Merge changes from topic "darkboot-sepolicy" into qt-dev

* changes:
  Add vendor_misc_writer change to API 29 prebuilts.
  Add vendor_misc_writer.
  Add persist.sys.device_provisioned change to API 29 prebuilts.
  Set persist.sys.device_provisioned vendor-init-readable.
diff --git a/prebuilts/api/29.0/private/atrace.te b/prebuilts/api/29.0/private/atrace.te
index 8de1826..75be787 100644
--- a/prebuilts/api/29.0/private/atrace.te
+++ b/prebuilts/api/29.0/private/atrace.te
@@ -24,17 +24,7 @@
 # atrace pokes all the binder-enabled processes at startup with a
 # SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
 
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
 allow atrace {
   service_manager_type
   -apex_service
@@ -50,6 +40,33 @@
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+  # List HAL interfaces.
+  allow atrace hwservicemanager:hwservice_manager list;
+  # Notify the camera HAL.
+  hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
 userdebug_or_eng(`
   # atrace is generally invoked as a standalone binary from shell or perf
   # daemons like Perfetto traced_probes. However, in userdebug builds, there is
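Review bot: The three `dontaudit` rules in the added block are far wider than the four `allow ... :binder call` rules they accompany. `dontaudit atrace domain:binder call;` silences every denied binder call from atrace to any domain, and the two `find` rules do the same for service lookups, so a later policy regression or unexpected atrace behaviour leaves no avc record to triage. The comment should record that trade-off, for example `# NOTE: hides all atrace find/call denials from the audit log; account for this when debugging atrace policy.` Separately, `hal_client_domain(atrace, hal_camera)` presumably grants the whole camera HAL client permission set rather than only the property-reload notification, so `# Notify the camera HAL.` understates it even though the rule is limited to userdebug/eng. The same lines are added in private/atrace.te further down.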
diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te
index 2906b5b..614e1b8 100644
--- a/prebuilts/api/29.0/public/dumpstate.te
+++ b/prebuilts/api/29.0/public/dumpstate.te
@@ -72,6 +72,7 @@
   mediaswcodec
   sdcardd
   surfaceflinger
+  vold
 
   # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
   hal_audio_server
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index 69c11d6..c5fc9b4 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -46,6 +46,8 @@
   userdata_block_device
 }:{ blk_file lnk_file } relabelto;
 
+allow init super_block_device:lnk_file relabelto;
+
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
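Review bot: The new `allow init super_block_device:lnk_file relabelto;` has no comment, and it differs from the rule just above it, which grants `relabelto` on both `blk_file` and `lnk_file` for its device types. A reader cannot tell whether leaving out `blk_file` for `super_block_device` is deliberate. Since `relabelto` decides which nodes may end up carrying a block-device label, the intent is worth recording, for example `# init relabels only the symlink to the super partition; the block node is intentionally not covered.` (rationale to be confirmed by the author). The preceding rule begins outside the hunk, so its full type list is not visible here. The same addition appears in public/init.te.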
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 566883c..31a0184 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -390,4 +390,5 @@
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/private/atrace.te b/private/atrace.te
index 8de1826..75be787 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -24,17 +24,7 @@
 # atrace pokes all the binder-enabled processes at startup with a
 # SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
 
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
 allow atrace {
   service_manager_type
   -apex_service
@@ -50,6 +40,33 @@
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+  # List HAL interfaces.
+  allow atrace hwservicemanager:hwservice_manager list;
+  # Notify the camera HAL.
+  hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
 userdebug_or_eng(`
   # atrace is generally invoked as a standalone binary from shell or perf
   # daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2906b5b..614e1b8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -72,6 +72,7 @@
   mediaswcodec
   sdcardd
   surfaceflinger
+  vold
 
   # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
   hal_audio_server
diff --git a/public/init.te b/public/init.te
index 69c11d6..c5fc9b4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -46,6 +46,8 @@
   userdata_block_device
 }:{ blk_file lnk_file } relabelto;
 
+allow init super_block_device:lnk_file relabelto;
+
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
diff --git a/public/property_contexts b/public/property_contexts
index 566883c..31a0184 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -390,4 +390,5 @@
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool