:object_r:fs_bpf_lmkd_memevents_rb:s0
+genfscon bpf /memevents u:object_r:fs_bpf_memevents:s0
 genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
 genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
 genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
 genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
-genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_begin_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
-genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_end_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
 genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index f938ad5..148cb7e 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -112,11 +112,6 @@
 allow gmscore_app recovery_service:service_manager find;
 allow gmscore_app stats_service:service_manager find;
 
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
 # Write to /cache.
 allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
@@ -137,8 +132,10 @@
 allow gmscore_app shell_data_file:dir r_dir_perms;
 
 # allow gms core app write to aconfigd socket
-allow gmscore_app aconfigd_socket:sock_file {read write};
-allow gmscore_app aconfigd:unix_stream_socket connectto;
+unix_socket_connect(gmscore_app, aconfigd, aconfigd);
+
+# allow gms core app write to aconfigd_mainline socket
+unix_socket_connect(gmscore_app, aconfigd_mainline, aconfigd_mainline);
 
 # b/18504118: Allow reads from /data/anr/traces.txt
 allow gmscore_app anr_data_file:file r_file_perms;
@@ -161,6 +158,9 @@
 get_prop(gmscore_app, quick_start_prop)
 neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file no_rw_file_perms;
 
+# Allow GmsCore to read Bluetotoh Power Off Finder property
+get_prop(gmscore_app, bluetooth_finder_prop)
+
 # Do not allow getting permission-protected network information from sysfs.
 neverallow gmscore_app sysfs_net:file *;
 
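Review bot: The comment on the new `get_prop(gmscore_app, bluetooth_finder_prop)` rule misspells Bluetooth; it should read `# Allow GmsCore to read Bluetooth Power Off Finder property`. Unlike `quick_start_prop` just above, which is paired with a neverallow restricting who may read it, the new property has no such rule; if it is meant to be readable only by GmsCore, a matching neverallow would keep the two contracts symmetric.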
diff --git a/private/hal_bluetooth.te b/private/hal_bluetooth.te
index 53bbef2..2e03ea2 100644
--- a/private/hal_bluetooth.te
+++ b/private/hal_bluetooth.te
@@ -24,6 +24,7 @@
 # Allow write access to bluetooth-specific properties
 set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
 set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
+set_prop(hal_bluetooth, bluetooth_finder_prop)
 set_prop(hal_bluetooth, bluetooth_prop)
 set_prop(hal_bluetooth, exported_bluetooth_prop)
 
diff --git a/private/hal_face.te b/private/hal_face.te
index e14666a..5e43953 100644
--- a/private/hal_face.te
+++ b/private/hal_face.te
@@ -11,5 +11,5 @@
 allow hal_face ion_device:chr_file r_file_perms;
 
 # Allow read/write access to the face template directory.
-allow hal_face face_vendor_data_file:file create_file_perms;
-allow hal_face face_vendor_data_file:dir rw_dir_perms;
+allow {hal_face -coredomain} face_vendor_data_file:file create_file_perms;
+allow {hal_face -coredomain} face_vendor_data_file:dir rw_dir_perms;
diff --git a/private/hal_fingerprint.te b/private/hal_fingerprint.te
index 29abe4f..3295cc7 100644
--- a/private/hal_fingerprint.te
+++ b/private/hal_fingerprint.te
@@ -10,11 +10,11 @@
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
 
-allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
-allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+allow { hal_fingerprint -coredomain } fingerprint_vendor_data_file:file { create_file_perms };
+allow { hal_fingerprint -coredomain } fingerprint_vendor_data_file:dir rw_dir_perms;
 
 r_dir_file(hal_fingerprint, cgroup)
 r_dir_file(hal_fingerprint, cgroup_v2)
-r_dir_file(hal_fingerprint, sysfs)
+r_dir_file({hal_fingerprint -coredomain}, sysfs)
 
 
diff --git a/private/hal_keymint.te b/private/hal_keymint.te
index ba29956..6c7b577 100644
--- a/private/hal_keymint.te
+++ b/private/hal_keymint.te
@@ -4,5 +4,5 @@
 hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
 binder_call(hal_keymint_server, servicemanager)
 
-allow hal_keymint_server tee_device:chr_file rw_file_perms;
-allow hal_keymint_server ion_device:chr_file r_file_perms;
+allow { hal_keymint_server -coredomain } tee_device:chr_file rw_file_perms;
+allow { hal_keymint_server -coredomain } ion_device:chr_file r_file_perms;
diff --git a/private/hal_keymint_system.te b/private/hal_keymint_system.te
new file mode 100644
index 0000000..0a20870
--- /dev/null
+++ b/private/hal_keymint_system.te
@@ -0,0 +1,7 @@
+type hal_keymint_system, domain, coredomain;
+hal_server_domain(hal_keymint_system, hal_keymint)
+
+type hal_keymint_system_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(hal_keymint_system)
+
+allow hal_keymint_system self:vsock_socket { create_socket_perms_no_ioctl };
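Review bot: The new `hal_keymint_system` domain has no header comment explaining what it is or why a KeyMint HAL server lives in `coredomain`. The `vsock_socket` rule suggests it reaches its backend over vsock rather than through `tee_device`, and the `-coredomain` exclusions added to hal_keymint.te in this same change are presumably what keep it off `tee_device` and `ion_device`, but none of that is stated. A short header such as `# KeyMint HAL server on the system partition; talks to its backend over vsock (no tee_device access, see hal_keymint.te)` would let a reader verify the intent rather than infer it.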
diff --git a/private/hal_mediaquality.te b/private/hal_mediaquality.te
new file mode 100644
index 0000000..5bcdbbc
--- /dev/null
+++ b/private/hal_mediaquality.te
@@ -0,0 +1,9 @@
+starting_at_board_api(202504, `
+    binder_call(hal_mediaquality_client, hal_mediaquality_server)
+    binder_call(hal_mediaquality_server, hal_mediaquality_client)
+
+    hal_attribute_service(hal_mediaquality, hal_mediaquality_service)
+
+    binder_call(hal_mediaquality_server, servicemanager)
+    binder_call(hal_mediaquality_client, servicemanager)
+')
diff --git a/private/init.te b/private/init.te
index e4bafd8..012ef0b 100644
--- a/private/init.te
+++ b/private/init.te
@@ -82,6 +82,14 @@
 set_prop(init, init_perf_lsm_hooks_prop)
 set_prop(init, vts_status_prop)
 
+# Allow init to set 16kb app compatibility props
+set_prop(init, bionic_linker_16kb_app_compat_prop)
+set_prop(init, pm_16kb_app_compat_prop)
+
+
+# Allow init to set/get prefetch boot prop to initiate record/replay
+set_prop(init, ctl_prefetch_prop);
+
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 
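Review bot: `set_prop(init, ctl_prefetch_prop);` carries a trailing semicolon that none of the surrounding `set_prop` lines use; it should be `set_prop(init, ctl_prefetch_prop)`, and the same applies to `get_prop(prefetch, prefetch_boot_prop);` and `set_prop(prefetch, prefetch_service_prop);` in the new prefetch.te. The two consecutive blank lines before the prefetch comment are also out of step with the rest of the file. The comment says init both sets and gets the property, but only a `set_prop` is added; either the comment or the rule set should be adjusted so they agree.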
@@ -115,6 +123,8 @@
 userdebug_or_eng(`
   allow init kmsg_debug_device:chr_file { open write relabelto };
 ')
+# /mnt/vm, also permissions to mkdir / mount / chmod / chown
+allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton };
 
 # allow init to mount and unmount debugfs in debug builds
 userdebug_or_eng(`
@@ -232,7 +242,6 @@
 allow init cgroup:file rw_file_perms;
 allow init cgroup_rc_file:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
 allow init cgroup_v2:dir { mounton create_dir_perms};
 allow init cgroup_v2:file rw_file_perms;
@@ -305,6 +314,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -exec_type
   -misc_logd_file
@@ -324,6 +334,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -credstore_data_file
   -exec_type
@@ -351,6 +362,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -383,6 +395,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -408,6 +421,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -439,6 +453,7 @@
     -storage_area_app_dir
     -storage_area_content_file
   ')
+  -vm_data_file
   -privapp_data_file
 }:dir_file_class_set relabelto;
 
@@ -454,6 +469,7 @@
 allow init debugfs_tracing_instances:dir create_dir_perms;
 allow init debugfs_tracing_instances:file w_file_perms;
 allow init debugfs_wifi_tracing:file w_file_perms;
+allow init debugfs_wifi_tracing:dir create_dir_perms;
 
 # chown/chmod on pseudo files.
 allow init {
@@ -605,6 +621,7 @@
 allow init {
   sysfs_android_usb
   sysfs_devices_system_cpu
+  sysfs_firmware_acpi_tables
   sysfs_ipv4
   sysfs_leds
   sysfs_lowmemorykiller
@@ -706,6 +723,8 @@
 # swapon() needs write access to swap device
 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
 allow init swap_block_device:blk_file rw_file_perms;
+# Allow to change group owner and permissions for new swap setup in mmd
+allow init swap_block_device:blk_file setattr;
 
 # Create and access /dev files without a specific type,
 # e.g. /dev/.coldboot_done, /dev/.booting
diff --git a/private/installd.te b/private/installd.te
index 742c897..50c378a 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -9,9 +9,6 @@
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)
 
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
 # Run profman in its own sandbox.
 domain_auto_trans(installd, profman_exec, profman)
 
@@ -44,11 +41,6 @@
 allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read add_name remove_name rename rmdir search write getattr };
 
-allow installd { dex2oat dexoptanalyzer }:process signal;
-
-# installd kills subprocesses if they time out.
-allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
-
 # Allow installd manage dirs in /data/misc_ce/0/sdksandbox
 allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
 
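Review bot: Dropping `allow installd { dex2oat dexoptanalyzer profman }:process sigkill;` also removes installd's ability to kill `dex2oat` and `profman`, whose `domain_auto_trans` rules from installd are still present in the context above. If installd still spawns those processes and still enforces a timeout, the kill would now be denied; if the timeout handling has moved elsewhere (artd, judging by the `artd_subprocess_type` additions in this change), a one-line comment at the transition rules, e.g. `# Timeouts for these subprocesses are enforced by artd, not installd.`, would make the removal self-explaining. The enclosing rule group starts outside the hunk.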
@@ -234,6 +226,13 @@
   allow installd storage_area_key_file:file unlink;
 ')
 
+# Allow installd to delete the terminal app's data file.
+# `virtualizationservice_data_file` was used for a while, but it needs to be
+# deleted when terminal feature is disabled.
+# TODO(b/383026786): Remove this rule once the there is no
+# `virtualizationservice_data_file` in terminal app anymore..
+allow installd virtualizationservice_data_file:file unlink;
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/keystore.te b/private/keystore.te
index 53e5dd3..014903e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,9 @@
 # Allow keystore to check if the system is rkp only.
 get_prop(keystore, remote_prov_prop)
 
+# Allow keystore to check whether to post-process RKP certificates
+get_prop(keystore, remote_prov_cert_prop)
+
 # Allow keystore to check rkpd feature flags
 get_prop(keystore, device_config_remote_key_provisioning_native_prop)
 
@@ -38,6 +41,9 @@
 
 set_prop(keystore, keystore_crash_prop)
 
+# Allow keystore to monitor the `apexd.status` property.
+get_prop(keystore, apexd_prop)
+
 # keystore is using apex_info via libvintf
 use_apex_info(keystore)
 
@@ -45,6 +51,7 @@
 binder_use(keystore)
 binder_service(keystore)
 binder_call(keystore, remote_provisioning_service_server)
+binder_call(keystore, rkp_cert_processor)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)
 
@@ -54,8 +61,13 @@
 
 add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
-allow keystore dropbox_service:service_manager find;
 allow keystore remote_provisioning_service:service_manager find;
+allow keystore rkp_cert_processor_service:service_manager find;
+
+# Allow keystore to communicate to apexd
+allow keystore apex_service:service_manager find;
+allow keystore apexd:binder call;
+
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
@@ -88,8 +100,7 @@
 neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
 
-# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
-neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+neverallow * keystore:process ptrace;
 
 # Only keystore can set keystore.crash_count system property. Since init is allowed to set any
 # system property, an exception is added for init as well.
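Review bot: `neverallow * keystore:process ptrace;` removes the userdebug `crash_dump` exception without saying what that costs: presumably keystore crashes will no longer produce tombstones on debug builds either, which is worth stating for whoever next debugs a keystore crash, e.g. `# No exception for crash_dump: keystore must never be ptraced, even on debug builds (no tombstones).`. As a point of style, the other neverallows in this file use `{ domain ... }` as the subject rather than `*`; `domain` would be consistent and is what the rule actually constrains.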
diff --git a/private/linux_vm_setup.te b/private/linux_vm_setup.te
new file mode 100644
index 0000000..ba483e8
--- /dev/null
+++ b/private/linux_vm_setup.te
@@ -0,0 +1,6 @@
+type linux_vm_setup, domain, coredomain;
+type linux_vm_setup_exec, system_file_type, exec_type, file_type;
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+  init_daemon_domain(linux_vm_setup)
+')
diff --git a/private/lmkd.te b/private/lmkd.te
index 5369c79..97dc398 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -19,9 +19,9 @@
 allow lmkd fs_bpf:file read;
 allow lmkd bpfloader:bpf { map_read map_write prog_run };
 
-# Needed for polling directly from the bpf ring buffer's fd
-allow lmkd fs_bpf_lmkd_memevents_rb:file { read write };
-allow lmkd fs_bpf_lmkd_memevents_prog:file read;
+# Needed to interact with memevents-eBPF and receive notifications for memory events
+allow lmkd fs_bpf_memevents:file { read write };
+allow lmkd fs_bpf_memevents:dir search;
 
 allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
 
@@ -86,9 +86,6 @@
 # Allow lmkd to write to statsd.
 unix_socket_send(lmkd, statsdw, statsd)
 
-# Allow lmkd to create io_uring
-allow lmkd self:anon_inode { create map read write };
-
 ### neverallow rules
 
 # never honor LD_PRELOAD
diff --git a/private/microfuchsiad.te b/private/microfuchsiad.te
new file mode 100644
index 0000000..f02acaf
--- /dev/null
+++ b/private/microfuchsiad.te
@@ -0,0 +1,18 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+    type microfuchsiad, domain, coredomain;
+    type microfuchsiad_exec, system_file_type, exec_type, file_type;
+
+    # Host dynamic AIDL services
+    init_daemon_domain(microfuchsiad)
+    binder_use(microfuchsiad)
+    add_service(microfuchsiad, microfuchsia_service)
+
+    # Call back into system server
+    binder_call(microfuchsiad, system_server)
+
+    # Start a VM
+    virtualizationservice_use(microfuchsiad)
+
+    # Create pty devices
+    allow microfuchsiad devpts:chr_file { read write open getattr ioctl };
+')
diff --git a/private/mmd.te b/private/mmd.te
new file mode 100644
index 0000000..90510f1
--- /dev/null
+++ b/private/mmd.te
@@ -0,0 +1,31 @@
+# mmd memory management daemon
+type mmd, domain;
+typeattribute mmd coredomain;
+type mmd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mmd)
+
+# Set mmd.enabled_aconfig properties.
+set_prop(mmd, mmd_prop)
+get_prop(mmd, device_config_mmd_native_prop)
+
+# mmd binder setup
+add_service(mmd, mmd_service)
+binder_use(mmd)
+
+# Read /proc/swaps
+allow mmd proc_swaps:file r_file_perms;
+
+# zram sysfs access
+allow mmd sysfs_zram:dir search;
+allow mmd sysfs_zram:file rw_file_perms;
+
+# procfs
+allow mmd proc_meminfo:file r_file_perms;
+
+# mkswap /dev/block/zram command
+allow mmd block_device:dir search;
+allow mmd swap_block_device:blk_file rw_file_perms;
+
+# swapon syscall
+allow mmd self:capability sys_admin;
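Review bot: `allow mmd self:capability sys_admin;` is documented only as `# swapon syscall`, but CAP_SYS_ADMIN is far broader than swapon, so the comment should say the kernel requires that capability for swapon and that no narrower one exists, e.g. `# swapon(2) requires CAP_SYS_ADMIN; nothing narrower is available, so keep the rest of this domain tight.`. As a point of style, `type mmd, domain;` followed by `typeattribute mmd coredomain;` differs from the other new domains in this change, which declare `type X, domain, coredomain;` on one line. The `sysfs_zram:file rw_file_perms` rule would also benefit from a comment naming which zram attributes mmd writes, since that type covers every file under the zram sysfs tree.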
diff --git a/private/netd.te b/private/netd.te
index 37581a6..8b6ea4c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -79,13 +79,6 @@
 allow netd system_file:file lock;
 dontaudit netd system_file:dir write;
 
-# Allow netd to write to qtaguid ctrl file.
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file
-# after migration complete
-allow netd proc_qtaguid_ctrl:file rw_file_perms;
-# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
-allow netd qtaguid_device:chr_file r_file_perms;
-
 r_dir_file(netd, proc_net_type)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net_type:file rw_file_perms;
diff --git a/private/nfc.te b/private/nfc.te
index f1a08f7..7050d5a 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -33,3 +33,6 @@
 # the nfc process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
 allow nfc shell_data_file:file read;
+
+# Allow to check whether security logging is enabled.
+get_prop(nfc, device_logging_prop)
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 899b0d9..97205c2 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -1,5 +1,5 @@
 # odrefresh
-type odrefresh, domain, coredomain;
+type odrefresh, domain, coredomain, artd_subprocess_type;
 type odrefresh_exec, system_file_type, exec_type, file_type;
 
 # Allow odrefresh to create files and directories for on device signing.
@@ -24,12 +24,6 @@
 # Allow odrefresh to kill dex2oat if compilation times out.
 allow odrefresh dex2oat:process sigkill;
 
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Allow odrefresh to kill dexoptanalyzer if analysis times out.
-allow odrefresh dexoptanalyzer:process sigkill;
-
 # Use devpts and fd from odsign (which exec()'s odrefresh)
 allow odrefresh odsign_devpts:chr_file { read write };
 allow odrefresh odsign:fd use;
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 2fc74b5..04cb70f 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -26,6 +26,9 @@
 # Allow OT daemon to read/write on the socket created by System Server
 allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;
 
+# Allow OT daemon to read/write on the UDP sockets created by system server
+allow ot_daemon system_server:udp_socket rw_socket_perms;
+
 hal_client_domain(ot_daemon, hal_threadnetwork)
 
 # Only ot_daemon can publish the binder service
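Review bot: The new `allow ot_daemon system_server:udp_socket rw_socket_perms;` grants `ioctl` on sockets owned by system_server, whereas the rawip rule directly above deliberately uses `rw_socket_perms_no_ioctl`. If ot_daemon does not need ioctls on these UDP sockets, the line should be `allow ot_daemon system_server:udp_socket rw_socket_perms_no_ioctl;`; if it does, the needed ioctls should be named with an ioctl allowlist and a comment explaining why, so the two rules do not silently differ in scope.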
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 73e170b..2aeab0b 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,5 @@
 # otapreopt_chroot executable
+starting_at_board_api(202504, `type otapreopt_chroot, domain;')
 typeattribute otapreopt_chroot coredomain;
 type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
 
diff --git a/private/platform_app.te b/private/platform_app.te
index eb1a7c7..e60dcdd 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -51,6 +51,7 @@
 userdebug_or_eng(`
   set_prop(platform_app, persist_sysui_ranking_update_prop)
 ')
+set_prop(platform_app, debug_tracing_desktop_mode_visible_tasks_prop)
 
 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {
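Review bot: `set_prop(platform_app, debug_tracing_desktop_mode_visible_tasks_prop)` is unconditional, placed directly after a `userdebug_or_eng` block that gates the neighbouring `persist_sysui_ranking_update_prop`. Given the property's `debug_tracing_` name, it looks like a debugging knob; if it is not needed on user builds, moving the line inside that `userdebug_or_eng(` block keeps platform apps on user builds from writing it, and if it is needed there, a one-line comment saying why would prevent a later reviewer from gating it by mistake. The enclosing `allow platform_app {` block continues outside the hunk.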
@@ -98,6 +99,7 @@
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
 allow platform_app stats_service:service_manager find;
+allow platform_app tradeinmode_service:service_manager find;
 
 # Allow platform apps to log via statsd.
 binder_call(platform_app, statsd)
diff --git a/private/prefetch.te b/private/prefetch.te
new file mode 100644
index 0000000..21287f3
--- /dev/null
+++ b/private/prefetch.te
@@ -0,0 +1,24 @@
+type prefetch, coredomain, domain;
+type prefetch_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(prefetch)
+
+# Allow prefetch to start recording by enabling tracing event under
+# /sys/kernel/tracing/events/filemap/mm_filemap_add_to_page_cache
+allow prefetch debugfs_tracing_instances:dir create_dir_perms;
+allow prefetch debugfs_tracing_instances:file rw_file_perms;
+
+# Allow to read/write/create/delete to storage prefetch record files
+allow prefetch metadata_file:dir search;
+allow prefetch prefetch_metadata_file:dir rw_dir_perms;
+allow prefetch prefetch_metadata_file:file create_file_perms;
+
+get_prop(prefetch, prefetch_boot_prop);
+set_prop(prefetch, prefetch_service_prop);
+
+# Disallow other domains controlling prefetch service.
+neverallow {
+  domain
+  -init
+  -shell
+} ctl_prefetch_prop:property_service set;
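Review bot: The `neverallow { domain -init -shell } ctl_prefetch_prop:property_service set;` exempts `shell` on all builds, so on user builds a shell user could start or stop a daemon that writes under `debugfs_tracing_instances` and `prefetch_metadata_file`. If shell control is only meant for development, the exemption should be `userdebug_or_eng(`-shell')` to match how other debug-only carve-outs in this tree are written; if it is intended on user builds, a comment stating that would help. The neverallow is also the only place the exemption is visible here; the corresponding `set_prop` for shell, if any, is not in this change.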
diff --git a/private/priv_app.te b/private/priv_app.te
index bb5da7c..1ef5be1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -136,6 +136,9 @@
 # Allow priv_apps to check whether Dynamic System Update is enabled
 get_prop(priv_app, dynamic_system_prop)
 
+# Allow privileged apps to read trade in mode property
+get_prop(priv_app, adbd_tradeinmode_prop)
+
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
diff --git a/private/profman.te b/private/profman.te
index af53646..d1ce926 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1,10 +1,12 @@
 typeattribute profman coredomain;
+typeattribute profman artd_subprocess_type;
 
 # Allow profman to read APKs and profile files next to them by FDs passed from
 # other programs. In addition, allow profman to acquire flocks on those files.
 allow profman {
   system_file
   apk_data_file
+  apk_tmp_file
   vendor_app_file
 }:file { getattr read map lock };
 
@@ -22,6 +24,7 @@
 allow profman asec_apk_file:file { read map };
 allow profman apk_data_file:file { getattr read map };
 allow profman apk_data_file:dir { getattr read search };
+allow profman apk_tmp_file:dir { getattr read search };
 
 allow profman oemfs:file { read map };
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
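Review bot: The comment over the first allow block (`# Allow profman to read APKs and profile files next to them by FDs passed from other programs`) still describes only installed APKs, but apk_tmp_file is the staging location for packages whose installation has not been committed, and this file plus the dir search in the second hunk now let profman parse them. A line such as `# apk_tmp_file: staged APKs handed over by artd (presumably for pre-reboot dexopt -- confirm caller)` would document why an artd_subprocess_type domain reads not-yet-installed packages. The allow block itself starts in the first hunk above.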
diff --git a/private/property.te b/private/property.te
index 792d52a..92e244d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -3,10 +3,14 @@
 system_internal_prop(adbd_tradeinmode_prop)
 system_internal_prop(apexd_payload_metadata_prop)
 system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(ctl_prefetch_prop)
+system_internal_prop(ctl_uprobestats_prop)
 system_internal_prop(crashrecovery_prop)
+system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
 system_internal_prop(device_config_core_experiments_team_internal_prop)
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_mglru_native_prop)
+system_internal_prop(device_config_mmd_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
 system_internal_prop(device_config_remote_key_provisioning_native_prop)
 system_internal_prop(device_config_statsd_native_prop)
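Review bot: ctl_uprobestats_prop and ctl_artd_pre_reboot_prop are declared here as system_internal_prop, but no neverallow restricting who may set them appears anywhere in this chunk, whereas ctl_prefetch_prop gets one in private/prefetch.te. ctl.* properties start, stop and restart services, so each of these types should carry a `neverallow { domain -init ... } <type>:property_service set;` in its daemon's .te file, mirroring the prefetch one; if those files are part of the commit but outside this view, ignore this.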
@@ -32,6 +36,7 @@
 system_internal_prop(localization_prop)
 system_internal_prop(logd_auditrate_prop)
 system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(mmd_prop)
 system_internal_prop(net_464xlat_fromvendor_prop)
 system_internal_prop(net_connectivity_prop)
 system_internal_prop(netd_stable_secret_prop)
@@ -40,9 +45,11 @@
 system_internal_prop(misctrl_prop)
 system_internal_prop(perf_drop_caches_prop)
 system_internal_prop(pm_prop)
+system_internal_prop(prefetch_service_prop)
 system_internal_prop(profcollectd_node_id_prop)
 system_internal_prop(radio_cdma_ecm_prop)
 system_internal_prop(remote_prov_prop)
+system_internal_prop(remote_prov_cert_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
 system_internal_prop(snapshotctl_prop)
@@ -68,18 +75,44 @@
 system_internal_prop(hidl_memory_prop)
 system_internal_prop(suspend_debug_prop)
 system_internal_prop(system_service_enable_prop)
+system_internal_prop(ctl_artd_pre_reboot_prop)
+system_internal_prop(trusty_security_vm_sys_prop)
 
 
 # Properties which can't be written outside system
+system_restricted_prop(bionic_linker_16kb_app_compat_prop)
 system_restricted_prop(device_config_virtualization_framework_native_prop)
 system_restricted_prop(fstype_prop)
 system_restricted_prop(log_file_logger_prop)
 system_restricted_prop(persist_sysui_builder_extras_prop)
 system_restricted_prop(persist_sysui_ranking_update_prop)
 system_restricted_prop(page_size_prop)
+system_restricted_prop(pm_16kb_app_compat_prop)
+
+
+# Properties with no restrictions
+until_board_api(202504, `
+    system_public_prop(bluetooth_finder_prop)
+    system_public_prop(virtual_fingerprint_prop)
+    system_public_prop(virtual_face_prop)
+')
+
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+    system_restricted_prop(enable_16k_pages_prop)
+    system_restricted_prop(profcollectd_etr_prop)
+')
+
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+    system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
 
 # Properties which should only be written by vendor_init
 system_vendor_config_prop(avf_virtualizationservice_prop)
+system_vendor_config_prop(high_barometer_quality_prop)
+system_vendor_config_prop(prefetch_boot_prop)
+system_vendor_config_prop(widevine_sys_vendor_prop)
 
 typeattribute log_prop log_property_type;
 typeattribute log_tag_prop log_property_type;
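Review bot: The second and third `until_board_api(202504, ...)` blocks carry the identical comment `# These types will be public starting at board api 202504`, which reads as a copy-paste; either merge them into one block or let the third comment say that trusty_security_vm_sys_vendor_prop is vendor-settable (system_vendor_config_prop) unlike the restricted props in the block above it. That distinction is the only reason they are separate and is worth stating.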
@@ -430,6 +463,14 @@
   neverallow {
     domain
     -init
+    -vendor_init
+  } {
+    high_barometer_quality_prop
+    }:property_service set;
+
+  neverallow {
+    domain
+    -init
     -dumpstate
     userdebug_or_eng(`-system_suspend')
     } {
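Review bot: The new neverallow for high_barometer_quality_prop may be redundant: the type is declared with system_vendor_config_prop in the earlier hunk, and private/property.te already has, if I recall correctly, a blanket neverallow limiting system_vendor_config_property_type set to init and vendor_init — check before keeping a per-type copy. The closing `}:property_service set;` is indented four spaces while the matching `} {` two lines above uses two; align them. The enclosing conditional block this sits in starts outside the hunk.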
@@ -762,6 +803,11 @@
 } remote_prov_prop:property_service set;
 
 neverallow {
+  domain
+  -init
+} remote_prov_cert_prop:property_service set;
+
+neverallow {
   # Only allow init and shell to set rollback_test_prop
   domain
   -init
@@ -827,3 +873,17 @@
   -init
   -vendor_init
 } pm_archiving_enabled_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -shell
+  userdebug_or_eng(`-su')
+} bionic_linker_16kb_app_compat_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -shell
+  userdebug_or_eng(`-su')
+} pm_16kb_app_compat_prop:property_service set;
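Review bot: The two neverallows added at the end of the file have identical exclusion sets and differ only in the property type; they can be one assertion over a type set, `} { bionic_linker_16kb_app_compat_prop pm_16kb_app_compat_prop }:property_service set;`, which keeps the exclusion list in one place if it ever changes. A short comment above it stating that these are 16 KB app-compat toggles meant to be flipped from shell would also explain the `-shell` and `userdebug_or_eng(-su)` exclusions, which are otherwise unusual for system_restricted_prop types.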
diff --git a/private/property_contexts b/private/property_contexts
index f4d3ef2..ace1470 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -33,6 +33,7 @@
 
 debug.                  u:object_r:debug_prop:s0
 debug.db.               u:object_r:debuggerd_prop:s0
+debug.tracing.desktop_mode_visible_tasks u:object_r:debug_tracing_desktop_mode_visible_tasks_prop:s0 exact uint
 dumpstate.              u:object_r:dumpstate_prop:s0
 dumpstate.options       u:object_r:dumpstate_options_prop:s0
 init.svc_debug_pid.     u:object_r:init_svc_debug_prop:s0
@@ -202,6 +203,21 @@
 ctl.stop$snapuserd      u:object_r:ctl_snapuserd_prop:s0
 ctl.restart$snapuserd   u:object_r:ctl_snapuserd_prop:s0
 
+# Restrict access to control prefetch
+ctl.start$prefetch     u:object_r:ctl_prefetch_prop:s0
+ctl.stop$prefetch      u:object_r:ctl_prefetch_prop:s0
+ctl.restart$prefetch   u:object_r:ctl_prefetch_prop:s0
+
+# Restrict access to control uprobestats
+ctl.start$uprobestats     u:object_r:ctl_uprobestats_prop:s0
+ctl.stop$uprobestats      u:object_r:ctl_uprobestats_prop:s0
+ctl.restart$uprobestats   u:object_r:ctl_uprobestats_prop:s0
+
+# Restrict access to starting/stopping artd_pre_reboot.
+ctl.start$artd_pre_reboot          u:object_r:ctl_artd_pre_reboot_prop:s0
+ctl.stop$artd_pre_reboot           u:object_r:ctl_artd_pre_reboot_prop:s0
+ctl.restart$artd_pre_reboot        u:object_r:ctl_artd_pre_reboot_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 
@@ -289,6 +305,7 @@
 persist.device_config.memory_safety_native_boot.    u:object_r:device_config_memory_safety_native_boot_prop:s0
 persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0
 persist.device_config.tethering_u_or_later_native.  u:object_r:device_config_tethering_u_or_later_native_prop:s0
+persist.device_config.mmd_native.                   u:object_r:device_config_mmd_native_prop:s0
 
 # Prop indicates the apex that bundles input configuration files (*.idc,*.kl,*.kcm)
 input_device.config_file.apex    u:object_r:input_device_config_prop:s0 exact string
@@ -314,6 +331,7 @@
 apexd.config.dm_create.timeout           u:object_r:apexd_config_prop:s0 exact uint
 apexd.config.loop_wait.attempts          u:object_r:apexd_config_prop:s0 exact uint
 apexd.config.boot_activation.threads     u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.loopback.readahead          u:object_r:apexd_config_prop:s0 exact uint
 persist.apexd.          u:object_r:apexd_prop:s0
 persist.vendor.apex.    u:object_r:apexd_select_prop:s0
 ro.boot.vendor.apex.    u:object_r:apexd_select_prop:s0
@@ -343,6 +361,17 @@
 ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
 ro.product.charger.unplugged_shutdown_time  u:object_r:charger_config_prop:s0 exact int
 
+# Prefetch boot properties which are tunables
+ro.prefetch_boot.enabled u:object_r:prefetch_boot_prop:s0 exact bool
+ro.prefetch_boot.trace_buffer_size_kib u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.duration_s u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.io_depth u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.max_fds u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.record_stop u:object_r:prefetch_boot_prop:s0 exact bool
+# Prefetch property to start and stop the record/replay
+prefetch_boot.record u:object_r:prefetch_service_prop:s0 exact bool
+prefetch_boot.replay u:object_r:prefetch_service_prop:s0 exact bool
+
 # Virtual A/B and snapuserd properties
 ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0 exact bool
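Review bot: `ro.prefetch_boot.trace_buffer_size_kib`, `ro.prefetch_boot.io_depth` and `ro.prefetch_boot.max_fds` are typed `exact int`, which admits negative values for quantities that are sizes or counts; `exact uint`, as used for the `apexd.config.*` entries a few hunks above, documents the intent and lets init reject bad values. The comment `# Prefetch property to start and stop the record/replay` should also say which domain is expected to set `prefetch_boot.record`/`prefetch_boot.replay`; prefetch itself has set_prop in private/prefetch.te, and no other setter is visible in this chunk.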
@@ -362,7 +391,7 @@
 ro.virtual_ab.num_merge_threads u:object_r:virtual_ab_prop:s0 exact int
 ro.virtual_ab.num_verify_threads u:object_r:virtual_ab_prop:s0 exact int
 ro.virtual_ab.cow_op_merge_size u:object_r:virtual_ab_prop:s0 exact int
-ro.virtual_ab.verify_threshold_block_size u:object_r:virtual_ab_prop:s0 exact int
+ro.virtual_ab.verify_threshold_size u:object_r:virtual_ab_prop:s0 exact int
 ro.virtual_ab.verify_block_size u:object_r:virtual_ab_prop:s0 exact int
 
 # OEMs can set this prop at build time to configure how many seconds to delay
@@ -409,6 +438,11 @@
 audio.offload.video             u:object_r:audio_config_prop:s0 exact bool
 audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
 
+# Timecheck configuration
+audio.timecheck.disabled                  u:object_r:audio_config_prop:s0 exact bool
+audio.timecheck.timeout_duration_ms       u:object_r:audio_config_prop:s0 exact int
+audio.timecheck.second_chance_duration_ms u:object_r:audio_config_prop:s0 exact int
+
 # spatializer tuning
 audio.spatializer.priority               u:object_r:audio_config_prop:s0 exact int
 audio.spatializer.effect.affinity        u:object_r:audio_config_prop:s0 exact int
@@ -436,6 +470,10 @@
 # to enable spatialization for stereo channel mask
 ro.audio.stereo_spatialization_enabled u:object_r:audio_config_prop:s0 exact bool
 
+# Boolean property used in AudioPolicyInterfaceImpl to configure whether
+# to disable usecase validator for game mode
+ro.audio.usecase_validator_enabled u:object_r:audio_config_prop:s0 exact bool
+
 # Boolean property used in UsbAlsaManager to decide if only one or multiple
 # USB devices can be connected to audio system at a certain time
 ro.audio.multi_usb_mode u:object_r:audio_config_prop:s0 exact bool
@@ -445,6 +483,10 @@
 # See b/323989070 for the discussion why this approach was chosen.
 ro.audio.ihaladaptervendorextension_enabled u:object_r:system_audio_config_prop:s0 exact bool
 
+# String property used in audioparameterparser.example service to load
+# vendor implementation IHalAdapterVendorExtension
+ro.audio.ihaladaptervendorextension_libname u:object_r:system_audio_config_prop:s0 exact string
+
 persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
 
 config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
@@ -557,6 +599,7 @@
 
 media.c2.dmabuf.padding                      u:object_r:codec2_config_prop:s0 exact int
 media.c2.hal.selection                       u:object_r:codec2_config_prop:s0 exact enum aidl hidl
+media.c2.remove_rendering_depth              u:object_r:codec2_config_prop:s0 exact bool
 
 media.recorder.show_manufacturer_and_model   u:object_r:media_config_prop:s0 exact bool
 media.resolution.limit.32bit                 u:object_r:media_config_prop:s0 exact int
@@ -577,6 +620,7 @@
 persist.bluetooth.btsnoopenable                             u:object_r:exported_bluetooth_prop:s0 exact bool
 persist.bluetooth.btsnoopdefaultmode                        u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
 persist.bluetooth.btsnooplogmode                            u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.finder.supported                          u:object_r:bluetooth_finder_prop:s0 exact bool
 persist.bluetooth.snooplogfilter.headers.enabled            u:object_r:bluetooth_prop:s0 exact bool
 persist.bluetooth.snooplogfilter.profiles.a2dp.enabled      u:object_r:bluetooth_prop:s0 exact bool
 persist.bluetooth.snooplogfilter.profiles.map               u:object_r:bluetooth_prop:s0 exact enum empty disabled fullfilter header magic
@@ -585,12 +629,19 @@
 persist.bluetooth.factoryreset                              u:object_r:bluetooth_prop:s0 exact bool
 persist.bluetooth.leaudio.allow_list                        u:object_r:bluetooth_prop:s0 exact string
 
+bluetooth.a2dp.source.sbc_priority.config            u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.a2dp.source.aac_priority.config            u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.a2dp.source.aptx_priority.config           u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.a2dp.source.aptx_hd_priority.config        u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.a2dp.source.ldac_priority.config           u:object_r:bluetooth_config_prop:s0 exact int
+
 bluetooth.hardware.power.operating_voltage_mv        u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.power.idle_cur_ma                 u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.power.tx_cur_ma                   u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.power.rx_cur_ma                   u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.radio.le_tx_path_loss_comp_db     u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.radio.le_rx_path_loss_comp_db     u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.wakeup_supported                  u:object_r:bluetooth_config_prop:s0 exact bool
 
 bluetooth.framework.support_persisted_state          u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.framework.adapter_address_validation       u:object_r:bluetooth_config_prop:s0 exact bool
@@ -648,6 +699,11 @@
 
 bluetooth.core.le.min_connection_interval            u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.max_connection_interval            u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_relaxed    u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_relaxed    u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.aggressive_connection_threshold    u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.connection_latency                 u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.connection_supervision_timeout     u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.direct_connection_timeout          u:object_r:bluetooth_config_prop:s0 exact uint
@@ -661,6 +717,7 @@
 bluetooth.core.le.inquiry_scan_window                u:object_r:bluetooth_config_prop:s0 exact uint
 
 bluetooth.core.le.vendor_capabilities.enabled        u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.hfp.software_datapath.enabled              u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.sco.disable_enhanced_connection            u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.sco.managed_by_audio                       u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.core.le.dsa_transport_preference           u:object_r:bluetooth_config_prop:s0 exact string
@@ -714,6 +771,8 @@
 
 pm.dexopt.                                              u:object_r:future_pm_prop:s0 prefix
 
+pm.16kb.app_compat.disabled                             u:object_r:pm_16kb_app_compat_prop:s0 exact bool
+
 ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
 
 ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
@@ -762,6 +821,7 @@
 
 hypervisor.pvmfw.path                              u:object_r:hypervisor_pvmfw_prop:s0 exact string
 hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
+hypervisor.virtualizationmanager.dump_device_tree u:object_r:hypervisor_virtualizationmanager_prop:s0 exact bool
 
 # hypervisor.*: configured by the vendor to advertise capabilities of their
 # hypervisor to virtualizationservice.
@@ -974,6 +1034,7 @@
 ro.boot.revision           u:object_r:bootloader_prop:s0 exact string
 ro.boot.serialconsole      u:object_r:bootloader_prop:s0 exact bool
 ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.public_key_digest  u:object_r:bootloader_prop:s0 exact string
 ro.boot.verifiedbootstate  u:object_r:bootloader_prop:s0 exact string
 ro.boot.veritymode         u:object_r:bootloader_prop:s0 exact string
 # Properties specific to virtualized deployments of Android
@@ -995,6 +1056,7 @@
 ro.boottime.init.fsck.data  u:object_r:boottime_public_prop:s0 exact string
 ro.fstype.data  u:object_r:fstype_prop:s0 exact string
 
+ro.build.backported_fixes.alias_bitset.long_list u:object_r:build_prop:s0 exact string
 ro.build.characteristics                  u:object_r:build_prop:s0 exact string
 ro.build.date                             u:object_r:build_prop:s0 exact string
 ro.build.date.utc                         u:object_r:build_prop:s0 exact int
@@ -1262,6 +1324,8 @@
 ro.bionic.arch            u:object_r:cpu_variant_prop:s0 exact string
 ro.bionic.cpu_variant     u:object_r:cpu_variant_prop:s0 exact string
 
+bionic.linker.16kb.app_compat.enabled u:object_r:bionic_linker_16kb_app_compat_prop:s0 exact bool
+
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 
 ro.boot.fake_battery         u:object_r:exported_default_prop:s0 exact int
@@ -1271,6 +1335,13 @@
 ro.boot.product.vendor.sku   u:object_r:exported_default_prop:s0 exact string
 ro.boot.slot_suffix          u:object_r:exported_default_prop:s0 exact string
 
+# Vendor configurable property to be used specifically to assign industrial
+# design ID or vendor hardware identifier that encodes on device components.
+# This property should not be assigned a generic device name or identifier and
+# should not be redundant to properties like ro.boot.hardware. ro.product.name
+# etc.
+ro.boot.product.hardware.id  u:object_r:exported_default_prop:s0 exact string
+
 ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
 
 # Update related props
@@ -1524,6 +1595,9 @@
 # Hostname for the remote provisioning server a device should communicate with
 remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
 
+# Support for post-processing RKP certificates
+remote_provisioning.use_cert_processor u:object_r:remote_prov_cert_prop:s0 exact bool
+
 # Connection Timeout for remote provisioning step
 remote_provisioning.connect_timeout_millis u:object_r:remote_prov_prop:s0 exact int
 
@@ -1597,6 +1671,7 @@
 
 # bootanimation properties
 ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
+ro.product.bootanim.file u:object_r:bootanim_config_prop:s0 exact string
 
 # dck properties
 ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
@@ -1610,56 +1685,56 @@
 composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
 
 # properties for the virtual Face HAL
-persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
-persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_hal_prop:s0 exact bool
-persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_hal_prop:s0 exact bool
-persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_hal_prop:s0 exact int
-persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_hal_prop:s0 exact int
-persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.lockout u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact string
-vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.type u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.strength u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.enrollments u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.features u:object_r:virtual_face_prop:s0 exact string
+persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_prop:s0 exact int
+persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_prop:s0 exact int
+persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.enrollment_hit u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.next_enrollment u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.authenticator_id u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.challenge u:object_r:virtual_face_prop:s0 exact int
+vendor.face.virtual.lockout u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_prop:s0 exact string
+vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_prop:s0 exact int
 
 # properties for the virtual Fingerprint HAL
-persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-persist.vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-persist.vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-persist.vendor.fingerprint.virtual.sensor_location u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-persist.vendor.fingerprint.virtual.sensor_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-persist.vendor.fingerprint.virtual.sensor_strength u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-persist.vendor.fingerprint.virtual.max_enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-persist.vendor.fingerprint.virtual.navigation_guesture u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-persist.vendor.fingerprint.virtual.detect_interaction u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-persist.vendor.fingerprint.virtual.udfps.display_touch u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-persist.vendor.fingerprint.virtual.udfps.control_illumination u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-persist.vendor.fingerprint.virtual.lockout_enable u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-persist.vendor.fingerprint.virtual.lockout_timed_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-persist.vendor.fingerprint.virtual.lockout_timed_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-persist.vendor.fingerprint.virtual.lockout_permanent_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
-vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
-vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
-vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_prop:s0 exact string
+persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_prop:s0 exact string
+persist.vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_location u:object_r:virtual_fingerprint_prop:s0 exact string
+persist.vendor.fingerprint.virtual.sensor_id u:object_r:virtual_fingerprint_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_strength u:object_r:virtual_fingerprint_prop:s0 exact int
+persist.vendor.fingerprint.virtual.max_enrollments u:object_r:virtual_fingerprint_prop:s0 exact int
+persist.vendor.fingerprint.virtual.navigation_guesture u:object_r:virtual_fingerprint_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.detect_interaction u:object_r:virtual_fingerprint_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.display_touch u:object_r:virtual_fingerprint_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.control_illumination u:object_r:virtual_fingerprint_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_enable u:object_r:virtual_fingerprint_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_timed_threshold u:object_r:virtual_fingerprint_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_timed_duration u:object_r:virtual_fingerprint_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_permanent_threshold u:object_r:virtual_fingerprint_prop:s0 exact int
+vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_prop:s0 exact int
+vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_prop:s0 exact string
+vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_prop:s0 exact string
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_prop:s0 exact string
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_prop:s0 exact string
+vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_prop:s0 exact int
 
 # properties for tuner
 ro.tuner.lazyhal    u:object_r:tuner_config_prop:s0 exact bool
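Review bot: Switching the virtual Face and Fingerprint HAL entries from the `*_hal_prop` types to virtual_face_prop / virtual_fingerprint_prop changes their class to system_public_prop (see the until_board_api block in private/property.te), so every listed value, including `enrollments`, `authenticator_id`, `challenge` and `lockout`, becomes readable by any domain. If that is intended because these are test-only HAL knobs with no real credential material, a sentence to that effect under `# properties for the virtual Face HAL` and the Fingerprint heading would stop future readers from treating it as a leak; if not, a restricted type is the safer default.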
@@ -1682,6 +1757,10 @@
 # Properties for sensor service
 sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
 
+# Whether the device has a high quality barometer as defined on the CDD.
+# Set by OEMs, read for xTS verifier tests
+sensor.barometer.high_quality.implemented  u:object_r:high_barometer_quality_prop:s0 exact bool
+
 # Properties for game manager service
 persist.graphics.game_default_frame_rate.enabled  u:object_r:game_manager_config_prop:s0 exact bool
 
@@ -1706,3 +1785,22 @@
 # Properties for enabling/disabling system services
 ro.system_settings.service.odp_enabled   u:object_r:system_service_enable_prop:s0 exact bool
 ro.system_settings.service.backgound_install_control_enabled   u:object_r:system_service_enable_prop:s0 exact bool
+
+# Properties related to Trusty VMs
+trusty.security_vm.nonsecure_vm_ready u:object_r:trusty_security_vm_sys_prop:s0 exact bool
+trusty.security_vm.vm_cid u:object_r:trusty_security_vm_sys_prop:s0 exact int
+
+# Properties that allows vendors to enable Trusty security VM features
+trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+trusty.security_vm.keymint.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+
+# Properties that allows vendors to enable Trusty widevine VM features
+# Enable Widevine VM
+trusty.widevine_vm.enabled           u:object_r:widevine_sys_vendor_prop:s0 exact bool
+# Sets the path used by Widevine HALs to find correct library for the widevine
+# service provider location
+widevine.liboemcrypto.path          u:object_r:widevine_sys_vendor_prop:s0 exact string
+
+# Properties for mmd
+mmd. u:object_r:mmd_prop:s0
+mmd.enabled_aconfig u:object_r:mmd_prop:s0 exact bool
diff --git a/private/rkp_cert_processor.te b/private/rkp_cert_processor.te
new file mode 100644
index 0000000..e5c9d07
--- /dev/null
+++ b/private/rkp_cert_processor.te
@@ -0,0 +1,15 @@
+# Cert processor service
+type rkp_cert_processor, domain, coredomain;
+type rkp_cert_processor_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(rkp_cert_processor)
+net_domain(rkp_cert_processor)
+
+binder_use(rkp_cert_processor)
+binder_call(rkp_cert_processor, system_server)
+
+add_service(rkp_cert_processor, rkp_cert_processor_service)
+
+use_bootstrap_libs(rkp_cert_processor)
+
+allow rkp_cert_processor package_native_service:service_manager find;
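Review bot: `# Cert processor service` is the only documentation for a new network-capable coredomain; the header should say what the daemon does and why each grant is needed, along the lines of `# rkp_cert_processor post-processes remote-provisioning (RKP) certificates. net_domain: <reason>. binder_call to system_server and package_native_service find: <reason>.` — the reasons are not inferable from this chunk and should come from the author. It is also worth noting in the file that the feature is gated by `remote_provisioning.use_cert_processor` (remote_prov_cert_prop, settable only by init per property.te), which no rule here lets rkp_cert_processor read, so presumably system_server consumes it.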
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index b4c655b..41b2799 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -124,3 +124,25 @@
 # Only dirs should be created at sdk_sandbox_all_system_data_file level
 neverallow { domain -init } sdk_sandbox_system_data_file:file *;
 
+# Restrict unix stream sockets for IPC.
+neverallow sdk_sandbox_all {
+    domain
+    -sdk_sandbox_all
+    -netd
+    -logd
+    -adbd
+    userdebug_or_eng(`-su')
+    # needed for profiling
+    -traced
+    -traced_perf
+    -heapprofd
+    # fallback crash handling for processes that can't exec crash_dump.
+    -tombstoned
+    # needed to connect to PRNG seeder daemon.
+    -prng_seeder
+}:unix_stream_socket connectto;
+neverallow {
+    domain
+    -adbd
+    -sdk_sandbox_all
+} sdk_sandbox_all:unix_stream_socket connectto;
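Review bot: Both new neverallows exclude sdk_sandbox_all from their source or target set, so the policy asserts nothing about one SDK sandbox connecting to another sandbox's unix stream socket. If sandbox-to-sandbox connectto is meant to be permitted (or is only ever same-process), a comment on the `-sdk_sandbox_all` lines like the ones given for traced and tombstoned would make that explicit; otherwise the exclusion widens the exemption beyond what `# Restrict unix stream sockets for IPC.` suggests. This constrains only allow rules elsewhere and does not itself grant anything.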
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 907861c..25ed1ba 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -223,4 +223,4 @@
 user=_app fromRunAs=true domain=runas_app levelFrom=user
 user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.virtualization.ferrochrome domain=ferrochrome_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/security_classes b/private/security_classes
index 1d13d9f..0537214 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -172,3 +172,6 @@
 
 class drmservice                # userspace
 # FLASK
+
+# Permissions for VMs to access SMC services
+class tee_service            		# userspace
diff --git a/private/service.te b/private/service.te
index 366f5e3..a90b3ba 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,26 +1,48 @@
-type ambient_context_service,       app_api_service, system_server_service, service_manager_type;
-type attention_service,             system_server_service, service_manager_type;
-type bg_install_control_service,    system_api_service, system_server_service, service_manager_type;
-type compos_service,                service_manager_type;
-type communal_service,              app_api_service, system_server_service, service_manager_type;
-type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
-type feature_flags_service,         app_api_service, system_server_service, service_manager_type;
-type gsi_service,                   service_manager_type;
-type incidentcompanion_service,     app_api_service, system_api_service, system_server_service, service_manager_type;
-type logcat_service,                system_server_service, service_manager_type;
-type logd_service,                  service_manager_type;
-type mediatuner_service,            app_api_service, service_manager_type;
+type ambient_context_service,        app_api_service, system_server_service, service_manager_type;
+type authentication_policy_service,  system_api_service, system_server_service, service_manager_type;
+
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+    type app_function_service, app_api_service, system_server_service, service_manager_type;
+')
+type attention_service,              system_server_service, service_manager_type;
+type bg_install_control_service,     system_api_service, system_server_service, service_manager_type;
+type compos_service,                 service_manager_type;
+type communal_service,               app_api_service, system_server_service, service_manager_type;
+type dynamic_system_service,         system_api_service, system_server_service, service_manager_type;
+type feature_flags_service,          app_api_service, system_server_service, service_manager_type;
+type fwk_devicestate_service, system_server_service, service_manager_type;
+type gsi_service,                    service_manager_type;
+type incidentcompanion_service,      app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service,                 system_server_service, service_manager_type;
+type logd_service,                   service_manager_type;
+type mediatuner_service,             app_api_service, service_manager_type;
+type mmd_service,                    service_manager_type;
 type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
-type profcollectd_service,          service_manager_type;
-type resolver_service,              system_server_service, service_manager_type;
-type rkpd_registrar_service,        service_manager_type;
-type rkpd_refresh_service,          service_manager_type;
-type safety_center_service,         app_api_service, system_api_service, system_server_service, service_manager_type;
-type stats_service,                 service_manager_type;
-type statsbootstrap_service,        system_server_service, service_manager_type;
-type statscompanion_service,        system_server_service, service_manager_type;
-type statsmanager_service,          system_api_service, system_server_service, service_manager_type;
+type profcollectd_service,           service_manager_type;
+type protolog_configuration_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type resolver_service,               system_server_service, service_manager_type;
+type rkpd_registrar_service,         service_manager_type;
+type rkpd_refresh_service,           service_manager_type;
+type rkp_cert_processor_service,     service_manager_type;
+type safety_center_service,          app_api_service, system_api_service, system_server_service, service_manager_type;
+type stats_service,                  service_manager_type;
+type statsbootstrap_service,         system_server_service, service_manager_type;
+type statscompanion_service,         system_server_service, service_manager_type;
+type statsmanager_service,           system_api_service, system_server_service, service_manager_type;
+until_board_api(202504, `
+    type media_quality_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
+
+until_board_api(202504, `
+    type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
+')
+
+is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
+    type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
 type tracingproxy_service,          system_server_service, service_manager_type;
+type tradeinmode_service,           system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
 
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
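Review bot: Several of the new declarations break the file's alphabetical order and column alignment: the until_board_api block for app_function_service at L5421-L5423 sits between authentication_policy_service and attention_service, fwk_devicestate_service at L5430 and tradeinmode_service at L5470 are not aligned to the new column, and dynamic_instrumentation_service at L5487 in the next hunk lands after wifi_mainline_supplicant_service. Since the block was reflowed anyway, moving app_function_service before attention_service and aligning L5430 and L5470 would keep future diffs small. Separately, the other fwk_* service types referenced from service_contexts (e.g. fwk_stats_service at L5500) are not declared in the visible parts of this file; confirm fwk_devicestate_service is meant to be a private type rather than a public one.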
@@ -33,9 +55,18 @@
     type vm_tethering_service, system_server_service, service_manager_type;
     type vmnic_service,        service_manager_type;
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+    type microfuchsia_service,          service_manager_type;
+')
 
-type uce_service,                   service_manager_type;
-type wearable_sensing_service,      app_api_service, system_server_service, service_manager_type;
+type uce_service,                      service_manager_type;
+type wearable_sensing_service,         app_api_service, system_server_service, service_manager_type;
+type wifi_mainline_supplicant_service, service_manager_type;
+type dynamic_instrumentation_service,  app_api_service, system_server_service, service_manager_type;
+
+is_flag_enabled(RELEASE_RANGING_STACK, `
+    type ranging_service, app_api_service, system_server_service, service_manager_type;
+')
 
 ###
 ### Neverallow rules
diff --git a/private/service_contexts b/private/service_contexts
index 3442b78..2e050eb 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,6 +3,7 @@
 android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.frameworks.sensorservice.ISensorManager/default              u:object_r:fwk_sensor_service:s0
 android.frameworks.vibrator.IVibratorControlService/default          u:object_r:fwk_vibrator_control_service:s0
+android.frameworks.devicestate.IDeviceStateService/default           u:object_r:fwk_devicestate_service:s0
 android.hardware.audio.core.IConfig/default                          u:object_r:hal_audio_service:s0
 # 'default' IModule is equivalent to 'primary' in HIDL
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
@@ -26,8 +27,10 @@
 android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.face.IFace/virtual                       u:object_r:hal_face_service:s0
+android.hardware.biometrics.face.virtualhal.IVirtualHal/virtual      u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/virtual         u:object_r:hal_fingerprint_service:s0
+android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual u:object_r:hal_fingerprint_service:s0
 android.hardware.bluetooth.IBluetoothHci/default                     u:object_r:hal_bluetooth_service:s0
 android.hardware.bluetooth.finder.IBluetoothFinder/default           u:object_r:hal_bluetooth_service:s0
 is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
@@ -35,6 +38,7 @@
 ')
 android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default      u:object_r:hal_bluetooth_service:s0
 android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+android.hardware.bluetooth.socket.IBluetoothSocket/default           u:object_r:hal_bluetooth_service:s0
 android.hardware.broadcastradio.IBroadcastRadio/amfm                 u:object_r:hal_broadcastradio_service:s0
 android.hardware.broadcastradio.IBroadcastRadio/dab                  u:object_r:hal_broadcastradio_service:s0
 # The instance here is internal/0 following naming convention for ICameraProvider.
@@ -113,6 +117,7 @@
 android.hardware.tv.hdmi.cec.IHdmiCec/default                        u:object_r:hal_tv_hdmi_cec_service:s0
 android.hardware.tv.hdmi.connection.IHdmiConnection/default          u:object_r:hal_tv_hdmi_connection_service:s0
 android.hardware.tv.hdmi.earc.IEArc/default                          u:object_r:hal_tv_hdmi_earc_service:s0
+android.hardware.tv.mediaquality.IMediaQuality/default               u:object_r:hal_mediaquality_service:s0
 android.hardware.tv.tuner.ITuner/default                             u:object_r:hal_tv_tuner_service:s0
 android.hardware.tv.input.ITvInput/default                           u:object_r:hal_tv_input_service:s0
 android.hardware.usb.IUsb/default                                    u:object_r:hal_usb_service:s0
@@ -143,6 +148,9 @@
 activity_task                             u:object_r:activity_task_service:s0
 adb                                       u:object_r:adb_service:s0
 adservices_manager                        u:object_r:adservices_manager_service:s0
+starting_at_board_api(202504, `
+    advanced_protection                       u:object_r:advanced_protection_service:s0
+')
 aidl_lazy_test_1                          u:object_r:aidl_lazy_test_service:s0
 aidl_lazy_test_2                          u:object_r:aidl_lazy_test_service:s0
 aidl_lazy_test_quit                       u:object_r:aidl_lazy_test_service:s0
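Review bot: The gated entries added to service_contexts use inconsistent indentation: advanced_protection at L5539, forensic at L5572 and supervision at L5634 are indented four spaces with the context column shifted, intrusion_detection at L5582 and ranging at L5615 are indented but keep the original context column, and wifi_usd at L5652 uses three spaces. The file otherwise keeps entries alphabetical, which L5503 (devicestate after vibrator), L5555 (dynamic_instrumentation between app_hibernation and app_integrity) and L5654 (wifi_mainline_supplicant after wifirtt) do not follow. None of this changes the labels, but the catch-all `*` entry at L5656 makes this file the place reviewers scan for mistyped names, so a uniform layout is worth having.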
@@ -173,9 +181,14 @@
     android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
     android.system.vmtethering.IVmTethering              u:object_r:vm_tethering_service:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_MICROFUCHSIA, `
+    android.system.microfuchsiad              u:object_r:microfuchsia_service:s0
+')
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
+app_function                              u:object_r:app_function_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
+dynamic_instrumentation                   u:object_r:dynamic_instrumentation_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 app_search                                u:object_r:app_search_service:s0
@@ -192,6 +205,7 @@
 attention                                 u:object_r:attention_service:s0
 audio                                     u:object_r:audio_service:s0
 auth                                      u:object_r:auth_service:s0
+authentication_policy                     u:object_r:authentication_policy_service:s0
 autofill                                  u:object_r:autofill_service:s0
 background_install_control                u:object_r:bg_install_control_service:s0
 backup                                    u:object_r:backup_service:s0
@@ -264,6 +278,9 @@
 file_integrity                            u:object_r:file_integrity_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
 font                                      u:object_r:font_service:s0
+starting_at_board_api(202504, `
+    forensic                                  u:object_r:forensic_service:s0
+')
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 game                                      u:object_r:game_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
@@ -283,6 +300,9 @@
 input_method                              u:object_r:input_method_service:s0
 input                                     u:object_r:input_service:s0
 installd                                  u:object_r:installd_service:s0
+starting_at_board_api(202504, `
+    intrusion_detection                   u:object_r:intrusion_detection_service:s0
+')
 iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
@@ -327,12 +347,14 @@
 media_communication                       u:object_r:media_communication_service:s0
 media_metrics                             u:object_r:media_metrics_service:s0
 media_projection                          u:object_r:media_projection_service:s0
+media_quality                             u:object_r:media_quality_service:s0
 media_resource_monitor                    u:object_r:media_session_service:s0
 media_router                              u:object_r:media_router_service:s0
 media_session                             u:object_r:media_session_service:s0
 meminfo                                   u:object_r:meminfo_service:s0
 memtrack.proxy                            u:object_r:memtrackproxy_service:s0
 midi                                      u:object_r:midi_service:s0
+mmd                                       u:object_r:mmd_service:s0
 mount                                     u:object_r:mount_service:s0
 music_recognition                         u:object_r:music_recognition_service:s0
 nearby                                    u:object_r:nearby_service:s0
@@ -368,6 +390,7 @@
 powerstats                                u:object_r:powerstats_service:s0
 power                                     u:object_r:power_service:s0
 profiling_service                         u:object_r:profiling_service:s0
+protolog_configuration                    u:object_r:protolog_configuration_service:s0
 print                                     u:object_r:print_service:s0
 processinfo                               u:object_r:processinfo_service:s0
 procstats                                 u:object_r:procstats_service:s0
@@ -375,6 +398,9 @@
 radio.phonesubinfo                        u:object_r:radio_service:s0
 radio.phone                               u:object_r:radio_service:s0
 radio.sms                                 u:object_r:radio_service:s0
+is_flag_enabled(RELEASE_RANGING_STACK, `
+    ranging                               u:object_r:ranging_service:s0
+')
 rcs                                       u:object_r:radio_service:s0
 reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
@@ -385,6 +411,7 @@
 restrictions                              u:object_r:restrictions_service:s0
 rkpd.registrar                            u:object_r:rkpd_registrar_service:s0
 rkpd.refresh                              u:object_r:rkpd_refresh_service:s0
+rkp_cert_processor.service                u:object_r:rkp_cert_processor_service:s0
 role                                      u:object_r:role_service:s0
 rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
@@ -425,6 +452,10 @@
 storagestats                              u:object_r:storagestats_service:s0
 # sdk_sandbox here refers to the service name, not the domain name.
 sdk_sandbox                               u:object_r:sdk_sandbox_service:s0
+
+is_flag_enabled(RELEASE_SUPERVISION_SERVICE, `
+    supervision                               u:object_r:supervision_service:s0
+')
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 SurfaceFlingerAIDL                        u:object_r:surfaceflinger_service:s0
 suspend_control                           u:object_r:system_suspend_control_service:s0
@@ -447,6 +478,7 @@
 thermalservice                            u:object_r:thermal_service:s0
 thread_network                            u:object_r:threadnetwork_service:s0
 tracing.proxy                             u:object_r:tracingproxy_service:s0
+tradeinmode                               u:object_r:tradeinmode_service:s0
 translation                               u:object_r:translation_service:s0
 transparency                              u:object_r:transparency_service:s0
 trust                                     u:object_r:trust_service:s0
@@ -483,5 +515,9 @@
 wifinl80211                               u:object_r:wifinl80211_service:s0
 wifiaware                                 u:object_r:wifiaware_service:s0
 wifirtt                                   u:object_r:rttmanager_service:s0
+starting_at_board_api(202504, `
+   wifi_usd                                  u:object_r:wifi_usd_service:s0
+')
+wifi_mainline_supplicant                  u:object_r:wifi_mainline_supplicant_service:s0
 window                                    u:object_r:window_service:s0
 *                                         u:object_r:default_android_service:s0
diff --git a/private/shell.te b/private/shell.te
index 6d6e06f..890d6f4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -42,6 +42,9 @@
 
 domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
 
+# Allow shell to execute tradeinmode for testing.
+domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
+
 # Allow shell binaries to exec the perfetto cmdline util and have that
 # transition into its own domain, so that it behaves consistently to
 # when exec()-d by statsd.
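Review bot: The comment at L5665 says the transition is `for testing`, yet `domain_auto_trans(shell, tradeinmode_exec, tradeinmode)` at L5666 is unconditional and so applies on user builds too. If the exec is only needed on debug builds, wrap it in `userdebug_or_eng(`...')` like the other test-only shell rules; if a user-build test genuinely needs it, say so in the comment so the grant is not pruned later. The same question applies to the 16 KB app-compat set_prop rules in the next hunk (L5675-L5679), which let shell flip global linker and package-manager behaviour on any build and whose comments do not say whether they are test-only.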
@@ -108,6 +111,12 @@
 # Allow shell to set RKP properties for testing purposes
 set_prop(shell, remote_prov_prop)
 
+# Allow shell to enable 16 KB backcompat globally.
+set_prop(shell, bionic_linker_16kb_app_compat_prop)
+
+# Allow shell to disable compat in package manager
+set_prop(shell, pm_16kb_app_compat_prop)
+
 # Allow shell to get encryption policy of /data/local/tmp/, for CTS
 allowxperm shell shell_data_file:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
@@ -177,6 +186,8 @@
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
 set_prop(shell, ctl_snapuserd_prop)
+# Allow shell to start/stop prefetch
+set_prop(shell, ctl_prefetch_prop)
 # Allow shell to enable Dynamic System Update
 set_prop(shell, dynamic_system_prop)
 # Allow shell to mock an OTA using persist.pm.mock-upgrade
@@ -198,6 +209,14 @@
 
 # Allow shell to execute the remote key provisioning factory tool
 binder_call(shell, hal_keymint)
+# Allow shell to run the AVF RKP HAL during the execution of the remote key
+# provisioning factory tool.
+# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
+# a separate process.
+binder_call(shell, virtualizationservice)
+# Allow the shell to inspect whether AVF remote attestation is supported
+# through the system property.
+get_prop(shell, avf_virtualizationservice_prop)
 
 # Allow reading the outcome of perf_event_open LSM support test for CTS.
 get_prop(shell, init_perf_lsm_hooks_prop)
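Review bot: The TODO(b/351113293) at L5699-L5700 covers only `binder_call(shell, virtualizationservice)`, but the virtualization_service entries added to the two service_manager find lists later in this file (L5725 and L5755, both inside rules whose head is outside their hunks) look like part of the same temporary arrangement. If they are, each should carry the same bug reference so all three are removed together; if the find change is permanent, a comment saying so would keep it from being pruned with the HAL workaround.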
@@ -265,12 +284,6 @@
 # TODO (b/350628688): Remove this once it's safe to do so.
 allow shell oatdump_exec:file rx_file_perms;
 
-# Allow shell access to socket for test
-userdebug_or_eng(`
-    allow shell aconfigd_socket:sock_file write;
-    allow shell aconfigd:unix_stream_socket connectto;
-')
-
 # Create and use network sockets.
 net_domain(shell)
 
@@ -360,6 +373,7 @@
   -virtual_touchpad_service
   -vold_service
   -default_android_service
+  -virtualization_service
 }:service_manager find;
 allow shell dumpstate:binder call;
 
@@ -394,7 +408,6 @@
 
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
@@ -470,9 +483,12 @@
 allow shell vendor_shell_exec:file rx_file_perms;
 
 is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
-  allow shell custom_vm_setup_exec:file { entrypoint r_file_perms };
+  allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
 ')
 
+allow shell tee_service_contexts_file:file r_file_perms;
+allow shell test_pkvm_tee_service:tee_service use;
+
 # Everything is labeled as rootfs in recovery mode. Allow shell to
 # execute them.
 recovery_only(`
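Review bot: `allow shell test_pkvm_tee_service:tee_service use;` at L5746 grants shell a test-named service on every build with no comment, while the neighbouring rules in this hunk are gated or explained. If this exists for a pKVM test, wrap L5745-L5746 in `userdebug_or_eng(`...')` or whatever release flag gates the rest of the TEE-service policy, and add `# Allow shell (tests) to read the TEE service allowlist and exercise the pKVM test service.` above L5745. The tee_service class is new in this change (L5399), so this is also the first permission shell receives in that class; a line on why shell rather than a dedicated test domain holds it would help the next reviewer.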
@@ -489,6 +505,7 @@
   hal_keymint_service
   hal_secureclock_service
   hal_sharedsecret_service
+  virtualization_service
 }:service_manager find;
 
 # Do not allow shell to hard link to any files.
diff --git a/private/statsd.te b/private/statsd.te
index b932bc6..3db5c60 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -41,6 +41,12 @@
 
 # Allow statsd to trigger uprobestats via property.
 set_prop(statsd, uprobestats_start_with_config_prop);
+
+# Allow statsd to use io_uring
+io_uring_use(statsd)
+
+# Allow statsd to start the uprobestats service.
+set_prop(statsd, ctl_uprobestats_prop)
 binder_use(statsd)
 
 # Allow statsd to scan through /proc/pid for all processes.
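Review bot: `# Allow statsd to use io_uring` at L5768 restates the macro rather than saying why; io_uring exposes a large kernel surface to its caller, so a grant to a long-running system daemon deserves a reason a reviewer can check later, e.g. `# io_uring is used by <component> for <purpose> (b/<bug id>)`. The new set_prop at L5772 also drops the trailing `;` that the existing line at L5766 carries; either form works, but the two adjacent lines should agree.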
diff --git a/private/su.te b/private/su.te
index 2d4b0c6..1e2adef 100644
--- a/private/su.te
+++ b/private/su.te
@@ -106,6 +106,7 @@
   typeattribute su hal_ir_client;
   typeattribute su hal_keymaster_client;
   typeattribute su hal_light_client;
+  typeattribute su hal_mediaquality_client;
   typeattribute su hal_memtrack_client;
   typeattribute su hal_neuralnetworks_client;
   typeattribute su hal_nfc_client;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 91e9aba..1e0e1ef 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -85,6 +85,15 @@
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
+# Allow reading and writing to sockets used for BLAST buffer releases.
+# SurfaceFlinger never reads from these sockets but needs read permissions in order to receive
+# the file descriptors over binder. There's no mechanism to mark a socket as write-only.
+# shutdown is used to close the read-end of the sockets that are sent to SurfaceFlinger. See
+# b/353597444
+allow surfaceflinger { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:unix_stream_socket { read write };
+allow surfaceflinger bootanim:unix_stream_socket { read write };
+allow surfaceflinger automotive_display_service:unix_stream_socket { read write };
+
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
@@ -131,6 +140,8 @@
 allow surfaceflinger statsmanager_service:service_manager find;
 # TODO(146461633): remove this once native pullers talk to StatsManagerService
 binder_call(surfaceflinger, statsd);
+# Allow pushing atoms to the stats bootstrap atom service
+allow surfaceflinger statsbootstrap_service:service_manager find;
 
 # Allow to use files supplied by hal_evs
 allow surfaceflinger hal_evs:fd use;
@@ -138,10 +149,6 @@
 # Allow to use release fence fds supplied by hal_camera
 allow surfaceflinger hal_camera:fd use;
 
-# Allow pushing jank event atoms to statsd
-userdebug_or_eng(`
-    unix_socket_send(surfaceflinger, statsdw, statsd)
-')
 
 # Surfaceflinger should not be reading default vendor-defined properties.
 dontaudit surfaceflinger vendor_default_prop:file read;
diff --git a/private/system_app.te b/private/system_app.te
index e0ed8c3..93be46f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -151,7 +151,7 @@
   proc_version
 }:file r_file_perms;
 
-# Settings app writes to /dev/stune/foreground/tasks.
+# Allow system apps to modify cgroup attributes and migrate processes
 allow system_app cgroup:file w_file_perms;
 allow system_app cgroup_v2:file w_file_perms;
 allow system_app cgroup_v2:dir w_dir_perms;
@@ -199,3 +199,7 @@
 
 allow system_app vendor_boot_ota_file:dir { r_dir_perms };
 allow system_app vendor_boot_ota_file:file { r_file_perms };
+
+# allow system_app to read system_dlkm_file for /system_dlkm/etc/NOTICE.xml.gz
+allow system_app system_dlkm_file:dir search;
+allow system_app system_dlkm_file:file { getattr open read };
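Review bot: The comment at L5846 names a single file (/system_dlkm/etc/NOTICE.xml.gz), but the rules at L5847-L5848 grant search on every system_dlkm_file directory and getattr/open/read on every system_dlkm_file file, which presumably includes the kernel modules under /system_dlkm. Read access to modules is likely harmless, but if the NOTICE file is the only need, giving it its own label — or stating in the comment that the wider read is accepted — would keep the rule matching its justification.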
diff --git a/private/system_server.te b/private/system_server.te
index 46b0109..01097f2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -198,6 +198,8 @@
 allow system_server hal_camera:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 allow system_server bootanim:process { getsched setsched };
+# Set scheduling info for VMs (b/375058190)
+allow system_server { virtualizationmanager crosvm }:process { getsched setsched };
 
 # Set scheduling info for psi monitor thread.
 # TODO: delete this line b/131761776
@@ -291,6 +293,7 @@
 binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
+binder_call(system_server, mmd)
 binder_call(system_server, netd)
 binder_call(system_server, ot_daemon)
 userdebug_or_eng(`binder_call(system_server, profcollectd)')
@@ -302,6 +305,7 @@
 binder_call(system_server, logd)
 binder_call(system_server, wificond)
 binder_call(system_server, uprobestats)
+binder_call(system_server, wifi_mainline_supplicant)
 binder_service(system_server)
 
 # Use HALs
@@ -324,6 +328,7 @@
 hal_client_domain(system_server, hal_ir)
 hal_client_domain(system_server, hal_keymint)
 hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_mediaquality)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
@@ -389,6 +394,7 @@
   mediaswcodec
   mediatranscoding
   mediatuner
+  mmd
   netd
   sdcardd
   servicemanager
@@ -774,6 +780,7 @@
 set_prop(system_server, ctl_default_prop)
 set_prop(system_server, ctl_bugreport_prop)
 set_prop(system_server, ctl_gsid_prop)
+set_prop(system_server, ctl_artd_pre_reboot_prop)
 
 # cppreopt property
 set_prop(system_server, cppreopt_prop)
@@ -809,12 +816,16 @@
 set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, device_config_remote_key_provisioning_native_prop)
 set_prop(system_server, device_config_tethering_u_or_later_native_prop)
+set_prop(system_server, device_config_mmd_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 set_prop(system_server, arm64_memtag_prop)
 
 # staged flag properties
 set_prop(system_server, next_boot_prop)
 
+# Allow system server to read pm.16kb.app_compat.disabled
+get_prop(system_server, pm_16kb_app_compat_prop)
+
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
 get_prop(system_server, device_config_runtime_native_prop)
@@ -1001,6 +1012,7 @@
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
 allow system_server mediatuner_service:service_manager find;
+allow system_server mmd_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server ot_daemon_service:service_manager find;
@@ -1019,6 +1031,7 @@
 userdebug_or_eng(`
   allow system_server profcollectd_service:service_manager find;
 ')
+allow system_server wifi_mainline_supplicant_service:service_manager find;
 
 add_service(system_server, batteryproperties_service)
 
@@ -1143,6 +1156,9 @@
 # Set persist.adb.tls_server.enable property
 set_prop(system_server, system_adbd_prop)
 
+# Set service.adbd.tradeinmode from ITradeInService.
+set_prop(system_server, adbd_tradeinmode_prop)
+
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
@@ -1236,6 +1252,10 @@
 # calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
 dontaudit system_server self:key_socket getopt;
 
+# Needed to interact with memevents-eBPF and receive notifications for memory events
+allow system_server fs_bpf_memevents:dir search;
+allow system_server fs_bpf_memevents:file { read write };
+
 # Allow system_server to start clatd in its own domain and kill it.
 domain_auto_trans(system_server, clatd_exec, clatd)
 allow system_server clatd:process { sigkill signal };
@@ -1264,6 +1284,11 @@
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
 allow system_server functionfs:file rw_file_perms;
+# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
+starting_at_board_api(202504, `
+allow system_server sysfs_type:dir search;
+r_dir_file(system_server, sysfs_udc)
+')
 
 # system_server contains time / time zone detection logic so reads the associated properties.
 get_prop(system_server, time_prop)
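Review bot: The body of the starting_at_board_api block at L5962-L5963 is not indented, unlike the other macro bodies in this file (e.g. L5929); indenting both lines two spaces keeps the block readable. `allow system_server sysfs_type:dir search;` is attribute-wide — it permits traversal through every sysfs_type-labelled directory, not only the udc ones — which the comment at L5960 justifies as symlink resolution; since search alone grants no reads that seems acceptable, but moving the comment inside the block so the grant and its reason travel together would be clearer.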
@@ -1381,6 +1406,7 @@
   device_config_aconfig_flags_prop
   device_config_window_manager_native_boot_prop
   device_config_tethering_u_or_later_native_prop
+  device_config_mmd_native_prop
   next_boot_prop
 }:property_service set;
 
@@ -1439,6 +1465,9 @@
 # Allow system server to read /apex/apex-info-list.xml
 allow system_server apex_info_file:file r_file_perms;
 
+# Allow system_server to communicate with tradeinmode.
+binder_call(system_server, tradeinmode)
+
 # Allow system server to communicate to system-suspend's control interface
 allow system_server system_suspend_control_internal_service:service_manager find;
 allow system_server system_suspend_control_service:service_manager find;
@@ -1490,6 +1519,10 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# Allow TradeInMode service rw access to /metadata/tradeinmode.
+allow system_server tradeinmode_metadata_file:dir rw_dir_perms;
+allow system_server tradeinmode_metadata_file:file create_file_perms;
+
 allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
 allow system_server userspace_reboot_metadata_file:file create_file_perms;
 
@@ -1500,15 +1533,11 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
-allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
-allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_metadata_file:dir search;
+# allow system_server write to aconfigd socket
+unix_socket_connect(system_server, aconfigd, aconfigd);
 
-allow system_server aconfigd_socket:sock_file {read write};
-allow system_server aconfigd:unix_stream_socket connectto;
-
-allow system_server aconfig_test_mission_files:dir create_dir_perms;
-allow system_server aconfig_test_mission_files:file create_file_perms;
+# allow system_server write to aconfigd_mainline socket
+unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline);
 
 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
 allow system_server repair_mode_metadata_file:file create_file_perms;
@@ -1542,10 +1571,6 @@
 # Read /proc/pressure/cpu and /proc/pressure/io
 allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
 
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
 # No ptracing others
 neverallow system_server { domain -system_server }:process ptrace;
 
@@ -1562,14 +1587,6 @@
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
 
-# Only system_server/init should access /metadata/userspacereboot.
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
-
-# Only system server should access /metadata/aconfig
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
-
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }
@@ -1673,6 +1690,9 @@
 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
 
+# Do not allow anything other than system_server and init to touch /metadata/tradeinmode.
+neverallow { domain -init -system_server } tradeinmode_metadata_file:file no_rw_file_perms;
+
 neverallow {
   domain
   -init
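Review bot: The new neverallow for tradeinmode_metadata_file covers only the `file` class, so the comment's "nothing other than system_server and init may touch /metadata/tradeinmode" is not what the rule enforces: another domain could still be granted create/unlink/rename on the directory. The password_slot_metadata_file rules just above this hunk, and the userspace_reboot_metadata_file pair removed earlier in this file, both pair a `dir *` rule with the file rule; the same shape fits here, `neverallow { domain -init -system_server } tradeinmode_metadata_file:dir *;`. If vendor_init or another domain holds a directory-level grant on metadata types, it would need to be excluded explicitly like the `-aconfigd` exclusions in the removed aconfig rules.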
diff --git a/private/tee_service_contexts b/private/tee_service_contexts
new file mode 100644
index 0000000..89eceae
--- /dev/null
+++ b/private/tee_service_contexts
@@ -0,0 +1,13 @@
+# Tee services contexts.
+#
+# This file defines all tee services available to VMs.
+# This file is read by virtmngr.
+#
+# Format:
+# <tee_service_name> <label>
+#
+# <tee_service_name> must be a string
+
+# Example tee service that can be used for end-to-end integration of
+# custom smcs filtering on devices with pkvm hypervisor.
+test_pkvm_tee_service u:object_r:test_pkvm_tee_service:s0
diff --git a/private/tee_services.te b/private/tee_services.te
new file mode 100644
index 0000000..320f8b7
--- /dev/null
+++ b/private/tee_services.te
@@ -0,0 +1,6 @@
+# Specify tee_services in this file.
+# Please keep the names in the alphabetical order and comment each new entry.
+
+# An example tee_service that can be used to test end-to-end integration of custom
+# smcs filtering feature on a device with pkvm hypervisor.
+type test_pkvm_tee_service, tee_service_type;
diff --git a/private/traced.te b/private/traced.te
index 796095f..8a29541 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -53,6 +53,9 @@
   userdebug_or_eng(`system_server_tmpfs')
 }:file { getattr map read write };
 
+# Allow traced to detect if a process is frozen (b/381089063).
+allow traced cgroup_v2:file r_file_perms;
+
 # Allow setting debug properties which guard initialization of the Perfetto SDK
 # in SurfaceFlinger and HWUI's copy of Skia.
 # Required for the android.sdk_sysprop_guard data source.
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 003e992..6540420 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -111,6 +111,10 @@
 binder_call(traced_probes, statsd)
 allow traced_probes stats_service:service_manager find;
 
+# Allow reading the system property representing number of desktop windows to
+# set the initial value for the counter in traces.
+get_prop(traced_probes, debug_tracing_desktop_mode_visible_tasks_prop)
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
new file mode 100644
index 0000000..99035f8
--- /dev/null
+++ b/private/tradeinmode.te
@@ -0,0 +1,32 @@
+### trade-in mode
+
+type tradeinmode, domain, coredomain;
+type tradeinmode_exec, exec_type, file_type, system_file_type;
+
+allow tradeinmode adbd_tradeinmode:fd use;
+allow tradeinmode adbd_tradeinmode:unix_stream_socket { read write ioctl };
+
+# Allow running from normal shell.
+allow tradeinmode { adbd shell }:fd use;
+allow tradeinmode adbd:unix_stream_socket { read write ioctl };
+
+allow tradeinmode devpts:chr_file rw_file_perms;
+
+# Allow executing am/content without a domain transition.
+allow tradeinmode system_file:file rx_file_perms;
+allow tradeinmode zygote_exec:file rx_file_perms;
+allow tradeinmode apex_info_file:file r_file_perms;
+
+allow tradeinmode activity_service:service_manager find;
+
+get_prop(tradeinmode, odsign_prop)
+get_prop(tradeinmode, build_attestation_prop)
+get_prop(tradeinmode, adbd_tradeinmode_prop)
+set_prop(tradeinmode, powerctl_prop)
+
+# Needed to start activities through "am".
+binder_call(tradeinmode, system_server)
+binder_call(tradeinmode, servicemanager)
+
+# Needed to run "content".
+binder_call(tradeinmode, platform_app)
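Review bot: `set_prop(tradeinmode, powerctl_prop)` is the one privilege-granting line in this new domain with no comment, and it is the one a reviewer most wants explained, since the powerctl property is how a process asks init to reboot or shut down the device; a line such as `# Allow tradeinmode to request a reboot when trade-in mode is entered/exited` would record the intent. The two `rx_file_perms` grants on system_file and zygote_exec let the domain execute any system binary in-domain, and the comment justifies only am/content; if that breadth is deliberate because those are shell wrappers, saying so would stop a later reader from narrowing it by mistake. How the domain is entered (the transition from adbd_tradeinmode or shell) is not in this file, so a pointer to where that transition lives would help.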
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index 5bba84a..6de0292 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -107,5 +107,5 @@
 
 # Allow to read/write/create OTA metadata files for snapshot status and COW file status.
 allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:dir { rw_dir_perms rmdir };
 allow update_engine_common ota_metadata_file:file create_file_perms;
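Review bot: The added `rmdir` on ota_metadata_file:dir is not reflected in the comment two lines above, which still describes the grant as read/write/create. Updating it to `# Allow to read/write/create/remove OTA metadata files and directories for snapshot status and COW file status.` keeps the comment and the rule in step.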
diff --git a/private/uprobestats.te b/private/uprobestats.te
index 2c5711f..d778126 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,6 +24,7 @@
 # For registration with system server as a process observer.
 binder_use(uprobestats)
 allow uprobestats activity_service:service_manager find;
+allow uprobestats dynamic_instrumentation_service:service_manager find;
 binder_call(uprobestats, system_server);
 
 # Allow uprobestats to talk to native package manager
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 72157ad..a50bc27 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -115,6 +115,7 @@
   -userspace_reboot_metadata_file
   -aconfig_storage_metadata_file
   -aconfig_storage_flags_metadata_file
+  -tradeinmode_metadata_file
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
@@ -221,9 +222,6 @@
 # Write to /proc/sys/vm/page-cluster
 allow vendor_init proc_page_cluster:file w_file_perms;
 
-# Write to /proc/sys/vm/compaction_proactiveness
-allow vendor_init proc_compaction_proactiveness:file w_file_perms;
-
 # Write to sysfs nodes.
 allow vendor_init sysfs_type:dir r_dir_perms;
 allow vendor_init sysfs_type:lnk_file read;
@@ -294,6 +292,7 @@
 set_prop(vendor_init, log_tag_prop)
 set_prop(vendor_init, log_prop)
 set_prop(vendor_init, graphics_config_writable_prop)
+set_prop(vendor_init, prefetch_boot_prop);
 set_prop(vendor_init, qemu_hw_prop)
 set_prop(vendor_init, radio_control_prop)
 set_prop(vendor_init, rebootescrow_hal_prop)
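Review bot: `set_prop(vendor_init, prefetch_boot_prop);` ends with a semicolon while every neighbouring set_prop line in this block does not; the macro already expands to terminated rules, so the semicolon is a stray empty statement and a style inconsistency. The same trailing semicolon appears on the new `set_prop(vmlauncher_app, debug_prop);` line in private/vmlauncher_app.te. Dropping it on both keeps the macro-call lines uniform with the rest of the file.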
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 633d8c0..31eadb2 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -28,8 +28,6 @@
 # Allow virtual_camera to use fd from apps
 allow virtual_camera { appdomain -isolated_app }:fd use;
 
-# Allow virtual_camera to use fd from surface flinger
-allow virtual_camera surfaceflinger:fd use;
 binder_call(virtual_camera, surfaceflinger);
 
 # Only allow virtual_camera to add a virtual_camera_service and no one else.
diff --git a/private/virtual_face.te b/private/virtual_face.te
new file mode 100644
index 0000000..9a805e8
--- /dev/null
+++ b/private/virtual_face.te
@@ -0,0 +1,7 @@
+# biometric virtual face sensor
+type virtual_face, domain;
+type virtual_face_exec, system_file_type, exec_type, file_type;
+hal_server_domain(virtual_face, hal_face)
+typeattribute virtual_face coredomain;
+init_daemon_domain(virtual_face)
+set_prop(virtual_face, virtual_face_prop)
diff --git a/private/virtual_fingerprint.te b/private/virtual_fingerprint.te
new file mode 100644
index 0000000..be20e24
--- /dev/null
+++ b/private/virtual_fingerprint.te
@@ -0,0 +1,7 @@
+# biometric virtual fingerprint sensor
+type virtual_fingerprint, domain;
+type virtual_fingerprint_exec, system_file_type, exec_type, file_type;
+hal_server_domain(virtual_fingerprint, hal_fingerprint)
+typeattribute virtual_fingerprint coredomain;
+init_daemon_domain(virtual_fingerprint)
+set_prop(virtual_fingerprint, virtual_fingerprint_prop)
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 9b3cfcf..259c402 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -1,7 +1,7 @@
-# Domain for a child process that manages virtual machines on behalf of its parent.
-
-type virtualizationmanager, domain, coredomain;
-type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+until_board_api(202504, `
+    type virtualizationmanager, domain, coredomain;
+    type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+')
 
 # Allow virtualizationmanager to communicate use, read and write over the adb connection.
 allow virtualizationmanager adbd:fd use;
@@ -70,12 +70,24 @@
 # Allow virtualizationmanager to be read custom pvmfw.img configuration
 userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_pvmfw_prop)')
 dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
-neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_pvmfw_prop:file no_rw_file_perms;
+neverallow {
+  domain
+  -init
+  -dumpstate
+  userdebug_or_eng(`-virtualizationmanager')
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, -early_virtmgr)
+} hypervisor_pvmfw_prop:file no_rw_file_perms;
 
 # Allow virtualizationmanager to be read custom virtualizationmanager configuration
 userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_virtualizationmanager_prop)')
 dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
-neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
+neverallow {
+  domain
+  -init
+  -dumpstate
+  userdebug_or_eng(`-virtualizationmanager')
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, -early_virtmgr)
+} hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
 
 # Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
 unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
@@ -123,3 +135,10 @@
     allow virtualizationmanager tun_device:chr_file rw_file_perms;
     allow virtualizationmanager vmnic:fd use;
 ')
+
+# virtualizationmanager reads tee_service_contexts_file to determine if VM is allowed
+# to access requested tee services
+allow virtualizationmanager tee_service_contexts_file:file r_file_perms;
+# virtualizationmanager uses libselinux to check if VM is allowed to access requested
+# tee services.
+selinux_check_access(virtualizationmanager)
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index f0f372b..ef34c31 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -2,6 +2,7 @@
 typeattribute vmlauncher_app coredomain;
 
 app_domain(vmlauncher_app)
+net_domain(vmlauncher_app)
 
 allow vmlauncher_app app_api_service:service_manager find;
 allow vmlauncher_app system_api_service:service_manager find;
@@ -10,6 +11,13 @@
 allow vmlauncher_app shell_data_file:file { read open write };
 virtualizationservice_use(vmlauncher_app)
 
+allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app crosvm:fd use;
+allow vmlauncher_app crosvm_tmpfs:file { map read write };
+allow vmlauncher_app crosvm_exec:file rx_file_perms;
+
+allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };
+
 is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
   # TODO(b/332677707): remove them when display service uses binder RPC.
   allow vmlauncher_app virtualization_service:service_manager find;
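Review bot: The four new grants on fsck_exec, crosvm and crosvm_exec carry no comment, although they let an app domain run fsck and crosvm without a domain transition (`execute_no_trans` via `{ r_file_perms execute execute_no_trans }` and `rx_file_perms`) and use crosvm's fd and tmpfs, which is a notably larger footprint than the flagged block below that at least carries a TODO with a bug id. A comment naming the setup step that needs in-domain execution, and whether a transition into the crosvm domain declared in public/crosvm.te by this change was considered, would make the grants auditable. The `privapp_data_file:sock_file` line likewise lacks a note saying what the socket is for.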
@@ -17,9 +25,16 @@
   allow vmlauncher_app crosvm:binder { call transfer };
 ')
 
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+  allow vmlauncher_app self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+')
+
 userdebug_or_eng(`
   # Create pty/pts and connect it to the guest terminal.
   create_pty(vmlauncher_app)
   # Allow other processes to access the pts.
   allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
 ')
+
+# TODO(b/372664601): Remove this when we don't need linux_vm_setup
+set_prop(vmlauncher_app, debug_prop);
diff --git a/private/vold.te b/private/vold.te
index 2c1fb8f..c242040 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -235,7 +235,7 @@
 allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE BLKROSET BLKROGET };
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
@@ -364,6 +364,8 @@
 
 dontaudit vold self:global_capability_class_set sys_resource;
 
+dontaudit vold self:capability sys_rawio;
+
 # Allow ReadDefaultFstab().
 read_fstab(vold)
 
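Review bot: `dontaudit vold self:capability sys_rawio;` suppresses denial logging without saying which operation probes CAP_SYS_RAWIO, and dontaudit rules remove exactly the audit evidence that later investigation relies on. The trigger should be recorded next to the rule, for example `# Silence the CAP_SYS_RAWIO check made by <operation — fill in>; the capability is intentionally not granted`. Whether this relates to the BLKROSET/BLKROGET ioctls added in the earlier hunk of this file is not visible here, so the comment should say if it does.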
diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
new file mode 100644
index 0000000..d6c7998
--- /dev/null
+++ b/private/wifi_mainline_supplicant.te
@@ -0,0 +1,31 @@
+type wifi_mainline_supplicant, domain, coredomain;
+type wifi_mainline_supplicant_exec, system_file_type, exec_type, file_type;
+
+binder_use(wifi_mainline_supplicant)
+init_daemon_domain(wifi_mainline_supplicant)
+add_service(wifi_mainline_supplicant, wifi_mainline_supplicant_service)
+
+allow wifi_mainline_supplicant self:global_capability_class_set { setuid setgid net_admin net_raw };
+allow wifi_mainline_supplicant proc_net:file rw_file_perms;
+allow wifi_mainline_supplicant sysfs_net:dir search;
+
+# Allow limited access to the parent directory /data/misc/wifi/
+allow wifi_mainline_supplicant wifi_data_file:dir { getattr search };
+
+# Create temporary socket files in /data/misc/wifi/mainline_supplicant/sockets
+allow wifi_mainline_supplicant mainline_supplicant_data_file:dir create_dir_perms;
+allow wifi_mainline_supplicant mainline_supplicant_data_file:file create_file_perms;
+allow wifi_mainline_supplicant mainline_supplicant_data_file:sock_file { create write setattr unlink };
+
+# UDP sockets
+allow wifi_mainline_supplicant self:udp_socket create_socket_perms;
+allowxperm wifi_mainline_supplicant self:udp_socket ioctl { priv_sock_ioctls SIOCSIFFLAGS SIOCSIFHWADDR };
+
+# Packet sockets
+allow wifi_mainline_supplicant self:packet_socket create_socket_perms;
+allowxperm wifi_mainline_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+# Netlink sockets
+allow wifi_mainline_supplicant self:netlink_route_socket { bind create read write nlmsg_readpriv nlmsg_write };
+allow wifi_mainline_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow wifi_mainline_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
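Review bot: `allow wifi_mainline_supplicant proc_net:file rw_file_perms;` grants write access to every node labelled proc_net and is one of the few lines in this new file without a comment, alongside the capability line granting setuid, setgid, net_admin and net_raw. Naming the /proc/net entries that are written (or narrowing to a more specific proc type if one exists for them) and stating why setuid/setgid are needed — presumably to drop privileges after start, but that is not visible here — would let a reviewer tell intended from accidental breadth. The other sections of the file already follow this comment-per-grant style, so the two lines stand out.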
diff --git a/public/attributes b/public/attributes
index 759b773..6e11b86 100644
--- a/public/attributes
+++ b/public/attributes
@@ -366,6 +366,9 @@
 hal_attribute(light);
 hal_attribute(lowpan);
 hal_attribute(macsec);
+starting_at_board_api(202504, `
+    hal_attribute(mediaquality);
+')
 hal_attribute(memtrack);
 hal_attribute(neuralnetworks);
 hal_attribute(nfc);
@@ -449,3 +452,8 @@
 
 # All types of ART properties.
 attribute dalvik_config_prop_type;
+
+# All tee services that can be accessed by VMs
+starting_at_board_api(202504, `
+    attribute tee_service_type;
+')
diff --git a/public/crosvm.te b/public/crosvm.te
new file mode 100644
index 0000000..174a8b2
--- /dev/null
+++ b/public/crosvm.te
@@ -0,0 +1,7 @@
+starting_at_board_api(202504, `
+    type crosvm, domain, coredomain;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/early_virtmgr.te b/public/early_virtmgr.te
new file mode 100644
index 0000000..6caac18
--- /dev/null
+++ b/public/early_virtmgr.te
@@ -0,0 +1,12 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+    # Domain for a child process that manages early VMs available before /data mount, on behalf of
+    # its parent.
+    starting_at_board_api(202504, `
+        type early_virtmgr, domain, coredomain;
+        type early_virtmgr_exec, system_file_type, exec_type, file_type;
+    ')
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/file.te b/public/file.te
index 9f75f05..94483a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -23,11 +23,6 @@
 type proc_kpageflags, fs_type, proc_type;
 type proc_watermark_boost_factor, fs_type, proc_type;
 type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
-
-starting_at_board_api(202504, `
-    type proc_compaction_proactiveness, fs_type, proc_type;
-')
-
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -152,12 +147,6 @@
 type fs_bpf_tethering, fs_type, bpffs_type;
 type fs_bpf_vendor, fs_type, bpffs_type;
 
-starting_at_board_api(202504, `
-    type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
-    type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
-')
-
-
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
@@ -232,16 +221,22 @@
 type tcpdump_exec, system_file_type, exec_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
 type system_zoneinfo_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/cgroups.json
+# Cgroups description file under /system/etc/cgroups.json or
+# API file under /system/etc/task_profiles/cgroups_*.json
 type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
+until_board_api(202504, `
+    # Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+    type cgroup_desc_api_file, system_file_type, file_type;
+')
 # Vendor cgroups description file under /vendor/etc/cgroups.json
 type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
+# Task profiles file under /system/etc/task_profiles.json or
+# API file under /system/etc/task_profiles/task_profiles_*.json
 type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
+until_board_api(202504, `
+    # Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+    type task_profiles_api_file, system_file_type, file_type;
+')
 # Vendor task profiles file under /vendor/etc/task_profiles.json
 type vendor_task_profiles_file, vendor_file_type, file_type;
 # Type for /system/apex/com.android.art
@@ -652,6 +647,11 @@
 # Deprecated in SDK version 28
 type audiohal_data_file, file_type, data_file_type, core_data_file_type;
 
+starting_at_board_api(202504, `
+    type sysfs_udc, fs_type, sysfs_type;
+    type tee_service_contexts_file, system_file_type, file_type;
+')
+
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index 8a625f5..eb340c8 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -1,7 +1,7 @@
 # otapreopt_chroot seclabel
 
 # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
-type otapreopt_chroot, domain;
+until_board_api(202504, `type otapreopt_chroot, domain;')
 
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
diff --git a/public/property.te b/public/property.te
index 47a1bde..cb18741 100644
--- a/public/property.te
+++ b/public/property.te
@@ -206,12 +206,18 @@
 system_vendor_config_prop(usb_uvc_enabled_prop)
 system_vendor_config_prop(setupwizard_mode_prop)
 system_vendor_config_prop(pm_archiving_enabled_prop)
+starting_at_board_api(202504, `
+    system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
 
 # Properties with no restrictions
 system_public_prop(adbd_config_prop)
 system_public_prop(audio_prop)
 system_public_prop(bluetooth_a2dp_offload_prop)
 system_public_prop(bluetooth_audio_hal_prop)
+starting_at_board_api(202504, `
+    system_public_prop(bluetooth_finder_prop)
+')
 system_public_prop(bluetooth_prop)
 system_public_prop(bpf_progs_loaded_prop)
 system_public_prop(charger_status_prop)
@@ -274,9 +280,15 @@
 
 # Properties used in the default Face HAL implementations
 vendor_internal_prop(virtual_face_hal_prop)
+starting_at_board_api(202504, `
+    system_public_prop(virtual_face_prop)
+')
 
 # Properties used in the default Fingerprint HAL implementations
 vendor_internal_prop(virtual_fingerprint_hal_prop)
+starting_at_board_api(202504, `
+    system_public_prop(virtual_fingerprint_prop)
+')
 
 vendor_public_prop(persist_vendor_debug_wifi_prop)
 
diff --git a/public/service.te b/public/service.te
index 6ba1dcc..68f4ea0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -66,8 +66,14 @@
 type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type adb_service, system_api_service, system_server_service, service_manager_type;
 type adservices_manager_service, system_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type advanced_protection_service, app_api_service, system_server_service, service_manager_type;
+')
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type app_binding_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type app_function_service, app_api_service, system_server_service, service_manager_type;
+')
 type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
 type app_integrity_service, system_api_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
@@ -138,6 +144,9 @@
 type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type forensic_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+')
 type fwk_altitude_service, system_server_service, service_manager_type;
 type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
 type fwk_sensor_service, system_server_service, service_manager_type;
@@ -156,6 +165,9 @@
 type incremental_service, system_server_service, service_manager_type;
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type intrusion_detection_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+')
 type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type iris_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -170,6 +182,9 @@
 type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type media_quality_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+')
 type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type meminfo_service, system_api_service, system_server_service, service_manager_type;
@@ -195,7 +210,7 @@
 type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, app_api_service, system_api_service, system_server_service, service_manager_type;
 type pinner_service, system_server_service, service_manager_type;
 type powerstats_service, app_api_service, system_server_service, service_manager_type;
 type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
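Review bot: Adding app_api_service to persistent_data_block_service makes the service discoverable by every domain that holds the generic app_api_service find rules, which is a meaningful widening of who can reach the persistent data block, and the hunk carries no comment explaining it. SELinux only gates discovery here, so the effective control moves to the permission checks inside system_server; a comment such as `# Findable by apps; caller access is gated by permission checks in system_server` records where the guarantee now lives. If only a specific app needs it, a dedicated allow for that domain would be tighter than the attribute.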
@@ -277,6 +292,9 @@
 type wifi_service, app_api_service, system_server_service, service_manager_type;
 type wifinl80211_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+   type wifi_usd_service, app_api_service, system_server_service, service_manager_type;
+')
 type window_service, system_api_service, system_server_service, service_manager_type;
 type inputflinger_service, system_api_service, system_server_service, service_manager_type;
 type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
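Review bot: The new wifi_usd_service line inside the starting_at_board_api block is indented with three spaces, while every other starting_at_board_api body in this file uses four. Re-indenting it to `    type wifi_usd_service, app_api_service, system_server_service, service_manager_type;` keeps the blocks uniform.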
@@ -318,6 +336,9 @@
 type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
 type hal_light_service, protected_service, hal_service_type, service_manager_type;
 type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
+starting_at_board_api(202504, `
+    type hal_mediaquality_service, protected_service, hal_service_type, service_manager_type;
+')
 type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
 type hal_neuralnetworks_service, hal_service_type, service_manager_type;
 type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 6d7533af..2ba15b3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -201,6 +201,38 @@
 get_prop($1, hypervisor_prop)
 # Allow client to read (but not open) the crashdump provided by virtualizationmanager
 allow $1 virtualizationservice_data_file:file { getattr read };
+# Allow virtualizationmanager to read the path of the client using /proc/{PID}/exe
+allow virtualizationmanager $1:dir search;
+allow virtualizationmanager $1:file read;
+allow virtualizationmanager $1:lnk_file read;
+')
+
+####################################
+# early_virtmgr_use(domain)
+# Allow domain to create and communicate with an early virtual machine using
+# early_virtmgr.
+define(`early_virtmgr_use', `
+# Transition to early_virtmgr when the client executes it.
+domain_auto_trans($1, early_virtmgr_exec, early_virtmgr)
+# Allow early_virtmgr to communicate over UDS with the client.
+allow { early_virtmgr crosvm } $1:unix_stream_socket { ioctl getattr read write };
+# Let the client pass file descriptors to early_virtmgr and on to crosvm.
+allow { early_virtmgr crosvm } $1:fd use;
+allow { early_virtmgr crosvm } $1_tmpfs:file rw_file_perms;
+# Let the client use file descriptors created by early_virtmgr.
+allow $1 early_virtmgr:fd use;
+# Allow piping console log to the client
+allow { early_virtmgr crosvm } $1:fifo_file { ioctl getattr read write };
+# Allow client to read/write vsock created by early_virtmgr to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 early_virtmgr:vsock_socket { getattr getopt read write };
+# Allow client to inspect hypervisor capabilities
+get_prop($1, hypervisor_prop)
+# Allow early_virtmgr to read the path of the client using /proc/{PID}/exe
+allow early_virtmgr $1:dir search;
+allow early_virtmgr $1:file read;
+allow early_virtmgr $1:lnk_file read;
 ')
 
 #####################################
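Review bot: `allow virtualizationmanager $1:file read;` (and its early_virtmgr twin) is broader than the stated purpose of reading /proc/{PID}/exe: resolving that symlink needs only `dir search` and `lnk_file read`, while `file read` also covers other /proc/PID entries labelled with the client's domain. If a specific entry such as cmdline is read, naming it in the comment would justify the grant; otherwise the line can be dropped. The enclosing definition of virtualizationservice_use starts outside the hunk, and early_virtmgr_use repeats it almost line for line with a different manager domain, so a shared helper parameterised on the manager would keep the two macros from drifting apart.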
diff --git a/public/virtualizationmanager.te b/public/virtualizationmanager.te
new file mode 100644
index 0000000..555bc23
--- /dev/null
+++ b/public/virtualizationmanager.te
@@ -0,0 +1,9 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+starting_at_board_api(202504, `
+    type virtualizationmanager, domain, coredomain;
+    type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/tests/Android.bp b/tests/Android.bp
index 3dda11a..81e7927 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -83,6 +83,8 @@
     libs: ["pysepolwrap"],
     data: [
         ":libsepolwrap",
+    ],
+    device_common_data: [
         ":precompiled_sepolicy",
     ],
 }
@@ -96,6 +98,8 @@
     libs: ["pysepolwrap"],
     data: [
         ":libsepolwrap",
+    ],
+    device_common_data: [
         ":precompiled_sepolicy",
     ],
     test_options: {
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 362de57..2791c53 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -44,6 +44,10 @@
         "/system/product/vendor_overlay/",
         "/system/system_ext/overlay/",
         "/system_ext/overlay/",
+
+        # adb_keys_file hasn't been a system_file_type
+        "/product/etc/security/adb_keys",
+        "/system/product/etc/security/adb_keys",
     ]
 
     return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 051e24b..904f02f 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -304,6 +304,7 @@
     }
 
     char line[1024];
+    bool non_matching_entries = false;
     while (fgets(line, sizeof(line), test_data)) {
         char *path;
         char *expected_type;
@@ -331,6 +332,7 @@
         if (strcmp(found_type, expected_type)) {
             fprintf(stderr, "Incorrect type for %s: resolved to %s, expected %s\n",
                     path, found_type, expected_type);
+            non_matching_entries = true;
         }
 
         free(found_context);
@@ -340,6 +342,10 @@
     }
     fclose(test_data);
 
+    if (non_matching_entries) {
+        exit(1);
+    }
+
     // Prints the coverage of file_contexts on the test data. It includes
     // warnings for rules that have not been hit by any test example.
     union selinux_callback cb;
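Review bot: The `exit(1)` added right after `fclose(test_data)` runs before the file_contexts coverage report that follows it, so a single mismatched test entry now suppresses the coverage warnings that would help diagnose the mismatch; deferring the exit until after the report, or at least summarising, keeps both outputs. A counter is also more informative than the flag: `int non_matching_entries = 0;`, `non_matching_entries++;`, and `fprintf(stderr, "%d test entries resolved to the wrong type\n", non_matching_entries);` before exiting. `bool` needs `<stdbool.h>` unless the file is built as C23; the include block is outside my view, so confirm it is already pulled in. The enclosing function starts and ends outside these hunks.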
diff --git a/tools/finalize-vintf-resources.sh b/tools/finalize-vintf-resources.sh
index cdf82f1..3f3def6 100755
--- a/tools/finalize-vintf-resources.sh
+++ b/tools/finalize-vintf-resources.sh
@@ -30,6 +30,22 @@
 cat > "$prebuilt_dir/Android.bp" <<EOF
 // Automatically generated file, do not edit!
 se_policy_conf {
+    name: "${ver}_reqd_policy_mask.conf",
+    defaults: ["se_policy_conf_flags_defaults"],
+    srcs: reqd_mask_policy,
+    installable: false,
+    build_variant: "user",
+    board_api_level: "${ver}",
+}
+
+se_policy_cil {
+    name: "${ver}_reqd_policy_mask.cil",
+    src: ":${ver}_reqd_policy_mask.conf",
+    secilc_check: false,
+    installable: false,
+}
+
+se_policy_conf {
     name: "${ver}_plat_pub_policy.conf",
     defaults: ["se_policy_conf_flags_defaults"],
     srcs: [
@@ -38,12 +54,13 @@
     ],
     installable: false,
     build_variant: "user",
+    board_api_level: "${ver}",
 }
 
 se_policy_cil {
     name: "${ver}_plat_pub_policy.cil",
     src: ":${ver}_plat_pub_policy.conf",
-    filter_out: [":reqd_policy_mask.cil"],
+    filter_out: [":${ver}_reqd_policy_mask.cil"],
     secilc_check: false,
     installable: false,
 }
@@ -59,16 +76,25 @@
     ],
     installable: false,
     build_variant: "user",
+    board_api_level: "${ver}",
 }
 
 se_policy_cil {
     name: "${ver}_product_pub_policy.cil",
     src: ":${ver}_product_pub_policy.conf",
-    filter_out: [":reqd_policy_mask.cil"],
+    filter_out: [":${ver}_reqd_policy_mask.cil"],
     secilc_check: false,
     installable: false,
 }
 
+se_versioned_policy {
+    name: "${ver}_plat_pub_versioned.cil",
+    base: ":${ver}_product_pub_policy.cil",
+    target_policy: ":${ver}_product_pub_policy.cil",
+    version: "${ver}",
+    installable: false,
+}
+
 se_policy_conf {
     name: "${ver}_plat_policy.conf",
     defaults: ["se_policy_conf_flags_defaults"],
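Review bot: In the generated `se_versioned_policy` module named `${ver}_plat_pub_versioned.cil`, both `base` and `target_policy` point to `:${ver}_product_pub_policy.cil`, so the module name says "plat_pub" while both inputs are the product public policy. If that mirrors the non-prebuilt module in the top-level Android.bp it is fine, but a comment in the heredoc such as `// base and target_policy are both the frozen product public policy; the name matches the non-prebuilt module` would save the next reader a trip; if it does not, one of the two presumably wants `:${ver}_plat_pub_policy.cil`. I cannot verify the intended pairing from this diff alone.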
diff --git a/tools/fuzzer_bindings_check.py b/tools/fuzzer_bindings_check.py
index 55859ac..65b54de 100644
--- a/tools/fuzzer_bindings_check.py
+++ b/tools/fuzzer_bindings_check.py
@@ -50,8 +50,8 @@
        if service_name not in bindings:
          sys.exit("\nerror: Service '{0}' is being added, but we have no fuzzer on file for it. "
                   "Fuzzers are listed at $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
-                  "NOTE: automatic service fuzzers are currently not supported in Java (b/232439254) "
-                  "and Rust (b/164122727). In this case, please ignore this for now and add an entry for your"
+                  "NOTE: automatic service fuzzers are currently not supported in Java (b/287102710.)"
+                  "In this case, please ignore this for now and add an entry for your"
                   "new service in service_fuzzer_bindings.go \n\n"
                   "If you are writing a new service, it may be subject to attack from other "
                   "potentially malicious processes. A fuzzer can be written automatically "
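Review bot: The rewritten message loses the space between the two adjacent literals: `"(b/287102710.)"` is immediately followed by `"In this case, ..."`, so the user sees `(b/287102710.)In this case`, and the period inside the parentheses reads oddly. Use `"NOTE: automatic service fuzzers are currently not supported in Java (b/287102710). "` and `"In this case, please ignore this for now and add an entry for your "`; the trailing space on the second line also fixes the pre-existing `yournew service` join with the following literal. The enclosing function starts outside this hunk.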
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 745ab13..4b88206 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -382,7 +382,6 @@
     char *p, *start;
     int result;
 
-    int non_comment_len = 0, cur_non_comment_len = 0;
     char *cur_non_comment_text = calloc(1, (end - text) + 1);
     char *non_comment_text = cur_non_comment_text;
     if (!cur_non_comment_text)
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
deleted file mode 100644
index 2e9d68f..0000000
--- a/treble_sepolicy_tests_for_release.mk
+++ /dev/null
@@ -1,81 +0,0 @@
-version := $(version_under_treble_tests)
-
-include $(CLEAR_VARS)
-# For Treble builds run tests verifying that processes are properly labeled and
-# permissions granted do not violate the treble model.  Also ensure that treble
-# compatibility guarantees are upheld between SELinux version bumps.
-LOCAL_MODULE := treble_sepolicy_tests_$(version)
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-IS_TREBLE_TEST_ENABLED_PARTNER := false
-ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
-IS_TREBLE_TEST_ENABLED_PARTNER := true
-endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
-endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# $(version)_plat - the platform policy shipped as part of the $(version) release.  This is
-# built to enable us to determine the diff between the current policy and the
-# $(version) policy, which will be used in tests to make sure that compatibility has
-# been maintained by our mapping files.
-built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
-
-$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
-$(version)_mapping.ignore.cil := \
-    $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR))
-$(version)_mapping.cil += \
-    $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
-$(version)_mapping.ignore.cil += \
-    $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
-endif # (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR))
-ifneq (,$(BOARD_PRODUCT_PREBUILT_DIR))
-$(version)_mapping.cil += \
-    $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
-$(version)_mapping.ignore.cil += \
-    $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
-endif # (,$(BOARD_PRODUCT_PREBUILT_DIR))
-endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-
-# $(version)_mapping.combined.cil - a combination of the mapping file used when
-# combining the current platform policy with nonplatform policy based on the
-# $(version) policy release and also a special ignored file that exists purely for
-# these tests.
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
-$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
-$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
-	mkdir -p $(dir $@)
-	cat $^ > $@
-
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-public_cil_files := $(base_product_pub_policy.cil)
-else
-public_cil_files := $(base_plat_pub_policy.cil)
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-  $(public_cil_files) \
-  $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
-                -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-                -o $(PRIVATE_SEPOLICY_OLD)
-	$(hide) touch $@
-
-built_sepolicy_files :=
-public_cil_files :=
-$(version)_mapping.cil :=
-$(version)_mapping.combined.cil :=
-$(version)_mapping.ignore.cil :=
-built_$(version)_plat_sepolicy :=
-version :=
-version_under_treble_tests :=
diff --git a/treble_sepolicy_tests_for_release/Android.bp b/treble_sepolicy_tests_for_release/Android.bp
new file mode 100644
index 0000000..7756cbb
--- /dev/null
+++ b/treble_sepolicy_tests_for_release/Android.bp
@@ -0,0 +1,448 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    default_applicable_licenses: [
+        "Android-Apache-2.0",
+        "system_sepolicy_license",
+    ],
+}
+
+//////////////////////////////////
+// Tests for Treble compatibility of current platform policy and vendor policy of
+// given release version.
+//////////////////////////////////
+java_genrule {
+    name: "29.0_mapping.combined.cil",
+    srcs: [
+        ":plat_29.0.cil",
+        ":29.0.ignore.cil",
+    ],
+    out: ["29.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_29.0.cil) $(location :29.0.ignore.cil) > $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_29.0",
+    srcs: [
+        ":29.0_plat_policy.cil",
+        ":29.0_mapping.combined.cil",
+        ":29.0_plat_pub_policy.cil",
+    ],
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_29.0"],
+    cmd: "$(location treble_sepolicy_tests) " +
+        "-b $(location :29.0_plat_pub_policy.cil) " +
+        "-m $(location :29.0_mapping.combined.cil) " +
+        "-o $(location :29.0_plat_policy.cil) && " +
+        "touch $(out)",
+}
+
+java_genrule {
+    name: "30.0_mapping.combined.cil",
+    srcs: [
+        ":plat_30.0.cil",
+        ":30.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_30.0.cil",
+            ":system_ext_30.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_30.0.cil",
+            ":product_30.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["30.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_30.0.cil) " +
+        "$(location :30.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_30.0.cil) " +
+                "$(location :system_ext_30.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_30.0.cil) " +
+                "$(location :product_30.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_30.0",
+    srcs: [
+        ":30.0_plat_policy.cil",
+        ":30.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":30.0_plat_pub_policy.cil"],
+        (default, default): [":30.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_30.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :30.0_plat_pub_policy.cil) " +
+            "-m $(location :30.0_mapping.combined.cil) " +
+            "-o $(location :30.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :30.0_product_pub_policy.cil) " +
+            "-m $(location :30.0_mapping.combined.cil) " +
+            "-o $(location :30.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "31.0_mapping.combined.cil",
+    srcs: [
+        ":plat_31.0.cil",
+        ":31.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_31.0.cil",
+            ":system_ext_31.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_31.0.cil",
+            ":product_31.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["31.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_31.0.cil) " +
+        "$(location :31.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_31.0.cil) " +
+                "$(location :system_ext_31.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_31.0.cil) " +
+                "$(location :product_31.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_31.0",
+    srcs: [
+        ":31.0_plat_policy.cil",
+        ":31.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":31.0_plat_pub_policy.cil"],
+        (default, default): [":31.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_31.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :31.0_plat_pub_policy.cil) " +
+            "-m $(location :31.0_mapping.combined.cil) " +
+            "-o $(location :31.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :31.0_product_pub_policy.cil) " +
+            "-m $(location :31.0_mapping.combined.cil) " +
+            "-o $(location :31.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "32.0_mapping.combined.cil",
+    srcs: [
+        ":plat_32.0.cil",
+        ":32.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_32.0.cil",
+            ":system_ext_32.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_32.0.cil",
+            ":product_32.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["32.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_32.0.cil) " +
+        "$(location :32.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_32.0.cil) " +
+                "$(location :system_ext_32.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_32.0.cil) " +
+                "$(location :product_32.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_32.0",
+    srcs: [
+        ":32.0_plat_policy.cil",
+        ":32.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":32.0_plat_pub_policy.cil"],
+        (default, default): [":32.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_32.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :32.0_plat_pub_policy.cil) " +
+            "-m $(location :32.0_mapping.combined.cil) " +
+            "-o $(location :32.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :32.0_product_pub_policy.cil) " +
+            "-m $(location :32.0_mapping.combined.cil) " +
+            "-o $(location :32.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "33.0_mapping.combined.cil",
+    srcs: [
+        ":plat_33.0.cil",
+        ":33.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_33.0.cil",
+            ":system_ext_33.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_33.0.cil",
+            ":product_33.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["33.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_33.0.cil) " +
+        "$(location :33.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_33.0.cil) " +
+                "$(location :system_ext_33.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_33.0.cil) " +
+                "$(location :product_33.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_33.0",
+    srcs: [
+        ":33.0_plat_policy.cil",
+        ":33.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":33.0_plat_pub_policy.cil"],
+        (default, default): [":33.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_33.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :33.0_plat_pub_policy.cil) " +
+            "-m $(location :33.0_mapping.combined.cil) " +
+            "-o $(location :33.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :33.0_product_pub_policy.cil) " +
+            "-m $(location :33.0_mapping.combined.cil) " +
+            "-o $(location :33.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "34.0_mapping.combined.cil",
+    srcs: [
+        ":plat_34.0.cil",
+        ":34.0.ignore.cil",
+    ] + select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+        true: [
+            ":system_ext_34.0.cil",
+            ":system_ext_34.0.ignore.cil",
+        ],
+        default: [],
+    }) + select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+        true: [
+            ":product_34.0.cil",
+            ":product_34.0.ignore.cil",
+        ],
+        default: [],
+    }),
+    out: ["34.0_mapping.combined.cil"],
+    cmd: "cat $(location :plat_34.0.cil) " +
+        "$(location :34.0.ignore.cil) " +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"), {
+            true: "$(location :system_ext_34.0.cil) " +
+                "$(location :system_ext_34.0.ignore.cil) ",
+            default: "",
+        }) +
+        select(soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"), {
+            true: "$(location :product_34.0.cil) " +
+                "$(location :product_34.0.ignore.cil) ",
+            default: "",
+        }) +
+        "> $(out)",
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_34.0",
+    srcs: [
+        ":34.0_plat_policy.cil",
+        ":34.0_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":34.0_plat_pub_policy.cil"],
+        (default, default): [":34.0_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_34.0"],
+    cmd: select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :34.0_plat_pub_policy.cil) " +
+            "-m $(location :34.0_mapping.combined.cil) " +
+            "-o $(location :34.0_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :34.0_product_pub_policy.cil) " +
+            "-m $(location :34.0_mapping.combined.cil) " +
+            "-o $(location :34.0_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
+
+java_genrule {
+    name: "202404_mapping.combined.cil",
+    srcs: select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": [
+        ],
+        default: [
+            ":plat_202404.cil",
+            ":202404.ignore.cil",
+        ],
+    }) + select((
+        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+    ), {
+        ("202404", true): [],
+        ("202404", default): [],
+        (default, true): [
+            ":system_ext_202404.cil",
+            ":system_ext_202404.ignore.cil",
+        ],
+        (default, default): [],
+    }) + select((
+        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        ("202404", true): [],
+        ("202404", default): [],
+        (default, true): [
+            ":product_202404.cil",
+            ":product_202404.ignore.cil",
+        ],
+        (default, default): [],
+    }),
+    out: ["202404_mapping.combined.cil"],
+    cmd: select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+        "202404": "touch $(out)",
+        default: "cat $(in) > $(out)",
+    }),
+}
+
+java_genrule {
+    name: "treble_sepolicy_tests_202404",
+    srcs: [
+        ":202404_plat_policy.cil",
+        ":202404_mapping.combined.cil",
+    ] + select((
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        (false, false): [":202404_plat_pub_policy.cil"],
+        (default, default): [":202404_product_pub_policy.cil"],
+    }),
+    tools: ["treble_sepolicy_tests"],
+    out: ["treble_sepolicy_tests_202404"],
+    cmd: select((
+        soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"),
+        soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
+        soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
+    ), {
+        ("202404", false, false): "touch $(out)",
+        ("202404", default, default): "touch $(out)",
+        (default, false, false): "$(location treble_sepolicy_tests) " +
+            "-b $(location :202404_plat_pub_policy.cil) " +
+            "-m $(location :202404_mapping.combined.cil) " +
+            "-o $(location :202404_plat_policy.cil) && " +
+            "touch $(out)",
+        (default, default, default): "$(location treble_sepolicy_tests) " +
+            "-b $(location :202404_product_pub_policy.cil) " +
+            "-m $(location :202404_mapping.combined.cil) " +
+            "-o $(location :202404_plat_policy.cil) && " +
+            "touch $(out)",
+    }),
+}
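Review bot: The file carries no explanation of why the 29.0 pair has no prebuilt-dir `select`, why every version from 30.0 on repeats the same two-module pattern verbatim, or why the 202404 pair degrades to `touch $(out)` when `PLATFORM_SEPOLICY_VERSION` is 202404; a reader coming from the deleted .mk file, whose `filter 26.0 27.0 28.0 29.0` gate and `IS_TREBLE_TEST_ENABLED_PARTNER` logic this replaces, will not find that history here. A short block comment under the banner would help, e.g. `// 29.0 is tested against the platform public policy only (the old makefile excluded it from partner tests); later versions use the product public policy when either prebuilt dir is set; the current version has no mapping file, so its test is a no-op until the next release.` The `202404_mapping.combined.cil` rule also differs in style from the others by using `cat $(in)` instead of spelling out each `$(location ...)`; either works, but one convention keeps the file greppable.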
diff --git a/vendor/file_contexts b/vendor/file_contexts
index edd1c71..220fbd2 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,7 +14,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)?          u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.ivn@V1-(.*)-service u:object_r:hal_ivn_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[1-3]-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[0-9]+-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V[1-2]-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
@@ -22,11 +22,13 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.ranging-service\.default      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.lmp_event-service\.default    u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.socket-service\.default       u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.default u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.default u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
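Review bot: The face and fingerprint entries are changed asymmetrically: face keeps `face-service\.example` and adds `face-service\.default`, while the fingerprint line replaces `fingerprint-service\.example` with `fingerprint-service\.default`. If any vendor image still ships the `.example` fingerprint binary it no longer matches here, falls back to the generic vendor label and will not transition into hal_fingerprint_default when init starts it; if the example binary is gone, fine, but then the face `.example` row probably wants the same removal, or a one-line comment saying why it stays. I cannot tell from this diff which binary names are still built.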
@@ -81,6 +83,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service         u:object_r:hal_lowpan_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service              u:object_r:hal_macsec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service   u:object_r:mediacodec_exec:s0
+starting_at_board_api(202504, `
+    /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.mediaquality-service\.example  u:object_r:hal_mediaquality_default_exec:s0
+')
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example    u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
@@ -164,7 +169,7 @@
 /(vendor|system/vendor)/lib(64)?/android\.hardware\.common-V2-ndk\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hardware\.common\.fmq-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.allocator-V2-ndk\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V5-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V[0-9]+-ndk\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.0\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.1\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.2\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 3d608cd..b9815ec 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -8,7 +8,10 @@
 allow hal_face_default fwk_sensor_service:service_manager find;
 
 # virtual_face_hal_prop is only for debuggable builds
-userdebug_or_eng(`set_prop(hal_face_default, virtual_face_hal_prop)');
+starting_at_board_api(202504, `
+  set_prop(hal_face_default, virtual_face_prop)
+')
+
 neverallow { domain -init -dumpstate userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:file no_rw_file_perms;
 neverallow { domain -init userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:property_service set;
 
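Review bot: The rule now sets `virtual_face_prop` on every build variant, but the comment just above still says `# virtual_face_hal_prop is only for debuggable builds` and the two neverallow rules below still guard only `virtual_face_hal_prop`; nothing in this hunk constrains which domains may set the new `virtual_face_prop`. Unless the property's definition elsewhere in the change carries its own neverallow, mirror the existing pair for it, and update the comment to `# virtual_face_prop is settable by the HAL on any build at board API 202504+; virtual_face_hal_prop remains debug-only`. The same pattern appears in the hal_fingerprint_default.te hunk, which switches to `virtual_fingerprint_prop` with no visible neverallow covering it.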
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index e380ebd..0bcc26d 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -7,7 +7,9 @@
 # android.frameworks.sensorservice through libsensorndkbridge
 allow hal_fingerprint_default fwk_sensor_service:service_manager find;
 
-set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
+starting_at_board_api(202504, `
+  set_prop(hal_fingerprint_default, virtual_fingerprint_prop)
+')
 
 userdebug_or_eng(`
   # Allow fingerprint hal to read app-created pipes (to respond shell commands from test apps)
diff --git a/vendor/hal_mediaquality_default.te b/vendor/hal_mediaquality_default.te
new file mode 100644
index 0000000..8f604c4
--- /dev/null
+++ b/vendor/hal_mediaquality_default.te
@@ -0,0 +1,7 @@
+starting_at_board_api(202504, `
+    type hal_mediaquality_default, domain;
+    hal_server_domain(hal_mediaquality_default, hal_mediaquality)
+
+    type hal_mediaquality_default_exec, exec_type, vendor_file_type, file_type;
+    init_daemon_domain(hal_mediaquality_default)
+')
\ No newline at end of file
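Review bot: The new file ends without a trailing newline (`\ No newline at end of file`) and, unlike the neighbouring vendor .te files, has no header comment naming the HAL; add one such as `# Default implementation domain for the android.hardware.tv.mediaquality HAL.` and terminate the file with a newline so a later append does not land on the `')` line. The `hal_server_domain(hal_mediaquality_default, hal_mediaquality)` line relies on the `hal_mediaquality` attribute and its client-side policy being defined elsewhere in this change, which I cannot see from here.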