Merge "traced_probes: allow traced_probes to access diskstats info"
diff --git a/Android.mk b/Android.mk
index 8220fd5..618f7f0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -260,19 +260,6 @@
SHAREDLIB_EXT=so
endif
-# Convert a file_context file for a non-flattened APEX into a file for
-# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
-# $(1): path to the input file_contexts file for non-flattened APEX
-# $(2): path to the flattened APEX
-# $(3): path to the generated file_contexts file for flattened APEX
-# $(4): variable where $(3) is added to
-define build_flattened_apex_file_contexts
-$(4) += $(3)
-$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2))
-$(3): $(1)
- $(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
-endef
-
#################################
include $(CLEAR_VARS)
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 88cd32b..d91ef21 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -217,6 +217,7 @@
"country_detector": EXCEPTION_NO_FUZZER,
"coverage": EXCEPTION_NO_FUZZER,
"cpuinfo": EXCEPTION_NO_FUZZER,
+ "cpu_monitor": EXCEPTION_NO_FUZZER,
"credential": EXCEPTION_NO_FUZZER,
"crossprofileapps": EXCEPTION_NO_FUZZER,
"dataloader_manager": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/bug_map b/microdroid/system/private/bug_map
index 5b042ae..e69de29 100644
--- a/microdroid/system/private/bug_map
+++ b/microdroid/system/private/bug_map
@@ -1,35 +0,0 @@
-dnsmasq netd fifo_file b/77868789
-dnsmasq netd unix_stream_socket b/77868789
-gmscore_app system_data_file dir b/146166941
-init app_data_file file b/77873135
-init cache_file blk_file b/77873135
-init logpersist file b/77873135
-init nativetest_data_file dir b/77873135
-init pstorefs dir b/77873135
-init shell_data_file dir b/77873135
-init shell_data_file file b/77873135
-init shell_data_file lnk_file b/77873135
-init shell_data_file sock_file b/77873135
-init system_data_file chr_file b/77873135
-isolated_app privapp_data_file dir b/119596573
-isolated_app app_data_file dir b/120394782
-mediaextractor app_data_file file b/77923736
-mediaextractor radio_data_file file b/77923736
-mediaprovider cache_file blk_file b/77925342
-mediaprovider mnt_media_rw_file dir b/77925342
-mediaprovider shell_data_file dir b/77925342
-mediaswcodec ashmem_device chr_file b/142679232
-netd priv_app unix_stream_socket b/77870037
-netd untrusted_app unix_stream_socket b/77870037
-netd untrusted_app_25 unix_stream_socket b/77870037
-netd untrusted_app_27 unix_stream_socket b/77870037
-netd untrusted_app_29 unix_stream_socket b/77870037
-platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
-system_server overlayfs_file file b/142390309
-system_server sdcardfs file b/77856826
-system_server zygote process b/77856826
-untrusted_app untrusted_app netlink_route_socket b/155595000
-vold system_data_file file b/124108085
-zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index f4bb79b..6dd97d0 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -11,7 +11,7 @@
dontaudit compos self:global_capability_class_set dac_override;
# Allow settings system properties that ART expects.
-set_prop(compos, dalvik_config_prop)
+set_prop(compos, dalvik_config_prop_type)
set_prop(compos, device_config_runtime_native_boot_prop)
# Allow running odrefresh in its own domain
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 6a43b56..3eae8c0 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -63,4 +63,5 @@
}:process { ptrace signal sigchld sigstop sigkill };
')
+neverallow crash_dump self:process ptrace;
neverallow crash_dump no_crash_dump_domain:process ptrace;
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index bd93f6e..1639640 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -31,7 +31,7 @@
allow dex2oat apex_info_file:file r_file_perms;
# Allow reading dalvik system properties that may affect compilation
-get_prop(dex2oat, dalvik_config_prop)
+get_prop(dex2oat, dalvik_config_prop_type)
get_prop(dex2oat, device_config_runtime_native_boot_prop)
# Don't audit because we don't configure the compiler through these
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a8fff90..1e8529b 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -185,10 +185,6 @@
# named pipes, and named sockets). We start off with a safe set.
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
@@ -229,8 +225,6 @@
allow { domain } cgroup_v2:dir w_dir_perms;
allow { domain } cgroup_v2:file w_file_perms;
-allow domain cgroup_rc_file:dir search;
-allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
@@ -533,12 +527,6 @@
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
- domain
-} ashmem_device:chr_file open;
-
neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
# Linux lockdown "integrity" level is enforced for user builds.
@@ -550,3 +538,6 @@
# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
neverallow domain encryptedstore_file:file no_x_file_perms;
+
+# Only crash_dump is allowed to access ptrace
+neverallow { domain -crash_dump } domain:process ptrace;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index a06a9cf..c6ed654 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -1,7 +1,6 @@
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow encryptedstore_file encryptedstore_fs:filesystem associate;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index fa81c90..3498680 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -32,8 +32,6 @@
# Devices
#
/dev(/.*)? u:object_r:device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
@@ -41,14 +39,8 @@
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
/dev/console u:object_r:console_device:s0
-/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
-/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fuse u:object_r:fuse_device:s0
/dev/hvc0 u:object_r:serial_device:s0
/dev/hvc1 u:object_r:serial_device:s0
@@ -59,7 +51,6 @@
/dev/ptmx u:object_r:ptmx_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
-/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
/dev/open-dice0 u:object_r:open_dice_device:s0
/dev/random u:object_r:random_device:s0
@@ -73,17 +64,10 @@
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
-/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
-/dev/tun u:object_r:tun_device:s0
-/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:uhid_device:s0
-/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
-/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 5ad30e5..408418c 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -27,7 +27,6 @@
allow init {
dev_type
-hw_random_device
- -kvm_device
}:chr_file setattr;
# /dev/__null__ node created by init.
@@ -40,9 +39,6 @@
# /dev/__properties__/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto;
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
@@ -114,7 +110,6 @@
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms};
@@ -181,7 +176,6 @@
file_type
-apex_info_file
-exec_type
- -runtime_event_log_tags_file
-shell_data_file
-system_file_type
-vendor_file_type
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 8635ed4..23b5033 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -122,6 +122,10 @@
# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
+# Allow microdroid_manager to read AVF debug policy
+allow microdroid_manager sysfs_dt_avf:dir search;
+allow microdroid_manager sysfs_dt_avf:file { open read };
+
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c236637..0acf046 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -37,7 +37,7 @@
# Allow odrefresh to read all dalvik system properties. odrefresh needs to record the relevant ones
# in the output for later verification check.
-get_prop(odrefresh, dalvik_config_prop)
+get_prop(odrefresh, dalvik_config_prop_type)
get_prop(odrefresh, device_config_runtime_native_boot_prop)
# Silently ignore the write to properties, e.g. for setting boot animation progress.
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 638b246..3077301 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -2,6 +2,7 @@
# Declare ART properties for CompOS
system_public_prop(dalvik_config_prop)
+system_public_prop(dalvik_dynamic_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index dd43a81..e74d6d2 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -152,10 +152,22 @@
heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
-# ART properties for CompOS
+# ART properties for CompOS.
dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
+# A list of ART properties that can be set dynamically.
+dalvik.vm.background-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.background-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index d6c3c0d..038be00 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -1,8 +1,5 @@
typeattribute shell coredomain;
-# allow shell input injection
-allow shell uhid_device:chr_file rw_file_perms;
-
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index cfefc67..5b6f82e 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -150,3 +150,6 @@
# Domains that are blocked from producing a crash dump
attribute no_crash_dump_domain;
+
+# All types of ART properties.
+attribute dalvik_config_prop_type;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 8c6f777..1a64b62 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,24 +1,17 @@
-type ashmem_device, dev_type;
-type ashmem_libcutils_device, dev_type;
type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
type dm_device, dev_type;
type dm_user_device, dev_type;
-type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
type fuse_device, dev_type;
type hw_random_device, dev_type;
type kmsg_debug_device, dev_type;
type kmsg_device, dev_type;
-type kvm_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
type null_device, dev_type;
type open_dice_device, dev_type;
type owntty_device, dev_type;
-type ppp_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
@@ -30,10 +23,6 @@
type log_device, dev_type;
type socket_device, dev_type;
type tty_device, dev_type;
-type tun_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type userdata_sysdev, dev_type;
type vd_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d9a6e44..d53de79 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -8,14 +8,12 @@
type authfs_service_socket, file_type, coredomain_socket;
type cgroup_desc_api_file, file_type, system_file_type;
type cgroup_desc_file, file_type, system_file_type;
-type cgroup_rc_file, file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
type linkerconfig_file, file_type;
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
type property_contexts_file, file_type, system_file_type;
type property_socket, file_type, coredomain_socket;
-type runtime_event_log_tags_file, file_type;
type sepolicy_file, file_type, system_file_type;
type service_contexts_file, file_type, system_file_type;
type shell_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index fa5db03..3db899a 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -49,7 +49,6 @@
allow vendor_init {
file_type
-exec_type
- -runtime_event_log_tags_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -144,6 +143,5 @@
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
- -kvm_device
-hw_random_device
}:chr_file setattr;
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index e284e19..8f193fb 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -351,6 +351,8 @@
audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
audio.spatializer.effect.util_clamp_min u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.pose_predictor_type u:object_r:audio_config_prop:s0 exact enum 0 1 2 3
+audio.spatializer.prediction_duration_ms u:object_r:audio_config_prop:s0 exact int
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
diff --git a/private/app.te b/private/app.te
index 5c3472d..fa40b52 100644
--- a/private/app.te
+++ b/private/app.te
@@ -34,7 +34,7 @@
get_prop(appdomain, test_harness_prop)
get_prop(appdomain, boot_status_prop)
-get_prop(appdomain, dalvik_config_prop)
+get_prop(appdomain, dalvik_config_prop_type)
get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
get_prop(appdomain, radio_control_prop)
@@ -46,6 +46,7 @@
get_prop(appdomain, adbd_config_prop)
get_prop(appdomain, dck_prop)
get_prop(appdomain, persist_wm_debug_prop)
+get_prop(appdomain, persist_sysui_builder_extras_prop)
# Allow ART to be configurable via device_config properties
# (ART "runs" inside the app process)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 6bdc259..eecda30 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -33,14 +33,14 @@
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
-neverallow { domain -bpfloader } fs_bpf_loader:file read;
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file { getattr read };
+neverallow { domain -bpfloader } fs_bpf_loader:file { getattr read };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file { getattr read };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file { getattr read };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index afcebba..8fa3985 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1545,7 +1545,10 @@
(typeattributeset ctl_sigstop_prop_33_0 (ctl_sigstop_prop))
(typeattributeset ctl_start_prop_33_0 (ctl_start_prop))
(typeattributeset ctl_stop_prop_33_0 (ctl_stop_prop))
-(typeattributeset dalvik_config_prop_33_0 (dalvik_config_prop))
+(typeattributeset dalvik_config_prop_33_0
+ ( dalvik_config_prop
+ dalvik_dynamic_config_prop
+))
(typeattributeset dalvik_prop_33_0 (dalvik_prop))
(typeattributeset dalvik_runtime_prop_33_0 (dalvik_runtime_prop))
(typeattributeset dalvikcache_data_file_33_0 (dalvikcache_data_file))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3b61f73..cfbe2da 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -10,6 +10,9 @@
artd
bt_device
build_attestation_prop
+ composd_vm_art_prop
+ composd_vm_vendor_prop
+ cpu_monitor_service
credential_service
device_as_webcam
device_config_camera_native_prop
@@ -48,6 +51,7 @@
fuseblkd
fuseblkd_exec
permissive_mte_prop
+ persist_sysui_builder_extras_prop
prng_seeder
recovery_usb_config_prop
remote_provisioning_service
@@ -55,6 +59,7 @@
servicemanager_prop
shutdown_checkpoints_system_data_file
stats_config_data_file
+ sysfs_fs_fuse_features
system_net_netd_service
timezone_metadata_prop
traced_oome_heap_session_count_prop
diff --git a/private/composd.te b/private/composd.te
index 96991c6..409b2cb 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -30,9 +30,16 @@
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;
+# Read properties used to configure the CompOS VM
+get_prop(composd, composd_vm_art_prop)
+get_prop(composd, composd_vm_vendor_prop)
+
# Read ART's properties
-get_prop(composd, dalvik_config_prop)
+get_prop(composd, dalvik_config_prop_type)
get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
neverallow composd apex_art_data_file:file create;
+
+# ART sets these properties via init script, nothing else should
+neverallow { domain -init } composd_vm_art_prop:property_service set;
diff --git a/private/coredomain.te b/private/coredomain.te
index 96ce488..f8b2ee5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,7 +1,7 @@
get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
-get_prop(coredomain, dalvik_config_prop)
+get_prop(coredomain, dalvik_config_prop_type)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
diff --git a/private/crosvm.te b/private/crosvm.te
index df97235..f1012b7 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -2,14 +2,20 @@
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
-# Let crosvm open /dev/kvm.
-allow crosvm kvm_device:chr_file rw_file_perms;
+# Let crosvm open VM manager devices such as /dev/kvm.
+allow crosvm vm_manager_device_type:chr_file rw_file_perms;
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+# Most other domains shouldn't access other vm managers either.
+# These restrictions need to be slightly looser than for kvm_device to allow
+# for different implementations.
+neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
+neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
+
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
diff --git a/private/domain.te b/private/domain.te
index 1e5e0f5..1c27662 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -56,6 +56,9 @@
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);
+# Everyone can access the fuse list of features.
+r_dir_file(domain, sysfs_fs_fuse_features);
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
diff --git a/private/file.te b/private/file.te
index 539e63e..f6781b0 100644
--- a/private/file.te
+++ b/private/file.te
@@ -104,7 +104,7 @@
# /dev/kvm
# The type needs to be mlstrustedobject to allow for being accessed from
# crosvm, which runs at a more constrained MLS level.
-type kvm_device, dev_type, mlstrustedobject;
+type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f5a92ac..8e35c46 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -150,6 +150,7 @@
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /fs/fuse/bpf_prog_type_fuse u:object_r:sysfs_fs_fuse_bpf:s0
+genfscon sysfs /fs/fuse/features u:object_r:sysfs_fs_fuse_features:s0
genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
diff --git a/private/init.te b/private/init.te
index 72dedd2..9d3a2c3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -120,6 +120,6 @@
dev_type
-hw_random_device
-keychord_device
- -kvm_device
+ -vm_manager_device_type
-port_device
}:chr_file setattr;
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index bb9da6c..200af1b 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -95,6 +95,7 @@
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
+ -sysfs_fs_fuse_features
-sysfs_fs_incfs_features
}:file no_rw_file_perms;
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index bde6195..4ed4b36 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -32,6 +32,9 @@
# permitted.
allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+# Allow access to the toybox: b/275024392
+allow isolated_compute_app toolbox_exec:file rx_file_perms;
+
#####
##### Neverallow
#####
diff --git a/private/netd.te b/private/netd.te
index ae43e47..8be8212 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,7 +7,7 @@
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 900b35c..01f1915 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -26,7 +26,7 @@
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
diff --git a/private/network_stack.te b/private/network_stack.te
index dfee019..d9135a1 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -61,7 +61,7 @@
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
# Use XFRM (IPsec) netlink sockets
diff --git a/private/perfetto.te b/private/perfetto.te
index 45fa60b..a87f2ad 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -22,6 +22,10 @@
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
+# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
+allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
+allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+
# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
@@ -117,6 +121,7 @@
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
@@ -124,6 +129,7 @@
neverallow perfetto {
data_file_type
-perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/private/platform_app.te b/private/platform_app.te
index 5d16d85..6d49502 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -45,6 +45,10 @@
')
neverallow { domain -init -dumpstate userdebug_or_eng(`-domain') } persist_wm_debug_prop:property_service set;
+userdebug_or_eng(`
+ set_prop(platform_app, persist_sysui_builder_extras_prop)
+')
+
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
proc_vmstat
@@ -122,5 +126,7 @@
### Neverallow rules
###
+neverallow { domain -init userdebug_or_eng(`-shell -platform_app') } persist_sysui_builder_extras_prop:property_service set;
+
# app domains which access /dev/fuse should not run as platform_app
neverallow platform_app fuse_device:chr_file *;
diff --git a/private/property.te b/private/property.te
index 9e49c30..35f9bc7 100644
--- a/private/property.te
+++ b/private/property.te
@@ -54,6 +54,7 @@
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(log_file_logger_prop)
+system_restricted_prop(persist_sysui_builder_extras_prop)
###
### Neverallow rules
@@ -275,7 +276,7 @@
-vendor_init
} {
core_property_type
- dalvik_config_prop
+ dalvik_config_prop_type
extended_core_property_type
exported3_system_prop
systemsound_config_prop
diff --git a/private/property_contexts b/private/property_contexts
index 00b1347..603c70b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -373,6 +373,8 @@
audio.spatializer.priority u:object_r:audio_config_prop:s0 exact int
audio.spatializer.effect.affinity u:object_r:audio_config_prop:s0 exact int
audio.spatializer.effect.util_clamp_min u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.pose_predictor_type u:object_r:audio_config_prop:s0 exact enum 0 1 2 3
+audio.spatializer.prediction_duration_ms u:object_r:audio_config_prop:s0 exact int
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
@@ -405,31 +407,27 @@
ro.vendor.camera.extensions.package u:object_r:camera2_extensions_prop:s0 exact string
ro.vendor.camera.extensions.service u:object_r:camera2_extensions_prop:s0 exact string
-# ART properties
+# ART properties.
dalvik.vm. u:object_r:dalvik_config_prop:s0
ro.dalvik.vm. u:object_r:dalvik_config_prop:s0
ro.zygote u:object_r:dalvik_config_prop:s0 exact string
# A set of ART properties listed explicitly for compatibility purposes.
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
+ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-max-image-block-size u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
@@ -448,10 +446,8 @@
dalvik.vm.hot-startup-method-samples u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.image-dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.image-dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.image-dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.image-dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.isa.arm.features u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.isa.arm.variant u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.isa.arm64.features u:object_r:dalvik_config_prop:s0 exact string
@@ -481,11 +477,21 @@
dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
+# A list of ART properties that can be set dynamically.
+dalvik.vm.background-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.background-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
@@ -1483,6 +1489,10 @@
# virtualization service properties
virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+# composd properties
+composd.vm.art.memory_mib.config u:object_r:composd_vm_art_prop:s0 exact uint
+composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
+
# properties for the virtual Face HAL
persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
@@ -1538,3 +1548,6 @@
# UVC Gadget property
ro.usb.uvc.enabled u:object_r:usb_uvc_enabled_prop:s0 exact bool
+
+# System UI notification properties
+persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index cfcf2a4..fc4fce3 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -42,7 +42,7 @@
-codec2_config_prop
-config_prop
-cppreopt_prop
- -dalvik_config_prop
+ -dalvik_config_prop_type
-dalvik_prop
-dalvik_runtime_prop
-dck_prop
diff --git a/private/shell.te b/private/shell.te
index cdbf7c2..85d09f9 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -243,3 +243,7 @@
# Allow shell to write GWP-ASan properties even on user builds.
set_prop(shell, gwp_asan_prop)
+
+# Allow shell to set persist.sysui.notification.builder_extras_override property
+userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
+
diff --git a/private/stats.te b/private/stats.te
index 89b9488..5790faa 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -56,4 +56,5 @@
-system_app
-system_server
-traceur_app
+ -traced_probes
} stats_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 27e5594..20e6427 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -836,6 +836,9 @@
# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)
+# Read persist.sysui.notification.builder_extras_override property
+get_prop(system_server, persist_sysui_builder_extras_prop)
+
# Read ro.tuner.lazyhal
get_prop(system_server, tuner_config_prop)
# Write tuner.server.enable
@@ -1175,7 +1178,7 @@
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
@@ -1527,3 +1530,6 @@
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+
+# Allow system server to set dynamic ART properties.
+set_prop(system_server, dalvik_dynamic_config_prop)
diff --git a/private/traced.te b/private/traced.te
index 171e092..fc75239 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -24,9 +24,6 @@
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file create_file_perms;
allow traced perfetto_traces_data_file:dir rw_dir_perms;
-# ... and /data/misc/perfetto-traces/bugreport*
-allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
-allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
@@ -89,7 +86,6 @@
neverallow traced {
data_file_type
-perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
-media_userdir_file
@@ -104,7 +100,6 @@
neverallow traced {
data_file_type
-perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
-trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 86f5067..0d68fa3 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -103,8 +103,10 @@
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
-# Allow traced_probes to talk to statsd for logging metrics.
+# Allow traced_probes to talk to statsd for logging metrics and recording atoms.
unix_socket_send(traced_probes, statsdw, statsd)
+binder_call(traced_probes, statsd)
+allow traced_probes stats_service:service_manager find;
###
### Neverallow rules
diff --git a/private/vendor_init.te b/private/vendor_init.te
index acbd84e..1680f96 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -19,7 +19,7 @@
allow vendor_init {
dev_type
-keychord_device
- -kvm_device
+ -vm_manager_device_type
-port_device
-lowpan_device
-hw_random_device
diff --git a/public/attributes b/public/attributes
index 0b5f596..1e2dabb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -417,6 +417,9 @@
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
+# Types for VM managers
+attribute vm_manager_device_type;
+
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;
@@ -430,3 +433,6 @@
# permissions to maintain the health loop, writing to kernel log, handling
# inputs and drawing screens, etc.
attribute charger_type;
+
+# All types of ART properties.
+attribute dalvik_config_prop_type;
diff --git a/public/file.te b/public/file.te
index 9ca6802..da76aee 100644
--- a/public/file.te
+++ b/public/file.te
@@ -123,6 +123,7 @@
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_fuse_bpf, sysfs_type, fs_type;
+type sysfs_fs_fuse_features, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
type sysfs_vendor_sched, sysfs_type, fs_type;
diff --git a/public/iorap.te b/public/iorap.te
deleted file mode 100644
index 0671c34..0000000
--- a/public/iorap.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Define these types for now, as they may be used in device-specific policy.
-type iorapd;
-type iorap_inode2filename;
-type iorap_prefetcherd;
diff --git a/public/property.te b/public/property.te
index 74dd0f5..4427822 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
+system_restricted_prop(composd_vm_art_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
@@ -142,6 +143,7 @@
system_vendor_config_prop(camerax_extensions_prop)
system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(composd_vm_vendor_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(debugfs_restriction_prop)
@@ -205,6 +207,7 @@
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_dynamic_config_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
system_public_prop(device_config_memory_safety_native_boot_prop)
@@ -365,3 +368,5 @@
typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;
+typeattribute dalvik_config_prop dalvik_config_prop_type;
+typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
diff --git a/public/service.te b/public/service.te
index e8f97bb..3dc9d85 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@
# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type cpu_monitor_service, system_server_service, service_manager_type;
type credential_service, app_api_service, ephemeral_app_api_service, system_api_service, system_server_service, service_manager_type;
type dataloader_manager_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index e1c24c6..71597cc 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -34,6 +34,7 @@
binder_call(statsd, appdomain)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)
+binder_call(statsd, traced_probes)
# Allow statsd to interact with gpuservice
allow statsd gpu_service:service_manager find;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 683ab61..288d035 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -235,6 +235,7 @@
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_dynamic_config_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_bluetooth_prop)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 1d380ab..2c52e2c 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -347,7 +347,8 @@
"hal_neuralnetworks_service":["service_manager"],
"servicemanager":["fd"],
"speech_recognition_service":["service_manager"],
- "mediaserver_service" :["service_manager"]
+ "mediaserver_service" :["service_manager"],
+ "toolbox_exec": ["file"],
}
def resolveHalServerSubtype(target):
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 59d6c39..0bdb7fd 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -29,3 +29,6 @@
# allow to monitor uevents and access video devices
allow hal_evs_default device:dir r_dir_perms;
allow hal_evs_default video_device:chr_file rw_file_perms;
+
+# allow to access graphics related properties
+get_prop(hal_evs_default, graphics_config_prop);