Merge "Allow files to be created /metadata/ota"
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index abf0085..7b81ab8 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@@ -4,3 +4,4 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index cc712ff..9c13bd5 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,4 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/crosvm u:object_r:crosvm_exec:s0
/bin/fd_server u:object_r:fd_server_exec:s0
+/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4161bb3..aea8e09 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -456,6 +456,9 @@
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
+
+ // List of domains that are allowed to be in permissive mode on user builds.
+ Permissive_domains_on_user_builds []string
}
type policyBinary struct {
@@ -512,11 +515,19 @@
// permissive check is performed only in user build (not debuggable).
if !ctx.Config().Debuggable() {
permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
- rule.Command().BuiltTool("sepolicy-analyze").
+ cmd := rule.Command().BuiltTool("sepolicy-analyze").
Input(bin).
- Text("permissive").
- Text(" > ").
- Output(permissiveDomains)
+ Text("permissive")
+ // Filter-out domains listed in permissive_domains_on_user_builds
+ allowedDomains := c.properties.Permissive_domains_on_user_builds
+ if len(allowedDomains) != 0 {
+ cmd.Text("| { grep -Fxv")
+ for _, d := range allowedDomains {
+ cmd.FlagWithArg("-e ", proptools.ShellEscape(d))
+ }
+ cmd.Text(" || true; }") // no match doesn't fail the cmd
+ }
+ cmd.Text(" > ").Output(permissiveDomains)
rule.Temporary(permissiveDomains)
msg := `==========\n` +
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 463a978..6a971da 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -247,11 +247,21 @@
rule := android.NewRuleBuilder(pctx, ctx)
+ newlineFile := android.PathForModuleGen(ctx, "newline")
+
+ rule.Command().Text("echo").FlagWithOutput("> ", newlineFile)
+ rule.Temporary(newlineFile)
+
+ var inputsWithNewline android.Paths
+ for _, input := range inputs {
+ inputsWithNewline = append(inputsWithNewline, input, newlineFile)
+ }
+
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
- Inputs(inputs).
+ Inputs(inputsWithNewline).
FlagWithOutput("> ", builtContext)
if proptools.Bool(m.properties.Remove_comment) {
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 1bb6eb6..f13c23c 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -25,10 +25,19 @@
ServiceFuzzerBindings = map[string][]string{
"android.hardware.audio.core.IConfig/default": EXCEPTION_NO_FUZZER,
"android.hardware.audio.core.IModule/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/a2dp": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/bluetooth": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/hearing_aid": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/msd": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/r_submix": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/stub": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.core.IModule/usb": EXCEPTION_NO_FUZZER,
"android.hardware.audio.effect.IFactory/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.audio.sounddose.ISoundDoseFactory/default": EXCEPTION_NO_FUZZER,
"android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
"android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.can.ICanController/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/hw/1": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.remoteaccess.IRemoteAccess/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
@@ -39,6 +48,7 @@
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
"android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
@@ -80,13 +90,25 @@
"android.hardware.radio.network.IRadioNetwork/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.network.IRadioNetwork/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.network.IRadioNetwork/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.satellite.IRadioSatellite/slot3": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sap.ISap/slot3": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot3": EXCEPTION_NO_FUZZER,
"android.hardware.rebootescrow.IRebootEscrow/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE1": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE2": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/eSE3": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
+ "android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
@@ -95,8 +117,9 @@
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
"android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
- "android.hardware.tv.hdmi.IHdmi/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.input.ITvInput/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.tuner.ITuner/default": EXCEPTION_NO_FUZZER,
"android.hardware.usb.IUsb/default": EXCEPTION_NO_FUZZER,
@@ -108,6 +131,7 @@
"android.hardware.wifi.IWifi/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
"android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
@@ -230,6 +254,7 @@
"game": EXCEPTION_NO_FUZZER,
"gfxinfo": EXCEPTION_NO_FUZZER,
"gnss_time_update_service": EXCEPTION_NO_FUZZER,
+ "grammatical_inflection": EXCEPTION_NO_FUZZER,
"graphicsstats": EXCEPTION_NO_FUZZER,
"gpu": EXCEPTION_NO_FUZZER,
"hardware": EXCEPTION_NO_FUZZER,
@@ -335,6 +360,7 @@
"rcs": EXCEPTION_NO_FUZZER,
"reboot_readiness": EXCEPTION_NO_FUZZER,
"recovery": EXCEPTION_NO_FUZZER,
+ "remote_provisioning": EXCEPTION_NO_FUZZER,
"resolver": EXCEPTION_NO_FUZZER,
"resources": EXCEPTION_NO_FUZZER,
"restrictions": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index d1dcff0..12bb8f7 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -241,6 +241,11 @@
":microdroid_vendor_sepolicy.cil",
],
installable: false,
+
+ // b/259729287. In Microdroid, su is allowed to be in permissive mode.
+ // This is to support fully debuggable VMs on user builds. This is safe
+ // because we don't start adbd at all on non-debuggable VMs.
+ permissive_domains_on_user_builds: ["su"],
}
genrule {
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index ed74ddd..9a50f67 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -4,10 +4,12 @@
domain_auto_trans(adbd, shell_exec, shell)
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
+# Allow adbd to transition to su. In Android, this is disallowed in user builds.
+# However, Microdroid allows it even in user builds because apps should be able
+# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
+# non debuggable VMs are done by not starting adbd at all using sysprops.
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
@@ -55,3 +57,6 @@
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
+
+# only adbd can transition to su.
+neverallow {domain -adbd} su:process { transition dyntransition };
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 04a9859..13e359a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -233,6 +233,9 @@
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;
@@ -323,6 +326,7 @@
# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
+ -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-shell # For CTS, restricted to just getattr in shell.te
-ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
@@ -383,9 +387,9 @@
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
-neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
+neverallow * { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set
{ create relabelfrom relabelto append link rename };
-neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
+neverallow domain { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set { write unlink };
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
@@ -418,11 +422,6 @@
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
neverallow { domain -init } proc:{ file dir } mounton;
# Ensure that all types assigned to processes are included
@@ -555,3 +554,6 @@
# These domains must not be crash dumped
neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
+
+# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
+neverallow domain encryptedstore_file:file no_x_file_perms;
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 522f090..5fa2e3a 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -31,11 +31,12 @@
allow encryptedstore sysfs_fs_ext4_features:dir search;
allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
-# encryptedstore to mount on /mnt/ directory
+# encryptedstore to mount on tmpfs bases directory (/mnt/)
allow encryptedstore tmpfs:dir { add_name create mounton write };
-# Unmount and mount filesystem
-allow encryptedstore labeledfs:filesystem { mount unmount };
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+allow encryptedstore labeledfs:filesystem { relabelfrom };
+allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index b94571d..6f037a3 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@
allow cgroup_rc_file tmpfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow dev_type tmpfs:filesystem associate;
+allow encryptedstore_file encryptedstore_fs:filesystem associate;
allow extra_apk_file zipfusefs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
@@ -20,3 +21,9 @@
# /system/bin/mke2fs - used to format encryptedstore block device
type e2fs_exec, system_file_type, exec_type, file_type;
+
+type encryptedstore_file, file_type;
+type encryptedstore_fs, fs_type, contextmount_type;
+
+# Filesystem entry for for PRNG seeder socket.
+type prng_seeder_socket, file_type, coredomain_socket;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index ae9b095..8d9ad85 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -66,6 +66,7 @@
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
@@ -120,6 +121,7 @@
/system/bin/encryptedstore u:object_r:encryptedstore_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/kexec_load u:object_r:kexec_exec:s0
+/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
@@ -167,3 +169,7 @@
#############################
# Directory for extra apks
/mnt/extra-apk u:object_r:extra_apk_file:s0
+
+#############################
+# Directory for encrypted storage (persistent across boot)
+/mnt/encryptedstore u:object_r:encryptedstore_file:s0
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 40decfe..ce28471 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -42,7 +42,6 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 283775e..5ad30e5 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,6 @@
set_prop(init, property_type)
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 8765f75..a5b71f0 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -31,6 +31,9 @@
allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
allow microdroid_manager self:global_capability_class_set sys_admin;
+# Allow microdroid_manager to remove capabilities from it's capability bounding set.
+allow microdroid_manager self:global_capability_class_set setpcap;
+
# Allow microdroid_manager to start payload tasks
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
@@ -82,6 +85,12 @@
# Allow microdroid_manager to pass the roothash to apkdmverity
set_prop(microdroid_manager, microdroid_manager_roothash_prop)
+# Allow microdroid_manager to set sysprops calculated from the payload config
+set_prop(microdroid_manager, microdroid_config_prop)
+
+# Allow microdroid_manager to set sysprops related to microdroid_lifecycle (ex. init_done)
+set_prop(microdroid_manager, microdroid_lifecycle_prop)
+
# Allow microdroid_manager to shutdown the device when verification fails
set_prop(microdroid_manager, powerctl_prop)
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 309210c..c1974c7 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -36,7 +36,6 @@
create listen accept read getattr write setattr lock append bind
getopt setopt shutdown map
};
-neverallow microdroid_payload self:vsock_socket connect;
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
@@ -56,3 +55,10 @@
# Allow payload to communicate with microdroid manager
unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
+
+# Payload can read, write into encrypted storage directory
+allow microdroid_payload encryptedstore_file:dir create_dir_perms;
+allow microdroid_payload encryptedstore_file:file create_file_perms;
+
+# Never allow microdroid_payload to connect to vsock
+neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
index 1b2fd41..8e783cb 100644
--- a/microdroid/system/private/net.te
+++ b/microdroid/system/private/net.te
@@ -2,15 +2,3 @@
type node, node_type;
type netif, netif_type;
type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/prng_seeder.te b/microdroid/system/private/prng_seeder.te
new file mode 100644
index 0000000..ab4e275
--- /dev/null
+++ b/microdroid/system/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+type prng_seeder, domain, coredomain;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# prng_seeder is using bootstrap bionic
+use_bootstrap_libs(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index a02a7f2..d983775 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -39,3 +39,16 @@
domain
-init
} apexd_payload_metadata_prop:property_service set;
+
+# Only microdroid_manager and init can set the microdroid_config_prop sysprops
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
+
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+} {microdroid_config_prop microdroid_lifecycle_prop}:file no_rw_file_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index c8d3c01..0d5786c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,7 +1,6 @@
# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed as
-# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
-# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
+# microdroid uses far fewer properties than normal Android, so almost
+# every property is listed as an exact entry.
debug. u:object_r:debug_prop:s0 prefix
persist.debug. u:object_r:debug_prop:s0 prefix
@@ -85,7 +84,6 @@
ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
@@ -120,6 +118,12 @@
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
+microdroid_manager.extra_apk.mounted. u:object_r:microdroid_manager_zipfuse_prop:s0 prefix bool
+
+microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
+
+microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 1196262..533b328 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -1,9 +1,4 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
+typeattribute su coredomain;
- domain_auto_trans(shell, su_exec, su)
-
- # su is also permissive to permit setenforce.
- permissive su;
-
-')
+# su is also permissive to permit setenforce.
+permissive su;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 419caa1..61bf8fb 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -120,9 +120,6 @@
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
-# All domains used for apps with network access.
-attribute netdomain;
-
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5616160..fe269d7 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -89,7 +89,6 @@
type proc_drop_caches, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 5008bc7..a2c3b77 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -40,6 +40,8 @@
type log_tag_prop, property_type;
type microdroid_manager_roothash_prop, property_type;
type microdroid_manager_zipfuse_prop, property_type;
+type microdroid_config_prop, property_type;
+type microdroid_lifecycle_prop, property_type;
type property_service_version_prop, property_type;
type shell_prop, property_type;
type timezone_prop, property_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index bde9cd9..0bcb29d 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,9 +2,6 @@
type shell, domain;
type shell_exec, system_file_type, exec_type, file_type;
-# Create and use network sockets.
-net_domain(shell)
-
# Root fs.
allow shell rootfs:dir r_dir_perms;
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index dbb3158..5f41e37 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -2,43 +2,36 @@
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
+# that adb root works on debuggable VMs even for user builds.
type su, domain;
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- # Add su to various domains
- net_domain(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su self:capability2 *;
- dontaudit su kernel:security *;
- dontaudit su { kernel file_type }:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:{ process process2 } *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su domain:bpf *;
- dontaudit su unlabeled:vsock_socket *;
- dontaudit su self:perf_event *;
-')
+# Add su to various domains
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index b5aa501..767bfe3 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
proc_watermark_scale_factor
prng_seeder
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 4eda4a1..db71be4 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -347,6 +347,11 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+# spatializer tuning
+audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.util_clamp_min u:object_r:audio_config_prop:s0 exact int
+
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 8a7947d..6d3bc78 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -396,6 +396,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 8d3e556..05a7317 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,9 +113,6 @@
sysfs_zram
}:file r_file_perms;
-# Ignore other file access under /sys.
-dontaudit dumpstate sysfs:file r_file_perms;
-
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_audio.te b/prebuilts/api/33.0/public/hal_audio.te
index 52caa00..aabc884 100644
--- a/prebuilts/api/33.0/public/hal_audio.te
+++ b/prebuilts/api/33.0/public/hal_audio.te
@@ -23,6 +23,9 @@
# Needed to allow sound trigger hal to access shared memory from apps.
allow hal_audio_server appdomain:fd use;
+# allow self to set scheduler (and allows Binder RT PI)
+allow hal_audio_server self:global_capability_class_set sys_nice;
+
# allow hal audio to use vnbinder
vndbinder_use(hal_audio)
diff --git a/private/app.te b/private/app.te
index ae8b206..8838782 100644
--- a/private/app.te
+++ b/private/app.te
@@ -95,8 +95,9 @@
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
+# Exception for virtualizationmanager to allow running VMs as child processes.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain -crash_dump -rs }:process { transition };
+ { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
diff --git a/private/artd.te b/private/artd.te
index 63045af..c887258 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -29,12 +29,21 @@
# Allow testing userfaultfd support.
userfaultfd_use(artd)
-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
r_dir_file(artd, apk_data_file)
-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
@@ -62,8 +71,9 @@
# profile files to the system or apps.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
-# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
-allow artd user_profile_root_file:dir { getattr search };
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
+# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
+allow artd user_profile_root_file:dir r_dir_perms;
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
@@ -73,6 +83,38 @@
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
+# Allow symlinks for secondary dex files. This has be to restricted because
+# symlinks can cause various security issues. We allow "privapp_data_file" just
+# for GMS because so far we only see GMS using symlinks.
+allow artd privapp_data_file:lnk_file { getattr read };
+
+# Read access to SELinux context files, for restorecon.
+allow artd file_contexts_file:file r_file_perms;
+allow artd seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(artd)
+
+# Allow scanning /, for cleaning up obsolete managed files.
+allow artd rootfs:dir r_dir_perms;
+
+# Allow scanning /data, for cleaning up obsolete managed files.
+allow artd system_data_root_file:dir r_dir_perms;
+
+# Allow scanning /mnt, for cleaning up obsolete managed files.
+allow artd tmpfs:dir r_dir_perms;
+
+# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
+allow artd mnt_expand_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
+# up obsolete managed files.
+allow artd system_userdir_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
+# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
+allow artd system_data_file:dir r_dir_perms;
+
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7c009ec..6bdc259 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,6 +18,8 @@
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
+allow bpfloader proc_bpf:file w_file_perms;
+
set_prop(bpfloader, bpf_progs_loaded_prop)
allow bpfloader bpfloader_exec:file execute_no_trans;
@@ -26,28 +28,30 @@
### Neverallow rules
###
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+# Note: we don't care about getattr/mounton/search
+neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
-neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
-# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
-neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
+neverallow { domain -bpfloader } fs_bpf_loader:file read;
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file *;
+
neverallow {
domain
-bpfloader
@@ -62,13 +66,11 @@
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
-# this should perhaps be moved to the bpfloader binary itself. Allow both.
-neverallow { domain -bpfloader -init } proc_bpf:file write;
+neverallow { domain -bpfloader } proc_bpf:file write;
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 9ba60ac..5673ccd 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -5,3 +5,6 @@
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
hal_client_domain(canhalconfigurator, hal_can_controller)
+
+binder_use(canhalconfigurator)
+binder_call(hal_can_controller, canhalconfigurator)
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 50e3be7..d810e0a 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
mdns_service
nearby_service
persist_wm_debug_prop
+ prng_seeder
proc_watermark_boost_factor
remotelyprovisionedkeypool_service
resources_manager_service
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 849be82..2f8887b 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2116,7 +2116,7 @@
(typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
(typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
(typeattributeset proc_filesystems_33_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_33_0 (proc_fs_verity))
+(typeattributeset proc_fs_verity_33_0 (proc))
(typeattributeset proc_hostname_33_0 (proc_hostname))
(typeattributeset proc_hung_task_33_0 (proc_hung_task))
(typeattributeset proc_interrupts_33_0 (proc_interrupts))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3750e7d..11bff79 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -9,18 +9,24 @@
apex_ready_prop
artd
credential_service
+ device_config_camera_native_prop
device_config_memory_safety_native_prop
device_config_vendor_system_native_prop
devicelock_service
+ fwk_camera_service
fwk_sensor_service
+ grammatical_inflection_service
+ hal_bluetooth_service
hal_bootctl_service
hal_cas_service
hal_remoteaccess_service
+ hal_secure_element_service
hal_thermal_service
hal_usb_gadget_service
hal_tv_input_service
- hal_tv_hdmi_service
hal_tv_hdmi_cec_service
+ hal_tv_hdmi_connection_service
+ hal_tv_hdmi_earc_service
hal_wifi_service
healthconnect_service
hypervisor_restricted_prop
@@ -28,6 +34,7 @@
ntfs
permissive_mte_prop
prng_seeder
+ remote_provisioning_service
rkpdapp
servicemanager_prop
system_net_netd_service
@@ -40,4 +47,5 @@
hal_broadcastradio_service
hal_confirmationui_service
hal_fastboot_service
+ hal_can_controller_service
))
diff --git a/private/coredomain.te b/private/coredomain.te
index c041ca3..55f715d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -92,6 +92,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
@@ -110,6 +111,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
diff --git a/private/crosvm.te b/private/crosvm.te
index 9c45131..c682bb5 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,10 +14,10 @@
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
+allow crosvm virtualizationmanager:fd use;
# Allow sending VirtualizationService the failure reason from the VM via pipe.
-allow crosvm virtualizationservice:fifo_file write;
+allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -36,11 +36,20 @@
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
+# Allow crosvm to mlock guest memory.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
+
+# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
+userdebug_or_eng(`
+ allow crosvm shell_data_file:dir search;
+ allow crosvm shell_data_file:file open;
+')
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
@@ -104,9 +113,9 @@
-shell_data_file
}:file read;
-# Only virtualizationservice can run crosvm
+# Only virtualizationmanager can run crosvm
neverallow {
domain
-crosvm
- -virtualizationservice
+ -virtualizationmanager
} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 9de23ba..e0ba975 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2,7 +2,9 @@
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
+# We exempt crosvm because parts of its memory are inaccessible to the
+# kernel. TODO(b/238324526): Remove this.
+domain_auto_trans({ domain userdebug_or_eng(`-su') -crosvm }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
@@ -288,7 +290,7 @@
-apexd
-installd
-priv_app
- -virtualizationservice
+ -virtualizationmanager
} staging_data_file:dir *;
neverallow {
domain
@@ -301,7 +303,7 @@
-installd
-priv_app
-shell
- -virtualizationservice
+ -virtualizationmanager
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
@@ -650,7 +652,7 @@
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
-# Restrict write access to shell owned files. The /data/local/tmp directory is
+# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
@@ -669,6 +671,51 @@
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
+neverallow {
+ domain
+ -adbd
+ -artd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -artd
+ -dumpstate
+ -init
+ -installd
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir open;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -artd
+ -dumpstate
+ -init
+ -installd
+ -simpleperf_app_runner
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-crosvm')
+} shell_data_file:dir search;
+
# respect system_app sandboxes
neverallow {
domain
diff --git a/private/dumpstate.te b/private/dumpstate.te
index ee59cb7..fe442b3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -30,6 +30,9 @@
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
+# Kill incident in case of a timeout
+allow dumpstate incident:process { signal sigkill };
+
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
diff --git a/private/file.te b/private/file.te
index 60e2274..e33469f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,7 @@
type fs_bpf_net_shared, fs_type, bpffs_type;
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
+type fs_bpf_loader, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -90,7 +91,9 @@
type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
# /data/misc/virtualizationservice
-type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# virtualizationmanager, which runs at a more constrained MLS level.
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
@@ -99,7 +102,9 @@
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
# /dev/kvm
-type kvm_device, dev_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# crosvm, which runs at a more constrained MLS level.
+type kvm_device, dev_type, mlstrustedobject;
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 72fae62..632e069 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -223,7 +223,7 @@
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
+/system/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index a26726d..0cc450d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -28,6 +28,7 @@
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
set_prop(flags_health_check, device_config_memory_safety_native_prop)
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
+set_prop(flags_health_check, device_config_camera_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index e069233..2e5089c 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -11,9 +11,6 @@
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 29d8561..6fa98ea 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -43,7 +43,6 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
@@ -395,7 +394,9 @@
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /loader u:object_r:fs_bpf_loader:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
diff --git a/private/network_stack.te b/private/network_stack.te
index 3cdf884..dfee019 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -75,44 +75,27 @@
# This place is as good as any for these rules,
# and it is probably the most appropriate because
# network_stack itself is entirely mainline code.
-#
-# Unfortunately init/vendor_init have all sorts of extra privs
# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;
# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
-
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *;
# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
# netd's access should be readonly
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *;
neverallow netd fs_bpf_netd_readonly:file write;
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
-
# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
# netutils_wrapper requires access to be able to run iptables and only needs readonly access
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *;
neverallow netutils_wrapper fs_bpf_netd_shared:file write;
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
-
# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *;
diff --git a/private/property.te b/private/property.te
index cac04d3..dee6369 100644
--- a/private/property.te
+++ b/private/property.te
@@ -432,6 +432,7 @@
-init
-shell
-system_app
+ -system_server
-mtectrl
} {
arm64_memtag_prop
diff --git a/private/property_contexts b/private/property_contexts
index 823fa2f..f208e52 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -247,6 +247,7 @@
device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+persist.device_config.camera_native. u:object_r:device_config_camera_native_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
@@ -321,6 +322,8 @@
ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -360,6 +363,11 @@
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
+# spatializer tuning
+audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.util_clamp_min u:object_r:audio_config_prop:s0 exact int
+
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
@@ -377,6 +385,7 @@
camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+camera.enable_landscape_to_portrait u:object_r:camera_config_prop:s0 exact bool
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
@@ -465,7 +474,6 @@
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -504,6 +512,7 @@
bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.gap.le.conn.min.limit u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.core.gap.le.conn.only_init_1m_phy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -639,6 +648,7 @@
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 535f324..21f9b0c 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -5,6 +5,7 @@
typeattribute rkpdapp coredomain;
app_domain(rkpdapp)
+net_domain(rkpdapp)
# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
@@ -15,6 +16,10 @@
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;
+# Grant access to media.metrics service, needed for widevine. This
+# access is granted to all other apps already (e.g. untrusted_app_all).
+allow rkpdapp mediametrics_service:service_manager find;
+
# Grant access to statsd
allow rkpdapp statsmanager_service:service_manager find;
binder_call(rkpdapp, statsd)
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 12310d2..a0e77a2 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -213,6 +213,10 @@
allow sdk_sandbox system_linker_exec:file execute_no_trans;
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox shell_data_file:file r_file_perms;
+allow sdk_sandbox shell_data_file:dir r_dir_perms;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 81563a5..d3f065b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -165,6 +165,7 @@
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 562e3d4..a144db1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,11 +1,22 @@
+android.frameworks.cameraservice.service.ICameraService/default u:object_r:fwk_camera_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
+# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/a2dp u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/bluetooth u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/hearing_aid u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/msd u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/r_submix u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/stub u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/usb u:object_r:hal_audio_service:s0
android.hardware.audio.effect.IFactory/default u:object_r:hal_audio_service:s0
+android.hardware.audio.sounddose.ISoundDoseFactory/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
+android.hardware.automotive.can.ICanController/default u:object_r:hal_can_controller_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
@@ -13,6 +24,7 @@
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
@@ -58,9 +70,15 @@
android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot3 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot3 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
@@ -74,8 +92,9 @@
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
-android.hardware.tv.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
-android.hardware.tv.hdmi.IHdmi/default u:object_r:hal_tv_hdmi_service:s0
+android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
+android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
+android.hardware.tv.hdmi.earc.IEArc/default u:object_r:hal_tv_hdmi_earc_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
@@ -88,6 +107,12 @@
android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
android.se.omapi.ISecureElementService/default u:object_r:secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE1 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE2 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE3 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
@@ -208,6 +233,7 @@
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
gnss_time_update_service u:object_r:gnss_time_update_service:s0
+grammatical_inflection u:object_r:grammatical_inflection_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
@@ -313,6 +339,7 @@
rcs u:object_r:radio_service:s0
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+remote_provisioning u:object_r:remote_provisioning_service:s0
resolver u:object_r:resolver_service:s0
resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
diff --git a/private/su.te b/private/su.te
index 2496473..cc00e10 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,6 +19,9 @@
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
+ # Put the virtmgr command into its domain.
+ domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/system_server.te b/private/system_server.te
index 3a7dd8a..53acab0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
@@ -330,8 +331,9 @@
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_hdmi)
hal_client_domain(system_server, hal_tv_hdmi_cec)
+hal_client_domain(system_server, hal_tv_hdmi_connection)
+hal_client_domain(system_server, hal_tv_hdmi_earc)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
@@ -743,6 +745,7 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_camera_native_prop)
set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
@@ -760,6 +763,7 @@
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
+set_prop(system_server, arm64_memtag_prop)
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -1084,7 +1088,7 @@
allow system_server toolbox_exec:file rx_file_perms;
# Allow system process to setup fs-verity
-allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
# Allow system process to measure fs-verity for apps, apps being installed and system files
allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
@@ -1180,8 +1184,9 @@
# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able create files but it should never read from them.
+# It also needs to stat the directory to check if it has the right permissions.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
-allow system_server profman_dump_data_file:dir w_dir_perms;
+allow system_server profman_dump_data_file:dir rw_dir_perms;
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
diff --git a/private/system_suspend.te b/private/system_suspend.te
index d924187..bef7c6d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -29,6 +29,14 @@
allow system_suspend dumpstate:fd use;
allow system_suspend dumpstate:fifo_file write;
+# Allow init to take kernel wakelock and system suspend to
+# remove kenel wakelocks and the capability to access these
+# files
+allow init sysfs_wake_lock:file rw_file_perms;
+allow init self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+allow system_suspend self:global_capability2_class_set block_suspend;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
new file mode 100644
index 0000000..4cd32b7
--- /dev/null
+++ b/private/virtualizationmanager.te
@@ -0,0 +1,77 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+
+type virtualizationmanager, domain, coredomain;
+type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+
+# Allow virtualizationmanager to communicate use, read and write over the adb connection.
+allow virtualizationmanager adbd:fd use;
+allow virtualizationmanager adbd:unix_stream_socket { read write };
+
+# Let the virtualizationmanager domain use Binder.
+binder_use(virtualizationmanager)
+
+# Let virtualizationmanager find and communicate with virtualizationservice.
+allow virtualizationmanager virtualization_service:service_manager find;
+binder_call(virtualizationmanager, virtualizationservice)
+
+# Allow calling into the system server to find native services. "permission_service" to check
+# permissions, and "package_native" for staged apex info.
+binder_call(virtualizationmanager, system_server)
+allow virtualizationmanager { package_native_service permission_service }:service_manager find;
+
+# When virtualizationmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationmanager, crosvm_exec, crosvm)
+
+# Let virtualizationmanager kill crosvm.
+allow virtualizationmanager crosvm:process sigkill;
+
+# Let virtualizationmanager create files inside virtualizationservice's temporary directories.
+allow virtualizationmanager virtualizationservice_data_file:dir rw_dir_perms;
+allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } create_file_perms;
+
+# Let virtualizationmanager read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationmanager apk_data_file:file { getattr read };
+
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationmanager {
+ app_data_file
+ apex_compos_data_file
+ privapp_data_file
+}:file { getattr read write };
+
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationmanager shell_data_file:file { getattr read write };
+
+# Allow virtualizationmanager to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationmanager apex_info_file:file r_file_perms;
+allow virtualizationmanager apex_data_file:dir search;
+allow virtualizationmanager staging_data_file:file r_file_perms;
+allow virtualizationmanager staging_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow virtualizationmanager derive_classpath_exec:file rx_file_perms;
+allow virtualizationmanager apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationmanager self:dir write;
+
+# Let virtualizationmanager to accept vsock connection from the guest VMs
+allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationmanager to inspect all hypervisor capabilities.
+get_prop(virtualizationmanager, hypervisor_prop)
+get_prop(virtualizationmanager, hypervisor_restricted_prop)
+
+# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
+unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
+
+# Append ramdumps to tombstone files passed as fds from tombstoned
+allow virtualizationmanager tombstone_data_file:file { append getattr };
+allow virtualizationmanager tombstoned:fd use;
+
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationmanager, crosvm);
+
+# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
+# a harmless denial for CompOS log files, so ignore that.
+dontaudit virtualizationmanager apex_module_data_file:dir search;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 883ff56..28982bc 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -1,80 +1,45 @@
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;
+# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
+# the virtualizationmanager domain running at a more constrained MLS level.
+typeattribute virtualizationservice mlstrustedsubject;
+
# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)
# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)
-# ... and host a binder service
-binder_service(virtualizationservice)
-
-# Allow calling into the system server so that it can check permissions.
-binder_call(virtualizationservice, system_server)
-allow virtualizationservice permission_service:service_manager find;
-# Allow virtualizationservice to access "package_native" service for staged apex info.
-allow virtualizationservice package_native_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-
-# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
+# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
+allow virtualizationservice virtualizationmanager:process setrlimit;
-# Let virtualizationservice kill crosvm.
-allow virtualizationservice crosvm:process sigkill;
+# Let virtualizationservice set the owner of a VM's temporary directory.
+allow virtualizationservice self:capability chown;
-# Let virtualizationservice access its data directory.
-allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+# Let virtualizationservice create and delete temporary directories of VMs. To remove old
+# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-
-# Let virtualizationservice manage crosvm control sockets.
-allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
-# Let virtualizationservice read and write files from its various clients, but not open them
-# directly as they must be passed over Binder by the client.
-allow virtualizationservice apk_data_file:file { getattr read };
-# Write access is needed for mutable partitions like instance.img
-allow virtualizationservice {
- app_data_file
- apex_compos_data_file
- privapp_data_file
-}:file { getattr read write };
-
-# shell_data_file is used for automated tests and manual debugging.
-allow virtualizationservice shell_data_file:file { getattr read write };
-
-# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
-allow virtualizationservice apex_info_file:file r_file_perms;
-allow virtualizationservice apex_data_file:dir search;
-allow virtualizationservice staging_data_file:file r_file_perms;
-allow virtualizationservice staging_data_file:dir search;
-
-# Run derive_classpath in our domain
-allow virtualizationservice derive_classpath_exec:file rx_file_perms;
-allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
-# Ignore harmless denials on /proc/self/fd
-dontaudit virtualizationservice self:dir write;
-
-# Let virtualizationservice to accept vsock connection from the guest VMs
+# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
-# Allow virtualizationservice to inspect all hypervisor capabilities.
-get_prop(virtualizationservice, hypervisor_prop)
-get_prop(virtualizationservice, hypervisor_restricted_prop)
-
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
@@ -85,9 +50,6 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
-# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
-r_dir_file(virtualizationservice, crosvm);
-
neverallow {
domain
-init
@@ -97,5 +59,12 @@
neverallow {
domain
-init
+ -virtualizationmanager
-virtualizationservice
} virtualizationservice_data_file:file { open create };
+
+neverallow virtualizationservice {
+ domain
+ -virtualizationmanager
+ -virtualizationservice
+}:process setrlimit;
diff --git a/public/attributes b/public/attributes
index ae610e6..5509813 100644
--- a/public/attributes
+++ b/public/attributes
@@ -370,8 +370,9 @@
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(tv_cec);
-hal_attribute(tv_hdmi);
hal_attribute(tv_hdmi_cec);
+hal_attribute(tv_hdmi_connection);
+hal_attribute(tv_hdmi_earc);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
@@ -399,6 +400,7 @@
attribute camera_service_server;
attribute display_service_server;
attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d41339a..c88e3f0 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -19,6 +19,7 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+add_service(cameraserver, fwk_camera_service)
add_hwservice(cameraserver, fwk_camera_hwservice)
allow cameraserver activity_service:service_manager find;
diff --git a/public/domain.te b/public/domain.te
index 217738d..79e62d0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -582,6 +582,7 @@
-e2fs
-fsck
-fastbootd
+ -hal_fastboot_server
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
@@ -1100,6 +1101,7 @@
neverallow {
domain
-appdomain
+ -artd
-installd
} { app_data_file privapp_data_file }:lnk_file read;
@@ -1110,37 +1112,6 @@
-installd
} shell_data_file:lnk_file read;
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-# artd doesn't need to access /data/local/tmp, but it needs to access
-# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
-# dex files.
-neverallow {
- domain
- -adbd
- -artd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -artd
- -dumpstate
- -init
- -installd
- -simpleperf_app_runner
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c0af235..6b112dc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -150,6 +150,7 @@
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_authsecret)
+dump_hal(hal_bluetooth)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 52caa00..aabc884 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,6 +23,9 @@
# Needed to allow sound trigger hal to access shared memory from apps.
allow hal_audio_server appdomain:fd use;
+# allow self to set scheduler (and allows Binder RT PI)
+allow hal_audio_server self:global_capability_class_set sys_nice;
+
# allow hal audio to use vnbinder
vndbinder_use(hal_audio)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 97177ba..53bbef2 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,8 +1,10 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_bluetooth_client, hal_bluetooth_server)
binder_call(hal_bluetooth_server, hal_bluetooth_client)
+binder_call(hal_bluetooth_server, servicemanager)
hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+hal_attribute_service(hal_bluetooth, hal_bluetooth_service)
wakelock_use(hal_bluetooth);
diff --git a/public/hal_can.te b/public/hal_can.te
index 959d1d9..d48c43f 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,7 @@
binder_call(hal_can_bus_client, hal_can_bus_server)
binder_call(hal_can_bus_server, hal_can_bus_client)
hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
+
+# AIDL HAL for CAN buses (ICanController)
+hal_attribute_service(hal_can_controller, hal_can_controller_service)
+binder_use(hal_can_controller)
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
index 3724d35..8d3e15c 100644
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -3,3 +3,8 @@
binder_call(hal_secure_element_server, hal_secure_element_client)
hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
+hal_attribute_service(hal_secure_element, hal_secure_element_service)
+
+binder_use(hal_secure_element_server)
+
+allow hal_secure_element_client hal_secure_element_service:service_manager find;
diff --git a/public/hal_tv_hdmi.te b/public/hal_tv_hdmi.te
deleted file mode 100644
index 8e91aa2..0000000
--- a/public/hal_tv_hdmi.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Binder IPC from clients into server, and callbacks
-binder_call(hal_tv_hdmi_client, hal_tv_hdmi_server)
-binder_call(hal_tv_hdmi_server, hal_tv_hdmi_client)
-binder_call(hal_tv_hdmi_client, servicemanager)
-binder_call(hal_tv_hdmi_server, servicemanager)
-
-hal_attribute_service(hal_tv_hdmi, hal_tv_hdmi_service)
diff --git a/public/hal_tv_hdmi_cec.te b/public/hal_tv_hdmi_cec.te
index 1b75676..eb01b67 100644
--- a/public/hal_tv_hdmi_cec.te
+++ b/public/hal_tv_hdmi_cec.te
@@ -1,7 +1,7 @@
# Binder IPC from clients into server, and callbacks
binder_call(hal_tv_hdmi_cec_client, hal_tv_hdmi_cec_server)
binder_call(hal_tv_hdmi_cec_server, hal_tv_hdmi_cec_client)
-binder_call(hal_tv_hdmi_cec_client, servicemanager)
-binder_call(hal_tv_hdmi_cec_server, servicemanager)
+binder_use(hal_tv_hdmi_cec_client)
+binder_use(hal_tv_hdmi_cec_server)
hal_attribute_service(hal_tv_hdmi_cec, hal_tv_hdmi_cec_service)
diff --git a/public/hal_tv_hdmi_connection.te b/public/hal_tv_hdmi_connection.te
new file mode 100644
index 0000000..f6de27d
--- /dev/null
+++ b/public/hal_tv_hdmi_connection.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_connection_client, hal_tv_hdmi_connection_server)
+binder_call(hal_tv_hdmi_connection_server, hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_server)
+
+hal_attribute_service(hal_tv_hdmi_connection, hal_tv_hdmi_connection_service)
diff --git a/public/hal_tv_hdmi_earc.te b/public/hal_tv_hdmi_earc.te
new file mode 100644
index 0000000..2d76fc6
--- /dev/null
+++ b/public/hal_tv_hdmi_earc.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_earc_client, hal_tv_hdmi_earc_server)
+binder_call(hal_tv_hdmi_earc_server, hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_server)
+
+hal_attribute_service(hal_tv_hdmi_earc, hal_tv_hdmi_earc_service)
diff --git a/public/init.te b/public/init.te
index d99172f..a399b3a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -199,6 +199,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-exec_type
-misc_logd_file
-nativetest_data_file
@@ -212,6 +213,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-credstore_data_file
-exec_type
-keystore_data_file
@@ -233,6 +235,7 @@
file_type
-apex_info_file
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -259,6 +262,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -278,6 +282,7 @@
file_type
-apex_mnt_dir
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -297,6 +302,7 @@
allow init {
file_type
+ -bpffs_type
-system_dlkm_file_type
-system_file_type
-vendor_file_type
@@ -321,6 +327,7 @@
# chown/chmod on pseudo files.
allow init {
fs_type
+ -bpffs_type
-contextmount_type
-keychord_device
-proc_type
@@ -330,7 +337,14 @@
-rootfs
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
+allow init {
+ fs_type
+ -bpffs_type
+ -contextmount_type
+ -sdcard_type
+ -fusefs_type
+ -rootfs
+}:dir { open read setattr search };
allow init {
binder_device
@@ -365,7 +379,8 @@
userdebug_or_eng(`
# Overlayfs workdir write access check during mount to permit remount,rw
allow init overlayfs_file:dir { relabelfrom mounton write };
- allow init overlayfs_file:file { append };
+ allow init overlayfs_file:file { append rename };
+ allow init overlayfs_file:chr_file unlink;
allow init system_block_device:blk_file { write };
')
@@ -383,7 +398,6 @@
allow init {
proc_abi
- proc_bpf
proc_cpu_alignment
proc_dirty
proc_hostname
diff --git a/public/keystore.te b/public/keystore.te
index 8ac503e..4cef175 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -5,6 +5,7 @@
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
@@ -17,6 +18,7 @@
add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
diff --git a/public/property.te b/public/property.te
index 00ae1bb..c0a3a6e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
+system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
diff --git a/public/remote_provisioning_service_server.te b/public/remote_provisioning_service_server.te
new file mode 100644
index 0000000..710b43d
--- /dev/null
+++ b/public/remote_provisioning_service_server.te
@@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)
diff --git a/public/service.te b/public/service.te
index 1ff3668..443a4f7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -7,6 +7,7 @@
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
+type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
@@ -135,6 +136,7 @@
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
+type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -194,6 +196,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
@@ -271,9 +274,11 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
@@ -306,11 +311,13 @@
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
+type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_hdmi_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 730c1e0..3473e74 100644
--- a/public/su.te
+++ b/public/su.te
@@ -97,8 +97,9 @@
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
typeattribute su hal_tv_cec_client;
- typeattribute su hal_tv_hdmi_client;
typeattribute su hal_tv_hdmi_cec_client;
+ typeattribute su hal_tv_hdmi_connection_client;
+ typeattribute su hal_tv_hdmi_earc_client;
typeattribute su hal_tv_input_client;
typeattribute su hal_tv_tuner_client;
typeattribute su hal_usb_client;
diff --git a/public/te_macros b/public/te_macros
index ab42534..11041b6 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -183,26 +183,25 @@
####################################
# virtualizationservice_use(domain)
# Allow domain to create and communicate with a virtual machine using
-# virtualizationservice.
+# virtualizationservice and virtualizationmanager.
define(`virtualizationservice_use', `
-allow $1 virtualization_service:service_manager find;
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Let the client pass file descriptors to virtualizationservice and on
-# to crosvm
-allow { virtualizationservice crosvm } $1:fd use;
+# Transition to virtualizationmanager when the client executes it.
+domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
+# Allow virtualizationmanager to communicate over UDS with the client.
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
+allow { virtualizationmanager crosvm } $1:fd use;
+# Let the client use file descriptors created by virtualizationmanager.
+allow $1 virtualizationmanager:fd use;
# Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
-# Allow client to read/write vsock created by virtualizationservice to
-# communicate with the VM that it created. Notice that we do not grant
-# permission to create a vsock; the client can only connect to VMs
-# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
-# Allow client to read (but not open) the crashdump provided by virtualizationservice
+# Allow client to read (but not open) the crashdump provided by virtualizationmanager
allow $1 virtualizationservice_data_file:file { getattr read };
')
diff --git a/public/usbd.te b/public/usbd.te
index 6f34954..ee36784 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,2 +1,4 @@
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;
+
+binder_call(usbd, servicemanager)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 61fa686..683ab61 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -48,6 +48,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-system_dlkm_file_type
@@ -67,6 +68,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -86,6 +88,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -103,6 +106,7 @@
allow vendor_init {
file_type
-apex_mnt_dir
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -119,6 +123,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-mnt_product_file
@@ -142,6 +147,7 @@
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
+ -bpffs_type
-contextmount_type
-keychord_device
-sdcard_type
@@ -157,6 +163,7 @@
allow vendor_init {
fs_type
+ -bpffs_type
-contextmount_type
-sdcard_type
-fusefs_type
@@ -164,7 +171,7 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
-}:dir { open read setattr search };
+}:dir { open read setattr search };
allow vendor_init dev_type:blk_file getattr;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c69b451..b21302c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,10 +10,11 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-default-service u:object_r:hal_remoteaccess_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -91,14 +92,16 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi-service u:object_r:hal_tv_hdmi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service u:object_r:hal_tv_hdmi_connection_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.earc-service u:object_r:hal_tv_hdmi_earc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
@@ -113,6 +116,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 82cbf8e..506c7e4 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,5 +6,8 @@
hal_client_domain(hal_audio_default, hal_allocator)
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_audio_default fwk_sensor_service:service_manager find;
+
# allow audioserver to call hal_audio dump with its own fd to retrieve status
allow hal_audio_default audioserver:fifo_file write;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index b0912d4..e7c5886 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -4,7 +4,12 @@
type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_camera_default)
+# HIDL sensorservice
allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow hal_camera_default fwk_sensor_service:service_manager find;
+
+get_prop(hal_camera_default, device_config_camera_native_prop);
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 7498788..12bb028 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -9,10 +9,12 @@
allow hal_can_socketcan self:capability net_admin;
allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
-# Calling if_nametoindex(3) to open CAN sockets
+# See man page for netdevice(7) for more info on ioctls
allow hal_can_socketcan self:udp_socket { create ioctl };
allowxperm hal_can_socketcan self:udp_socket ioctl {
SIOCGIFINDEX
+ SIOCGIFFLAGS
+ SIOCSIFFLAGS
};
# Communicating with SocketCAN interfaces and bringing them up/down
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index ddfa62e..66ce40c 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -4,4 +4,7 @@
type hal_face_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_face_default)
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_face_default fwk_sensor_service:service_manager find;
+
set_prop(hal_face_default, virtual_face_hal_prop)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 812c528..7173223 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -4,4 +4,7 @@
type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_default)
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_fingerprint_default fwk_sensor_service:service_manager find;
+
set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
diff --git a/vendor/hal_tv_hdmi_connection_default.te b/vendor/hal_tv_hdmi_connection_default.te
new file mode 100644
index 0000000..bad8961
--- /dev/null
+++ b/vendor/hal_tv_hdmi_connection_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_connection_default, domain;
+hal_server_domain(hal_tv_hdmi_connection_default, hal_tv_hdmi_connection)
+
+type hal_tv_hdmi_connection_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_connection_default)
diff --git a/vendor/hal_tv_hdmi_default.te b/vendor/hal_tv_hdmi_default.te
deleted file mode 100644
index e974fd8..0000000
--- a/vendor/hal_tv_hdmi_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_tv_hdmi_default, domain;
-hal_server_domain(hal_tv_hdmi_default, hal_tv_hdmi)
-
-type hal_tv_hdmi_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tv_hdmi_default)
diff --git a/vendor/hal_tv_hdmi_earc_default.te b/vendor/hal_tv_hdmi_earc_default.te
new file mode 100644
index 0000000..d2a729d
--- /dev/null
+++ b/vendor/hal_tv_hdmi_earc_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_earc_default, domain;
+hal_server_domain(hal_tv_hdmi_earc_default, hal_tv_hdmi_earc)
+
+type hal_tv_hdmi_earc_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_earc_default)