Merge "DO NOT MERGE - Merge qt-dev-plus-aosp-without-vendor (5699924) into stage-aosp-master" into stage-aosp-master

prebuilts/api/28.0/private/init.te

@@ -20,6 +20,3 @@ domain_trans(init, { rootfs toolbox_exec }, modprobe)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
 ')
-
-# Allow the BoringSSL self test to request a reboot upon failure
-set_prop(init, powerctl_prop)

prebuilts/api/29.0/private/apexd.te

@@ -50,8 +50,6 @@ allow apexd staging_data_file:file unlink;
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
 
-# allow apexd to read files from /vendor/apex
-
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 

prebuilts/api/29.0/private/app_neverallows.te

@@ -234,22 +234,73 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 # - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
   hwservice_manager_type
-  -fwk_bufferhub_hwservice
-  -hal_cas_hwservice
+  -same_process_hwservice
+  -coredomain_hwservice
   -hal_codec2_hwservice
   -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
-  -hal_graphics_mapper_hwservice
-  -hal_neuralnetworks_hwservice
   -hal_omx_hwservice
-  -hal_renderscript_hwservice
-  -hidl_allocator_hwservice
-  -hidl_manager_hwservice
-  -hidl_memory_hwservice
-  -hidl_token_hwservice
+  -hal_cas_hwservice
+  -hal_neuralnetworks_hwservice
   -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
 
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_atrace_hwservice
+  hal_audio_hwservice
+  hal_authsecret_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_confirmationui_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_input_classifier_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_power_stats_hwservice
+  hal_secure_element_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_offload_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
+  system_net_netd_hwservice
+  thermalcallback_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+  coredomain_hwservice
+  -same_process_hwservice
+  -fwk_bufferhub_hwservice # Designed for use by any domain
+  -hidl_allocator_hwservice # Designed for use by any domain
+  -hidl_manager_hwservice # Designed for use by any domain
+  -hidl_memory_hwservice # Designed for use by any domain
+  -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 
@@ -260,9 +311,10 @@ full_treble_only(`
   neverallow all_untrusted_apps {
     halserverdomain
     -coredomain
+    -hal_cas_server
+    -hal_codec2_server
     -hal_configstore_server
     -hal_graphics_allocator_server
-    -hal_cas_server
     -hal_neuralnetworks_server
     -hal_omx_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
@@ -270,8 +322,6 @@ full_treble_only(`
   }:binder { call transfer };
 ')
 
-# Untrusted apps are not allowed to find mediaextractor update service.
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769

prebuilts/api/29.0/private/atrace.te

@@ -24,7 +24,16 @@ set_prop(atrace, debug_prop)
 # atrace pokes all the binder-enabled processes at startup with a
 # SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
 
-# Allow discovery of binder services.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+
+get_prop(atrace, hwservicemanager_prop)
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
 allow atrace {
   service_manager_type
   -apex_service
@@ -40,33 +49,6 @@ allow atrace {
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
-# Allow notifying the processes hosting specific binder services that
-# trace-related system properties have changed.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-# Similarly, on debug builds, allow specific HALs to be notified that
-# trace-related system properties have changed.
-userdebug_or_eng(`
-  # List HAL interfaces.
-  allow atrace hwservicemanager:hwservice_manager list;
-  # Notify the camera HAL.
-  hal_client_domain(atrace, hal_camera)
-')
-
-# Remove logspam from notification attempts to non-whitelisted services.
-dontaudit atrace hwservice_manager_type:hwservice_manager find;
-dontaudit atrace service_manager_type:service_manager find;
-dontaudit atrace domain:binder call;
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
-get_prop(atrace, hwservicemanager_prop)
-
 userdebug_or_eng(`
   # atrace is generally invoked as a standalone binary from shell or perf
   # daemons like Perfetto traced_probes. However, in userdebug builds, there is

prebuilts/api/29.0/private/audioserver.te

@@ -39,6 +39,7 @@ allow audioserver permission_service:service_manager find;
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)

prebuilts/api/29.0/private/clatd.te

@@ -1,36 +1 @@
-# 464xlat daemon
-type clatd, domain, coredomain;
-type clatd_exec, system_file_type, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
-  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
+typeattribute clatd coredomain;

prebuilts/api/29.0/private/compat/26.0/26.0.cil

@@ -18,6 +18,7 @@
 (type vold_socket)
 (type webview_zygote_socket)
 (type rild)
+(type netd_socket)
 
 (typeattributeset accessibility_service_26_0 (accessibility_service))
 (typeattributeset account_service_26_0 (account_service))

prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil

@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))

prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil

@@ -195,7 +195,6 @@
     usbd
     usbd_exec
     usbd_tmpfs
-    vendor_apex_file
     vendor_init
     vendor_shell
     vold_metadata_file

prebuilts/api/29.0/private/compat/27.0/27.0.cil

@@ -2,12 +2,13 @@
 (type commontime_management_service)
 (type mediacodec)
 (type mediacodec_exec)
+(type netd_socket)
 (type qtaguid_proc)
 (type reboot_data_file)
-(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
+(type vold_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)

prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil

@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))

prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil

@@ -171,7 +171,6 @@
     usbd
     usbd_exec
     usbd_tmpfs
-    vendor_apex_file
     vendor_default_prop
     vendor_init
     vendor_security_patch_level_prop

prebuilts/api/29.0/private/compat/28.0/28.0.cil

@@ -9,9 +9,13 @@
 (type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mediaextractor_update_service)
 (type mtd_device)
+(type netd_socket)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
 (type untrusted_v2_app)
 (type vcs_device)
 
@@ -738,8 +742,6 @@
 (expandtypeattribute (textservices_service_28_0) true)
 (expandtypeattribute (thermalcallback_hwservice_28_0) true)
 (expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
 (expandtypeattribute (timezone_service_28_0) true)
 (expandtypeattribute (tmpfs_28_0) true)
 (expandtypeattribute (tombstoned_28_0) true)
@@ -1379,8 +1381,6 @@
   ( proc
     proc_fs_verity
     proc_keys
-    proc_kpageflags
-    proc_lowmemorykiller
     proc_pressure_cpu
     proc_pressure_io
     proc_pressure_mem
@@ -1616,12 +1616,8 @@
 (typeattributeset textservices_service_28_0 (textservices_service))
 (typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
 (typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
 (typeattributeset timezone_service_28_0 (timezone_service))
-(typeattributeset tmpfs_28_0
-  ( mnt_sdcard_file
-    tmpfs))
+(typeattributeset tmpfs_28_0 (tmpfs))
 (typeattributeset tombstoned_28_0 (tombstoned))
 (typeattributeset tombstone_data_file_28_0 (tombstone_data_file))
 (typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket))

prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil

@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))

prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil

@@ -45,7 +45,7 @@
     device_config_media_native_prop
     device_config_service
     dnsresolver_service
-    dynamic_android_service
+    dynamic_system_service
     dynamic_system_prop
     face_service
     face_vendor_data_file
@@ -106,6 +106,7 @@
     postinstall_apex_mnt_dir
     recovery_socket
     role_service
+    rollback_service
     rs
     rs_exec
     rss_hwm_reset
@@ -138,7 +139,6 @@
     traced_lazy_prop
     uri_grants_service
     use_memfd_prop
-    vendor_apex_file
     vendor_cgroup_desc_file
     vendor_idc_file
     vendor_keychars_file

prebuilts/api/29.0/private/domain.te

@@ -257,6 +257,7 @@ define(`dac_override_allowed', `{
   install_recovery
   userdebug_or_eng(`llkd')
   lmkd
+  migrate_legacy_obb_data
   netd
   perfprofd
   postinstall_dexopt

prebuilts/api/29.0/private/file_contexts

@@ -130,7 +130,6 @@
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
 /dev/socket/mtpd	u:object_r:mtpd_socket:s0
-/dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/pdx/system/buffer_hub	u:object_r:pdx_bufferhub_dir:s0
 /dev/socket/pdx/system/buffer_hub/client	u:object_r:pdx_bufferhub_client_endpoint_socket:s0
 /dev/socket/pdx/system/performance	u:object_r:pdx_performance_dir:s0
@@ -156,8 +155,8 @@
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
 /dev/socket/zygote	u:object_r:zygote_socket:s0
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
@@ -294,7 +293,6 @@
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
-/system/bin/thermalserviced      u:object_r:thermalserviced_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
@@ -328,6 +326,7 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
@@ -537,6 +536,7 @@
 
 # Face vendor data file
 /data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
 
 # Iris vendor data file
 /data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0

prebuilts/api/29.0/private/gpuservice.te

@@ -31,10 +31,6 @@ allow gpuservice adbd:unix_stream_socket { read write getattr };
 # Needed for interactive shell
 allow gpuservice devpts:chr_file { read write getattr };
 
-# Needed for dumpstate to dumpsys gpu.
-allow gpuservice dumpstate:fd use;
-allow gpuservice dumpstate:fifo_file write;
-
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development

prebuilts/api/29.0/private/heapprofd.te

@@ -50,7 +50,6 @@ userdebug_or_eng(`
   # Some dex files are not world-readable.
   # We are still constrained by the SELinux rules above.
   allow heapprofd self:global_capability_class_set dac_read_search;
-
 ')
 
 # This is going to happen on user but is benign because central heapprofd

prebuilts/api/29.0/private/incidentd.te

@@ -90,6 +90,8 @@ allow incidentd {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server

prebuilts/api/29.0/private/installd.te

@@ -17,6 +17,10 @@ domain_auto_trans(installd, profman_exec, profman)
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
 

prebuilts/api/29.0/private/logd.te

@@ -8,6 +8,7 @@ neverallow logd {
   file_type
   -runtime_event_log_tags_file
   userdebug_or_eng(`-coredump_file -misc_logd_file')
+  with_native_coverage(`-method_trace_data_file')
 }:file { create write append };
 
 # protect the event-log-tags file

prebuilts/api/29.0/private/logpersist.te

@@ -19,6 +19,10 @@ userdebug_or_eng(`
 ')
 
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow logpersist {
+  file_type
+  userdebug_or_eng(`-misc_logd_file -coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file { create write append };
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };

prebuilts/api/29.0/private/mediaserver.te

@@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+

prebuilts/api/29.0/private/migrate_legacy_obb_data.te

@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;

prebuilts/api/29.0/private/netd.te

@@ -5,9 +5,8 @@ init_daemon_domain(netd)
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
-# Allow netd to start clatd in its own domain and kill it
+# Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
 
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader

prebuilts/api/29.0/private/perfetto.te

@@ -67,8 +67,14 @@ neverallow perfetto {
   -vendor_data_file
   -zoneinfo_data_file
   -perfetto_traces_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
 neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
 neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
+neverallow perfetto {
+  data_file_type
+  -zoneinfo_data_file
+  -perfetto_traces_data_file
+  with_native_coverage(`-method_trace_data_file')
+}:file ~write;

prebuilts/api/29.0/private/priv_app.te

@@ -173,7 +173,6 @@ dontaudit priv_app net_dns_prop:file read;
 dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
-dontaudit priv_app proc_net:file read;
 dontaudit priv_app proc_stat:file read;
 dontaudit priv_app proc_version:file read;
 dontaudit priv_app sysfs:dir read;

prebuilts/api/29.0/private/property_contexts

@@ -186,8 +186,6 @@ persist.device_config.runtime_native.        u:object_r:device_config_runtime_na
 persist.device_config.runtime_native_boot.   u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.media_native.          u:object_r:device_config_media_native_prop:s0
 
-# Properties that relate to legacy server configurable flags
-
 apexd.                  u:object_r:apexd_prop:s0
 persist.apexd.          u:object_r:apexd_prop:s0
 

prebuilts/api/29.0/private/recovery_persist.te

@@ -3,4 +3,9 @@ typeattribute recovery_persist coredomain;
 init_daemon_domain(recovery_persist)
 
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist {
+  file_type
+  -recovery_data_file
+  userdebug_or_eng(`-coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file write;

prebuilts/api/29.0/private/recovery_refresh.te

@@ -3,4 +3,8 @@ typeattribute recovery_refresh coredomain;
 init_daemon_domain(recovery_refresh)
 
 # recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh {
+  file_type
+  userdebug_or_eng(`-coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file write;

prebuilts/api/29.0/private/service.te

@@ -1,6 +1,6 @@
 type ashmem_device_service,         app_api_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
-type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
+type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;

prebuilts/api/29.0/private/service_contexts

@@ -36,8 +36,8 @@ connectivity                              u:object_r:connectivity_service:s0
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
 content                                   u:object_r:content_service:s0
-content_suggestions                       u:object_r:content_suggestions_service:s0
 content_capture                           u:object_r:content_capture_service:s0
+content_suggestions                       u:object_r:content_suggestions_service:s0
 contexthub                                u:object_r:contexthub_service:s0
 country_detector                          u:object_r:country_detector_service:s0
 coverage                                  u:object_r:coverage_service:s0
@@ -60,7 +60,7 @@ dreams                                    u:object_r:dreams_service:s0
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
-dynamic_android                           u:object_r:dynamic_android_service:s0
+dynamic_system                            u:object_r:dynamic_system_service:s0
 econtroller                               u:object_r:radio_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
@@ -157,6 +157,7 @@ rcs                                       u:object_r:radio_service:s0
 recovery                                  u:object_r:recovery_service:s0
 restrictions                              u:object_r:restrictions_service:s0
 role                                      u:object_r:role_service:s0
+rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
 runtime                                   u:object_r:runtime_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0

prebuilts/api/29.0/private/statsd.te

@@ -18,6 +18,3 @@ allow statsd {
 
 # Allow incidentd to obtain the statsd incident section.
 allow statsd incidentd:fifo_file write;
-
-# Allow StatsCompanionService to pipe data to statsd.
-allow statsd system_server:fifo_file { read getattr };

prebuilts/api/29.0/private/surfaceflinger.te

@@ -15,10 +15,10 @@ read_runtime_log_tags(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
 allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.

prebuilts/api/29.0/private/system_server.te

@@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -124,7 +125,6 @@ allow system_server mediaserver:process { getsched setsched };
 allow system_server bootanim:process { getsched setsched };
 
 # Set scheduling info for psi monitor thread.
-# TODO: delete this line b/131761776
 allow system_server kernel:process { getsched setsched };
 
 # Allow system_server to write to /proc/<pid>/*
@@ -152,10 +152,6 @@ allow system_server stats_data_file:file unlink;
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
@@ -165,7 +161,6 @@ allow system_server self:tun_socket create_socket_perms_no_ioctl;
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
 unix_socket_connect(system_server, uncrypt, uncrypt)
@@ -212,6 +207,7 @@ binder_service(system_server)
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -281,6 +277,8 @@ allow system_server {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
@@ -699,7 +697,7 @@ allow system_server pstorefs:file r_file_perms;
 
 # /sys access
 allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
+allow system_server sysfs_zram:file rw_file_perms;
 
 add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
@@ -727,7 +725,6 @@ allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
-allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
@@ -904,10 +901,6 @@ userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;
 ')
 
-userdebug_or_eng(`
-  # Allow system server to notify mediaextractor of the plugin update.
-')
-
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
 allow system_server functionfs:file rw_file_perms;

prebuilts/api/29.0/private/technical_debt.cil

@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;

prebuilts/api/29.0/private/thermalserviced.te

@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-

prebuilts/api/29.0/private/traced.te

@@ -66,6 +66,7 @@ neverallow traced {
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced { system_data_file }:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
@@ -75,6 +76,7 @@ neverallow traced {
   -zoneinfo_data_file
   -perfetto_traces_data_file
   -trace_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:file ~write;
 
 # Only init is allowed to enter the traced domain via exec()

prebuilts/api/29.0/private/traced_probes.te

@@ -74,9 +74,6 @@ allow traced_probes {
 hal_client_domain(traced_probes, hal_health)
 hal_client_domain(traced_probes, hal_power_stats)
 
-# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
-hal_client_domain(traced_probes, hal_atrace)
-
 # On debug builds allow to ingest system logs into the trace.
 userdebug_or_eng(`read_logd(traced_probes)')
 
@@ -111,11 +108,17 @@ neverallow traced_probes {
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
 neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *;
+neverallow traced_probes {
+  data_file_type
+  -zoneinfo_data_file
+  -packages_list_file
+  with_native_coverage(`-method_trace_data_file')
+}:file *;
 
 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;

prebuilts/api/29.0/private/untrusted_app_25.te

@@ -26,9 +26,10 @@ untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
-# b/34115651 - net.dns* properties read
+# b/34115651, b/33308258 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
+auditallow untrusted_app_25 net_dns_prop:file read;
 
 # b/35917228 - /proc/misc access
 # This will go away in a future Android release
@@ -60,5 +61,3 @@ userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
 # ASharedMemory instead.
 allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
 auditallow untrusted_app_25 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.

prebuilts/api/29.0/private/untrusted_app_27.te

@@ -45,5 +45,3 @@ userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
 # ASharedMemory instead.
 allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
 auditallow untrusted_app_27 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.

prebuilts/api/29.0/public/adbd.te

@@ -6,6 +6,3 @@ type adbd_exec, exec_type, file_type, system_file_type;
 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;
 neverallow * adbd:process dyntransition;
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)

prebuilts/api/29.0/public/attributes

@@ -252,6 +252,7 @@ hal_attribute(bufferhub);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant);
 
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;

prebuilts/api/29.0/public/bufferhubd.te

@@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+

prebuilts/api/29.0/public/cameraserver.te

@@ -18,6 +18,7 @@ allow cameraserver ion_device:chr_file rw_file_perms;
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
 
 allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
@@ -27,6 +28,7 @@ allow cameraserver cameraproxy_service:service_manager find;
 allow cameraserver mediaserver_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
 allow cameraserver hidl_token_hwservice:hwservice_manager find;
@@ -60,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 

prebuilts/api/29.0/public/clatd.te

@@ -0,0 +1,36 @@
+# 464xlat daemon
+type clatd, domain;
+type clatd_exec, system_file_type, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:global_capability_class_set ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;

prebuilts/api/29.0/public/domain.te

@@ -51,6 +51,12 @@ userdebug_or_eng(`
   allow domain coredump_file:dir ra_dir_perms;
 ')
 
+with_native_coverage(`
+  # Allow writing coverage information to /data/misc/trace
+  allow domain method_trace_data_file:dir create_dir_perms;
+  allow domain method_trace_data_file:file create_file_perms;
+')
+
 # Root fs.
 allow domain tmpfs:dir { getattr search };
 allow domain rootfs:dir search;
@@ -743,6 +749,16 @@ full_treble_only(`
   });
 ')
 
+  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -netdomain
+    -socket_between_core_and_vendor_violators
+  }, netd);
+')
+
   # Vendor domains are not permitted to initiate create/open sockets owned by core domains
 full_treble_only(`
   neverallow {
@@ -842,6 +858,7 @@ full_treble_only(`
     # These functions are considered vndk-stable and thus must be allowed for
     # all processes.
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
     vendor_init
@@ -850,6 +867,7 @@ full_treble_only(`
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
@@ -868,6 +886,7 @@ full_treble_only(`
     -system_data_file # default label for files on /data. Covered below...
     -vendor_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:dir *;
   neverallow {
     vendor_init
@@ -878,6 +897,7 @@ full_treble_only(`
     -system_data_file
     -vendor_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:dir *;
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
@@ -1053,8 +1073,8 @@ neverallow {
   -system_server
 
   # Processes that can't exec crash_dump
+  -hal_codec2_server
   -hal_omx_server
-  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1384,6 +1404,7 @@ full_treble_only(`
 
 neverallow {
   domain
-  -mediaswcodec_server
+  -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
+

prebuilts/api/29.0/public/dumpstate.te

@@ -78,7 +78,9 @@ allow dumpstate {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_drm_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server

prebuilts/api/29.0/public/file.te

@@ -286,7 +286,6 @@ type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 # /data/app-staging
 type staging_data_file, file_type, data_file_type, core_data_file_type;
-# /vendor/apex
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -415,7 +414,6 @@ type mdns_socket, file_type, coredomain_socket;
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
 type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
-type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type recovery_socket, file_type, coredomain_socket;

prebuilts/api/29.0/public/hal_codec2.te

@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+

prebuilts/api/29.0/public/hal_configstore.te

@@ -42,6 +42,7 @@ neverallow hal_configstore_server {
   -anr_data_file # for crash dump collection
   -tombstone_data_file # for crash dump collection
   -zoneinfo_data_file # granted to domain
+  with_native_coverage(`-method_trace_data_file')
 }:{ file fifo_file sock_file } *;
 
 # Should never need sdcard access

prebuilts/api/29.0/public/hal_omx.te

@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
@@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)

prebuilts/api/29.0/public/healthd.te

@@ -46,6 +46,7 @@ allow healthd input_device:dir r_dir_perms;
 allow healthd input_device:chr_file r_file_perms;
 allow healthd tty_device:chr_file rw_file_perms;
 allow healthd ashmem_device:chr_file execute;
+allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 
 # Healthd needs to tell init to continue the boot

prebuilts/api/29.0/public/init.te

@@ -46,10 +46,6 @@ allow init {
   userdata_block_device
 }:{ blk_file lnk_file } relabelto;
 
-allow init super_block_device:lnk_file relabelto;
-
-# Create /mnt/sdcard -> /storage/self/primary symlink.
-
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
@@ -402,6 +398,7 @@ allow init {
   sysfs_power
   sysfs_vibrator
   sysfs_wake_lock
+  sysfs_zram
 }:file setattr;
 
 # Set usermodehelpers.
@@ -485,7 +482,6 @@ allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
 allow init self:global_capability_class_set net_raw;
 
 # Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
 allow init kernel:process { getsched setsched };
 
 # swapon() needs write access to swap device

prebuilts/api/29.0/public/installd.te

@@ -67,8 +67,8 @@ allow installd media_rw_data_file:dir relabelto;
 # Delete /data/media files through sdcardfs, instead of going behind its back
 allow installd tmpfs:dir r_dir_perms;
 allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
 
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;

prebuilts/api/29.0/public/kernel.te

@@ -85,10 +85,8 @@ allow kernel vold_data_file:file { read write };
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
-allow kernel {
-  apex_data_file
-  staging_data_file
-}:file read;
+allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
@@ -105,6 +103,9 @@ recovery_only(`
   allow kernel rootfs:file execute;
 ')
 
+# required by VTS lidbm unit test
+allow kernel appdomain_tmpfs:file read;
+
 ###
 ### neverallow rules
 ###

prebuilts/api/29.0/public/lmkd.te

@@ -23,7 +23,6 @@ allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
 # setsched and send kill signals
 allow lmkd appdomain:process { setsched sigkill };
-# TODO: delete this line b/131761776
 allow lmkd kernel:process { setsched };
 
 # Clean up old cgroups
@@ -48,8 +47,6 @@ allow lmkd domain:file { open read };
 # reboot because orderly shutdown may not be possible.
 allow lmkd proc_sysrq:file rw_file_perms;
 
-# Read /proc/lowmemorykiller
-
 # Read /proc/meminfo
 allow lmkd proc_meminfo:file r_file_perms;
 

prebuilts/api/29.0/public/mediaextractor.te

@@ -39,14 +39,6 @@ allow mediaextractor system_file:dir { read open };
 
 get_prop(mediaextractor, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  # Allow extractor to add update service.
-
-  # Allow extractor to load media extractor plugins from update apk.
-  allow mediaextractor apk_data_file:dir search;
-  allow mediaextractor apk_data_file:file { execute open };
-')
-
 ###
 ### neverallow rules
 ###
@@ -74,4 +66,5 @@ neverallow mediaextractor {
   data_file_type
   -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
   userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+  with_native_coverage(`-method_trace_data_file')
 }:file open;

prebuilts/api/29.0/public/mediaserver.te

@@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access

prebuilts/api/29.0/public/mediaswcodec.te

@@ -1,18 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  binder_use(mediaswcodec)
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
 
-  # Allow mediaswcodec to load libs from update apk.
-  allow mediaswcodec apk_data_file:file { open read execute getattr map };
-  allow mediaswcodec apk_data_file:dir { search getattr };
-')

prebuilts/api/29.0/public/netd.te

@@ -81,6 +81,9 @@ allow netd system_file:file lock;
 # Allow netd to spawn dnsmasq in it's own domain
 allow netd dnsmasq:process signal;
 
+# Allow netd to start clatd in its own domain
+allow netd clatd:process signal;
+
 set_prop(netd, ctl_mdnsd_prop)
 set_prop(netd, netd_stable_secret_prop)
 

prebuilts/api/29.0/public/property_contexts

@@ -62,6 +62,7 @@ dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -100,6 +101,7 @@ ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
 ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
 ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
 ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -138,6 +140,9 @@ ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
@@ -274,7 +279,6 @@ ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
 ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
 ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
 ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
 ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
 ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
 ro.carrier u:object_r:exported_default_prop:s0 exact string
@@ -386,3 +390,7 @@ ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 exa
 ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool

prebuilts/api/29.0/public/recovery.te

@@ -138,10 +138,6 @@ recovery_only(`
   # This line seems suspect, as it should not really need to
   # set scheduling parameters for a kernel domain task.
   allow recovery kernel:process setsched;
-
-  # These are needed to update dynamic partitions in recovery.
-  r_dir_file(recovery, sysfs_dm)
-  allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
 ')
 
 ###
@@ -162,9 +158,11 @@ neverallow recovery {
    data_file_type
    -cache_file
    -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
 }:file { no_w_file_perms no_x_file_perms };
 neverallow recovery {
    data_file_type
    -cache_file
    -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir no_w_dir_perms;

prebuilts/api/29.0/public/service.te

@@ -20,7 +20,6 @@ type lpdump_service,            service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
-type mediaextractor_update_service, service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
@@ -32,7 +31,6 @@ type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
 type system_suspend_control_service, service_manager_type;
-type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
@@ -68,8 +66,8 @@ type companion_device_service, app_api_service, ephemeral_app_api_service, syste
 type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -143,6 +141,7 @@ type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
 type runtime_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
@@ -164,6 +163,7 @@ type testharness_service, system_server_service, service_manager_type;
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;

prebuilts/api/29.0/public/swcodec_service_server.te

@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;

prebuilts/api/29.0/public/te_macros

@@ -509,6 +509,12 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
 #
 define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
 
+#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
 #####################################
 # Build-time-only test
 # SELinux rules which are verified during build, but not as part of *TS testing.

prebuilts/api/29.0/public/thermalserviced.te

@@ -1,14 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, system_file_type, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
-
-binder_call(thermalserviced, platform_app)
-binder_call(thermalserviced, system_server)

private/app_neverallows.te

@@ -260,9 +260,10 @@ full_treble_only(`
   neverallow all_untrusted_apps {
     halserverdomain
     -coredomain
+    -hal_cas_server
+    -hal_codec2_server
     -hal_configstore_server
     -hal_graphics_allocator_server
-    -hal_cas_server
     -hal_neuralnetworks_server
     -hal_omx_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
@@ -270,9 +271,6 @@ full_treble_only(`
   }:binder { call transfer };
 ')
 
-# Untrusted apps are not allowed to find mediaextractor update service.
-neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769

private/audioserver.te

@@ -39,6 +39,7 @@ allow audioserver permission_service:service_manager find;
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)

private/compat/27.0/27.0.cil

@@ -5,10 +5,10 @@
 (type netd_socket)
 (type qtaguid_proc)
 (type reboot_data_file)
-(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
+(type vold_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)

private/compat/28.0/28.0.cil

@@ -9,10 +9,13 @@
 (type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mediaextractor_update_service)
 (type mtd_device)
 (type netd_socket)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
 (type untrusted_v2_app)
 (type vcs_device)
 
@@ -739,8 +742,6 @@
 (expandtypeattribute (textservices_service_28_0) true)
 (expandtypeattribute (thermalcallback_hwservice_28_0) true)
 (expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
 (expandtypeattribute (timezone_service_28_0) true)
 (expandtypeattribute (tmpfs_28_0) true)
 (expandtypeattribute (tombstoned_28_0) true)
@@ -1617,8 +1618,6 @@
 (typeattributeset textservices_service_28_0 (textservices_service))
 (typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
 (typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
 (typeattributeset timezone_service_28_0 (timezone_service))
 (typeattributeset tmpfs_28_0
   ( mnt_sdcard_file

private/compat/28.0/28.0.ignore.cil

@@ -47,7 +47,7 @@
     device_config_service
     device_config_sys_traced_prop
     dnsresolver_service
-    dynamic_android_service
+    dynamic_system_service
     dynamic_system_prop
     face_service
     face_vendor_data_file
@@ -108,6 +108,7 @@
     postinstall_apex_mnt_dir
     recovery_socket
     role_service
+    rollback_service
     rs
     rs_exec
     rss_hwm_reset

private/domain.te

@@ -257,6 +257,7 @@ define(`dac_override_allowed', `{
   install_recovery
   userdebug_or_eng(`llkd')
   lmkd
+  migrate_legacy_obb_data
   netd
   perfprofd
   postinstall_dexopt

private/file_contexts

@@ -155,8 +155,8 @@
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
 /dev/socket/zygote	u:object_r:zygote_socket:s0
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
@@ -294,7 +294,6 @@
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
-/system/bin/thermalserviced      u:object_r:thermalserviced_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
@@ -328,6 +327,7 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
@@ -538,6 +538,7 @@
 
 # Face vendor data file
 /data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
 
 # Iris vendor data file
 /data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0

private/incidentd.te

@@ -97,6 +97,7 @@ allow incidentd {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server

private/installd.te

@@ -17,6 +17,10 @@ domain_auto_trans(installd, profman_exec, profman)
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
 

private/mediaserver.te

@@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+

private/migrate_legacy_obb_data.te

@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;

private/service.te

@@ -1,6 +1,6 @@
 type ashmem_device_service,         app_api_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
-type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
+type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;

private/service_contexts

@@ -36,8 +36,8 @@ connectivity                              u:object_r:connectivity_service:s0
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
 content                                   u:object_r:content_service:s0
-content_suggestions                       u:object_r:content_suggestions_service:s0
 content_capture                           u:object_r:content_capture_service:s0
+content_suggestions                       u:object_r:content_suggestions_service:s0
 contexthub                                u:object_r:contexthub_service:s0
 country_detector                          u:object_r:country_detector_service:s0
 coverage                                  u:object_r:coverage_service:s0
@@ -60,7 +60,7 @@ dreams                                    u:object_r:dreams_service:s0
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
-dynamic_android                           u:object_r:dynamic_android_service:s0
+dynamic_system                            u:object_r:dynamic_system_service:s0
 econtroller                               u:object_r:radio_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
@@ -112,9 +112,7 @@ media.log                                 u:object_r:audioserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
 media.metrics                             u:object_r:mediametrics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
-media.extractor.update                    u:object_r:mediaextractor_update_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
-media.codec.update                        u:object_r:mediaextractor_update_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0
@@ -159,6 +157,7 @@ rcs                                       u:object_r:radio_service:s0
 recovery                                  u:object_r:recovery_service:s0
 restrictions                              u:object_r:restrictions_service:s0
 role                                      u:object_r:role_service:s0
+rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
 runtime                                   u:object_r:runtime_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0

private/surfaceflinger.te

@@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)

private/system_server.te

@@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -152,10 +153,6 @@ allow system_server stats_data_file:file unlink;
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
@@ -211,6 +208,7 @@ binder_service(system_server)
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -280,6 +278,7 @@ allow system_server {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
@@ -702,7 +701,7 @@ allow system_server pstorefs:file r_file_perms;
 
 # /sys access
 allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
+allow system_server sysfs_zram:file rw_file_perms;
 
 add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
@@ -730,7 +729,6 @@ allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
-allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
@@ -907,11 +905,6 @@ userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;
 ')
 
-userdebug_or_eng(`
-  # Allow system server to notify mediaextractor of the plugin update.
-  allow system_server mediaextractor_update_service:service_manager find;
-')
-
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
 allow system_server functionfs:file rw_file_perms;

private/technical_debt.cil

@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;

private/thermalserviced.te

@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-

public/attributes

@@ -252,6 +252,7 @@ hal_attribute(bufferhub);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -306,7 +307,6 @@ hal_attribute(wifi_supplicant);
 attribute ashmem_server;
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;

public/bufferhubd.te

@@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+

public/cameraserver.te

@@ -18,6 +18,7 @@ allow cameraserver ion_device:chr_file rw_file_perms;
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
 
 allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
@@ -27,6 +28,7 @@ allow cameraserver cameraproxy_service:service_manager find;
 allow cameraserver mediaserver_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
 allow cameraserver hidl_token_hwservice:hwservice_manager find;
@@ -60,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 

public/domain.te

@@ -1069,8 +1069,8 @@ neverallow {
   -system_server
 
   # Processes that can't exec crash_dump
+  -hal_codec2_server
   -hal_omx_server
-  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1400,13 +1400,7 @@ full_treble_only(`
 
 neverallow {
   domain
-  -mediaswcodec_server
+  -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 
-neverallow {
-  domain
-  userdebug_or_eng(`-mediaextractor')
-  userdebug_or_eng(`-mediaswcodec')
-} mediaextractor_update_service:service_manager add;
-

public/dumpstate.te

@@ -78,6 +78,7 @@ allow dumpstate {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_drm_server
   hal_face_server
   hal_graphics_allocator_server

public/hal_codec2.te

@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+

public/hal_omx.te

@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
@@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)

public/init.te

@@ -405,6 +405,7 @@ allow init {
   sysfs_power
   sysfs_vibrator
   sysfs_wake_lock
+  sysfs_zram
 }:file setattr;
 
 # Set usermodehelpers.

public/installd.te

@@ -67,8 +67,8 @@ allow installd media_rw_data_file:dir relabelto;
 # Delete /data/media files through sdcardfs, instead of going behind its back
 allow installd tmpfs:dir r_dir_perms;
 allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
 
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;

public/mediaextractor.te

@@ -39,15 +39,6 @@ allow mediaextractor system_file:dir { read open };
 
 get_prop(mediaextractor, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  # Allow extractor to add update service.
-  allow mediaextractor mediaextractor_update_service:service_manager { find add };
-
-  # Allow extractor to load media extractor plugins from update apk.
-  allow mediaextractor apk_data_file:dir search;
-  allow mediaextractor apk_data_file:file { execute open };
-')
-
 ###
 ### neverallow rules
 ###

public/mediaserver.te

@@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access

public/mediaswcodec.te

@@ -1,20 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  binder_use(mediaswcodec)
-  # Add mediaextractor_update_service service
-  allow mediaswcodec mediaextractor_update_service:service_manager { find add };
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
 
-  # Allow mediaswcodec to load libs from update apk.
-  allow mediaswcodec apk_data_file:file { open read execute getattr map };
-  allow mediaswcodec apk_data_file:dir { search getattr };
-')

public/property_contexts

@@ -62,6 +62,7 @@ dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -100,6 +101,7 @@ ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
 ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
 ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
 ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -136,6 +138,9 @@ ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
@@ -384,3 +389,7 @@ ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 exa
 ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool

public/service.te

@@ -20,7 +20,6 @@ type lpdump_service,            service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
-type mediaextractor_update_service, service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
@@ -32,7 +31,6 @@ type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
 type system_suspend_control_service, service_manager_type;
-type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
@@ -68,8 +66,8 @@ type companion_device_service, app_api_service, ephemeral_app_api_service, syste
 type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -143,6 +141,7 @@ type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
 type runtime_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
@@ -164,6 +163,7 @@ type testharness_service, system_server_service, service_manager_type;
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;

public/swcodec_service_server.te

@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;