Merge changes from topic "avf_vendor_clients" into main

* changes:
  Open virtmgr / crosvm / libavf for vendor clients
  Allow virtmgr to read caller exe path
diff --git a/apex/Android.bp b/apex/Android.bp
index 37400dd..66f8ef3 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -253,6 +253,13 @@
 }
 
 filegroup {
+    name: "com.android.bt-file_contexts",
+    srcs: [
+        "com.android.bt-file_contexts",
+    ],
+}
+
+filegroup {
     name: "com.android.car.framework-file_contexts",
     srcs: [
         "com.android.car.framework-file_contexts",
diff --git a/apex/com.android.bluetooth-file_contexts b/apex/com.android.bt-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth-file_contexts
rename to apex/com.android.bt-file_contexts
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 275a455..8c331d0 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -92,6 +92,9 @@
 # apexd can set apexd sysprop
 set_prop(apexd, apexd_prop)
 
+# apexd can set apex.all.ready sysprop
+set_prop(apexd, apex_ready_prop)
+
 # Allow apexd to stop itself
 set_prop(apexd, ctl_apexd_prop)
 
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2bd5a22..803e25e 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -58,6 +58,7 @@
 
 apexd.status      u:object_r:apexd_prop:s0 exact enum starting activated ready
 ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
+apex.all.ready    u:object_r:apex_ready_prop:s0 exact bool
 
 ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
 
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 7db53d0..18dab10 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -2,6 +2,7 @@
 type apex_config_prop, property_type;
 type apexd_payload_metadata_prop, property_type;
 type apexd_prop, property_type;
+type apex_ready_prop, property_type;
 type arm64_memtag_prop, property_type;
 type bootloader_prop, property_type;
 type boottime_prop, property_type;
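Review bot: `apex_ready_prop` is declared here with no neverallow limiting who may set it, while the only writer granted in this change is apexd (`set_prop(apexd, apex_ready_prop)` in microdroid/system/private/apexd.te). Since `apex.all.ready` reads as a readiness signal that other domains will presumably gate on, pinning the writers would stop a later rule from granting set access by accident: `neverallow { domain -init -apexd } apex_ready_prop:property_service set;`. No visible hunk grants any domain `get_prop` on the new type, so it is worth confirming that the intended reader is covered elsewhere in the microdroid policy.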
diff --git a/private/apexd.te b/private/apexd.te
index 58a3658..3205b02 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -229,8 +229,8 @@
 # The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
 # and make binder calls to apexd.
 # WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find;
+neverallow { domain -init -apexd -keystore -system_server -update_engine -update_provider } apex_service:service_manager find;
 # WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
+neverallow { domain -init -apexd -keystore -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
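Review bot: The two neverallow rules now exempt `keystore`, but the comment above them still justifies only `update_provider`, so the reason for the new carve-out is not recorded where the invariant is defined. A line such as `# keystore looks up apex_service and calls apexd to <purpose - author to fill in>.` ahead of the rules would let a later reader judge whether the exemption is still needed. The matching grant in private/keystore.te says only "Allow keystore to communicate to apexd" and has the same gap.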
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 2284bb3..2ddfec3 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -23,7 +23,6 @@
     media_quality_service
     advanced_protection_service
     sysfs_firmware_acpi_tables
-    dynamic_instrumentation_service
     intrusion_detection_service
     wifi_mainline_supplicant_service
     crosvm
diff --git a/private/keystore.te b/private/keystore.te
index 50542b0..014903e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -41,6 +41,9 @@
 
 set_prop(keystore, keystore_crash_prop)
 
+# Allow keystore to monitor the `apexd.status` property.
+get_prop(keystore, apexd_prop)
+
 # keystore is using apex_info via libvintf
 use_apex_info(keystore)
 
@@ -61,6 +64,10 @@
 allow keystore remote_provisioning_service:service_manager find;
 allow keystore rkp_cert_processor_service:service_manager find;
 
+# Allow keystore to communicate to apexd
+allow keystore apex_service:service_manager find;
+allow keystore apexd:binder call;
+
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
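Review bot: `allow keystore apexd:binder call;` is a per-domain grant, so keystore can now invoke every method that apex_service exposes, including whatever update_provider uses to perform APEX updates (per the comment in private/apexd.te). SELinux cannot narrow this to the query keystore presumably needs, so any restriction on mutating calls has to be a caller check inside apexd; that code is not visible in this change and is worth confirming. Using the raw `call` permission rather than the `binder_call()` macro is the narrower choice (no binder transfer, no fd use); if that is intentional, the comment could say so, e.g. `# call only: keystore does not exchange binder references or fds with apexd`.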
diff --git a/private/property_contexts b/private/property_contexts
index 6b0cbfa..ace1470 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -483,6 +483,10 @@
 # See b/323989070 for the discussion why this approach was chosen.
 ro.audio.ihaladaptervendorextension_enabled u:object_r:system_audio_config_prop:s0 exact bool
 
+# String property used in audioparameterparser.example service to load
+# vendor implementation IHalAdapterVendorExtension
+ro.audio.ihaladaptervendorextension_libname u:object_r:system_audio_config_prop:s0 exact string
+
 persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
 
 config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
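Review bot: `ro.audio.ihaladaptervendorextension_libname` carries the name of a library that a service will load, and `exact string` places no constraint on the value. The property type cannot enforce a format, so the consumer (not visible in this change) should accept only a bare library name resolved from its expected library directories and reject any value containing a path separator. The comment would also be more useful if it named which component is expected to set the property, since every domain allowed to set `system_audio_config_prop` can now influence which library is loaded.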
@@ -699,6 +703,7 @@
 bluetooth.core.le.max_connection_interval_relaxed    u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.min_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.max_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.aggressive_connection_threshold    u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.connection_latency                 u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.connection_supervision_timeout     u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.le.direct_connection_timeout          u:object_r:bluetooth_config_prop:s0 exact uint
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ce49fc4..25ed1ba 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -224,4 +224,3 @@
 user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index 7e89300..a90b3ba 100644
--- a/private/service.te
+++ b/private/service.te
@@ -62,6 +62,11 @@
 type uce_service,                      service_manager_type;
 type wearable_sensing_service,         app_api_service, system_server_service, service_manager_type;
 type wifi_mainline_supplicant_service, service_manager_type;
+type dynamic_instrumentation_service,  app_api_service, system_server_service, service_manager_type;
+
+is_flag_enabled(RELEASE_RANGING_STACK, `
+    type ranging_service, app_api_service, system_server_service, service_manager_type;
+')
 
 ###
 ### Neverallow rules
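Review bot: The two moved declarations are appended after `wifi_mainline_supplicant_service`, which breaks the alphabetical order the visible lines of this list follow (`uce_service`, `wearable_sensing_service`, `wifi_mainline_supplicant_service`). Placing `dynamic_instrumentation_service` and the `ranging_service` block at their sorted positions would keep later additions easy to find and merge. `dynamic_instrumentation_service` also loses its `starting_at_board_api(202504, ...)` guard in the move; if the reason is that private types need no board-API guard, a one-line comment saying so would record that the drop is deliberate.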
diff --git a/private/service_contexts b/private/service_contexts
index 1478e93..2e050eb 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -188,9 +188,7 @@
 app_binding                               u:object_r:app_binding_service:s0
 app_function                              u:object_r:app_function_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
-starting_at_board_api(202504, `
-    dynamic_instrumentation               u:object_r:dynamic_instrumentation_service:s0
-')
+dynamic_instrumentation                   u:object_r:dynamic_instrumentation_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 app_search                                u:object_r:app_search_service:s0
diff --git a/private/uprobestats.te b/private/uprobestats.te
index c55f23d..d778126 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,9 +24,7 @@
 # For registration with system server as a process observer.
 binder_use(uprobestats)
 allow uprobestats activity_service:service_manager find;
-starting_at_board_api(202504, `
-    allow uprobestats dynamic_instrumentation_service:service_manager find;
-')
+allow uprobestats dynamic_instrumentation_service:service_manager find;
 binder_call(uprobestats, system_server);
 
 # Allow uprobestats to talk to native package manager
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c4fa6a1..31eadb2 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -55,3 +55,6 @@
 allow virtual_camera adbd:fd use;
 allow virtual_camera adbd:unix_stream_socket { getattr read write };
 allow virtual_camera shell:fifo_file { getattr read write };
+
+# Allow virtual_camera to access dmabuf_system_heap_device
+allow virtual_camera dmabuf_system_heap_device:chr_file { read open };
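Review bot: The new rule grants only `{ read open }` on `dmabuf_system_heap_device`, but allocating a buffer from a DMA-BUF heap is done with an ioctl on the device node, which needs the `ioctl` permission on `chr_file`. Unless that is granted to virtual_camera elsewhere in the policy, allocation would be denied at runtime; if allocation is intended, `allow virtual_camera dmabuf_system_heap_device:chr_file r_file_perms;` is the form to consider. If open-and-read really is all that is needed, the comment should say what the access is for, so the narrow set is not widened later without review.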
diff --git a/public/service.te b/public/service.te
index 854ceef..68f4ea0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -75,9 +75,6 @@
     type app_function_service, app_api_service, system_server_service, service_manager_type;
 ')
 type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-starting_at_board_api(202504, `
-    type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
-')
 type app_integrity_service, system_api_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
 type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -220,9 +217,6 @@
 type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;
 type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-is_flag_enabled(RELEASE_RANGING_STACK, `
-    type ranging_service, app_api_service, system_server_service, service_manager_type;
-')
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;