Merge "binderfs neverallows" into main
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a7a2436..b053c7a 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -517,19 +517,32 @@
 	Sepolicy *string `android:"path"`
 }
 
+type fileContextsTestProperties struct {
+	// Test data. File passed to `checkfc -t` to validate how contexts are resolved.
+	Test_data *string `android:"path"`
+}
+
 type contextsTestModule struct {
 	android.ModuleBase
 
-	// Name of the test tool. "checkfc" or "property_info_checker"
-	tool string
+	// The type of context.
+	context contextType
 
-	// Additional flags to be passed to the tool.
-	flags []string
-
-	properties    contextsTestProperties
-	testTimestamp android.OutputPath
+	properties     contextsTestProperties
+	fileProperties fileContextsTestProperties
+	testTimestamp  android.OutputPath
 }
 
+type contextType int
+
+const (
+	FileContext contextType = iota
+	PropertyContext
+	ServiceContext
+	HwServiceContext
+	VndServiceContext
+)
+
 // checkfc parses a context file and checks for syntax errors.
 // If -s is specified, the service backend is used to verify binder services.
 // If -l is specified, the service backend is used to verify hwbinder services.
@@ -538,15 +551,16 @@
 
 // file_contexts_test tests given file_contexts files with checkfc.
 func fileContextsTestFactory() android.Module {
-	m := &contextsTestModule{tool: "checkfc" /* no flags: file_contexts file check */}
+	m := &contextsTestModule{context: FileContext}
 	m.AddProperties(&m.properties)
+	m.AddProperties(&m.fileProperties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
 }
 
 // property_contexts_test tests given property_contexts files with property_info_checker.
 func propertyContextsTestFactory() android.Module {
-	m := &contextsTestModule{tool: "property_info_checker"}
+	m := &contextsTestModule{context: PropertyContext}
 	m.AddProperties(&m.properties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
@@ -554,7 +568,7 @@
 
 // hwservice_contexts_test tests given hwservice_contexts files with checkfc.
 func hwserviceContextsTestFactory() android.Module {
-	m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-l" /* hwbinder services */}}
+	m := &contextsTestModule{context: HwServiceContext}
 	m.AddProperties(&m.properties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
@@ -563,7 +577,7 @@
 // service_contexts_test tests given service_contexts files with checkfc.
 func serviceContextsTestFactory() android.Module {
 	// checkfc -s: service_contexts test
-	m := &contextsTestModule{tool: "checkfc", flags: []string{"-s" /* binder services */}}
+	m := &contextsTestModule{context: ServiceContext}
 	m.AddProperties(&m.properties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
@@ -571,16 +585,16 @@
 
 // vndservice_contexts_test tests given vndservice_contexts files with checkfc.
 func vndServiceContextsTestFactory() android.Module {
-	m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+	m := &contextsTestModule{context: VndServiceContext}
 	m.AddProperties(&m.properties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
 }
 
 func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
-	tool := m.tool
-	if tool != "checkfc" && tool != "property_info_checker" {
-		panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
+	tool := "checkfc"
+	if m.context == PropertyContext {
+		tool = "property_info_checker"
 	}
 
 	if len(m.properties.Srcs) == 0 {
@@ -588,19 +602,50 @@
 		return
 	}
 
+	validateWithPolicy := true
 	if proptools.String(m.properties.Sepolicy) == "" {
-		ctx.PropertyErrorf("sepolicy", "can't be empty")
-		return
+		if m.context == FileContext {
+			if proptools.String(m.fileProperties.Test_data) == "" {
+				ctx.PropertyErrorf("test_data", "Either test_data or sepolicy should be provided")
+				return
+			}
+			validateWithPolicy = false
+		} else {
+			ctx.PropertyErrorf("sepolicy", "can't be empty")
+			return
+		}
+	}
+
+	flags := []string(nil)
+	switch m.context {
+	case FileContext:
+		if !validateWithPolicy {
+			flags = []string{"-t"}
+		}
+	case ServiceContext:
+		flags = []string{"-s" /* binder services */}
+	case HwServiceContext:
+		flags = []string{"-e" /* allow empty */, "-l" /* hwbinder services */}
+	case VndServiceContext:
+		flags = []string{"-e" /* allow empty */, "-v" /* vnd service */}
 	}
 
 	srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
-	sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
-
 	rule := android.NewRuleBuilder(pctx, ctx)
-	rule.Command().BuiltTool(tool).
-		Flags(m.flags).
-		Input(sepolicy).
-		Inputs(srcs)
+
+	if validateWithPolicy {
+		sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
+		rule.Command().BuiltTool(tool).
+			Flags(flags).
+			Input(sepolicy).
+			Inputs(srcs)
+	} else {
+		test_data := android.PathForModuleSrc(ctx, proptools.String(m.fileProperties.Test_data))
+		rule.Command().BuiltTool(tool).
+			Flags(flags).
+			Inputs(srcs).
+			Input(test_data)
+	}
 
 	m.testTimestamp = pathForModuleOut(ctx, "timestamp")
 	rule.Command().Text("touch").Output(m.testTimestamp)
diff --git a/contexts/Android.bp b/contexts/Android.bp
index f2bb9c0..ca51847 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -390,6 +390,12 @@
 }
 
 file_contexts_test {
+    name: "plat_file_contexts_data_test",
+    srcs: [":file_contexts_files{.plat_private}"],
+    test_data: "plat_file_contexts_test",
+}
+
+file_contexts_test {
     name: "system_ext_file_contexts_test",
     srcs: [":system_ext_file_contexts"],
     sepolicy: ":precompiled_sepolicy",
diff --git a/tests/plat_file_contexts_test b/contexts/plat_file_contexts_test
similarity index 99%
rename from tests/plat_file_contexts_test
rename to contexts/plat_file_contexts_test
index 9d8d906..287f754 100644
--- a/tests/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -209,6 +209,7 @@
 /dev/socket/pdx/system/vr/display/vsync                           pdx_display_vsync_endpoint_socket
 /dev/socket/prng_seeder                                           prng_seeder_socket
 /dev/socket/property_service                                      property_socket
+/dev/socket/property_service_for_system                           property_socket
 /dev/socket/racoon                                                racoon_socket
 /dev/socket/recovery                                              recovery_socket
 /dev/socket/rild                                                  rild_socket
@@ -419,6 +420,7 @@
 /system/bin/profcollectd                                          profcollectd_exec
 /system/bin/profcollectctl                                        profcollectd_exec
 /system/bin/storaged                                              storaged_exec
+/system/bin/virtual_camera                                        virtual_camera_exec
 /system/bin/virtual_touchpad                                      virtual_touchpad_exec
 /system/bin/hw/android.frameworks.bufferhub@1.0-service           fwk_bufferhub_exec
 /system/bin/hw/android.system.suspend-service                     system_suspend_exec
@@ -1226,6 +1228,8 @@
 /metadata/userspacereboot/test                                    userspace_reboot_metadata_file
 /metadata/watchdog                                                watchdog_metadata_file
 /metadata/watchdog/test                                           watchdog_metadata_file
+/metadata/repair-mode                                             repair_mode_metadata_file
+/metadata/repair-mode/test                                        repair_mode_metadata_file
 
 /mnt/asec                                                         asec_apk_file
 /mnt/asec/test                                                    asec_apk_file
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index f4541a3..2dbf495 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,7 @@
 
 # PRNG seeder daemon socket is created and listened on by init before forking.
 allow init prng_seeder:unix_stream_socket { create bind listen };
+
+# Workaround for test failures (b/306516077)
+# We get a denial for this on VM boot, but the denial is correct.
+dontaudit init device:file relabelto;
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index fa6712f..069d06a 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -59,6 +59,7 @@
     quick_start_prop
     recovery_usb_config_prop
     remote_provisioning_service
+    repair_mode_metadata_file
     rkpdapp
     servicemanager_prop
     shutdown_checkpoints_system_data_file
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index ac2ab12..0caddf2 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -841,6 +841,7 @@
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
 /metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)?    u:object_r:repair_mode_metadata_file:s0
 
 #############################
 # asec containers
diff --git a/prebuilts/api/34.0/private/system_server.te b/prebuilts/api/34.0/private/system_server.te
index 98d859c..aff4a0a 100644
--- a/prebuilts/api/34.0/private/system_server.te
+++ b/prebuilts/api/34.0/private/system_server.te
@@ -1441,6 +1441,9 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
 allow system_server gsi_persistent_data_file:file create_file_perms;
 
diff --git a/prebuilts/api/34.0/public/file.te b/prebuilts/api/34.0/public/file.te
index da76aee..7cfd8ad 100644
--- a/prebuilts/api/34.0/public/file.te
+++ b/prebuilts/api/34.0/public/file.te
@@ -287,6 +287,8 @@
 type staged_install_file, file_type;
 # Metadata information within /metadata/watchdog
 type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 618bb11..ea4ed5d 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -29,6 +29,7 @@
     fwk_altitude_service
     fwk_camera_service
     fwk_sensor_service
+    game_manager_config_prop
     grammatical_inflection_service
     graphics_config_writable_prop
     hal_bluetooth_service
@@ -63,6 +64,7 @@
     quick_start_prop
     recovery_usb_config_prop
     remote_provisioning_service
+    repair_mode_metadata_file
     rkpdapp
     servicemanager_prop
     shutdown_checkpoints_system_data_file
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 2d1aea0..69902d8 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -20,4 +20,5 @@
     proc_memhealth
     virtual_device_native_service
     next_boot_prop
+    binderfs_logs_stats
   ))
diff --git a/private/file_contexts b/private/file_contexts
index 3a9c04d..2d9b30d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -561,7 +561,6 @@
 /data/gsi_persistent_data    u:object_r:gsi_persistent_data_file:s0
 /data/gsi/ota(/.*)?    u:object_r:ota_image_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
-/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tests(/.*)?	u:object_r:shell_test_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
@@ -636,8 +635,8 @@
 /data/misc/odrefresh(/.*)?      u:object_r:odrefresh_data_file:s0
 /data/misc/odsign(/.*)?         u:object_r:odsign_data_file:s0
 /data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
 /data/misc/perfetto-traces(/.*)?          u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
 /data/misc/perfetto-configs(/.*)?         u:object_r:perfetto_configs_data_file:s0
 /data/misc/prereboot(/.*)?      u:object_r:prereboot_data_file:s0
 /data/misc/profcollectd(/.*)?   u:object_r:profcollectd_data_file:s0
@@ -680,6 +679,7 @@
 /data/vendor_ce/.*              u:object_r:vendor_data_file:s0
 /data/vendor_de                 u:object_r:vendor_userdir_file:s0
 /data/vendor_de/.*              u:object_r:vendor_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 
 # storaged proto files
 /data/misc_de/[0-9]+/storaged(/.*)?       u:object_r:storaged_data_file:s0
@@ -841,6 +841,7 @@
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
 /metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)?    u:object_r:repair_mode_metadata_file:s0
 
 #############################
 # asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3ec6ab1..17db46a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -392,6 +392,7 @@
 genfscon binder /vndbinder u:object_r:vndbinder_device:s0
 genfscon binder /binder_logs u:object_r:binderfs_logs:s0
 genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
 genfscon binder /features u:object_r:binderfs_features:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
diff --git a/private/init.te b/private/init.te
index 9d3a2c3..67e5561 100644
--- a/private/init.te
+++ b/private/init.te
@@ -123,3 +123,7 @@
   -vm_manager_device_type
   -port_device
 }:chr_file setattr;
+
+# Workaround for test failures (b/306516077)
+# We get a denial for this on boot, but the denial is correct.
+dontaudit init device:file relabelto;
diff --git a/private/property.te b/private/property.te
index 8be4d01..e1b42a0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -57,6 +57,7 @@
 system_internal_prop(sensors_config_prop)
 system_internal_prop(hypervisor_pvmfw_prop)
 system_internal_prop(hypervisor_virtualizationmanager_prop)
+system_internal_prop(game_manager_config_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 9d1439d..6c81c03 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -416,6 +416,7 @@
 ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
 ro.camera.disableJpegR        u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableVirtualCamera      u:object_r:camera_config_prop:s0 exact bool
 
 ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
 
@@ -512,6 +513,7 @@
 keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
 
 media.c2.dmabuf.padding                      u:object_r:codec2_config_prop:s0 exact int
+media.c2.hal.selection                       u:object_r:codec2_config_prop:s0 exact enum aidl hidl
 
 media.recorder.show_manufacturer_and_model   u:object_r:media_config_prop:s0 exact bool
 media.resolution.limit.32bit                 u:object_r:media_config_prop:s0 exact int
@@ -1345,6 +1347,7 @@
 ro.surface_flinger.ignore_hdr_camera_layers               u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.clear_slots_with_set_layer_buffer      u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.prime_shader_cache.ultrahdr            u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.game_default_frame_rate_override       u:object_r:surfaceflinger_prop:s0 exact int
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
@@ -1590,3 +1593,6 @@
 
 # Properties for sensor service
 sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
+
+# Propertues for game manager service
+persist.graphics.game_default_frame_rate.enabled  u:object_r:game_manager_config_prop:s0 exact bool
diff --git a/private/system_server.te b/private/system_server.te
index f9627e3..efdeff4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1435,6 +1435,9 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
 allow system_server gsi_persistent_data_file:file create_file_perms;
 
@@ -1539,3 +1542,11 @@
 
 # Allow system server to set dynamic ART properties.
 set_prop(system_server, dalvik_dynamic_config_prop)
+
+# Allow system server to read binderfs
+allow system_server binderfs_logs:dir r_dir_perms;
+allow system_server binderfs_logs_stats:file r_file_perms;
+
+# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
+set_prop(system_server, game_manager_config_prop)
+
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3748605..c52ca15 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -379,6 +379,7 @@
 allow dumpstate binderfs_logs:dir r_dir_perms;
 allow dumpstate binderfs_logs:file r_file_perms;
 allow dumpstate binderfs_logs_proc:file r_file_perms;
+allow dumpstate binderfs_logs_stats:file r_file_perms;
 
 use_apex_info(dumpstate)
 
diff --git a/public/file.te b/public/file.te
index 72f511b..9496c02 100644
--- a/public/file.te
+++ b/public/file.te
@@ -7,6 +7,7 @@
 type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
+type binderfs_logs_stats, fs_type;
 type binderfs_features, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type, proc_type;
@@ -289,6 +290,8 @@
 type staged_install_file, file_type;
 # Metadata information within /metadata/watchdog
 type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 05826f9..051e24b 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -271,6 +271,19 @@
      printf("%s\n", result_str[result]);
 }
 
+static int warnings = 0;
+static int log_callback(int type, const char *fmt, ...) {
+    va_list ap;
+
+    if (type == SELINUX_WARNING) {
+        warnings += 1;
+    }
+    va_start(ap, fmt);
+    vfprintf(stderr, fmt, ap);
+    va_end(ap);
+    return 0;
+}
+
 static void do_test_data_and_die_on_error(struct selinux_opt opts[], unsigned int backend,
         char *paths[])
 {
@@ -329,7 +342,15 @@
 
     // Prints the coverage of file_contexts on the test data. It includes
     // warnings for rules that have not been hit by any test example.
+    union selinux_callback cb;
+    cb.func_log = log_callback;
+    selinux_set_callback(SELINUX_CB_LOG, cb);
     selabel_stats(global_state.sepolicy.sehnd[0]);
+    if (warnings) {
+        fprintf(stderr, "No test entries were found for the contexts above. " \
+                        "You may need to update %s.\n", paths[1]);
+        exit(1);
+    }
 }
 
 static void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode,