Merge changes from topic "darkboot-sepolicy" into qt-dev

* changes:
  Add vendor_misc_writer change to API 29 prebuilts.
  Add vendor_misc_writer.
  Add persist.sys.device_provisioned change to API 29 prebuilts.
  Set persist.sys.device_provisioned vendor-init-readable.
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 2633bcf..d5fca32 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -142,6 +142,8 @@
     vendor_idc_file
     vendor_keychars_file
     vendor_keylayout_file
+    vendor_misc_writer
+    vendor_misc_writer_exec
     vendor_task_profiles_file
     vrflinger_vsync_service
     watchdogd_tmpfs))
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 919c889..3f432f2 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -350,6 +350,8 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
+/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
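Review bot: The added entry `/vendor/bin/misc_writer` matches only the literal /vendor path, while the neighbouring vendor entries in this hunk use the `/(vendor|system/vendor)/...` form. On a build where vendor content sits under /system/vendor, the binary would not receive `vendor_misc_writer_exec`, so the service would presumably not run in the `vendor_misc_writer` domain set up by `init_daemon_domain` in vendor/vendor_misc_writer.te. Consider `/(vendor|system/vendor)/bin/misc_writer    u:object_r:vendor_misc_writer_exec:s0`. The same line is added in the private/file_contexts hunk.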
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 6493ca4..7e33230 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -603,6 +603,7 @@
   -uncrypt
   -update_engine
   -vendor_init
+  -vendor_misc_writer
   -vold
   -recovery
   -ueventd
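Review bot: The new `-vendor_misc_writer` exemption carries no explanation, and the neverallow it belongs to starts and ends outside this hunk, so a reader cannot tell from here which restriction is being relaxed. It is presumably the one protecting `misc_block_device`, given the allow rule added in vendor_misc_writer.te, but that should be confirmed. Each entry in such a list widens the set of domains let past a neverallow, so a short comment above the rule would help later audits, e.g. `# vendor_misc_writer: vendor daemon that writes its own data to /misc; see vendor_misc_writer.te`. The same applies to the public/domain.te hunk.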
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 4fb06a1..31a0184 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -161,6 +161,7 @@
 # vendor-init-readable
 apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
 sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
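Review bot: `persist.sys.device_provisioned` is typed `exact string`, which lets any value through the property type check, whereas the flag-like neighbours in this hunk (`dev.bootcomplete`, `sys.boot_completed`) are `bool` and `sys.retaildemo.enabled` is `int`. The name suggests a fixed flag value, but the writer is not visible here. If that is the case, a tighter type such as `exact int` or `exact bool` would reject malformed values before vendor init reads them. The same line is added in the public/property_contexts hunk.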
diff --git a/prebuilts/api/29.0/public/vendor_misc_writer.te b/prebuilts/api/29.0/public/vendor_misc_writer.te
new file mode 100644
index 0000000..7093fec
--- /dev/null
+++ b/prebuilts/api/29.0/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
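Review bot: The header comment `# vendor_misc_writer` does not say what the domain is for, and the rule `allow vendor_misc_writer misc_block_device:blk_file w_file_perms;` grants write access to the whole device node, since SELinux cannot restrict which offsets are written. If other components keep state in the same partition (not visible in this diff), only the binary itself keeps this writer inside its own region, so that contract is worth stating in the policy. Suggest replacing the header with something like `# vendor_misc_writer: init-started vendor tool that writes vendor-owned data to /misc. Policy cannot limit the write offset; the binary must confine writes to its own region.` The same file is added as public/vendor_misc_writer.te.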
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2633bcf..d5fca32 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -142,6 +142,8 @@
     vendor_idc_file
     vendor_keychars_file
     vendor_keylayout_file
+    vendor_misc_writer
+    vendor_misc_writer_exec
     vendor_task_profiles_file
     vrflinger_vsync_service
     watchdogd_tmpfs))
diff --git a/private/file_contexts b/private/file_contexts
index 919c889..3f432f2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -350,6 +350,8 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
+/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
diff --git a/public/domain.te b/public/domain.te
index 6493ca4..7e33230 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -603,6 +603,7 @@
   -uncrypt
   -update_engine
   -vendor_init
+  -vendor_misc_writer
   -vold
   -recovery
   -ueventd
diff --git a/public/property_contexts b/public/property_contexts
index 4fb06a1..31a0184 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -161,6 +161,7 @@
 # vendor-init-readable
 apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
 sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
new file mode 100644
index 0000000..7093fec
--- /dev/null
+++ b/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
diff --git a/vendor/vendor_misc_writer.te b/vendor/vendor_misc_writer.te
new file mode 100644
index 0000000..245749e
--- /dev/null
+++ b/vendor/vendor_misc_writer.te
@@ -0,0 +1 @@
+init_daemon_domain(vendor_misc_writer)