Merge "Allow camera service to access "ro.camera.disableJpegR" property" into udc-dev
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 6a971da..7faafc6 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -333,7 +333,7 @@
return m
}
-func (m *selinuxContextsModule) buildHwServiceContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+func (m *selinuxContextsModule) buildServiceContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
if m.properties.Remove_comment == nil {
m.properties.Remove_comment = proptools.BoolPtr(true)
}
@@ -478,7 +478,7 @@
func hwServiceFactory() android.Module {
m := newModule()
- m.build = m.buildHwServiceContexts
+ m.build = m.buildServiceContexts
return m
}
@@ -491,7 +491,7 @@
func serviceFactory() android.Module {
m := newModule()
- m.build = m.buildGeneralContexts
+ m.build = m.buildServiceContexts
return m
}
diff --git a/prebuilts/api/34.0/private/app.te b/prebuilts/api/34.0/private/app.te
index 05332d7..528d673 100644
--- a/prebuilts/api/34.0/private/app.te
+++ b/prebuilts/api/34.0/private/app.te
@@ -9,7 +9,7 @@
-platform_app
-priv_app
-shell
- -sdk_sandbox
+ -sdk_sandbox_all
-system_app
-untrusted_app_all
}, proc_net_type)
@@ -23,7 +23,7 @@
-priv_app
-shell
-su
- -sdk_sandbox
+ -sdk_sandbox_all
-system_app
-untrusted_app_all
} proc_net_type:{ dir file lnk_file } { getattr open read };
@@ -48,11 +48,6 @@
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
@@ -81,7 +76,7 @@
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -137,67 +132,67 @@
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Perform binder IPC to sdk sandbox.
-binder_call(appdomain, sdk_sandbox)
+binder_call(appdomain, sdk_sandbox_all)
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
#logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
-use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
-use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# For app fuse.
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
+pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
@@ -223,11 +218,11 @@
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
-allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
+allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
@@ -261,11 +256,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -411,7 +406,7 @@
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
@@ -503,7 +498,7 @@
nfc
radio
shared_relro
- sdk_sandbox
+ sdk_sandbox_all
system_app
} {
data_file_type
diff --git a/prebuilts/api/34.0/private/attributes b/prebuilts/api/34.0/private/attributes
index 991bac1..77143a3 100644
--- a/prebuilts/api/34.0/private/attributes
+++ b/prebuilts/api/34.0/private/attributes
@@ -10,3 +10,7 @@
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
+
+# All SDK sandbox domains
+attribute sdk_sandbox_all;
+
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 3bfdcc8..54078ba 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -55,10 +55,12 @@
permissive_mte_prop
persist_sysui_builder_extras_prop
prng_seeder
+ quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
rkpdapp
servicemanager_prop
+ setupwizard_esim_prop
shutdown_checkpoints_system_data_file
stats_config_data_file
sysfs_fs_fuse_features
diff --git a/prebuilts/api/34.0/private/coredomain.te b/prebuilts/api/34.0/private/coredomain.te
index 83930a5..8abc646 100644
--- a/prebuilts/api/34.0/private/coredomain.te
+++ b/prebuilts/api/34.0/private/coredomain.te
@@ -14,6 +14,7 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index b51fd3c..2cffdd8 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -87,8 +87,13 @@
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process), and MTE bootloader override to be
+# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
+get_prop(domain, device_config_runtime_native_boot_prop);
+get_prop(domain, device_config_runtime_native_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
@@ -749,7 +754,7 @@
isolated_app_all
ephemeral_app
priv_app
- sdk_sandbox
+ sdk_sandbox_all
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/prebuilts/api/34.0/private/gmscore_app.te b/prebuilts/api/34.0/private/gmscore_app.te
index cd05a65..46b90c6 100644
--- a/prebuilts/api/34.0/private/gmscore_app.te
+++ b/prebuilts/api/34.0/private/gmscore_app.te
@@ -152,6 +152,11 @@
# Allow GMSCore to read RKP properties for the purpose of GTS testing.
get_prop(gmscore_app, remote_prov_prop)
+# Allow GmsCore to read Quick Start properties and prevent access from other
+# policies.
+get_prop(gmscore_app, quick_start_prop)
+neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file no_rw_file_perms;
+
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
diff --git a/prebuilts/api/34.0/private/gpuservice.te b/prebuilts/api/34.0/private/gpuservice.te
index 08c3902..297a876 100644
--- a/prebuilts/api/34.0/private/gpuservice.te
+++ b/prebuilts/api/34.0/private/gpuservice.te
@@ -64,6 +64,8 @@
# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)
+neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;
+
# Needed for querying permission
allow gpuservice permission_service:service_manager find;
diff --git a/prebuilts/api/34.0/private/isolated_app_all.te b/prebuilts/api/34.0/private/isolated_app_all.te
index 200af1b..0617a57 100644
--- a/prebuilts/api/34.0/private/isolated_app_all.te
+++ b/prebuilts/api/34.0/private/isolated_app_all.te
@@ -104,7 +104,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
+neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/prebuilts/api/34.0/private/mediaprovider_app.te b/prebuilts/api/34.0/private/mediaprovider_app.te
index 7ad8feb..1f84eca 100644
--- a/prebuilts/api/34.0/private/mediaprovider_app.te
+++ b/prebuilts/api/34.0/private/mediaprovider_app.te
@@ -35,6 +35,9 @@
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
+# Read SDK sandbox data files
+allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
+
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
diff --git a/prebuilts/api/34.0/private/mediaserver.te b/prebuilts/api/34.0/private/mediaserver.te
index aaf49f6..f44cbde 100644
--- a/prebuilts/api/34.0/private/mediaserver.te
+++ b/prebuilts/api/34.0/private/mediaserver.te
@@ -19,6 +19,9 @@
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
+# Allow mediaserver to read SDK sandbox data files
+allow mediaserver sdk_sandbox_data_file:file { getattr read };
+
# Needed for stats callback registration to statsd.
allow mediaserver stats_service:service_manager find;
allow mediaserver statsmanager_service:service_manager find;
diff --git a/prebuilts/api/34.0/private/net.te b/prebuilts/api/34.0/private/net.te
index 07e4271..4adf84c 100644
--- a/prebuilts/api/34.0/private/net.te
+++ b/prebuilts/api/34.0/private/net.te
@@ -1,7 +1,7 @@
# Bind to ports.
-allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
@@ -13,7 +13,7 @@
-ephemeral_app
-mediaprovider
-priv_app
- -sdk_sandbox
+ -sdk_sandbox_all
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/prebuilts/api/34.0/private/property.te b/prebuilts/api/34.0/private/property.te
index 35f9bc7..928f86c 100644
--- a/prebuilts/api/34.0/private/property.te
+++ b/prebuilts/api/34.0/private/property.te
@@ -598,6 +598,10 @@
-init
} setupwizard_prop:property_service set;
+neverallow {
+ domain
+ -init
+} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index 2ecfa29..902e8e7 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -535,6 +535,8 @@
bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_tx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_rx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
@@ -949,6 +951,8 @@
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.cpu.pagesize.max u:object_r:build_prop:s0 exact enum 4096 16384 65536
+
ro.product.system.brand u:object_r:build_prop:s0 exact string
ro.product.system.device u:object_r:build_prop:s0 exact string
ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
@@ -1448,8 +1452,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
@@ -1559,3 +1563,7 @@
# System UI notification properties
persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
+
+# Properties for Quick Start setup.
+ro.quick_start.oem_id u:object_r:quick_start_prop:s0 exact string
+ro.quick_start.device_id u:object_r:quick_start_prop:s0 exact string
diff --git a/prebuilts/api/34.0/private/sdk_sandbox.te b/prebuilts/api/34.0/private/sdk_sandbox.te
deleted file mode 100644
index 4806e6d..0000000
--- a/prebuilts/api/34.0/private/sdk_sandbox.te
+++ /dev/null
@@ -1,304 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes.
-
-type sdk_sandbox, domain;
-
-typeattribute sdk_sandbox coredomain;
-
-net_domain(sdk_sandbox)
-app_domain(sdk_sandbox)
-
-# TODO(b/252967582): remove this rule if it generates too much logs traffic.
-auditallow sdk_sandbox {
- property_type
- # remove expected properties to reduce noise.
- -servicemanager_prop
- -hwservicemanager_prop
- -use_memfd_prop
- -binder_cache_system_server_prop
- -graphics_config_prop
- -persist_wm_debug_prop
- -aaudio_config_prop
- -adbd_config_prop
- -apex_ready_prop
- -apexd_select_prop
- -arm64_memtag_prop
- -audio_prop
- -binder_cache_bluetooth_server_prop
- -binder_cache_telephony_server_prop
- -bluetooth_config_prop
- -boot_status_prop
- -bootloader_prop
- -bq_config_prop
- -build_odm_prop
- -build_prop
- -build_vendor_prop
- -camera2_extensions_prop
- -camera_calibration_prop
- -camera_config_prop
- -camerax_extensions_prop
- -codec2_config_prop
- -config_prop
- -cppreopt_prop
- -dalvik_config_prop_type
- -dalvik_prop
- -dalvik_runtime_prop
- -dck_prop
- -debug_prop
- -debuggerd_prop
- -default_prop
- -device_config_memory_safety_native_boot_prop
- -device_config_memory_safety_native_prop
- -device_config_nnapi_native_prop
- -device_config_runtime_native_boot_prop
- -device_config_runtime_native_prop
- -dhcp_prop
- -dumpstate_prop
- -exported3_system_prop
- -exported_config_prop
- -exported_default_prop
- -exported_dumpstate_prop
- -exported_pm_prop
- -exported_system_prop
- -ffs_config_prop
- -fingerprint_prop
- -framework_status_prop
- -gwp_asan_prop
- -hal_instrumentation_prop
- -hdmi_config_prop
- -heapprofd_prop
- -hw_timeout_multiplier_prop
- -init_service_status_private_prop
- -init_service_status_prop
- -libc_debug_prop
- -lmkd_config_prop
- -locale_prop
- -localization_prop
- -log_file_logger_prop
- -log_prop
- -log_tag_prop
- -logd_prop
- -media_config_prop
- -media_variant_prop
- -mediadrm_config_prop
- -module_sdkextensions_prop
- -net_radio_prop
- -nfc_prop
- -nnapi_ext_deny_product_prop
- -ota_prop
- -packagemanager_config_prop
- -pan_result_prop
- -permissive_mte_prop
- -persist_debug_prop
- -persist_sysui_builder_extras_prop
- -pm_prop
- -powerctl_prop
- -property_service_version_prop
- -radio_control_prop
- -radio_prop
- -restorecon_prop
- -rollback_test_prop
- -sendbug_config_prop
- -setupwizard_prop
- -shell_prop
- -soc_prop
- -socket_hook_prop
- -sqlite_log_prop
- -storagemanager_config_prop
- -surfaceflinger_color_prop
- -surfaceflinger_prop
- -system_prop
- -system_user_mode_emulation_prop
- -systemsound_config_prop
- -telephony_config_prop
- -telephony_status_prop
- -test_harness_prop
- -timezone_prop
- -usb_config_prop
- -usb_control_prop
- -usb_prop
- -userdebug_or_eng_prop
- -userspace_reboot_config_prop
- -userspace_reboot_exported_prop
- -userspace_reboot_log_prop
- -userspace_reboot_test_prop
- -vendor_socket_hook_prop
- -vndk_prop
- -vold_config_prop
- -vold_prop
- -vold_status_prop
- -vts_config_prop
- -vts_status_prop
- -wifi_log_prop
- -zygote_config_prop
- -zygote_wrap_prop
- -init_service_status_prop
-}:file { getattr open read map };
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
-# Required to read CTS tests data from the shell_data_file location.
-allow sdk_sandbox shell_data_file:file r_file_perms;
-allow sdk_sandbox shell_data_file:dir r_dir_perms;
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow sdk_sandbox domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox debugfs:file read;
-
-# execute gpu_device
-neverallow sdk_sandbox gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow sdk_sandbox sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
-neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow sdk_sandbox proc_net:file no_rw_file_perms;
-
-# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
-
-# SDK sandbox processes don't have any access to external storage
-neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
-
-neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
-
-neverallow sdk_sandbox hal_drm_service:service_manager find;
-
-# Only certain system components should have access to sdk_sandbox_system_data_file
-# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
-neverallow {
- domain
- -init
- -installd
- -system_server
- -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { relabelfrom };
-
-neverallow {
- domain
- -init
- -installd
- -sdk_sandbox
- -system_server
- -vold_prepare_subdirs
- -zygote
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
-
-# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
-neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
-
-# Only dirs should be created at sdk_sandbox_system_data_file level
-neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_34.te b/prebuilts/api/34.0/private/sdk_sandbox_34.te
new file mode 100644
index 0000000..d45da88
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_34.te
@@ -0,0 +1,91 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_34)
+app_domain(sdk_sandbox_34)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_34 {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_all.te b/prebuilts/api/34.0/private/sdk_sandbox_all.te
new file mode 100644
index 0000000..9a3f05f
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_all.te
@@ -0,0 +1,122 @@
+###
+### sdk_sandbox_all
+###
+### This file defines the rules shared by all sdk_sandbox_all domains.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The sdk_sandbox_all_all attribute is assigned to all default
+### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
+### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.
+
+allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
+
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox_all shell_data_file:file r_file_perms;
+allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox_all domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox_all debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox_all gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox_all sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox_all hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox_all
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# Only certain system components should have access to sdk_sandbox_all_system_data_file
+# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox_all
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file
+neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_all_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
+
diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts
index 48ddeb8..fbdd93f 100644
--- a/prebuilts/api/34.0/private/seapp_contexts
+++ b/prebuilts/api/34.0/private/seapp_contexts
@@ -148,8 +148,8 @@
isSystemServer=true domain=system_server_startup
-# sdksandbox must run in the sdksandbox domain
-neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+# sdksandbox must run in an sdksandbox domain
+neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
@@ -164,7 +164,7 @@
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
-user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/prebuilts/api/34.0/private/service_contexts b/prebuilts/api/34.0/private/service_contexts
index 5ceaa78..3bb9c85 100644
--- a/prebuilts/api/34.0/private/service_contexts
+++ b/prebuilts/api/34.0/private/service_contexts
@@ -382,6 +382,7 @@
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
+# sdk_sandbox here refers to the service name, not the domain name.
sdk_sandbox u:object_r:sdk_sandbox_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
diff --git a/prebuilts/api/34.0/private/technical_debt.cil b/prebuilts/api/34.0/private/technical_debt.cil
index 485ce53..4286053 100644
--- a/prebuilts/api/34.0/private/technical_debt.cil
+++ b/prebuilts/api/34.0/private/technical_debt.cil
@@ -22,7 +22,7 @@
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
diff --git a/prebuilts/api/34.0/public/property.te b/prebuilts/api/34.0/public/property.te
index 8d6b8ee..5ee8d60 100644
--- a/prebuilts/api/34.0/public/property.te
+++ b/prebuilts/api/34.0/public/property.te
@@ -88,6 +88,7 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
@@ -101,7 +102,6 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-system_restricted_prop(graphics_config_writable_prop)
compatible_property_only(`
@@ -170,6 +170,7 @@
system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
+system_vendor_config_prop(quick_start_prop)
system_vendor_config_prop(recovery_config_prop)
system_vendor_config_prop(recovery_usb_config_prop)
system_vendor_config_prop(sendbug_config_prop)
@@ -223,6 +224,7 @@
system_public_prop(ffs_control_prop)
system_public_prop(framework_status_prop)
system_public_prop(gesture_prop)
+system_public_prop(graphics_config_writable_prop)
system_public_prop(hal_dumpstate_config_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
diff --git a/prebuilts/api/34.0/public/service.te b/prebuilts/api/34.0/public/service.te
index 27403ca..b32314d 100644
--- a/prebuilts/api/34.0/public/service.te
+++ b/prebuilts/api/34.0/public/service.te
@@ -80,7 +80,7 @@
type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
+type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/34.0/public/vendor_init.te b/prebuilts/api/34.0/public/vendor_init.te
index 288d035..3942c27 100644
--- a/prebuilts/api/34.0/public/vendor_init.te
+++ b/prebuilts/api/34.0/public/vendor_init.te
@@ -251,6 +251,7 @@
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, graphics_config_writable_prop)
set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
diff --git a/private/app.te b/private/app.te
index 05332d7..528d673 100644
--- a/private/app.te
+++ b/private/app.te
@@ -9,7 +9,7 @@
-platform_app
-priv_app
-shell
- -sdk_sandbox
+ -sdk_sandbox_all
-system_app
-untrusted_app_all
}, proc_net_type)
@@ -23,7 +23,7 @@
-priv_app
-shell
-su
- -sdk_sandbox
+ -sdk_sandbox_all
-system_app
-untrusted_app_all
} proc_net_type:{ dir file lnk_file } { getattr open read };
@@ -48,11 +48,6 @@
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
@@ -81,7 +76,7 @@
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -137,67 +132,67 @@
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Perform binder IPC to sdk sandbox.
-binder_call(appdomain, sdk_sandbox)
+binder_call(appdomain, sdk_sandbox_all)
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
#logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
-use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
-use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# For app fuse.
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
+pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
@@ -223,11 +218,11 @@
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
-allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
+allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
@@ -261,11 +256,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -411,7 +406,7 @@
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
@@ -503,7 +498,7 @@
nfc
radio
shared_relro
- sdk_sandbox
+ sdk_sandbox_all
system_app
} {
data_file_type
diff --git a/private/attributes b/private/attributes
index 991bac1..77143a3 100644
--- a/private/attributes
+++ b/private/attributes
@@ -10,3 +10,7 @@
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
+
+# All SDK sandbox domains
+attribute sdk_sandbox_all;
+
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3bfdcc8..54078ba 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -55,10 +55,12 @@
permissive_mte_prop
persist_sysui_builder_extras_prop
prng_seeder
+ quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
rkpdapp
servicemanager_prop
+ setupwizard_esim_prop
shutdown_checkpoints_system_data_file
stats_config_data_file
sysfs_fs_fuse_features
diff --git a/private/coredomain.te b/private/coredomain.te
index 83930a5..8abc646 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,6 +14,7 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/domain.te b/private/domain.te
index b51fd3c..2cffdd8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -87,8 +87,13 @@
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process), and MTE bootloader override to be
+# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
+get_prop(domain, device_config_runtime_native_boot_prop);
+get_prop(domain, device_config_runtime_native_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
@@ -749,7 +754,7 @@
isolated_app_all
ephemeral_app
priv_app
- sdk_sandbox
+ sdk_sandbox_all
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index cd05a65..46b90c6 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -152,6 +152,11 @@
# Allow GMSCore to read RKP properties for the purpose of GTS testing.
get_prop(gmscore_app, remote_prov_prop)
+# Allow GmsCore to read Quick Start properties and prevent access from other
+# policies.
+get_prop(gmscore_app, quick_start_prop)
+neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file no_rw_file_perms;
+
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 08c3902..297a876 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -64,6 +64,8 @@
# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)
+neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;
+
# Needed for querying permission
allow gpuservice permission_service:service_manager find;
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 200af1b..0617a57 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -104,7 +104,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
+neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 7ad8feb..1f84eca 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -35,6 +35,9 @@
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
+# Read SDK sandbox data files
+allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
+
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index aaf49f6..f44cbde 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -19,6 +19,9 @@
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
+# Allow mediaserver to read SDK sandbox data files
+allow mediaserver sdk_sandbox_data_file:file { getattr read };
+
# Needed for stats callback registration to statsd.
allow mediaserver stats_service:service_manager find;
allow mediaserver statsmanager_service:service_manager find;
diff --git a/private/net.te b/private/net.te
index 07e4271..4adf84c 100644
--- a/private/net.te
+++ b/private/net.te
@@ -1,7 +1,7 @@
# Bind to ports.
-allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
@@ -13,7 +13,7 @@
-ephemeral_app
-mediaprovider
-priv_app
- -sdk_sandbox
+ -sdk_sandbox_all
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/property.te b/private/property.te
index 35f9bc7..928f86c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -598,6 +598,10 @@
-init
} setupwizard_prop:property_service set;
+neverallow {
+ domain
+ -init
+} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 2ecfa29..902e8e7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -535,6 +535,8 @@
bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_tx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_rx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
@@ -949,6 +951,8 @@
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.cpu.pagesize.max u:object_r:build_prop:s0 exact enum 4096 16384 65536
+
ro.product.system.brand u:object_r:build_prop:s0 exact string
ro.product.system.device u:object_r:build_prop:s0 exact string
ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
@@ -1448,8 +1452,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
@@ -1559,3 +1563,7 @@
# System UI notification properties
persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
+
+# Properties for Quick Start setup.
+ro.quick_start.oem_id u:object_r:quick_start_prop:s0 exact string
+ro.quick_start.device_id u:object_r:quick_start_prop:s0 exact string
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
deleted file mode 100644
index 4806e6d..0000000
--- a/private/sdk_sandbox.te
+++ /dev/null
@@ -1,304 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes.
-
-type sdk_sandbox, domain;
-
-typeattribute sdk_sandbox coredomain;
-
-net_domain(sdk_sandbox)
-app_domain(sdk_sandbox)
-
-# TODO(b/252967582): remove this rule if it generates too much logs traffic.
-auditallow sdk_sandbox {
- property_type
- # remove expected properties to reduce noise.
- -servicemanager_prop
- -hwservicemanager_prop
- -use_memfd_prop
- -binder_cache_system_server_prop
- -graphics_config_prop
- -persist_wm_debug_prop
- -aaudio_config_prop
- -adbd_config_prop
- -apex_ready_prop
- -apexd_select_prop
- -arm64_memtag_prop
- -audio_prop
- -binder_cache_bluetooth_server_prop
- -binder_cache_telephony_server_prop
- -bluetooth_config_prop
- -boot_status_prop
- -bootloader_prop
- -bq_config_prop
- -build_odm_prop
- -build_prop
- -build_vendor_prop
- -camera2_extensions_prop
- -camera_calibration_prop
- -camera_config_prop
- -camerax_extensions_prop
- -codec2_config_prop
- -config_prop
- -cppreopt_prop
- -dalvik_config_prop_type
- -dalvik_prop
- -dalvik_runtime_prop
- -dck_prop
- -debug_prop
- -debuggerd_prop
- -default_prop
- -device_config_memory_safety_native_boot_prop
- -device_config_memory_safety_native_prop
- -device_config_nnapi_native_prop
- -device_config_runtime_native_boot_prop
- -device_config_runtime_native_prop
- -dhcp_prop
- -dumpstate_prop
- -exported3_system_prop
- -exported_config_prop
- -exported_default_prop
- -exported_dumpstate_prop
- -exported_pm_prop
- -exported_system_prop
- -ffs_config_prop
- -fingerprint_prop
- -framework_status_prop
- -gwp_asan_prop
- -hal_instrumentation_prop
- -hdmi_config_prop
- -heapprofd_prop
- -hw_timeout_multiplier_prop
- -init_service_status_private_prop
- -init_service_status_prop
- -libc_debug_prop
- -lmkd_config_prop
- -locale_prop
- -localization_prop
- -log_file_logger_prop
- -log_prop
- -log_tag_prop
- -logd_prop
- -media_config_prop
- -media_variant_prop
- -mediadrm_config_prop
- -module_sdkextensions_prop
- -net_radio_prop
- -nfc_prop
- -nnapi_ext_deny_product_prop
- -ota_prop
- -packagemanager_config_prop
- -pan_result_prop
- -permissive_mte_prop
- -persist_debug_prop
- -persist_sysui_builder_extras_prop
- -pm_prop
- -powerctl_prop
- -property_service_version_prop
- -radio_control_prop
- -radio_prop
- -restorecon_prop
- -rollback_test_prop
- -sendbug_config_prop
- -setupwizard_prop
- -shell_prop
- -soc_prop
- -socket_hook_prop
- -sqlite_log_prop
- -storagemanager_config_prop
- -surfaceflinger_color_prop
- -surfaceflinger_prop
- -system_prop
- -system_user_mode_emulation_prop
- -systemsound_config_prop
- -telephony_config_prop
- -telephony_status_prop
- -test_harness_prop
- -timezone_prop
- -usb_config_prop
- -usb_control_prop
- -usb_prop
- -userdebug_or_eng_prop
- -userspace_reboot_config_prop
- -userspace_reboot_exported_prop
- -userspace_reboot_log_prop
- -userspace_reboot_test_prop
- -vendor_socket_hook_prop
- -vndk_prop
- -vold_config_prop
- -vold_prop
- -vold_status_prop
- -vts_config_prop
- -vts_status_prop
- -wifi_log_prop
- -zygote_config_prop
- -zygote_wrap_prop
- -init_service_status_prop
-}:file { getattr open read map };
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
-# Required to read CTS tests data from the shell_data_file location.
-allow sdk_sandbox shell_data_file:file r_file_perms;
-allow sdk_sandbox shell_data_file:dir r_dir_perms;
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow sdk_sandbox domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox debugfs:file read;
-
-# execute gpu_device
-neverallow sdk_sandbox gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow sdk_sandbox sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
-neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow sdk_sandbox proc_net:file no_rw_file_perms;
-
-# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
-
-# SDK sandbox processes don't have any access to external storage
-neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
-
-neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
-
-neverallow sdk_sandbox hal_drm_service:service_manager find;
-
-# Only certain system components should have access to sdk_sandbox_system_data_file
-# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
-neverallow {
- domain
- -init
- -installd
- -system_server
- -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { relabelfrom };
-
-neverallow {
- domain
- -init
- -installd
- -sdk_sandbox
- -system_server
- -vold_prepare_subdirs
- -zygote
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
-
-# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
-neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
-
-# Only dirs should be created at sdk_sandbox_system_data_file level
-neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
new file mode 100644
index 0000000..d45da88
--- /dev/null
+++ b/private/sdk_sandbox_34.te
@@ -0,0 +1,91 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_34)
+app_domain(sdk_sandbox_34)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_34 {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
new file mode 100644
index 0000000..9a3f05f
--- /dev/null
+++ b/private/sdk_sandbox_all.te
@@ -0,0 +1,122 @@
+###
+### sdk_sandbox_all
+###
+### This file defines the rules shared by all sdk_sandbox_all domains.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The sdk_sandbox_all_all attribute is assigned to all default
+### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
+### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.
+
+allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
+
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox_all shell_data_file:file r_file_perms;
+allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox_all domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox_all debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox_all gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox_all sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox_all hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox_all
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# Only certain system components should have access to sdk_sandbox_all_system_data_file
+# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox_all
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file
+neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_all_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 48ddeb8..fbdd93f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -148,8 +148,8 @@
isSystemServer=true domain=system_server_startup
-# sdksandbox must run in the sdksandbox domain
-neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+# sdksandbox must run in an sdksandbox domain
+neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
@@ -164,7 +164,7 @@
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
-user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 5ceaa78..3bb9c85 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -382,6 +382,7 @@
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
+# sdk_sandbox here refers to the service name, not the domain name.
sdk_sandbox u:object_r:sdk_sandbox_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 485ce53..4286053 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -22,7 +22,7 @@
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
diff --git a/public/property.te b/public/property.te
index 8d6b8ee..5ee8d60 100644
--- a/public/property.te
+++ b/public/property.te
@@ -88,6 +88,7 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
@@ -101,7 +102,6 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-system_restricted_prop(graphics_config_writable_prop)
compatible_property_only(`
@@ -170,6 +170,7 @@
system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
+system_vendor_config_prop(quick_start_prop)
system_vendor_config_prop(recovery_config_prop)
system_vendor_config_prop(recovery_usb_config_prop)
system_vendor_config_prop(sendbug_config_prop)
@@ -223,6 +224,7 @@
system_public_prop(ffs_control_prop)
system_public_prop(framework_status_prop)
system_public_prop(gesture_prop)
+system_public_prop(graphics_config_writable_prop)
system_public_prop(hal_dumpstate_config_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
diff --git a/public/service.te b/public/service.te
index 27403ca..b32314d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -80,7 +80,7 @@
type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
+type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 288d035..3942c27 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -251,6 +251,7 @@
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, graphics_config_writable_prop)
set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index ff28a03..710e2df 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -13,6 +13,7 @@
# Allow reading graphics properties, specifically for EGL blobcache mode
get_prop(hal_camera_default, graphics_config_prop);
+get_prop(hal_camera_default, graphics_config_writable_prop);
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;