Merge "SEPolicy changes for BT SAP hal."
diff --git a/private/property_contexts b/private/property_contexts
index a27b756..39e8a8d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -18,6 +18,7 @@
net. u:object_r:system_prop:s0
dev. u:object_r:system_prop:s0
ro.runtime. u:object_r:system_prop:s0
+ro.runtime.firstboot u:object_r:firstboot_prop:s0
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
diff --git a/public/domain.te b/public/domain.te
index 47b3e5a..2bf0be3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -386,6 +386,9 @@
-system_server
} serialno_prop:file r_file_perms;
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+
neverallow {
domain
-init
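Review bot: The comment above the added neverallow calls firstboot_prop "the last boot timestamp", while the system_server.te hunk of this same commit describes it as tracking whether this is the first start of system_server. The two descriptions should agree so a later reader knows what is being protected, e.g. `# Do not allow domains other than init and system_server to read the first-boot marker property`. The rule also only pins the read side (`firstboot_prop:file r_file_perms`). If the intent is that no other domain may ever be granted access, a companion `neverallow { domain -init -system_server } firstboot_prop:property_service set;` would stop a later policy change from granting write access unnoticed. The neverallow block that begins after the added lines continues outside this hunk.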
diff --git a/public/property.te b/public/property.te
index 0bba50d..ce5ce2f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -21,6 +21,7 @@
type dumpstate_prop, property_type, core_property_type;
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
+type firstboot_prop, property_type;
type hwservicemanager_prop, property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
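Review bot: The new `firstboot_prop` type is declared with `property_type` only, while several neighbours in this list (dumpstate_prop, ffs_prop, fingerprint_prop, logd_prop) also carry `core_property_type`. Since the property is labelled in the platform's private/property_contexts and written by system_server, it looks like a platform-owned property, so it is worth confirming the omission is deliberate. If this tree applies rules keyed on `core_property_type`, presumably the new type would not be covered by them. If the omission is intended, a one-line comment above the declaration would record that, e.g. `# firstboot_prop: set by system_server only; access restricted by neverallow in domain.te`.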
diff --git a/public/recovery.te b/public/recovery.te
index bbee928..7805d0b 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,7 +92,7 @@
# Start/stop adbd via ctl.start adbd
set_prop(recovery, ctl_default_prop)
- # Read device's serial number from system properties
+ # Read serial number of the device from system properties
get_prop(recovery, serialno_prop)
# Use setfscreatecon() to label files for OTA updates.
diff --git a/public/system_server.te b/public/system_server.te
index bc1dd9f..99ff1d8 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -391,6 +391,9 @@
# Read device's serial number from system properties
get_prop(system_server, serialno_prop)
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
+
# Create a socket for receiving info from wpa.
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;