Revert^2 "Fix freeze test condition to board api" am: e28eb52f4e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960345
Change-Id: Ifbc4f013eea02d908efdce8666057391fc3fcf30
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/Android.mk b/Android.mk
index fe6a773..3139973 100644
--- a/Android.mk
+++ b/Android.mk
@@ -445,15 +445,13 @@
# The file_contexts.bin is built in the following way:
# 1. Collect all file_contexts files in THIS repository and process them with
# m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
-# modules with m4 with a tmp file called file_contexts.modules.tmp.
-# 3. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all device specific file_contexts files and process them with m4
# into a tmp file called file_contexts.device.tmp.
-# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
-# file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
-# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
+# into file_contexts.concat.tmp.
+# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
# Note: That a newline file is placed between each file_context file found to
@@ -489,10 +487,6 @@
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
-# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
-# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
-file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
-
device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -516,8 +510,7 @@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
$(call merge-fc-files,\
- $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
- $(file_contexts.concat.tmp))
+ $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -531,7 +524,6 @@
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
file_contexts.local.tmp :=
-file_contexts.modules.tmp :=
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 83d081a..14b68ad 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -6,6 +6,7 @@
/bin/art_exec u:object_r:art_exec_exec:s0
/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexopt_chroot_setup u:object_r:dexopt_chroot_setup_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a3fc35d..3af8dc2 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -6,6 +6,7 @@
/bin/art_exec u:object_r:art_exec_exec:s0
/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexopt_chroot_setup u:object_r:dexopt_chroot_setup_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
diff --git a/apex/com.android.webview.bootstrap-file_contexts b/apex/com.android.webview.bootstrap-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.webview.bootstrap-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index a7d65cd..4b1c02d 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -48,8 +48,8 @@
"android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
- "android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
- "android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
+ "android.hardware.broadcastradio.IBroadcastRadio/amfm": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
+ "android.hardware.broadcastradio.IBroadcastRadio/dab": []string{"android.hardware.broadcastradio-service.default_fuzzer"},
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
@@ -158,6 +158,7 @@
"account": EXCEPTION_NO_FUZZER,
"activity": EXCEPTION_NO_FUZZER,
"activity_task": EXCEPTION_NO_FUZZER,
+ "adaptive_auth": EXCEPTION_NO_FUZZER,
"adb": EXCEPTION_NO_FUZZER,
"adservices_manager": EXCEPTION_NO_FUZZER,
"aidl_lazy_test_1": EXCEPTION_NO_FUZZER,
@@ -198,7 +199,8 @@
"gsiservice": EXCEPTION_NO_FUZZER,
"appops": EXCEPTION_NO_FUZZER,
"appwidget": EXCEPTION_NO_FUZZER,
- "artd": EXCEPTION_NO_FUZZER,
+ "artd": []string{"artd_fuzzer"},
+ "artd_pre_reboot": []string{"artd_fuzzer"},
"assetatlas": EXCEPTION_NO_FUZZER,
"attention": EXCEPTION_NO_FUZZER,
"audio": EXCEPTION_NO_FUZZER,
@@ -233,6 +235,7 @@
"content_capture": EXCEPTION_NO_FUZZER,
"content_suggestions": EXCEPTION_NO_FUZZER,
"contexthub": EXCEPTION_NO_FUZZER,
+ "contextual_search": EXCEPTION_NO_FUZZER,
"country_detector": EXCEPTION_NO_FUZZER,
"coverage": EXCEPTION_NO_FUZZER,
"cpuinfo": EXCEPTION_NO_FUZZER,
@@ -249,6 +252,7 @@
"device_lock": EXCEPTION_NO_FUZZER,
"device_state": EXCEPTION_NO_FUZZER,
"devicestoragemonitor": EXCEPTION_NO_FUZZER,
+ "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
"diskstats": EXCEPTION_NO_FUZZER,
"display": EXCEPTION_NO_FUZZER,
"dnsresolver": []string{"resolv_service_fuzzer"},
@@ -263,6 +267,7 @@
"dumpstate": EXCEPTION_NO_FUZZER,
"dynamic_system": EXCEPTION_NO_FUZZER,
"econtroller": EXCEPTION_NO_FUZZER,
+ "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
"emergency_affordance": EXCEPTION_NO_FUZZER,
"euicc_card_controller": EXCEPTION_NO_FUZZER,
"external_vibrator_service": EXCEPTION_NO_FUZZER,
@@ -327,7 +332,7 @@
"media.metrics": []string{"mediametrics_aidl_fuzzer"},
"media.extractor": []string{"mediaextractor_service_fuzzer"},
"media.transcoding": EXCEPTION_NO_FUZZER,
- "media.resource_manager": EXCEPTION_NO_FUZZER,
+ "media.resource_manager": []string{"resourcemanager_service_fuzzer", "mediaresourcemanager_fuzzer"},
"media.resource_observer": EXCEPTION_NO_FUZZER,
"media.sound_trigger_hw": EXCEPTION_NO_FUZZER,
"media.drm": EXCEPTION_NO_FUZZER,
@@ -378,6 +383,7 @@
"processinfo": EXCEPTION_NO_FUZZER,
"procstats": EXCEPTION_NO_FUZZER,
"profcollectd": EXCEPTION_NO_FUZZER,
+ "profiling_service": EXCEPTION_NO_FUZZER,
"radio.phonesubinfo": EXCEPTION_NO_FUZZER,
"radio.phone": EXCEPTION_NO_FUZZER,
"radio.sms": EXCEPTION_NO_FUZZER,
@@ -404,6 +410,7 @@
"security_state": EXCEPTION_NO_FUZZER,
"sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
"selection_toolbar": EXCEPTION_NO_FUZZER,
+ "sensitive_content_protection_service": EXCEPTION_NO_FUZZER,
"sensorservice": EXCEPTION_NO_FUZZER,
"sensor_privacy": EXCEPTION_NO_FUZZER,
"serial": EXCEPTION_NO_FUZZER,
@@ -471,7 +478,7 @@
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
"virtualdevice_native": EXCEPTION_NO_FUZZER,
- "virtual_camera": EXCEPTION_NO_FUZZER,
+ "virtual_camera": []string{"virtual_camera_fuzzer"},
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
"vold": []string{"vold_native_service_fuzzer"},
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 64b2f2d..f75312a 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -200,6 +200,9 @@
/dev/socket/mdns mdns_socket
/dev/socket/mdnsd mdnsd_socket
/dev/socket/mtpd mtpd_socket
+/dev/socket/ot-daemon/ ot_daemon_socket
+/dev/socket/ot-daemon/thread-wpan ot_daemon_socket
+/dev/socket/ot-daemon/100 ot_daemon_socket
/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
/dev/socket/pdx/system/performance pdx_performance_dir
@@ -979,6 +982,8 @@
/data/misc/net/test net_data_file
/data/misc/network_watchlist network_watchlist_data_file
/data/misc/network_watchlist/test network_watchlist_data_file
+/data/misc/telephonyconfig radio_data_file
+/data/misc/telephonyconfig/test radio_data_file
/data/misc/nfc/logs nfc_logs_data_file
/data/misc/nfc/logs/test nfc_logs_data_file
/data/misc/odrefresh odrefresh_data_file
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index f55711e..13ce685 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -7,6 +7,9 @@
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,new-instance u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,strict-boot u:object_r:proc_dt_avf:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
diff --git a/microdroid/system/private/init_debug_policy.te b/microdroid/system/private/init_debug_policy.te
index a9c5f4a..384f5d5 100644
--- a/microdroid/system/private/init_debug_policy.te
+++ b/microdroid/system/private/init_debug_policy.te
@@ -27,6 +27,5 @@
set_prop(init_debug_policy, init_debug_policy_prop)
# Allow init_debug_policy to read AVF debug policy
-allow init_debug_policy sysfs_dt_avf:dir search;
-allow init_debug_policy sysfs_dt_avf:file r_file_perms;
-
+r_dir_file(init_debug_policy, proc_dt_avf)
+r_dir_file(init_debug_policy, sysfs_dt_avf)
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index b84474a..d1a5c6f 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -18,10 +18,8 @@
allow microdroid_manager dm_device:blk_file r_file_perms;
# microdroid_manager can query AVF flags in the device tree
-allow microdroid_manager sysfs_dt_avf:file r_file_perms;
-
-# Allow microdroid_manager to read AVF debug policy
-allow microdroid_manager sysfs_dt_avf:dir search;
+r_dir_file(microdroid_manager, proc_dt_avf)
+r_dir_file(microdroid_manager, sysfs_dt_avf)
# Read config from the open-dice driver.
allow microdroid_manager open_dice_device:chr_file rw_file_perms;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 57852c2..201a07e 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -84,6 +84,7 @@
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
+type proc_dt_avf, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
diff --git a/prebuilts/api/33.0/public/vold.te b/prebuilts/api/33.0/public/vold.te
index 53b2c49..b49f25f 100644
--- a/prebuilts/api/33.0/public/vold.te
+++ b/prebuilts/api/33.0/public/vold.te
@@ -328,6 +328,7 @@
neverallow vold {
domain
-hal_health_storage_server
+ -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 46cea8e..e3869cd 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -34,8 +34,6 @@
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
-allow app_zygote properties_device:dir mounton;
-
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
diff --git a/private/artd.te b/private/artd.te
index acab397..f8e79fb 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,6 +7,7 @@
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
+add_service(artd, artd_pre_reboot_service)
allow artd dumpstate:fifo_file { getattr write };
allow artd dumpstate:fd use;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 0ad2c6b..be6f77c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -41,7 +41,7 @@
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
-neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobe_private:file { getattr read };
+neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
@@ -68,7 +68,7 @@
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index aa8a56c..595d53e 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1,3 +1,10 @@
+;; types removed from current policy
+(type racoon)
+(type racoon_exec)
+(type mtp_exec)
+(type ppp_device)
+(type ppp_exec)
+
;; mapping information from ToT policy's types to 34.0 policy's types.
(expandtypeattribute (DockObserver_service_34_0) true)
(expandtypeattribute (IProxyService_service_34_0) true)
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 583b249..1de001e 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -6,11 +6,16 @@
(typeattributeset new_objects
( new_objects
archive_service
+ artd_pre_reboot_service
+ contextual_search_service
+ dexopt_chroot_setup_service
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
fwk_vibrator_control_service
+ ecm_enhanced_confirmation_service
hal_authgraph_service
+ hal_graphics_mapper_service
hal_secretkeeper_service
hal_codec2_service
hal_macsec_service
@@ -20,19 +25,22 @@
hidraw_device
virtual_camera_service
ot_daemon_service
+ ot_daemon_socket
pm_archiving_enabled_prop
remote_auth_service
security_state_service
+ sensitive_content_protection_service
setupwizard_mode_prop
sysfs_sync_on_suspend
tv_ad_service
threadnetwork_service
device_config_aconfig_flags_prop
- proc_memhealth
virtual_device_native_service
next_boot_prop
binderfs_logs_stats
drm_forcel3_prop
proc_percpu_pagelist_high_fraction
vendor_microdroid_file
+ threadnetwork_config_prop
+ profiling_service
))
diff --git a/private/crosvm.te b/private/crosvm.te
index ed89b87..6ad3727 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -45,8 +45,14 @@
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
-# Allow crosvm to mlock guest memory.
-allow crosvm self:capability ipc_lock;
+# When running a VM as root we get spurious capability denials.
+# Suppress them.
+userdebug_or_eng(`
+ dontaudit crosvm self:capability ipc_lock;
+')
+
+# Allow crosvm to tune for performance.
+allow crosvm self:global_capability_class_set sys_nice;
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
new file mode 100644
index 0000000..f7bd17a
--- /dev/null
+++ b/private/dexopt_chroot_setup.te
@@ -0,0 +1,23 @@
+type dexopt_chroot_setup, domain, coredomain;
+type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
+type dexopt_chroot_setup_tmpfs, file_type;
+
+# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
+binder_use(dexopt_chroot_setup)
+add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
+allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
+allow dexopt_chroot_setup dumpstate:fd use;
+
+init_daemon_domain(dexopt_chroot_setup)
+
+# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
+# processes.
+tmpfs_domain(dexopt_chroot_setup)
+
+# libart (mark_compact.cc) has some intialization code that touches the cache
+# info file and userfaultfd.
+allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
+r_dir_file(dexopt_chroot_setup, apex_art_data_file)
+userfaultfd_use(dexopt_chroot_setup)
diff --git a/private/file.te b/private/file.te
index d289f43..450fe2c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -8,7 +8,7 @@
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
-type fs_bpf_uprobe_private, fs_type, bpffs_type;
+type fs_bpf_uprobestats, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -136,8 +136,9 @@
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
-# /sys/firmware/devicetree/base/avf
+# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
+type proc_dt_avf, fs_type, proc_type;
# Type for /system/fonts/font_fallback.xm
type system_font_fallback_file, system_file_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 7fbc580..cba5660 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -141,7 +141,6 @@
/dev/pmsg0 u:object_r:pmsg_device:s0
/dev/pn544 u:object_r:nfc_device:s0
/dev/port u:object_r:port_device:s0
-/dev/ppp u:object_r:ppp_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
@@ -166,7 +165,7 @@
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/ot-daemon(/.*)? u:object_r:ot_daemon_socket:s0
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
@@ -179,7 +178,6 @@
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/property_service_for_system u:object_r:property_socket:s0
-/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
@@ -319,9 +317,6 @@
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/dmesgd u:object_r:dmesgd_exec:s0
-/system/bin/mtpd u:object_r:mtp_exec:s0
-/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
@@ -657,6 +652,7 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/telephonyconfig(/.*)? u:object_r:radio_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 41c60df..e4baeee 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -8,6 +8,7 @@
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
@@ -19,7 +20,6 @@
genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /memhealth u:object_r:proc_memhealth:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
@@ -419,4 +419,4 @@
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
-genfscon bpf /uprobe_private u:object_r:fs_bpf_uprobe_private:s0
+genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
diff --git a/private/keys.conf b/private/keys.conf
index 18c1a8c..fc50ef3 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -23,6 +23,9 @@
[@NETWORK_STACK]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+[@NFC]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem
+
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index c9a9aca..fa8ffcf 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -69,4 +69,9 @@
<signer signature="@NETWORK_STACK" >
<seinfo value="network_stack" />
</signer>
+
+ <!-- NFC key in AOSP -->
+ <signer signature="@NFC" >
+ <seinfo value="nfc" />
+ </signer>
</policy>
diff --git a/private/mtp.te b/private/mtp.te
deleted file mode 100644
index 732e111..0000000
--- a/private/mtp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mtp coredomain;
-
-init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index 8be8212..6d1c10c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,9 +6,9 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
-allow netd { fs_bpf fs_bpf_netd_shared }:file write;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 01f1915..a26181f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,9 +25,9 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
-allow netutils_wrapper { fs_bpf }:file write;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For /data/misc/net access to ndc and ip
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 495947f..341fa9c 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -19,7 +19,6 @@
# /data/misc/apexdata/com\.android\.tethering
allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
allow ot_daemon apex_tethering_data_file:file create_file_perms;
-allow ot_daemon apex_tethering_data_file:sock_file {create unlink};
# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};
diff --git a/private/perfetto.te b/private/perfetto.te
index a87f2ad..aae61a6 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -40,7 +40,7 @@
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
allow perfetto { statsd mm_events shell su }:fd use;
-allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
+allow perfetto { statsd mm_events shell su system_server }:fifo_file { getattr read write ioctl };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
diff --git a/private/ppp.te b/private/ppp.te
deleted file mode 100644
index 968b221..0000000
--- a/private/ppp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute ppp coredomain;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/priv_app.te b/private/priv_app.te
index 536c9d4..f1ecfac 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -179,6 +179,9 @@
# allow privileged apps to read the device config flags.
get_prop(priv_app, device_config_aconfig_flags_prop)
+# allow privileged apps to read boot reason property
+get_prop(priv_app, system_boot_reason_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index a098d05..38e69bb 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,6 +2,7 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(crashrecovery_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index d9ee724..c5f679e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -410,6 +410,9 @@
# Boolean property used in AudioService to configure whether
# to enable head tracking for spatial audio
ro.audio.headtracking_enabled u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioPolicyManager to configure whether
+# to enable spatialization for stereo channel mask
+ro.audio.stereo_spatialization_enabled u:object_r:audio_config_prop:s0 exact bool
# Boolean property used in UsbAlsaManager to decide if only one or multiple
# USB devices can be connected to audio system at a certain time
@@ -541,6 +544,7 @@
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.leaudio_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
@@ -630,6 +634,7 @@
bluetooth.core.le.vendor_capabilities.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.sco.managed_by_audio u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.le.dsa_transport_preference u:object_r:bluetooth_config_prop:s0 exact string
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
@@ -1150,7 +1155,7 @@
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_frozen u:object_r:build_vendor_prop:s0 exact bool
-ro.llndk.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.llndk.api_level u:object_r:build_prop:s0 exact int
ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
@@ -1627,3 +1632,16 @@
# Properties for app archiving
pm.archiving.enabled u:object_r:pm_archiving_enabled_prop:s0 exact bool
+# Properties for ThreadNetworkService
+threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
+
+# Properties for crashrecovery
+crashrecovery.attempting_factory_reset u:object_r:crashrecovery_prop:s0 exact bool
+crashrecovery.attempting_reboot u:object_r:crashrecovery_prop:s0 exact bool
+crashrecovery.boot_mitigation_count u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.boot_mitigation_start u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.max_rescue_level_attempted u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.rescue_boot_count u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.rescue_boot_start u:object_r:crashrecovery_prop:s0 exact int
+persist.crashrecovery.enable_rescue u:object_r:crashrecovery_prop:s0 exact bool
+persist.crashrecovery.last_factory_reset u:object_r:crashrecovery_prop:s0 exact int
diff --git a/private/racoon.te b/private/racoon.te
deleted file mode 100644
index 42ea7c9..0000000
--- a/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 957d005..2219631 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -184,7 +184,9 @@
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+# NFC stack signed with platform cert needed for maintaining backwards comptibility for -next release config.
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=nfc seinfo=nfc domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro levelFrom=all
diff --git a/private/service.te b/private/service.te
index e97eb8c..36d6ccf 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,4 @@
+type adaptive_auth_service, system_server_service, service_manager_type;
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 5d3aaa7..82af95e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -139,6 +139,7 @@
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
+adaptive_auth u:object_r:adaptive_auth_service:s0
adb u:object_r:adb_service:s0
adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
@@ -178,6 +179,7 @@
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
artd u:object_r:artd_service:s0
+artd_pre_reboot u:object_r:artd_pre_reboot_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
@@ -213,6 +215,7 @@
content_capture u:object_r:content_capture_service:s0
content_suggestions u:object_r:content_suggestions_service:s0
contexthub u:object_r:contexthub_service:s0
+contextual_search u:object_r:contextual_search_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
cpuinfo u:object_r:cpuinfo_service:s0
@@ -228,6 +231,7 @@
device_lock u:object_r:devicelock_service:s0
device_state u:object_r:device_state_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+dexopt_chroot_setup u:object_r:dexopt_chroot_setup_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
dnsresolver u:object_r:dnsresolver_service:s0
@@ -242,6 +246,7 @@
dumpstate u:object_r:dumpstate_service:s0
dynamic_system u:object_r:dynamic_system_service:s0
econtroller u:object_r:radio_service:s0
+ecm_enhanced_confirmation u:object_r:ecm_enhanced_confirmation_service:s0
emergency_affordance u:object_r:emergency_affordance_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
@@ -353,6 +358,7 @@
pinner u:object_r:pinner_service:s0
powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
+profiling_service u:object_r:profiling_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
procstats u:object_r:procstats_service:s0
@@ -383,6 +389,7 @@
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
security_state u:object_r:security_state_service:s0
selection_toolbar u:object_r:selection_toolbar_service:s0
+sensitive_content_protection_service u:object_r:sensitive_content_protection_service:s0
sensorservice u:object_r:sensorservice_service:s0
sensor_privacy u:object_r:sensor_privacy_service:s0
serial u:object_r:serial_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index decabe1..e5ade71 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -260,9 +260,7 @@
# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)
# Allow system_server to write to statsd.
@@ -285,6 +283,7 @@
binder_call(system_server, artd)
binder_call(system_server, binderservicedomain)
binder_call(system_server, composd)
+binder_call(system_server, dexopt_chroot_setup)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
@@ -310,6 +309,7 @@
hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
+hal_client_domain(system_server, hal_bluetooth)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
@@ -578,6 +578,10 @@
allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
+# Allow system_server to exec the perfetto cmdline client and pass it a trace config
+domain_auto_trans(system_server, perfetto_exec, perfetto);
+allow system_server perfetto:fifo_file { read write };
+
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -737,6 +741,7 @@
set_prop(system_server, locale_prop)
set_prop(system_server, timezone_metadata_prop)
set_prop(system_server, timezone_prop)
+set_prop(system_server, crashrecovery_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
@@ -940,12 +945,14 @@
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
+allow system_server artd_pre_reboot_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
+allow system_server dexopt_chroot_setup_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
@@ -1139,7 +1146,6 @@
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_memhealth)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
@@ -1290,7 +1296,7 @@
# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
-neverallow system_server { domain -clatd -crash_dump }:process transition;
+neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
neverallow system_server *:process dyntransition;
# Only allow crash_dump to connect to system_ndebug_socket.
@@ -1565,3 +1571,22 @@
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)
+# ThreadNetworkService reads Thread Network properties
+get_prop(system_server, threadnetwork_config_prop)
+
+# Do not allow any domain other than init and system server to set the property
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} threadnetwork_config_prop:file no_rw_file_perms;
+
+# Allow system server to read pm.archiving.enabled prop
+# TODO(azilio): Remove system property after archiving testing is completed.
+get_prop(system_server, pm_archiving_enabled_prop)
+
+# Do not allow any domain other than init or system server to get or set the property
+neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
+neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
diff --git a/private/uprobestats.te b/private/uprobestats.te
index 78595f6..f6dd906 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -7,8 +7,8 @@
# Allow init to start uprobestats.
init_daemon_domain(uprobestats)
-allow uprobestats fs_bpf_uprobe_private:file { read write };
-allow uprobestats fs_bpf_uprobe_private:dir search;
+allow uprobestats fs_bpf_uprobestats:file { read write };
+allow uprobestats fs_bpf_uprobestats:dir search;
allow uprobestats bpfloader:bpf { map_read map_write prog_run };
allow uprobestats self:capability2 perfmon;
allow uprobestats self:perf_event { cpu open write };
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d0fe571..3aaff5b 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -83,9 +83,9 @@
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;
-# Allow virtualizationmanager to read AVF debug policy
-allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file r_file_perms;
+# Allow virtualizationmanager to read file system DT for VM reference DT and AVF debug policy
+r_dir_file(virtualizationmanager, proc_dt_avf)
+r_dir_file(virtualizationmanager, sysfs_dt_avf)
# virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
# from pVM to HAL.
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4d8ac6b..972f376 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -29,6 +29,10 @@
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
+binder_call(virtualizationservice, remote_provisioning_service)
+allow virtualizationservice remote_provisioning_service:service_manager find;
+
# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 7b05af2..0556950 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -83,8 +83,6 @@
allow webview_zygote system_data_file:lnk_file r_file_perms;
-allow webview_zygote properties_device:dir mounton;
-
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
diff --git a/public/bootanim.te b/public/bootanim.te
index 9c7a0ee..a9616b7 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -17,8 +17,7 @@
allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
+r_dir_file(bootanim, oemfs);
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index 01143f7..32c0cd8 100644
--- a/public/file.te
+++ b/public/file.te
@@ -48,7 +48,6 @@
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
-type proc_memhealth, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
@@ -539,6 +538,7 @@
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
+type ot_daemon_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 35a19de..39ba46e 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -3,6 +3,7 @@
hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_service:service_manager find;
allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
# GPU device access
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index e77ea9d..621a0b8 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -33,6 +33,7 @@
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
-hal_nlinterceptor_server
+ -hal_bluetooth_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -45,6 +46,7 @@
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_nlinterceptor_server
+ -hal_bluetooth_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index b3b26c1..dc45500 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -11,6 +11,9 @@
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
+# get aac_drc_* properties
+get_prop(mediaswcodec, aac_drc_prop)
+
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
diff --git a/public/mtp.te b/public/mtp.te
index add63c0..4f3ce9a 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,11 +1,2 @@
# vpn tunneling protocol manager
type mtp, domain;
-type mtp_exec, system_file_type, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
-allow mtp self:global_capability_class_set net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/public/ppp.te b/public/ppp.te
index b736def..29900ea 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,23 +1,2 @@
# Point to Point Protocol daemon
type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, system_file_type, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net_type)
-
-allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:global_capability_class_set net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/public/property.te b/public/property.te
index b072b5b..c513434 100644
--- a/public/property.te
+++ b/public/property.te
@@ -181,6 +181,7 @@
system_vendor_config_prop(suspend_prop)
system_vendor_config_prop(systemsound_config_prop)
system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(threadnetwork_config_prop)
system_vendor_config_prop(tombstone_config_prop)
system_vendor_config_prop(usb_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
diff --git a/public/racoon.te b/public/racoon.te
deleted file mode 100644
index b0383f0..0000000
--- a/public/racoon.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, system_file_type, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
-allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
diff --git a/public/service.te b/public/service.te
index 1c7605e..a6f854a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,6 +2,7 @@
type apc_service, service_manager_type;
type apex_service, service_manager_type;
type artd_service, service_manager_type;
+type artd_pre_reboot_service, service_manager_type;
type audioserver_service, service_manager_type, isolated_compute_allowed_service;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -10,6 +11,7 @@
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
+type dexopt_chroot_setup_service, service_manager_type;
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
@@ -38,6 +40,7 @@
type nfc_service, service_manager_type;
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
type ot_daemon_service, service_manager_type;
+type profiling_service, app_api_service, system_server_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
@@ -89,6 +92,7 @@
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type cloudsearch_service, app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type contextual_search_service, app_api_service, system_server_service, service_manager_type;
type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -118,6 +122,7 @@
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type domain_verification_service, app_api_service, system_server_service, service_manager_type;
type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type ecm_enhanced_confirmation_service, app_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -215,6 +220,7 @@
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type security_state_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sensitive_content_protection_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
@@ -302,6 +308,7 @@
type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
type hal_graphics_allocator_service, hal_service_type, service_manager_type;
type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_mapper_service, hal_service_type, service_manager_type;
type hal_health_service, protected_service, hal_service_type, service_manager_type;
type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
type hal_identity_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/vold.te b/public/vold.te
index c0fdf50..ad6ef83 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -338,6 +338,7 @@
neverallow vold {
domain
-hal_health_storage_server
+ -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index ab01745..26082cb 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -56,7 +56,16 @@
pattern: str
-Matcher = Is | Glob | Regex
+@dataclass
+class BinaryFile:
+ pass
+
+
+Matcher = Is | Glob | Regex | BinaryFile
+
+
+# predicate functions for Func matcher
+
@dataclass
class AllowPerm:
@@ -72,7 +81,13 @@
pass
-Rule = AllowPerm | ResolveType
+@dataclass
+class NotAnyOf:
+ """Rule checking if entity is not labelled as any of the given labels"""
+ labels: set[str]
+
+
+Rule = AllowPerm | ResolveType | NotAnyOf
# Helper for 'read'
@@ -89,6 +104,8 @@
return pathlib.PurePath(path).match(pattern)
case Regex(pattern):
return re.match(pattern, path)
+ case BinaryFile:
+ return path.startswith('./bin/') and not path.endswith('/')
def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
@@ -109,6 +126,9 @@
case ResolveType():
if tcontext not in pol.GetAllTypes(False):
errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
+ case NotAnyOf(labels):
+ if tcontext in labels:
+ errors.append(f"Error: {path}: can't be labelled as '{tcontext}'")
return errors
@@ -118,6 +138,8 @@
generic_rules = [
+ # binaries should be executable
+ (BinaryFile, NotAnyOf({'vendor_file'})),
# permissions
(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 3fee43d..727a023 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -102,5 +102,11 @@
self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')
+ def test_binaries(self):
+ self.assert_ok('./bin/init u:object_r:init_exec:s0')
+ self.assert_ok('./bin/hw/svc u:object_r:init_exec:s0')
+ self.assert_error('./bin/hw/svc u:object_r:vendor_file:s0',
+ r"Error: .*svc: can\'t be labelled as \'vendor_file\'")
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 7a341cb..1df8231 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -190,6 +190,7 @@
"hal_graphics_allocator_hwservice":["hwservice_manager"],
"hal_graphics_allocator_server":["binder", "service_manager"],
"hal_graphics_mapper_hwservice":["hwservice_manager"],
+ "hal_graphics_mapper_service":["service_manager"],
"hal_neuralnetworks": ["binder", "fd"],
"hal_neuralnetworks_service": ["service_manager"],
"hal_neuralnetworks_hwservice":["hwservice_manager"],
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 60e0339..5dad554 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -164,7 +164,7 @@
/(vendor|system/vendor)/lib(64)?/android\.hardware\.common-V2-ndk\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.common\.fmq-V1-ndk\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.allocator-V2-ndk\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V4-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V5-ndk\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.0\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.1\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.2\.so u:object_r:same_process_hal_file:s0