Merge "Use cil_write_build_ast"
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ac5ad6c..fd9fa47 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -222,11 +222,12 @@
 # TODO(b/199007910): remove these
 set_prop(domain, {
     property_type
+    -default_prop
     -vmsecret_keymint_prop
     -microdroid_manager_roothash_prop
 })
-# auditallow { domain -init } property_type:property_service set;
-# auditallow { domain -init } property_type:file rw_file_perms;
+#auditallow { domain -default_prop -init } property_type:property_service set;
+#auditallow { domain -default_prop -init } property_type:file rw_file_perms;
 
 allow domain linkerconfig_file:dir search;
 allow domain linkerconfig_file:file r_file_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 7460fb4..3c6d248 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -34,7 +34,11 @@
 
 ro.logd.kernel u:object_r:logd_prop:s0 exact bool
 
+ro.config.low_ram u:object_r:build_prop:s0 exact bool
+
 ro.boottime.adbd                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.apexd-vm                  u:object_r:boottime_prop:s0 exact int
+ro.boottime.apkdmverity               u:object_r:boottime_prop:s0 exact int
 ro.boottime.authfs_service            u:object_r:boottime_prop:s0 exact int
 ro.boottime.hwservicemanager          u:object_r:boottime_prop:s0 exact int
 ro.boottime.init                      u:object_r:boottime_prop:s0 exact int
@@ -58,33 +62,51 @@
 
 hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
 
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+apexd.status      u:object_r:apexd_prop:s0 exact enum starting activated ready
+ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
 
 ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
 
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+sys.usb.controller     u:object_r:usb_control_prop:s0 exact string
+persist.sys.usb.config u:object_r:usb_control_prop:s0 exact string
 
-init.svc.authfs_service            u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager          u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2                 u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd                      u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit               u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.microdroid_manager        u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager            u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.ueventd                   u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.zipfuse                   u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apexd-vm           u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apkdmverity        u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.authfs_service     u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.hwservicemanager   u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.keystore2          u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd               u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit        u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager     u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd            u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse            u:object_r:init_service_status_private_prop:s0 exact string
 
 init.svc.adbd       u:object_r:init_service_status_prop:s0 exact string
 init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
 
 init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
 
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.baseband      u:object_r:bootloader_prop:s0 exact string
-ro.bootloader    u:object_r:bootloader_prop:s0 exact string
-ro.bootmode      u:object_r:bootloader_prop:s0 exact string
-ro.hardware      u:object_r:bootloader_prop:s0 exact string
-ro.revision      u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware                   u:object_r:bootloader_prop:s0 exact string
+ro.boot.avb_version                u:object_r:bootloader_prop:s0 exact string
+ro.boot.boot_devices               u:object_r:bootloader_prop:s0 exact string
+ro.boot.first_stage_console        u:object_r:bootloader_prop:s0 exact string
+ro.boot.force_normal_boot          u:object_r:bootloader_prop:s0 exact string
+ro.boot.slot_suffix                u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version         u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.device_state        u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.digest              u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.hash_alg            u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.invalidate_on_error u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.size                u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate          u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode                 u:object_r:bootloader_prop:s0 exact string
+
+ro.baseband   u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode   u:object_r:bootloader_prop:s0 exact string
+ro.hardware   u:object_r:bootloader_prop:s0 exact string
+ro.revision   u:object_r:bootloader_prop:s0 exact string
 
 ro.build.id                     u:object_r:build_prop:s0 exact string
 ro.build.version.release        u:object_r:build_prop:s0 exact string
@@ -95,12 +117,22 @@
 
 ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
 
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
 apex_config.done u:object_r:apex_config_prop:s0 exact bool
 
 microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
+
+dev.mnt.blk.root   u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.root   u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.vendor u:object_r:dev_mnt_prop:s0 exact string
+
+gsid.image_installed  u:object_r:gsid_prop:s0 exact bool
+ro.gsid.image_running u:object_r:gsid_prop:s0 exact bool
+
+service.adb.listen_addrs u:object_r:adbd_prop:s0 exact string
+
+persist.adb.wifi.guid  u:object_r:adbd_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 577353a..7e77df2 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -1,3 +1,4 @@
+type adbd_prop, property_type;
 type apexd_prop, property_type;
 type bootloader_prop, property_type;
 type boottime_prop, property_type;
@@ -19,13 +20,15 @@
 type ctl_zipfuse_prop, property_type;
 type debug_prop, property_type;
 type default_prop, property_type;
-type exported_default_prop, property_type;
+type dev_mnt_prop, property_type;
 type fingerprint_prop, property_type;
+type gsid_prop, property_type;
 type hwservicemanager_prop, property_type;
 type init_perf_lsm_hooks_prop, property_type;
 type init_service_status_private_prop, property_type;
 type init_service_status_prop, property_type;
 type init_svc_debug_prop, property_type;
+type keystore_crash_prop, property_type;
 type keystore_listen_prop, property_type;
 type logd_prop, property_type;
 type property_service_version_prop, property_type;
@@ -38,7 +41,9 @@
 
 allow property_type tmpfs:filesystem associate;
 
-#----------------------------------------
-type adbd_config_prop, property_type;
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
 
-type module_sdkextensions_prop, property_type;
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 9e73292..1a7aaa4 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -985,4 +985,5 @@
 define(`read_fstab', `
   allow $1 { metadata_file gsi_metadata_file_type }:dir search;
   allow $1 gsi_public_metadata_file:file r_file_perms;
+  allow $1 proc_bootconfig:file r_file_perms;
 ')
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
index 5601f64..e55ff17 100644
--- a/private/compos_verify_key.te
+++ b/private/compos_verify_key.te
@@ -15,9 +15,6 @@
 allow compos_verify_key odsign:fd use;
 allow compos_verify_key odsign_devpts:chr_file { read write };
 
-# TODO: Remove this!
-allow compos_verify_key self:vsock_socket create_socket_perms_no_ioctl;
-
 # Only odsign can enter the domain via exec
 neverallow { domain -odsign } compos_verify_key:process transition;
 neverallow * compos_verify_key:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index 725e79e..4f85125 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,3 +13,6 @@
 allow composd apex_module_data_file:dir search;
 allow composd apex_compos_data_file:dir create_dir_perms;
 allow composd apex_compos_data_file:file create_file_perms;
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(composd, odrefresh_exec, odrefresh)
diff --git a/private/file.te b/private/file.te
index e185b85..124309c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -68,6 +68,3 @@
 
 # /dev/kvm
 type kvm_device, dev_type;
-
-# /dev/userspace_panic
-type userspace_panic_device, dev_type;
diff --git a/private/file_contexts b/private/file_contexts
index 8849602..0c8bf78 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,7 +191,6 @@
 /dev/uio[0-9]*		u:object_r:uio_device:s0
 /dev/urandom		u:object_r:random_device:s0
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
-/dev/userspace_panic	u:object_r:userspace_panic_device:s0
 /dev/v4l-touch[0-9]*	u:object_r:input_device:s0
 /dev/vhost-vsock	u:object_r:kvm_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
diff --git a/private/init.te b/private/init.te
index 400e47c..f569e0c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -112,6 +112,3 @@
   -kvm_device
   -port_device
 }:chr_file setattr;
-
-# Allow use userpanic to request panic.
-allow init userspace_panic_device:chr_file w_file_perms;
diff --git a/private/llkd.te b/private/llkd.te
index 0d19f62..9c96dfb 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -44,9 +44,6 @@
 allow llkd proc_sysrq:file rw_file_perms;
 allow llkd kmsg_device:chr_file w_file_perms;
 
-# Allow use userpanic to request panic.
-allow llkd userspace_panic_device:chr_file w_file_perms;
-
 ### neverallow rules
 
 neverallow { domain -init } llkd:process { dyntransition transition };
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3db1ae8..811b7cf 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -34,16 +34,30 @@
 allow odrefresh odsign_devpts:chr_file { read write };
 allow odrefresh odsign:fd use;
 
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Use inherited stdin/stdout/stderr from composd which exec()'s
+# odrefesh.
+allow odrefresh composd:fd use;
+
+# Run system binaries, e.g. pvm_exec, in the same domain
+allow odrefresh system_file:file execute_no_trans;
+
 # Do not audit unused resources from parent processes (adb, shell, su).
 # These appear to be unnecessary for odrefresh.
 dontaudit odrefresh { adbd shell }:fd use;
 dontaudit odrefresh devpts:chr_file rw_file_perms;
 dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
 
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
 # No other processes should be creating files in the staging area.
 neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
 
@@ -51,10 +65,3 @@
 # odrefresh_data_files.
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/property.te b/private/property.te
index 3ee6650..659d1d4 100644
--- a/private/property.te
+++ b/private/property.te
@@ -40,6 +40,7 @@
 system_internal_prop(zygote_wrap_prop)
 system_internal_prop(ctl_mediatranscoding_prop)
 system_internal_prop(ctl_odsign_prop)
+system_internal_prop(virtualizationservice_prop)
 
 ###
 ### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index ba0d557..cd10fe6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1233,3 +1233,6 @@
 
 # dck properties
 ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+# virtualization service properties
+virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
diff --git a/private/system_server.te b/private/system_server.te
index 622fd41..ee4cfe2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1156,9 +1156,6 @@
 # Allow system server to read profcollectd reports for upload.
 userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
 
-# Allow use userpanic to request panic.
-allow system_server userspace_panic_device:chr_file w_file_perms;
-
 ###
 ### Neverallow rules
 ###
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0c09509..3b23449 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -54,3 +54,11 @@
 
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
+set_prop(virtualizationservice, virtualizationservice_prop)
+neverallow {
+  domain
+  -init
+  -virtualizationservice
+} virtualizationservice_prop:property_service set;
diff --git a/private/vold.te b/private/vold.te
index de0fde4..1ad1f43 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -22,6 +22,7 @@
 get_prop(vold, vold_config_prop)
 get_prop(vold, storage_config_prop);
 get_prop(vold, incremental_prop);
+get_prop(vold, gsid_prop);
 
 set_prop(vold, vold_post_fs_data_prop)
 set_prop(vold, vold_prop)
diff --git a/public/te_macros b/public/te_macros
index 4cd7e53..c112cc1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1019,4 +1019,5 @@
 define(`read_fstab', `
   allow $1 { metadata_file gsi_metadata_file_type }:dir search;
   allow $1 gsi_public_metadata_file:file r_file_perms;
+  allow $1 proc_bootconfig:file r_file_perms;
 ')