Merge "Add network permissions for tuner HAL" into main
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index d8fc8df..75f9c10 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -9,3 +9,6 @@
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
/bin/vmnic u:object_r:vmnic_exec:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+ /bin/early_virtmgr u:object_r:early_virtmgr_exec:s0
+')
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 3b9d5e2..fef2e69 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -136,46 +136,6 @@
compatTestTimestamp android.ModuleOutPath
}
-func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookContext, ver string) {
- confName := fmt.Sprintf("pub_policy_%s.conf", ver)
- cilName := fmt.Sprintf("pub_policy_%s.cil", ver)
- platPubVersionedName := fmt.Sprintf("plat_pub_versioned_%s.cil", ver)
-
- ctx.CreateModule(policyConfFactory, &nameProperties{
- Name: proptools.StringPtr(confName),
- }, &policyConfProperties{
- Srcs: []string{
- fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
- fmt.Sprintf(":se_build_files{.system_ext_public_%s}", ver),
- fmt.Sprintf(":se_build_files{.product_public_%s}", ver),
- ":se_build_files{.reqd_mask}",
- },
- Installable: proptools.BoolPtr(false),
- }, &struct {
- Defaults []string
- }{
- Defaults: f.properties.Defaults,
- })
-
- ctx.CreateModule(policyCilFactory, &nameProperties{
- Name: proptools.StringPtr(cilName),
- }, &policyCilProperties{
- Src: proptools.StringPtr(":" + confName),
- Filter_out: []string{":reqd_policy_mask.cil"},
- Secilc_check: proptools.BoolPtr(false),
- Installable: proptools.BoolPtr(false),
- })
-
- ctx.CreateModule(versionedPolicyFactory, &nameProperties{
- Name: proptools.StringPtr(platPubVersionedName),
- }, &versionedPolicyProperties{
- Base: proptools.StringPtr(":" + cilName),
- Target_policy: proptools.StringPtr(":" + cilName),
- Version: proptools.StringPtr(ver),
- Installable: proptools.BoolPtr(false),
- })
-}
-
func (f *compatTestModule) createCompatTestModule(ctx android.LoadHookContext, ver string) {
srcs := []string{
":plat_sepolicy.cil",
@@ -195,7 +155,7 @@
":odm_sepolicy.cil",
)
} else {
- srcs = append(srcs, fmt.Sprintf(":plat_pub_versioned_%s.cil", ver))
+ srcs = append(srcs, fmt.Sprintf(":%s_plat_pub_versioned.cil", ver))
}
compatTestName := fmt.Sprintf("%s_compat_test", ver)
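Review bot: The label built on the changed line, `:%s_plat_pub_versioned.cil`, now has to match a hand-written `se_versioned_policy` module for every value returned by `PlatformSepolicyCompatVersions()`, because the load hook no longer creates one. The prebuilts in this change declare such modules for 202404 and 29.0 through 34.0; a version outside that set would presumably fail with a missing dependency. A comment above the `append` would make the contract visible, for example `// <ver>_plat_pub_versioned.cil is declared in prebuilts/api/<ver>/Android.bp`. createCompatTestModule starts and ends outside this hunk.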
@@ -210,7 +170,6 @@
func (f *compatTestModule) loadHook(ctx android.LoadHookContext) {
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
- f.createPlatPubVersionedModule(ctx, ver)
f.createCompatTestModule(ctx, ver)
}
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 7b2122c..4476f94 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -33,6 +33,7 @@
// This order should be kept. checkpolicy syntax requires it.
var policyConfOrder = []string{
+ "flagging_macros",
"security_classes",
"initial_sids",
"access_vectors",
@@ -90,8 +91,9 @@
// Desired number of MLS categories. Defaults to 1024
Mls_cats *int64
- // Whether to turn on board_api_level guard or not. Defaults to false
- Board_api_level_guard *bool
+ // Board api level of policy files. Set "vendor" for RELEASE_BOARD_API_LEVEL, "system" for
+ // turning off the guard, or a direct version string (e.g. "202404"). Defaults to "system"
+ Board_api_level *string
}
type policyConf struct {
@@ -223,11 +225,17 @@
}
func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
- if proptools.Bool(c.properties.Board_api_level_guard) {
+ level := proptools.StringDefault(c.properties.Board_api_level, "system")
+
+ if level == "system" {
+ // aribtrary value greater than any other vendor API levels
+ return "1000000"
+ } else if level == "vendor" {
return ctx.Config().VendorApiLevel()
+ } else {
+ return level
}
- // aribtrary value greater than any other vendor API levels
- return "1000000"
+
}
func findPolicyConfOrder(name string) int {
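Review bot: Any string other than "system" or "vendor" is returned unchecked from the final `else` branch, so a misspelling such as "Vendor" would reach the policy preprocessor as if it were a version. The board-API guards decide which rules and permissions are compiled into the policy, so I would reject non-numeric values with `ctx.PropertyErrorf` instead of passing them through. The chain also reads more naturally as a `switch`, the blank line before the closing brace can go, and `aribtrary` in the moved comment is a typo for `arbitrary`. The sketch below assumes `strconv` is already imported in this file.

```go
func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string {
	level := proptools.StringDefault(c.properties.Board_api_level, "system")

	switch level {
	case "system":
		// arbitrary value greater than any other vendor API level
		return "1000000"
	case "vendor":
		return ctx.Config().VendorApiLevel()
	}

	// Anything else must be a direct version string such as "202404".
	if _, err := strconv.Atoi(level); err != nil {
		ctx.PropertyErrorf("board_api_level",
			"must be \"system\", \"vendor\" or a numeric version, got %q", level)
	}
	return level
}
```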
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 26e8989..5117fab 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -18,6 +18,7 @@
name: "aosp_selinux_flags",
flags: [
"RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
+ "RELEASE_AVF_ENABLE_EARLY_VM",
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_AVF_ENABLE_NETWORK",
@@ -43,7 +44,7 @@
name: "se_policy_conf_public_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
build_flags: ["all_selinux_flags"],
- board_api_level_guard: true,
+ board_api_level: "vendor",
}
contexts_defaults {
@@ -55,5 +56,5 @@
filegroup {
name: "sepolicy_flagging_macros",
- srcs: ["te_macros"],
+ srcs: ["flagging_macros"],
}
diff --git a/flagging/te_macros b/flagging/flagging_macros
similarity index 100%
rename from flagging/te_macros
rename to flagging/flagging_macros
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index dce4898..e9b4b1e 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -107,6 +107,7 @@
se_policy_conf {
name: "microdroid_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_files,
installable: false,
mls_cats: 1,
@@ -121,6 +122,7 @@
se_policy_conf {
name: "microdroid_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: system_policy_files,
installable: false,
mls_cats: 1,
@@ -135,6 +137,7 @@
se_policy_conf {
name: "microdroid_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: system_public_policy_files,
installable: false,
mls_cats: 1,
@@ -172,6 +175,7 @@
se_policy_conf {
name: "microdroid_vendor_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: vendor_policy_files,
installable: false,
mls_cats: 1,
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index e418549..7486c32 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -46100,24 +46100,12 @@
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
-neverallow {
- domain
- -bpfloader
- -gpuservice
- -hal_health_server
- -mediaprovider_app
- -netd
- -netutils_wrapper
- -network_stack
- -system_server
- -uprobestats
-} *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
diff --git a/prebuilts/api/202404/Android.bp b/prebuilts/api/202404/Android.bp
index c0fb5a2..bca377e 100644
--- a/prebuilts/api/202404/Android.bp
+++ b/prebuilts/api/202404/Android.bp
@@ -1,4 +1,33 @@
-// Automatically generated file, do not edit!
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "202404_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "202404",
+}
+
+se_policy_cil {
+ name: "202404_reqd_policy_mask.cil",
+ src: ":202404_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
se_policy_conf {
name: "202404_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
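Review bot: The removed header `// Automatically generated file, do not edit!` suggests this file came from a freeze script, and the hunk replaces it with hand-maintained modules; if that script is still in use it may overwrite them or emit the old `filter_out: [":reqd_policy_mask.cil"]` form for the next frozen version. `srcs: reqd_mask_policy` also relies on a variable defined outside this file, so `202404_reqd_policy_mask.conf` appears to be built from the current reqd_mask sources evaluated at `board_api_level: "202404"` rather than from anything frozen under this directory. A one-line comment on the module stating that this is intended would help, e.g. `// reqd_mask comes from the current tree, evaluated at board API level 202404`. The same applies to the `NN.0_reqd_policy_mask.conf` modules added in the 29.0 through 34.0 Android.bp hunks.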
@@ -8,12 +37,13 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "202404",
}
se_policy_cil {
name: "202404_plat_pub_policy.cil",
src: ":202404_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":202404_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
@@ -29,16 +59,25 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "202404",
}
se_policy_cil {
name: "202404_product_pub_policy.cil",
src: ":202404_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":202404_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "202404_plat_pub_versioned.cil",
+ base: ":202404_product_pub_policy.cil",
+ target_policy: ":202404_product_pub_policy.cil",
+ version: "202404",
+ installable: false,
+}
+
se_policy_conf {
name: "202404_plat_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
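Review bot: `202404_plat_pub_versioned.cil` is named after the platform public policy, but its `base` and `target_policy` both point at `:202404_product_pub_policy.cil`. The Go generator removed in this change did the equivalent (its conf listed plat, system_ext and product public sources), so this is probably intentional, but the name invites a later "fix" to `:202404_plat_pub_policy.cil`. A comment on the module would prevent that, e.g. `// versioned from the product public policy, which also contains the plat and system_ext public sources`. The same module is added for 29.0 through 34.0.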
@@ -52,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "202404",
}
se_policy_cil {
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
index 8acca29..e835288 100644
--- a/prebuilts/api/29.0/Android.bp
+++ b/prebuilts/api/29.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "29.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "29",
+}
+
+se_policy_cil {
+ name: "29.0_reqd_policy_mask.cil",
+ src: ":29.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "29.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "29",
}
se_policy_cil {
name: "29.0_plat_pub_policy.cil",
src: ":29.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":29.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "29.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.system_ext_public_29.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "29",
}
se_policy_cil {
name: "29.0_product_pub_policy.cil",
src: ":29.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":29.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "29.0_plat_pub_versioned.cil",
+ base: ":29.0_product_pub_policy.cil",
+ target_policy: ":29.0_product_pub_policy.cil",
+ version: "29.0",
+ installable: false,
+}
+
se_policy_conf {
name: "29.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_29.0}",
":se_build_files{.plat_private_29.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "29",
}
se_policy_cil {
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
index 6f3254d..df13756 100644
--- a/prebuilts/api/30.0/Android.bp
+++ b/prebuilts/api/30.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "30.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "30",
+}
+
+se_policy_cil {
+ name: "30.0_reqd_policy_mask.cil",
+ src: ":30.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "30.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "30",
}
se_policy_cil {
name: "30.0_plat_pub_policy.cil",
src: ":30.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":30.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "30.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.system_ext_public_30.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "30",
}
se_policy_cil {
name: "30.0_product_pub_policy.cil",
src: ":30.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":30.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "30.0_plat_pub_versioned.cil",
+ base: ":30.0_product_pub_policy.cil",
+ target_policy: ":30.0_product_pub_policy.cil",
+ version: "30.0",
+ installable: false,
+}
+
se_policy_conf {
name: "30.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_30.0}",
":se_build_files{.plat_private_30.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "30",
}
se_policy_cil {
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
index caf1c10..ba8d67c 100644
--- a/prebuilts/api/31.0/Android.bp
+++ b/prebuilts/api/31.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "31.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "31",
+}
+
+se_policy_cil {
+ name: "31.0_reqd_policy_mask.cil",
+ src: ":31.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "31.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "31",
}
se_policy_cil {
name: "31.0_plat_pub_policy.cil",
src: ":31.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":31.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "31.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.system_ext_public_31.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "31",
}
se_policy_cil {
name: "31.0_product_pub_policy.cil",
src: ":31.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":31.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "31.0_plat_pub_versioned.cil",
+ base: ":31.0_product_pub_policy.cil",
+ target_policy: ":31.0_product_pub_policy.cil",
+ version: "31.0",
+ installable: false,
+}
+
se_policy_conf {
name: "31.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_31.0}",
":se_build_files{.plat_private_31.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "31",
}
se_policy_cil {
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
index 9a2b4e2..053e094 100644
--- a/prebuilts/api/32.0/Android.bp
+++ b/prebuilts/api/32.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "32.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "32",
+}
+
+se_policy_cil {
+ name: "32.0_reqd_policy_mask.cil",
+ src: ":32.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "32.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "32",
}
se_policy_cil {
name: "32.0_plat_pub_policy.cil",
src: ":32.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":32.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "32.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.system_ext_public_32.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "32",
}
se_policy_cil {
name: "32.0_product_pub_policy.cil",
src: ":32.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":32.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "32.0_plat_pub_versioned.cil",
+ base: ":32.0_product_pub_policy.cil",
+ target_policy: ":32.0_product_pub_policy.cil",
+ version: "32.0",
+ installable: false,
+}
+
se_policy_conf {
name: "32.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_32.0}",
":se_build_files{.plat_private_32.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "32",
}
se_policy_cil {
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
index 0a01a44..0824e9c 100644
--- a/prebuilts/api/33.0/Android.bp
+++ b/prebuilts/api/33.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "33.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "33",
+}
+
+se_policy_cil {
+ name: "33.0_reqd_policy_mask.cil",
+ src: ":33.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "33.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "33",
}
se_policy_cil {
name: "33.0_plat_pub_policy.cil",
src: ":33.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":33.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "33.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.system_ext_public_33.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "33",
}
se_policy_cil {
name: "33.0_product_pub_policy.cil",
src: ":33.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":33.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "33.0_plat_pub_versioned.cil",
+ base: ":33.0_product_pub_policy.cil",
+ target_policy: ":33.0_product_pub_policy.cil",
+ version: "33.0",
+ installable: false,
+}
+
se_policy_conf {
name: "33.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_33.0}",
":se_build_files{.plat_private_33.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "33",
}
se_policy_cil {
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
index b3be5bb..efd3c25 100644
--- a/prebuilts/api/34.0/Android.bp
+++ b/prebuilts/api/34.0/Android.bp
@@ -13,25 +13,44 @@
// limitations under the License.
se_policy_conf {
+ name: "34.0_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "34",
+}
+
+se_policy_cil {
+ name: "34.0_reqd_policy_mask.cil",
+ src: ":34.0_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "34.0_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.reqd_mask}",
],
installable: false,
build_variant: "user",
+ board_api_level: "34",
}
se_policy_cil {
name: "34.0_plat_pub_policy.cil",
src: ":34.0_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":34.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
se_policy_conf {
name: "34.0_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.system_ext_public_34.0}",
@@ -40,18 +59,28 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "34",
}
se_policy_cil {
name: "34.0_product_pub_policy.cil",
src: ":34.0_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":34.0_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "34.0_plat_pub_versioned.cil",
+ base: ":34.0_product_pub_policy.cil",
+ target_policy: ":34.0_product_pub_policy.cil",
+ version: "34.0",
+ installable: false,
+}
+
se_policy_conf {
name: "34.0_plat_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: [
":se_build_files{.plat_public_34.0}",
":se_build_files{.plat_private_34.0}",
@@ -62,6 +91,7 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "34",
}
se_policy_cil {
diff --git a/private/access_vectors b/private/access_vectors
index 7a280c5..9d82ac8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -139,8 +139,8 @@
block_suspend
audit_read
perfmon
- checkpoint_restore
- bpf
+ starting_at_board_api(202504, `checkpoint_restore')
+ starting_at_board_api(202504, `bpf')
}
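Review bot: Wrapping `checkpoint_restore` and `bpf` in `starting_at_board_api(202504, ...)` makes this file depend on the flagging macros being concatenated before it in every `se_policy_conf` that lists it; a module without them would presumably hand the literal macro call to checkpolicy. That dependency is not stated here or next to the new `"flagging_macros"` entry in `policyConfOrder`, so a comment above the two lines would help, e.g. `# Needs flagging_macros; hidden from policy built for board API levels below 202504`. It is also worth confirming that no rule compiled at a lower level still names these two permissions, since they would be undefined there. The enclosing permission list starts outside the hunk.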
#
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
index 53ee8ff..f102b02 100644
--- a/private/compat/33.0/33.0.compat.cil
+++ b/private/compat/33.0/33.0.compat.cil
@@ -1,3 +1,12 @@
;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
;; will be compiled along with other normal policy files, on 33.0 vendors.
;;
+
+;; This type may or may not already exist in vendor policy. The 202404 sepolicy
+;; (well, the 24Q1 release) added hidraw_device, but existing vendor policy
+;; may still label the relevant devices with the old label.
+(type vendor_hidraw_device)
+(typeattributeset dev_type (vendor_hidraw_device))
+
+(allow system_server vendor_hidraw_device (dir (open getattr read search ioctl lock watch watch_reads)))
+(allow system_server vendor_hidraw_device (chr_file (getattr open read ioctl lock map watch watch_reads append write)))
\ No newline at end of file
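Review bot: The two `allow` rules give system_server `write`, `append`, `map` and unrestricted `ioctl` on `vendor_hidraw_device` character devices, which is broader than the comment's stated aim of keeping old vendor labels working. If the platform rule for `hidraw_device` is narrower or restricts ioctls, this should mirror it. The comment also refers to the 202404 policy although the file targets 33.0 vendors, so a sentence on why the 33.0 mapping needs the type would help. The file ends without a trailing newline.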
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
new file mode 100644
index 0000000..4e332f6
--- /dev/null
+++ b/private/early_virtmgr.te
@@ -0,0 +1,8 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+ # Domain for a child process that manages early VMs available before /data mount, on behalf of
+ # its parent.
+ type early_virtmgr, domain, coredomain;
+ type early_virtmgr_exec, system_file_type, exec_type, file_type;
+
+ use_bootstrap_libs(early_virtmgr)
+')
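Review bot: The comment says early_virtmgr acts "on behalf of its parent" without naming that parent, and no transition into the domain appears in this file, so a reader cannot tell which domain is meant to start it. Naming it in the comment (`# ... started by <parent domain>`) would fix that. Once the transition rule exists, a `neverallow` limiting transitions into `early_virtmgr` to that one domain would keep a `coredomain` that runs before /data is mounted from being entered by anything else.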
diff --git a/private/ferrochrome_app.te b/private/ferrochrome_app.te
new file mode 100644
index 0000000..e12c84c
--- /dev/null
+++ b/private/ferrochrome_app.te
@@ -0,0 +1,11 @@
+type ferrochrome_app, domain;
+typeattribute ferrochrome_app coredomain;
+
+app_domain(ferrochrome_app)
+
+allow ferrochrome_app app_api_service:service_manager find;
+allow ferrochrome_app system_api_service:service_manager find;
+
+# TODO(b/348113995): after remove sysprop usage, we can use just (priv_)app.te
+set_prop(ferrochrome_app, debug_prop);
+get_prop(ferrochrome_app, debug_prop);
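Review bot: `set_prop(ferrochrome_app, debug_prop);` lets this app write every property labelled `debug_prop`, a namespace shared with other debug consumers, which is a lot of reach for one app even with the TODO attached. A dedicated property type for the keys the app needs would contain it until b/348113995 is resolved. The following `get_prop(ferrochrome_app, debug_prop);` looks redundant, since `set_prop` normally already grants read access; confirm against te_macros. The two `service_manager find` rules would also benefit from a comment naming the services the app looks up.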
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 291e097..907861c 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -223,3 +223,4 @@
user=_app fromRunAs=true domain=runas_app levelFrom=user
user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.virtualization.ferrochrome domain=ferrochrome_app type=privapp_data_file levelFrom=all
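Review bot: The new entry selects on `isPrivApp=true` and the package name only, with no `seinfo=` selector, so any privileged app carrying the name `com.android.virtualization.ferrochrome` is placed in `ferrochrome_app`. That matches the two vmlauncher lines above it. If the app is platform-signed, adding `seinfo=platform` would additionally tie the domain to the signing key.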
diff --git a/private/shell.te b/private/shell.te
index 6d6e06f..f896541 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -198,6 +198,11 @@
# Allow shell to execute the remote key provisioning factory tool
binder_call(shell, hal_keymint)
+# Allow shell to run the AVF RKP HAL during the execution of the remote key
+# provisioning factory tool.
+# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
+# a separate process.
+binder_call(shell, virtualizationservice)
# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)
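Review bot: `binder_call(shell, virtualizationservice)` is added unconditionally, so an adb shell can call into virtualizationservice on user builds as well, and the third hunk of this file lets it `find` `virtualization_service`. The comment ties the rule to the RKP factory tool only; if that is the sole need, state here whether the service checks its caller, or consider limiting the rule with `userdebug_or_eng(...)` if factory flows allow it. The TODO for b/351113293 should also be repeated next to the `virtualization_service` entries in the two `service_manager find` sets, so all three additions are removed together. Those sets start outside their hunks.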
@@ -360,6 +365,7 @@
-virtual_touchpad_service
-vold_service
-default_android_service
+ -virtualization_service
}:service_manager find;
allow shell dumpstate:binder call;
@@ -489,6 +495,7 @@
hal_keymint_service
hal_secureclock_service
hal_sharedsecret_service
+ virtualization_service
}:service_manager find;
# Do not allow shell to hard link to any files.
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 91e9aba..f6f1d9b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -85,6 +85,10 @@
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+# Allow reading and writing to sockets used for BLAST buffer releases
+allow surfaceflinger { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:unix_stream_socket { read write };
+allow surfaceflinger bootanim:unix_stream_socket { read write };
+
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
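Review bot: The first new rule gives surfaceflinger `read write` on unix stream sockets of almost every app domain, and the comment does not say why `isolated_app_all`, `ephemeral_app` and `sdk_sandbox_all` are excluded. Because the rule is per domain rather than per socket, it covers any stream socket fd such an app hands over, so the rationale belongs in the comment, e.g. `# Socket fds are created by the client and passed to surfaceflinger; isolated, ephemeral and sdk sandbox apps are excluded because <reason>`. Unlike the adbd rule above, `getattr` is not granted; confirm that is intended.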
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 6b3be0c..0faf0c5 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -30,6 +30,7 @@
# Allow virtual_camera to use fd from surface flinger
allow virtual_camera surfaceflinger:fd use;
+allow virtual_camera surfaceflinger:binder call;
# Only allow virtual_camera to add a virtual_camera_service and no one else.
add_service(virtual_camera, virtual_camera_service);
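Review bot: `allow virtual_camera surfaceflinger:binder call;` sits under the comment about using surfaceflinger's fd, which does not explain why virtual_camera now calls into surfaceflinger. Give it its own comment, e.g. `# Allow virtual_camera to call surfaceflinger over binder for <purpose>`. The bare `call` is narrower than the usual `binder_call(virtual_camera, surfaceflinger)` macro, which also grants `transfer`; confirm `call` alone is sufficient for the replies expected here.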