diff --git a/audio/common.mk b/audio/common.mk
index edf7b6a..a691f0a 100644
--- a/audio/common.mk
+++ b/audio/common.mk
@@ -3,8 +3,15 @@ BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/common
#Audio Vendor libraries
PRODUCT_PACKAGES += \
libfvsam_prm_parser \
- libmahalcontroller \
+ libmahalcontroller
+
+ifeq ($(USE_MAM_V4_ABOVE),true)
+PRODUCT_PACKAGES += \
+ libMAM_Google_Pixel_Android
+else
+PRODUCT_PACKAGES += \
libAlgFx_HiFi3z
+endif
ifneq ($(USE_AUDIO_HAL_AIDL),true)
## AudioHAL Configurations
diff --git a/battery_mitigation/sepolicy/vendor/dumpstate.te b/battery_mitigation/sepolicy/vendor/dumpstate.te
index 8248254..bb84ff2 100644
--- a/battery_mitigation/sepolicy/vendor/dumpstate.te
+++ b/battery_mitigation/sepolicy/vendor/dumpstate.te
@@ -8,6 +8,7 @@ allow hal_dumpstate_default sysfs_cpu:file { read open getattr };
allow hal_dumpstate_default sysfs_batteryinfo:dir { read open search };
allow hal_dumpstate_default sysfs_batteryinfo:file { read open getattr };
allow hal_dumpstate_default logbuffer_device:chr_file { read open getattr };
+allow hal_dumpstate_default mitigation_vendor_data_file:file { read open getattr };
allow hal_dumpstate_default mitigation_vendor_data_file:dir { search };
allow hal_dumpstate_default sysfs_bcl:dir { read open search };
allow hal_dumpstate_default sysfs_bcl:file { read open getattr };
diff --git a/bootctrl/aidl/BootControl.cpp b/bootctrl/aidl/BootControl.cpp
index 83deb72..8655929 100644
--- a/bootctrl/aidl/BootControl.cpp
+++ b/bootctrl/aidl/BootControl.cpp
@@ -384,7 +384,7 @@ ScopedAStatus BootControl::isSlotMarkedSuccessful(int32_t in_slot, bool* _aidl_r
*_aidl_return = true;
return ScopedAStatus::ok();
}
- if (in_slot >= slots)
+ if (in_slot < 0 || in_slot >= slots)
return ScopedAStatus::fromServiceSpecificErrorWithMessage(
INVALID_SLOT, (std::string("Invalid slot ") + std::to_string(in_slot)).c_str());
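Review bot: The new `in_slot < 0` guard is added only to isSlotMarkedSuccessful, so any other BootControl method that still checks just `in_slot >= slots` would keep accepting a negative slot from a binder caller. Those methods are outside this hunk, so this is an inference to confirm against the full file. If the pattern repeats, a small shared helper such as `static bool isValidSlot(int32_t slot, int32_t slots) { return slot >= 0 && slot < slots; }` would keep the checks consistent. The body of isSlotMarkedSuccessful starts and ends outside the hunk.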
diff --git a/check_current_prebuilt/check_current_prebuilt.mk b/check_current_prebuilt/check_current_prebuilt.mk
new file mode 100644
index 0000000..72e359f
--- /dev/null
+++ b/check_current_prebuilt/check_current_prebuilt.mk
@@ -0,0 +1,27 @@
+# Create symlink for bootloader
+$(shell rm -f "pixel_current_bootloader")
+ifdef BOOTLOADER_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_FILE_PATH} "pixel_current_bootloader")
+else ifdef BOOTLOADER_RADIO_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_RADIO_FILE_PATH} "pixel_current_bootloader")
+endif
+
+# Create symlink for kernel
+$(shell rm -f "pixel_current_kernel")
+ifdef TARGET_KERNEL_DIR
+$(shell ln -sf ${TARGET_KERNEL_DIR} "pixel_current_kernel")
+endif
+
+# Create symlink for radio
+$(shell rm -f "pixel_current_radio")
+ifdef RADIO_FILE_PATH
+$(shell ln -sf ${RADIO_FILE_PATH} "pixel_current_radio")
+else ifdef BOOTLOADER_RADIO_FILE_PATH
+$(shell ln -sf ${BOOTLOADER_RADIO_FILE_PATH} "pixel_current_radio")
+endif
+
+# Create symlink for radiocfg
+$(shell rm -f "pixel_current_radiocfg")
+ifdef SRC_MDM_CFG_DIR
+$(shell ln -sf ${SRC_MDM_CFG_DIR} "pixel_current_radiocfg")
+endif
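Review bot: The path variables are expanded unquoted inside the `$(shell ln -sf ...)` calls, so a value containing whitespace or shell metacharacters is split or interpreted by the shell while the makefile is being parsed. Quote the source operand and use `-n` so an existing link to a directory is replaced rather than followed, e.g. `$(shell ln -sfn "$(BOOTLOADER_FILE_PATH)" "pixel_current_bootloader")`. The same applies to the kernel, radio and radiocfg blocks. These commands run on every parse and write relative to the current working directory, presumably the source tree root. A header comment such as `# Parse-time side effect: refreshes pixel_current_* symlinks in the tree root for the prebuilt checker` would make that intent explicit.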
diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index 188d9f9..c1cf0e0 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
@@ -20,4 +20,76 @@ PRODUCT_PACKAGES_DEBUG += citadel_integration_tests \
nugget_targeted_tests \
CitadelProvision \
nugget_aidl_test_weaver
+
+# Assign default value for RELEASE_GOOGLE_DAUNTLESS_DIR if no trunk flags support
+RELEASE_GOOGLE_DAUNTLESS_DIR ?= vendor/google_nos/prebuilts/dauntless
+
+# The production Dauntless firmware will be of flavors evt and d3m2.
+# There are also several flavors of pre-release chips. Each flavor
+# (production and pre-release) requires the firmware to be signed differently.
+DAUNTLESS_FIRMWARE_SIZE := 1048576
+
+# The nearly-production Dauntless chips are "proto1.1"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin))
+$(error GSC firmware size check fail)
endif
+PRODUCT_COPY_FILES += \
+ $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/proto11.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# The production Dauntless chips are "evt"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin))
+$(error GSC firmware size check fail)
+endif
+PRODUCT_COPY_FILES += \
+ $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/evt.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# New 2023 production Dauntless chips are "d3m2"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin))
+$(error GSC firmware size check fail)
+endif
+PRODUCT_COPY_FILES += \
+ $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/d3m2.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# Intermediate image artifacts are published, but aren't included in /vendor/firmware/dauntless
+# in PRODUCT_COPY_FILES
+# This is because intermediate images aren't needed on user devices, but the published artifact
+# is useful for flashstation purposes.
+
+# proto11 chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin)
+endif
+# evt chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin)
+endif
+# d3m2 chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin)
+endif
+
+endif # $(wildcard vendor)
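Review bot: The three intermediate-image blocks hard-code `vendor/google_nos/prebuilts/dauntless/intermediate_images/...`, while the proto11/evt/d3m2 blocks read from `$(RELEASE_GOOGLE_DAUNTLESS_DIR)`. A release configuration that overrides the directory therefore still publishes intermediate images from the default location. If they are meant to follow the release flag, use `$(RELEASE_GOOGLE_DAUNTLESS_DIR)/intermediate_images/proto11_intermediate.ec.bin` and likewise for evt and d3m2; otherwise add a comment saying the fixed path is deliberate. The size comparison only catches a truncated or padded file, not a wrong or modified image, and every failure prints the same text, so naming the file helps triage: `$(error GSC firmware size check failed for $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin)`. The final `endif # $(wildcard vendor)` closes a conditional opened outside this hunk, and "newever" in the three intermediate-image comments should read "newer".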
diff --git a/display/dump_display.cpp b/display/dump_display.cpp
index b811889..2df6b4b 100644
--- a/display/dump_display.cpp
+++ b/display/dump_display.cpp
@@ -25,6 +25,6 @@ int main() {
dumpFileContent("Primary panel name", "/sys/devices/platform/exynos-drm/primary-panel/panel_name");
dumpFileContent("Primary panel extra info", "/sys/devices/platform/exynos-drm/primary-panel/panel_extinfo");
dumpFileContent("Primary panel power Vreg", "/sys/devices/platform/exynos-drm/primary-panel/panel_pwr_vreg");
+ dumpFileContent("Primary panel power mode register", "/sys/devices/platform/exynos-drm/primary-panel/power_mode");
return 0;
-}
-
+}
\ No newline at end of file
diff --git a/display/dump_second_display.cpp b/display/dump_second_display.cpp
index a6f2665..80ea909 100644
--- a/display/dump_second_display.cpp
+++ b/display/dump_second_display.cpp
@@ -20,6 +20,7 @@ int main() {
dumpFileContent("CRTC-1 event log", "/sys/kernel/debug/dri/0/crtc-1/event");
dumpFileContent("Secondary panel name", "/sys/devices/platform/exynos-drm/secondary-panel/panel_name");
dumpFileContent("Secondary panel extra info", "/sys/devices/platform/exynos-drm/secondary-panel/panel_extinfo");
+ dumpFileContent("Secondary panel power mode register", "/sys/devices/platform/exynos-drm/secondary-panel/power_mode");
return 0;
}
diff --git a/esim/Android.bp b/esim/Android.bp
new file mode 100644
index 0000000..a2427f1
--- /dev/null
+++ b/esim/Android.bp
@@ -0,0 +1,10 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+prebuilt_etc {
+ name: "init.esim-gs.rc",
+ src: "init.esim-gs.rc",
+ vendor: true,
+ sub_dir: "init",
+}
diff --git a/esim/OWNERS b/esim/OWNERS
new file mode 100644
index 0000000..157ecd6
--- /dev/null
+++ b/esim/OWNERS
@@ -0,0 +1,2 @@
+kiwonp@google.com
+mewan@google.com
\ No newline at end of file
diff --git a/esim/esim.mk b/esim/esim.mk
new file mode 100644
index 0000000..47e21b7
--- /dev/null
+++ b/esim/esim.mk
@@ -0,0 +1,5 @@
+PRODUCT_PACKAGES += init.esim-gs.rc
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/vendor
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/esim/sepolicy/system_ext/private
diff --git a/esim/init.esim-gs.rc b/esim/init.esim-gs.rc
new file mode 100644
index 0000000..291f9ee
--- /dev/null
+++ b/esim/init.esim-gs.rc
@@ -0,0 +1,7 @@
+# Disable bootstrap when bootloader is unlocked in user build
+on property:ro.build.type=user && property:ro.boot.flash.locked=0
+ setprop setupwizard.feature.provisioning_profile_mode false
+
+# Disable bootstrap for DVT devices shipping to non-US carriers
+on property:ro.boot.warranty.sku=BOF
+ setprop setupwizard.feature.provisioning_profile_mode false
diff --git a/esim/sepolicy/system_ext/private/gmscore_app.te b/esim/sepolicy/system_ext/private/gmscore_app.te
new file mode 100644
index 0000000..90bc371
--- /dev/null
+++ b/esim/sepolicy/system_ext/private/gmscore_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)
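Review bot: This file is named gmscore_app.te but its rule grants the property read to `priv_app`, which is byte-for-byte what priv_app.te in the same directory adds (both blobs have index 90bc371). As written the gmscore_app domain gets no access and the priv_app rule is declared twice. If GMS Core is the intended reader, the line should be `get_prop(gmscore_app, setupwizard_feature_prop)`; otherwise this file can be dropped.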
diff --git a/esim/sepolicy/system_ext/private/priv_app.te b/esim/sepolicy/system_ext/private/priv_app.te
new file mode 100644
index 0000000..90bc371
--- /dev/null
+++ b/esim/sepolicy/system_ext/private/priv_app.te
@@ -0,0 +1,2 @@
+# Allow to read setupwizard_feature_prop
+get_prop(priv_app, setupwizard_feature_prop)
diff --git a/esim/sepolicy/system_ext/private/property_contexts b/esim/sepolicy/system_ext/private/property_contexts
new file mode 100644
index 0000000..464a289
--- /dev/null
+++ b/esim/sepolicy/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# setupwizard
+setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0
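Review bot: The entry has no match kind or value type, so it is treated as a prefix and any property whose name begins with `setupwizard.feature.provisioning_profile_mode` receives the `setupwizard_feature_prop` label that vendor_init is allowed to set. Since init.esim-gs.rc only ever writes `false` to this one property, pinning it is tighter: `setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0 exact bool`.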
diff --git a/esim/sepolicy/system_ext/public/property.te b/esim/sepolicy/system_ext/public/property.te
new file mode 100644
index 0000000..96cb3b3
--- /dev/null
+++ b/esim/sepolicy/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# setupwizard
+system_public_prop(setupwizard_feature_prop)
diff --git a/esim/sepolicy/vendor/vendor_init.te b/esim/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..c9cb14e
--- /dev/null
+++ b/esim/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,2 @@
+# setupwizard
+set_prop(vendor_init, setupwizard_feature_prop)
diff --git a/gps/pixel/sepolicy/hal_gnss_pixel.te b/gps/pixel/sepolicy/hal_gnss_pixel.te
index cc63702..e3e4d92 100644
--- a/gps/pixel/sepolicy/hal_gnss_pixel.te
+++ b/gps/pixel/sepolicy/hal_gnss_pixel.te
@@ -10,6 +10,9 @@ allow hal_gnss_pixel sysfs_gps:file rw_file_perms;
# Allow access to CHRE multiclient HAL.
get_prop(hal_gnss_pixel, vendor_chre_hal_prop)
+# Allow read vendor gps prop.
+get_prop(hal_gnss_pixel, vendor_gps_prop)
+
# Allow binder to CHRE.
binder_call(hal_gnss_pixel, hal_contexthub_default)
allow hal_gnss_pixel hal_contexthub_service:service_manager find;
diff --git a/gpu/MK_OWNERS b/gpu/MK_OWNERS
new file mode 100644
index 0000000..1d0be18
--- /dev/null
+++ b/gpu/MK_OWNERS
@@ -0,0 +1,4 @@
+jessehall@google.com
+spyffe@google.com
+jorwag@google.com
+jeremykemp@google.com
diff --git a/gpu/OWNERS b/gpu/OWNERS
new file mode 100644
index 0000000..259dd93
--- /dev/null
+++ b/gpu/OWNERS
@@ -0,0 +1,2 @@
+per-file gpu.mk=set noparent
+per-file gpu.mk=file:MK_OWNERS
diff --git a/gril/aidl/2.0/compatibility_matrix.xml b/gril/aidl/2.0/compatibility_matrix.xml
new file mode 100644
index 0000000..8a4a776
--- /dev/null
+++ b/gril/aidl/2.0/compatibility_matrix.xml
@@ -0,0 +1,10 @@
+
+
+ vendor.google.radio_ext
+ 2
+
+ IRadioExt
+ default
+
+
+
diff --git a/gril/aidl/2.0/gril_aidl.mk b/gril/aidl/2.0/gril_aidl.mk
new file mode 100644
index 0000000..b7d5133
--- /dev/null
+++ b/gril/aidl/2.0/gril_aidl.mk
@@ -0,0 +1,3 @@
+PRODUCT_PACKAGES += vendor.google.radioext@1.0-service
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/aidl/2.0/compatibility_matrix.xml
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/aidl/2.0/sepolicy
diff --git a/gril/aidl/2.0/sepolicy/file_contexts b/gril/aidl/2.0/sepolicy/file_contexts
new file mode 100644
index 0000000..9973b80
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_aidl_radio_ext_exec:s0
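Review bot: This labels `/vendor/bin/hw/vendor\.google\.radioext@1\.0-service` as `hal_aidl_radio_ext_exec`, while gril/hidl/1.7/sepolicy/file_contexts in the same commit labels the identical path as `hal_radioext_default_exec`. gril_aidl.mk and gril_hidl.mk also both add the same package name. The two policy directories are presumably meant to be mutually exclusive per device; if a product ever inherits both, the path gets two conflicting labels. A comment in each .mk stating that only one of gril_aidl.mk / gril_hidl.mk may be included would make the constraint visible, and a build-time `$(error ...)` guard could enforce it.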
diff --git a/gril/aidl/2.0/sepolicy/grilservice_app.te b/gril/aidl/2.0/sepolicy/grilservice_app.te
new file mode 100644
index 0000000..8f49afa
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/grilservice_app.te
@@ -0,0 +1,4 @@
+# allow grilservice_app to find hal_aidl_radio_ext_service
+allow grilservice_app hal_aidl_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_aidl_radio_ext)
+binder_call(grilservice_app, twoshay)
diff --git a/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te
new file mode 100644
index 0000000..ad6c86b
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/hal_aidl_radio_ext.te
@@ -0,0 +1,33 @@
+# hal_aidl_radio_ext domain
+type hal_aidl_radio_ext, domain;
+type hal_aidl_radio_ext_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(hal_aidl_radio_ext)
+
+get_prop(hal_aidl_radio_ext, hwservicemanager_prop)
+get_prop(hal_aidl_radio_ext, telephony_modemtype_prop)
+set_prop(hal_aidl_radio_ext, vendor_gril_prop)
+
+binder_call(hal_aidl_radio_ext, servicemanager)
+binder_call(hal_aidl_radio_ext, grilservice_app)
+binder_call(hal_aidl_radio_ext, hal_bluetooth_btlinux)
+
+add_service(hal_aidl_radio_ext, hal_aidl_radio_ext_service)
+
+# RW /dev/oem_ipc0
+allow hal_aidl_radio_ext radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_aidl_radio_ext radio_vendor_data_file:dir create_dir_perms;
+allow hal_aidl_radio_ext radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_aidl_radio_ext hal_bluetooth_coexistence_service:service_manager find;
+
+# Allow access to the backlight driver to set ssc_mode
+allow hal_aidl_radio_ext sysfs_leds:dir search;
+allow hal_aidl_radio_ext sysfs_leds:file rw_file_perms;
+
+# legacy/zuma/vendor
+allow hal_aidl_radio_ext sysfs_display:file rw_file_perms;
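Review bot: Several grants in this AIDL domain look carried over from the HIDL policy and may not be needed. `get_prop(hal_aidl_radio_ext, hwservicemanager_prop)` and `allow hal_aidl_radio_ext hal_bluetooth_coexistence_hwservice:hwservice_manager find;` are hwbinder-side accesses, yet the domain has no `hwbinder_use`, unlike hal_radioext_default.te. If the AIDL service never talks to hwservicemanager, dropping both keeps the domain minimal. The comment `# legacy/zuma/vendor` does not explain why the HAL needs `rw_file_perms` on `sysfs_display`; it should name the node and the reason, as the `ssc_mode` comment does for `sysfs_leds`.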
diff --git a/gril/aidl/2.0/sepolicy/hal_camera_default.te b/gril/aidl/2.0/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..61f8001
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/hal_camera_default.te
@@ -0,0 +1,2 @@
+# allow hal_camera_default to binder call hal_aidl_radio_ext
+binder_call(hal_camera_default, hal_aidl_radio_ext);
diff --git a/gril/aidl/2.0/sepolicy/service.te b/gril/aidl/2.0/sepolicy/service.te
new file mode 100644
index 0000000..24aa71e
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/service.te
@@ -0,0 +1,2 @@
+# Radio Ext AIDL service
+type hal_aidl_radio_ext_service, hal_service_type, protected_service, service_manager_type;
diff --git a/gril/aidl/2.0/sepolicy/service_contexts b/gril/aidl/2.0/sepolicy/service_contexts
new file mode 100644
index 0000000..7b96182
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/service_contexts
@@ -0,0 +1 @@
+vendor.google.radio_ext.IRadioExt/default u:object_r:hal_aidl_radio_ext_service:s0
diff --git a/gril/aidl/2.0/sepolicy/twoshay.te b/gril/aidl/2.0/sepolicy/twoshay.te
new file mode 100644
index 0000000..f7d3fe1
--- /dev/null
+++ b/gril/aidl/2.0/sepolicy/twoshay.te
@@ -0,0 +1,2 @@
+# allow twoshay to binder call hal_aidl_radio_ext
+binder_call(twoshay, hal_aidl_radio_ext)
diff --git a/gril/hidl/1.7/compatibility_matrix.xml b/gril/hidl/1.7/compatibility_matrix.xml
new file mode 100644
index 0000000..6129633
--- /dev/null
+++ b/gril/hidl/1.7/compatibility_matrix.xml
@@ -0,0 +1,10 @@
+
+
+ vendor.google.radioext
+ 1.7
+
+ IRadioExt
+ default
+
+
+
diff --git a/gril/hidl/1.7/gril_hidl.mk b/gril/hidl/1.7/gril_hidl.mk
new file mode 100644
index 0000000..fcd5ef8
--- /dev/null
+++ b/gril/hidl/1.7/gril_hidl.mk
@@ -0,0 +1,3 @@
+PRODUCT_PACKAGES += vendor.google.radioext@1.0-service
+DEVICE_PRODUCT_COMPATIBILITY_MATRIX_FILE += device/google/gs-common/gril/hidl/1.7/compatibility_matrix.xml
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gril/hidl/1.7/sepolicy
diff --git a/gril/hidl/1.7/sepolicy/file_contexts b/gril/hidl/1.7/sepolicy/file_contexts
new file mode 100644
index 0000000..dea8592
--- /dev/null
+++ b/gril/hidl/1.7/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
diff --git a/gril/hidl/1.7/sepolicy/grilservice_app.te b/gril/hidl/1.7/sepolicy/grilservice_app.te
new file mode 100644
index 0000000..43da795
--- /dev/null
+++ b/gril/hidl/1.7/sepolicy/grilservice_app.te
@@ -0,0 +1,2 @@
+# allow grilservice_app to binder call hal_radioext_default
+binder_call(grilservice_app, hal_radioext_default)
diff --git a/gril/hidl/1.7/sepolicy/hal_camera_default.te b/gril/hidl/1.7/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..36bdd7e
--- /dev/null
+++ b/gril/hidl/1.7/sepolicy/hal_camera_default.te
@@ -0,0 +1,2 @@
+# allow hal_camera_default to binder call hal_radioext_default
+binder_call(hal_camera_default, hal_radioext_default);
diff --git a/gril/hidl/1.7/sepolicy/hal_radioext_default.te b/gril/hidl/1.7/sepolicy/hal_radioext_default.te
new file mode 100644
index 0000000..6931fb7
--- /dev/null
+++ b/gril/hidl/1.7/sepolicy/hal_radioext_default.te
@@ -0,0 +1,28 @@
+# hal_radioext_default domain
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+get_prop(hal_radioext_default, telephony_modemtype_prop)
+set_prop(hal_radioext_default, vendor_gril_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, servicemanager)
+binder_call(hal_radioext_default, grilservice_app)
+binder_call(hal_radioext_default, hal_bluetooth_btlinux)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow hal_radioext_default hal_bluetooth_coexistence_service:service_manager find;
+
+# legacy/zuma/vendor
+allow hal_radioext_default sysfs_display:file rw_file_perms;
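Review bot: `add_hwservice(hal_radioext_default, hal_radioext_hwservice)` and the new hwservice_contexts both reference the type `hal_radioext_hwservice`, but this commit adds no hwservice.te declaring it in gril/hidl/1.7/sepolicy. The AIDL directory, by contrast, declares its service type in service.te. The declaration presumably lives in a device-specific policy directory; if so, a comment naming that dependency would help. Otherwise declare it in this module, for example `type hal_radioext_hwservice, hwservice_manager_type;`, so the module builds on its own.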
diff --git a/gril/hidl/1.7/sepolicy/hwservice_contexts b/gril/hidl/1.7/sepolicy/hwservice_contexts
new file mode 100644
index 0000000..5589c31
--- /dev/null
+++ b/gril/hidl/1.7/sepolicy/hwservice_contexts
@@ -0,0 +1,2 @@
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
diff --git a/gril/hidl/1.7/sepolicy/twoshay.te b/gril/hidl/1.7/sepolicy/twoshay.te
new file mode 100644
index 0000000..75c3b27
--- /dev/null
+++ b/gril/hidl/1.7/sepolicy/twoshay.te
@@ -0,0 +1,2 @@
+# allow twoshay to binder call hal_radioext_default
+binder_call(twoshay, hal_radioext_default)
diff --git a/gs_watchdogd/init.gs_watchdogd.rc b/gs_watchdogd/init.gs_watchdogd.rc
index 23d5fb2..ba3354f 100644
--- a/gs_watchdogd/init.gs_watchdogd.rc
+++ b/gs_watchdogd/init.gs_watchdogd.rc
@@ -1,5 +1,6 @@
# Pet watchdog timer every half of its timeout period.
service gs_watchdogd /system_ext/bin/gs_watchdogd
+ user root
class core
oneshot
seclabel u:r:gs_watchdogd:s0
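Review bot: The added `user root` makes the daemon's identity explicit, but the visible stanza has no `group` or `capabilities` line, so the service keeps whatever root retains under its SELinux domain. If gs_watchdogd only needs to open and write the watchdog device, a `capabilities` line restricted to what it actually uses would narrow it. A dedicated user with access to the device node would do the same. A short comment such as `# runs as root: needs write access to the watchdog device node` would also document why root is required. The stanza may continue past the end of this hunk.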
diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te
index e0f5d7f..8022675 100644
--- a/mediacodec/vpu/sepolicy/mediacodec_google.te
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@@ -7,6 +7,8 @@ hal_server_domain(mediacodec_google, hal_codec2)
hal_client_domain(mediacodec_google, hal_graphics_allocator)
+add_service(mediacodec_google, eco_service)
+
allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec_google video_device:chr_file { read write open ioctl map };
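Review bot: `add_service(mediacodec_google, eco_service)` lets this codec domain register a service under the `eco_service` label, and the line has no comment saying which component in the process publishes it or why. The same gap applies to the second hunk's `vendor_media_data_file` dir/file grants, which are correctly wrapped in `userdebug_or_eng` but do not say what gets written there. A one-line comment above each would help, for example `# Codec2 process hosts the ECO service` and `# debug builds only: codec dump files under vendor media data`, with the wording adjusted to the real purpose.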
@@ -19,3 +21,11 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+
+# Allow HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(mediacodec_google)')
+
+userdebug_or_eng(`
+ allow mediacodec_google vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec_google vendor_media_data_file:file create_file_perms;
+')
diff --git a/modem/radio_ext/sepolicy/grilservice_app.te b/modem/radio_ext/sepolicy/grilservice_app.te
new file mode 100644
index 0000000..9bd8c8e
--- /dev/null
+++ b/modem/radio_ext/sepolicy/grilservice_app.te
@@ -0,0 +1,2 @@
+allow grilservice_app hal_radio_ext_service:service_manager find;
+binder_call(grilservice_app, hal_radio_ext)
diff --git a/modem/shared_modem_platform/compatibility_matrix.xml b/modem/shared_modem_platform/compatibility_matrix.xml
index 5019c3e..66a58ce 100644
--- a/modem/shared_modem_platform/compatibility_matrix.xml
+++ b/modem/shared_modem_platform/compatibility_matrix.xml
@@ -2,7 +2,7 @@
com.google.pixel.shared_modem_platform
- 1
+ 2
ISharedModemPlatform
default
diff --git a/nfc/sepolicy_st21nfc/file_contexts b/nfc/sepolicy_st21nfc/file_contexts
new file mode 100644
index 0000000..a06842a
--- /dev/null
+++ b/nfc/sepolicy_st21nfc/file_contexts
@@ -0,0 +1,2 @@
+/dev/st21nfc u:object_r:nfc_device:s0
+/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
diff --git a/nfc/sepolicy_st54spi/file.te b/nfc/sepolicy_st54spi/file.te
new file mode 100644
index 0000000..5f9a80d
--- /dev/null
+++ b/nfc/sepolicy_st54spi/file.te
@@ -0,0 +1,3 @@
+# SecureElement SPI device
+type st54spi_device, dev_type;
+
diff --git a/nfc/sepolicy_st54spi/file_contexts b/nfc/sepolicy_st54spi/file_contexts
new file mode 100644
index 0000000..f2762f3
--- /dev/null
+++ b/nfc/sepolicy_st54spi/file_contexts
@@ -0,0 +1,3 @@
+/dev/st54spi u:object_r:st54spi_device:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0
+
diff --git a/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
new file mode 100644
index 0000000..f2051e0
--- /dev/null
+++ b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
@@ -0,0 +1,9 @@
+# sepolicy for ST54L secure element
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)
+
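Review bot: `allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;` gives the secure element HAL read/write on the NFC controller node in addition to its own `st54spi_device`, and nothing in the file says why. If the access is only needed for a specific control path, a comment stating that would help; a narrower permission set than `rw_file_perms` would be preferable if the HAL does not need all of it. The whole file has a single header comment, so per-rule comments in the style of the other .te files in this change would make review easier.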
diff --git a/nfc/sepolicy_st54spi/property.te b/nfc/sepolicy_st54spi/property.te
new file mode 100644
index 0000000..1ac5526
--- /dev/null
+++ b/nfc/sepolicy_st54spi/property.te
@@ -0,0 +1,3 @@
+# SecureElement vendor property
+vendor_internal_prop(vendor_secure_element_prop)
+
diff --git a/nfc/sepolicy_st54spi/property_contexts b/nfc/sepolicy_st54spi/property_contexts
new file mode 100644
index 0000000..2067a86
--- /dev/null
+++ b/nfc/sepolicy_st54spi/property_contexts
@@ -0,0 +1,2 @@
+# SecureElement vendor property
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
diff --git a/nfc/sepolicy_st54spi/vendor_init.te b/nfc/sepolicy_st54spi/vendor_init.te
new file mode 100644
index 0000000..91e5cdb
--- /dev/null
+++ b/nfc/sepolicy_st54spi/vendor_init.te
@@ -0,0 +1,2 @@
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
diff --git a/nfc/st21nfc.mk b/nfc/st21nfc.mk
new file mode 100644
index 0000000..c30ecce
--- /dev/null
+++ b/nfc/st21nfc.mk
@@ -0,0 +1,2 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st21nfc
+PRODUCT_PACKAGES += android.hardware.nfc-service.st
diff --git a/nfc/st54spi.mk b/nfc/st54spi.mk
new file mode 100644
index 0000000..046de87
--- /dev/null
+++ b/nfc/st54spi.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st54spi
+PRODUCT_PACKAGES += android.hardware.secure_element-service.thales
+
diff --git a/performance/sepolicy/file.te b/performance/sepolicy/file.te
index 8e16bbf..e79f9b2 100644
--- a/performance/sepolicy/file.te
+++ b/performance/sepolicy/file.te
@@ -1,2 +1,8 @@
+# proactive kill
type sysfs_pakills, fs_type, sysfs_type;
+
+# bts dump
type vendor_bts_debugfs, fs_type, debugfs_type;
+
+# proc_compaction_proactiveness type
+type proc_compaction_proactiveness, fs_type, proc_type;
diff --git a/performance/sepolicy/genfs_contexts b/performance/sepolicy/genfs_contexts
index 041021c..57e3634 100644
--- a/performance/sepolicy/genfs_contexts
+++ b/performance/sepolicy/genfs_contexts
@@ -1,3 +1,4 @@
genfscon proc /sys/kernel/sched_pelt_multiplier u:object_r:proc_sched:s0
genfscon sysfs /kernel/vendor_mm/pa_kill u:object_r:sysfs_pakills:s0
genfscon debugfs /bts u:object_r:vendor_bts_debugfs:s0
+genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0
diff --git a/performance/sepolicy/vendor_init.te b/performance/sepolicy/vendor_init.te
index fefecb1..188984f 100644
--- a/performance/sepolicy/vendor_init.te
+++ b/performance/sepolicy/vendor_init.te
@@ -1,3 +1,3 @@
# MM
allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms;
-
+allow vendor_init proc_compaction_proactiveness:file w_file_perms;
diff --git a/storage/sepolicy/charger_vendor.te b/storage/sepolicy/charger_vendor.te
new file mode 100644
index 0000000..62a7661
--- /dev/null
+++ b/storage/sepolicy/charger_vendor.te
@@ -0,0 +1,3 @@
+# fork from dcb05d13
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/device.te b/storage/sepolicy/device.te
index e0968f9..1252ee0 100644
--- a/storage/sepolicy/device.te
+++ b/storage/sepolicy/device.te
@@ -1,2 +1,11 @@
# Userdata Exp block device.
type userdata_exp_block_device, dev_type;
+
+# Block Devices
+type persist_block_device, dev_type;
+type efs_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+
+# Storage firmware upgrade
+type ufs_internal_block_device, dev_type;
+
diff --git a/storage/sepolicy/dump_storage.te b/storage/sepolicy/dump_storage.te
index 5324c17..7a5f563 100644
--- a/storage/sepolicy/dump_storage.te
+++ b/storage/sepolicy/dump_storage.te
@@ -1,8 +1,11 @@
+# adb bugreport
pixel_bugreport(dump_storage)
+# adb bugreport
allow dump_storage sysfs_scsi_devices_0000:dir r_dir_perms;
allow dump_storage sysfs_scsi_devices_0000:file r_file_perms;
+# adb bugreport
userdebug_or_eng(`
allow dump_storage debugfs_f2fs:dir r_dir_perms;
allow dump_storage debugfs_f2fs:file r_file_perms;
@@ -17,7 +20,10 @@ userdebug_or_eng(`
allow dump_storage dump_storage_data_file:file create_file_perms;
')
+# adb bugreport
get_prop(dump_storage, boottime_public_prop)
+# adb bugreport
dontaudit dump_storage debugfs_f2fs:dir r_dir_perms;
dontaudit dump_storage debugfs_f2fs:file r_file_perms;
+
diff --git a/storage/sepolicy/dumpstate.te b/storage/sepolicy/dumpstate.te
index 2c01193..2220870 100644
--- a/storage/sepolicy/dumpstate.te
+++ b/storage/sepolicy/dumpstate.te
@@ -1 +1,7 @@
-allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
\ No newline at end of file
+# adb bugreport
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir { getattr };
+allow dumpstate modem_efs_file:dir { getattr };
+allow dumpstate modem_userdata_file:dir { getattr };
+allow dumpstate vold:binder { call };
+
diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te
index c280cb7..92ff839 100644
--- a/storage/sepolicy/e2fs.te
+++ b/storage/sepolicy/e2fs.te
@@ -1 +1,10 @@
+# fix mkfs
allow e2fs userdata_exp_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
+
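Review bot: The `allowxperm` target set does not match the `allow` rules above it. `persist_block_device` is listed in the ioctl allowlist but has no `allow e2fs persist_block_device:blk_file ...` in this file, and an xperm rule has no effect without the base `ioctl` permission. Conversely, `userdata_exp_block_device` has `rw_file_perms` but is absent from the allowlist. Either add `allow e2fs persist_block_device:blk_file rw_file_perms;` or drop it from the set if that grant lives elsewhere, and confirm whether `userdata_exp_block_device` should be covered. Because the list includes `BLKSECDISCARD` and `BLKDISCARD` on the EFS and modem userdata partitions, a comment more specific than `# fix mkfs` would help, naming which formatting step needs them.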
diff --git a/storage/sepolicy/fastbootd.te b/storage/sepolicy/fastbootd.te
index 35bac15..e571d0b 100644
--- a/storage/sepolicy/fastbootd.te
+++ b/storage/sepolicy/fastbootd.te
@@ -1 +1,3 @@
+# fastbootd
allow fastbootd devpts:chr_file rw_file_perms;
+
diff --git a/storage/sepolicy/file.te b/storage/sepolicy/file.te
index ed4f925..0fa9564 100644
--- a/storage/sepolicy/file.te
+++ b/storage/sepolicy/file.te
@@ -1,4 +1,6 @@
+# file.te
type debugfs_f2fs, debugfs_type, fs_type;
type dump_storage_data_file, file_type, data_file_type;
type sg_device, dev_type;
type sg_util_exec, exec_type, vendor_file_type, file_type;
+
diff --git a/storage/sepolicy/file_contexts b/storage/sepolicy/file_contexts
index 30335eb..1ef5a67 100644
--- a/storage/sepolicy/file_contexts
+++ b/storage/sepolicy/file_contexts
@@ -1,6 +1,9 @@
+# storage
/vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0
/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0
/dev/sg[0-9] u:object_r:sg_device:s0
/data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0
/vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0
/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0
+/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
+
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
index 2043199..7369bb4 100644
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
@@ -1 +1,7 @@
+# fix fsck
allow fsck userdata_exp_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/genfs_contexts b/storage/sepolicy/genfs_contexts
index 1a27ec4..69baae6 100644
--- a/storage/sepolicy/genfs_contexts
+++ b/storage/sepolicy/genfs_contexts
@@ -1 +1,3 @@
+# f2fs
genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+
diff --git a/storage/sepolicy/hal_health_default.te b/storage/sepolicy/hal_health_default.te
new file mode 100644
index 0000000..49bf50c
--- /dev/null
+++ b/storage/sepolicy/hal_health_default.te
@@ -0,0 +1,3 @@
+# dumpsys android.hardware.power.stats.IPowerStats/default
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+
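Review bot: The header comment in this new file, `# dumpsys android.hardware.power.stats.IPowerStats/default`, names the power stats service, but the rule below it is for `hal_health_default`. It looks copied from `hal_power_stats_default.te`, which this same commit adds with the identical comment. A comment describing this domain's own need would be more useful, e.g. `# Read UFS sysfs nodes (/sys/devices/platform/*ufs/*) from the health HAL`. The actual consumer is not visible in the diff and should be confirmed.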
diff --git a/storage/sepolicy/hal_health_storage_default.te b/storage/sepolicy/hal_health_storage_default.te
index af6593a..20a3b7d 100644
--- a/storage/sepolicy/hal_health_storage_default.te
+++ b/storage/sepolicy/hal_health_storage_default.te
@@ -1,3 +1,4 @@
# Access to /sys/devices/platform/*ufs/*
allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
+
diff --git a/storage/sepolicy/hal_power_stats_default.te b/storage/sepolicy/hal_power_stats_default.te
new file mode 100644
index 0000000..edd286c
--- /dev/null
+++ b/storage/sepolicy/hal_power_stats_default.te
@@ -0,0 +1,3 @@
+# dumpsys android.hardware.power.stats.IPowerStats/default
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+
diff --git a/storage/sepolicy/init.te b/storage/sepolicy/init.te
index 7070318..dc24247 100644
--- a/storage/sepolicy/init.te
+++ b/storage/sepolicy/init.te
@@ -1 +1,3 @@
+# init
allow init sysfs_scsi_devices_0000:file w_file_perms;
+
diff --git a/storage/sepolicy/ufs_firmware_update.te b/storage/sepolicy/ufs_firmware_update.te
new file mode 100644
index 0000000..2313121
--- /dev/null
+++ b/storage/sepolicy/ufs_firmware_update.te
@@ -0,0 +1,11 @@
+# support ufs ffu via ota
+init_daemon_domain(ufs_firmware_update)
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+# support ufs ffu via ota
+allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+allow ufs_firmware_update block_device:dir { search };
+allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+
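Review bot: `allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;` gives a new init-started domain read/write access to the internal UFS block device, and the only explanation is the comment `# support ufs ffu via ota`, which appears twice. The file_contexts change in this commit labels a shell script (`ufs_firmware_update.sh`) as the entry point, so the file should state which operation needs write on the raw device. That lets a later reviewer judge whether the grant can be narrowed; something like `# FFU is issued through the UFS block device node, which must be opened read/write` (to be confirmed). As a style point, the two `type` declarations would read better before `init_daemon_domain(ufs_firmware_update)`, the order that `hal_drm_clearkey.te` and `hal_drm_widevine.te` use.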
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index da4fcba..73eb527 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -1 +1,6 @@
+# vendor_init
allow vendor_init sg_device:chr_file r_file_perms;
+
+# dirty swappiness
+allow vendor_init proc_dirty:file w_file_perms;
+
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 3d35589..b776c80 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
@@ -1,8 +1,17 @@
+# ufs hagc
allow vold sysfs_scsi_devices_0000:file rw_file_perms;
# Access userdata_exp block device.
allow vold userdata_exp_block_device:blk_file rw_file_perms;
allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;
+# adb bugreport
dontaudit vold dumpstate:fifo_file rw_file_perms;
dontaudit vold dumpstate:fd use ;
+
+# fix idle-maint
+allow vold efs_block_device:blk_file { getattr };
+allow vold modem_userdata_block_device:blk_file { getattr };
+allow vold modem_efs_file:dir { read open ioctl };
+allow vold modem_userdata_file:dir { read open ioctl };
+
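Review bot: The idle-maint rules grant `ioctl` on `modem_efs_file:dir` and `modem_userdata_file:dir` without saying which ioctl is expected, whereas the existing `userdata_exp_block_device` rule in this file is paired with `allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;`. If idle maintenance only issues a trim on these mount points (inferred from the `# fix idle-maint` comment, not shown here), the comment should say so. It is also worth checking whether a matching `allowxperm` line is needed or is already provided by platform policy. Suggested comment: `# idle-maint: vold opens the efs and modem_userdata mount points to trim them`.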
diff --git a/touch/gti/ical/sepolicy/property.te b/touch/gti/ical/sepolicy/property.te
index 2a71d74..94fa3fc 100644
--- a/touch/gti/ical/sepolicy/property.te
+++ b/touch/gti/ical/sepolicy/property.te
@@ -1 +1,2 @@
system_public_prop(vendor_gti_prop)
+typeattribute vendor_gti_prop touch_property_type;
diff --git a/widevine/sepolicy/hal_drm_clearkey.te b/widevine/sepolicy/hal_drm_clearkey.te
index 81ecfb9..fff4f0d 100644
--- a/widevine/sepolicy/hal_drm_clearkey.te
+++ b/widevine/sepolicy/hal_drm_clearkey.te
@@ -1,5 +1,6 @@
+# sepolicy for DRM clearkey
type hal_drm_clearkey, domain;
type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(hal_drm_clearkey)
-#TODO: snehalreddy@ add sepolicy
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/widevine/sepolicy/hal_drm_widevine.te b/widevine/sepolicy/hal_drm_widevine.te
index 41e395a..9b4792e 100644
--- a/widevine/sepolicy/hal_drm_widevine.te
+++ b/widevine/sepolicy/hal_drm_widevine.te
@@ -1,5 +1,13 @@
+# sepolicy for DRM widevine
type hal_drm_widevine, domain;
type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(hal_drm_widevine)
-#TODO: snehalreddy@ add sepolicy
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+#L1
+#TODO(snehalreddy@) : Add L1 permissions