diff --git a/Android.mk b/Android.mk
index 8c9802cf8f82fe8268e2fd573028607c2dda70d3..e5b244b510e111f000459a461675681ec9a6f0ba 100644
--- a/Android.mk
+++ b/Android.mk
@@ -190,6 +190,7 @@ ifeq ($(PRODUCT_FULL_TREBLE),true)
 # Use split SELinux policy
 LOCAL_REQUIRED_MODULES += \
     $(platform_mapping_file) \
+    26.0.cil \
     nonplat_sepolicy.cil \
     plat_sepolicy.cil \
     plat_and_mapping_sepolicy.cil.sha256 \
@@ -378,6 +379,16 @@ current_mapping.cil :=
 #################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := 26.0.cil
+LOCAL_SRC_FILES := private/compat/26.0/26.0.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
+
+include $(BUILD_PREBUILT)
+#################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
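Review bot: The new `26.0.cil` prebuilt block (`LOCAL_MODULE := 26.0.cil` … `include $(BUILD_PREBUILT)`) carries no comment saying what the module is, so a reader has to infer it from the source path `private/compat/26.0/26.0.cil` and the install path `$(TARGET_OUT)/etc/selinux/mapping`. A one-line header above `LOCAL_MODULE := 26.0.cil` such as `# 26.0 compatibility mapping, installed under etc/selinux/mapping` would record that. The only consumer added in the first hunk (`26.0.cil` in `LOCAL_REQUIRED_MODULES`) sits inside `ifeq ($(PRODUCT_FULL_TREBLE),true)` while this module definition is unconditional; if that is deliberate the comment should say so. The `LOCAL_REQUIRED_MODULES` list in the first hunk continues outside that hunk.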
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 046394e0d5ea54e81c52ca7a9e21849241f82565..65fd9c73a474c66345d2746eb53dd5e9d2fb8837 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -3,108 +3,12 @@
 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };
 allow domain_deprecated system_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -sdcardd
-  -system_server
-  -tee
-} system_data_file:file { getattr read };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -system_server
-  -tee
-} system_data_file:lnk_file r_file_perms;
-')
 
 # Read apk files under /data/app.
 allow domain_deprecated apk_data_file:dir { getattr search };
 allow domain_deprecated apk_data_file:file r_file_perms;
 allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:dir { getattr search };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:lnk_file r_file_perms;
-')
 
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -sdcardd
-  -system_server
-  -update_engine
-  -vold
-} proc:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -system_server
-  -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-')
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index de5c53c479963b0066d01382e7ad3d8420bf2067..872892b7beebd5ca0779b719f1204f4d688c6647 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -19,6 +19,10 @@ app_domain(ephemeral_app)
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
@@ -35,8 +39,7 @@ allow ephemeral_app ephemeral_app_api_service:service_manager find;
 ### neverallow rules
 ###
 
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
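Review bot: The neverallow on the first changed line of this hunk lost its explanatory comment at the same time its scope shrank from `{ execute execute_no_trans }` to `execute_no_trans`, so the file no longer records why half of the old rule was dropped. With the first hunk now granting `execute` on `app_data_file`, this neverallow is the remaining guard and should state what it still forbids. Proposed comment above it: `# Ephemeral apps may map app-written libraries/binaries (execute, see the allow above), but must never run them as a program without a domain transition (execute_no_trans).`. The `neverallow rules` section continues beyond the hunk.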
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dc7e3893bf4b57438a74f6b3b7cb35e8c22ac207..a97fc70552313b4c51a14a48a444978d87b9e05b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -105,7 +105,6 @@ user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/system_server.te b/private/system_server.te
index a46272ad6be7a9fc8fa6fb82507a50b6a7e99451..40c5382d5fdced60591ae3adc126d8cfae1aeb3f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -493,6 +493,7 @@ set_prop(system_server, firstboot_prop)
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
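Review bot: The added `lnk_file` rule covers only `cache_file`, whereas the three neighbouring rules under `# Manage cache files.` cover `{ cache_file cache_recovery_file }`, and the asymmetry is not explained. If symlinks under cache_recovery_file also need to be readable the line should be `allow system_server { cache_file cache_recovery_file }:lnk_file r_file_perms;`; if the narrower grant is intentional, a short comment such as `# symlink read is needed only under cache_file` would keep a later edit from widening it. The rule group continues past the end of the hunk.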
diff --git a/public/attributes b/public/attributes
index d384efd8d8b33c9eaf7e5b0491bd101dc2125e27..fa8a6a693b124821d86be4593e22fd2b60ac4c69 100644
--- a/public/attributes
+++ b/public/attributes
@@ -243,13 +243,13 @@ expandattribute hal_drm false;
 attribute hal_drm_client;
 expandattribute hal_drm_client true;
 attribute hal_drm_server;
-expandattribute hal_drm_server true;
+expandattribute hal_drm_server false;
 attribute hal_cas;
-expandattribute hal_cas true;
+expandattribute hal_cas false;
 attribute hal_cas_client;
 expandattribute hal_cas_client true;
 attribute hal_cas_server;
-expandattribute hal_cas_server true;
+expandattribute hal_cas_server false;
 attribute hal_dumpstate;
 expandattribute hal_dumpstate true;
 attribute hal_dumpstate_client;
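Review bot: The three `expandattribute … false` flips carry no comment on why `hal_drm_server`, `hal_cas` and `hal_cas_server` must now remain as attributes in the compiled policy while their `_client` counterparts still expand. The context line `expandattribute hal_drm false;` in the hunk header suggests they are being aligned with `hal_drm`, but the file does not say so, and a later reader has no way to tell whether flipping them back is safe. A one-line rationale above the group, e.g. `# Keep the DRM/CAS server-side attributes unexpanded, as for hal_drm: <reason — to be filled in by the author>`, would make the exception auditable. The attribute list continues beyond the hunk.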
diff --git a/public/te_macros b/public/te_macros
index e8c667d41944f71608763161108a8f799bf9a434..cac977b1ccea130a5cdac4a6d9c552b3928ccf29 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -459,6 +459,12 @@ define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
 
+#####################################
+# User builds
+# SELinux rules which apply only to user builds
+#
+define(`userbuild', ifelse(target_build_variant, `user', $1, ))
+
 #####################################
 # asan builds
 # SELinux rules which apply only to asan builds
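Review bot: The new `userbuild` macro's header does not state the consequence that follows directly from its definition `ifelse(target_build_variant, `user', $1, )`: anything wrapped in it is absent from userdebug and eng policy, so such rules can only be observed on a user build. Suggest extending the comment to `# SELinux rules which apply only to user builds. Rules wrapped here are not present on userdebug/eng, so they cannot be exercised on those builds.`. The name `userbuild` also breaks the snake_case pattern of the neighbouring `userdebug_or_eng` and `not_full_treble`; `user_build` would be consistent, though renaming is optional.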
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index 1754fc7e6b712d2fb1e4ec72a547b01a4bc1899f..25408a3176a14dabfaa4a8b7c3213ac6bad40275 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -10,6 +10,6 @@ LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c boole
 LOCAL_STATIC_LIBRARIES := libsepol
 LOCAL_CXX_STL := none
 
-LOCAL_COMPATIBILITY_SUITE := cts gts
+LOCAL_COMPATIBILITY_SUITE := cts gts vts
 
 include $(BUILD_HOST_EXECUTABLE)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 7fd8f85617637a6b5f3e186fb78b74bae2dbc525..1bde858cd0d7bdb6e68925dbef65a76164fad266 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -6,5 +6,11 @@ init_daemon_domain(hal_sensors_default)
 
 allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
 
+# Allow sensor hals to access and use gralloc memory allocated by
+# android.hardware.graphics.allocator
 allow hal_sensors_default hal_graphics_allocator_default:fd use;
 allow hal_sensors_default ion_device:chr_file r_file_perms;
+
+# allow sensor hal to use lock for keeping system awake for wake up
+# events delivery.
+wakelock_use(hal_sensors_default);
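Review bot: `wakelock_use(hal_sensors_default);` ends with a semicolon while the other macro invocation in this file, `init_daemon_domain(hal_sensors_default)` in the hunk header, does not; if the macro expands to complete statements the trailing `;` is a stray token in the generated policy, and either way the file should use one form. Suggest `wakelock_use(hal_sensors_default)`.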