Merge "Let adbd set service.adb.tcp.port."
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index d46cd15..592a1f9 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1288,7 +1288,8 @@
(typeattributeset debugfs_mmc_30_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_30_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_30_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug
+ debugfs_tracing_printk_formats))
(typeattributeset debugfs_tracing_instances_30_0 (debugfs_tracing_instances))
(typeattributeset debugfs_wakeup_sources_30_0 (debugfs_wakeup_sources))
(typeattributeset debugfs_wifi_tracing_30_0 (debugfs_wifi_tracing))
@@ -1296,7 +1297,13 @@
(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
(typeattributeset default_android_service_30_0 (default_android_service))
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
-(typeattributeset default_prop_30_0 (default_prop init_service_status_private_prop))
+(typeattributeset default_prop_30_0 (
+ default_prop
+ init_service_status_private_prop
+ setupwizard_prop
+ verity_status_prop
+ zygote_wrap_prop
+))
(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
(typeattributeset device_30_0 (device))
(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 069f82f..c6806ea 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -43,6 +43,7 @@
snapuserd_socket
sysfs_devices_cs_etm
system_server_dumper_service
+ system_suspend_control_internal_service
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
diff --git a/private/coredomain.te b/private/coredomain.te
index b3986ea..3450010 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -11,6 +11,7 @@
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
@@ -20,6 +21,7 @@
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_wrap_prop)
full_treble_only(`
neverallow {
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1b22725..83f76ca 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -173,6 +173,8 @@
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
diff --git a/private/property.te b/private/property.te
index 53f4284..68dcfb2 100644
--- a/private/property.te
+++ b/private/property.te
@@ -15,10 +15,13 @@
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
+system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
+system_internal_prop(verity_status_prop)
+system_internal_prop(zygote_wrap_prop)
# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
system_internal_prop(keystore2_enable_prop)
@@ -492,3 +495,15 @@
-system_server
-zygote
} keystore2_enable_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+} zygote_wrap_prop:property_service set;
+
+neverallow {
+ -init
+} verity_status_prop:property_service set;
+
+neverallow {
+ -init
+} setupwizard_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 2d90875..9e42541 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -94,6 +94,7 @@
test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
+wrap. u:object_r:zygote_wrap_prop:s0 prefix string
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
@@ -361,6 +362,12 @@
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
+media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-http u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-player u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-qcp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-scan u:object_r:media_config_prop:s0 exact bool
media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
@@ -435,6 +442,7 @@
ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.kill_timeout_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
@@ -459,7 +467,8 @@
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
+ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
@@ -585,36 +594,97 @@
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
-ro.build.date u:object_r:build_prop:s0 exact string
-ro.build.date.utc u:object_r:build_prop:s0 exact int
-ro.build.description u:object_r:build_prop:s0 exact string
-ro.build.display.id u:object_r:build_prop:s0 exact string
-ro.build.host u:object_r:build_prop:s0 exact string
-ro.build.id u:object_r:build_prop:s0 exact string
-ro.build.product u:object_r:build_prop:s0 exact string
-ro.build.system_root_image u:object_r:build_prop:s0 exact bool
-ro.build.tags u:object_r:build_prop:s0 exact string
-ro.build.type u:object_r:build_prop:s0 exact string
-ro.build.user u:object_r:build_prop:s0 exact string
-ro.build.version.base_os u:object_r:build_prop:s0 exact string
-ro.build.version.codename u:object_r:build_prop:s0 exact string
-ro.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.release u:object_r:build_prop:s0 exact string
-ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.build.version.sdk u:object_r:build_prop:s0 exact int
-ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.build.characteristics u:object_r:build_prop:s0 exact string
+ro.build.date u:object_r:build_prop:s0 exact string
+ro.build.date.utc u:object_r:build_prop:s0 exact int
+ro.build.description u:object_r:build_prop:s0 exact string
+ro.build.display.id u:object_r:build_prop:s0 exact string
+ro.build.flavor u:object_r:build_prop:s0 exact string
+ro.build.host u:object_r:build_prop:s0 exact string
+ro.build.id u:object_r:build_prop:s0 exact string
+ro.build.product u:object_r:build_prop:s0 exact string
+ro.build.system_root_image u:object_r:build_prop:s0 exact bool
+ro.build.tags u:object_r:build_prop:s0 exact string
+ro.build.type u:object_r:build_prop:s0 exact string
+ro.build.user u:object_r:build_prop:s0 exact string
+ro.build.version.all_codenames u:object_r:build_prop:s0 exact string
+ro.build.version.base_os u:object_r:build_prop:s0 exact string
+ro.build.version.codename u:object_r:build_prop:s0 exact string
+ro.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string
+ro.build.version.release u:object_r:build_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.build.version.sdk u:object_r:build_prop:s0 exact int
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+
+ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.treble.enabled u:object_r:build_prop:s0 exact bool
+
ro.product.cpu.abi u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.system.brand u:object_r:build_prop:s0 exact string
+ro.product.system.device u:object_r:build_prop:s0 exact string
+ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system.model u:object_r:build_prop:s0 exact string
+ro.product.system.name u:object_r:build_prop:s0 exact string
+
+ro.system.build.date u:object_r:build_prop:s0 exact string
+ro.system.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system.build.id u:object_r:build_prop:s0 exact string
+ro.system.build.tags u:object_r:build_prop:s0 exact string
+ro.system.build.type u:object_r:build_prop:s0 exact string
+ro.system.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system.build.version.release u:object_r:build_prop:s0 exact string
+ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
+
ro.adb.secure u:object_r:build_prop:s0 exact bool
ro.secure u:object_r:build_prop:s0 exact int
+ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
+ro.product.system_ext.device u:object_r:build_prop:s0 exact string
+ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system_ext.model u:object_r:build_prop:s0 exact string
+ro.product.system_ext.name u:object_r:build_prop:s0 exact string
+
+ro.system_ext.build.date u:object_r:build_prop:s0 exact string
+ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system_ext.build.id u:object_r:build_prop:s0 exact string
+ro.system_ext.build.tags u:object_r:build_prop:s0 exact string
+ro.system_ext.build.type u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int
+
+# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
+ro.product.product.brand u:object_r:build_prop:s0 exact string
+ro.product.product.device u:object_r:build_prop:s0 exact string
+ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.product.model u:object_r:build_prop:s0 exact string
+ro.product.product.name u:object_r:build_prop:s0 exact string
+
+ro.product.build.date u:object_r:build_prop:s0 exact string
+ro.product.build.date.utc u:object_r:build_prop:s0 exact int
+ro.product.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.product.build.id u:object_r:build_prop:s0 exact string
+ro.product.build.tags u:object_r:build_prop:s0 exact string
+ro.product.build.type u:object_r:build_prop:s0 exact string
+ro.product.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.product.build.version.release u:object_r:build_prop:s0 exact string
+ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.product.build.version.sdk u:object_r:build_prop:s0 exact int
+
# These 5 properties are set by property_service
ro.product.brand u:object_r:build_prop:s0 exact string
ro.product.device u:object_r:build_prop:s0 exact string
@@ -647,30 +717,40 @@
ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
-ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.odm_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.odm_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.odm_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.odm_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.old_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All vendor build props are set by /vendor/build.prop
-ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-
-# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
-ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
ro.product.board u:object_r:build_vendor_prop:s0 exact string
ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -680,6 +760,24 @@
ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
+ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+
+ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
+
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
@@ -905,9 +1003,10 @@
# Graphics related properties
ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
-ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
@@ -924,3 +1023,35 @@
# Enable Keystore 2.0.
# TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
ro.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
+
+partition.system.verified u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
+partition.product.verified u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+
+ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
+ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+
+setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.day_night_mode_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_low_ram_filter u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_suggestion u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.device_default_dark_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.esim_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data.carrier-1 u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.portal_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.predeferred_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.return_partner_customization_bundle u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.show_pixel_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.use_biometric_lock u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.wallpaper_suggestion_after_restore u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index 02ec5d2..4106357 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -221,6 +221,7 @@
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
+suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 56b9746..53c31c2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -97,6 +97,7 @@
-iorapd_service
-lpdump_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
diff --git a/private/system_server.te b/private/system_server.te
index 76ac007..0d48554 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1144,6 +1144,7 @@
allow system_server apex_info_file:file r_file_perms;
# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 7f343f2..217548f 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -3,8 +3,9 @@
type system_suspend_exec, system_file_type, exec_type, file_type;
init_daemon_domain(system_suspend)
-# To serve ISuspendControlService.aidl.
+# To serve ISuspendControlService and ISuspendControlServiceInternal.
binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_internal_service)
add_service(system_suspend, system_suspend_control_service)
# Access to /sys/power/{ wakeup_count, state } suspend interface.
@@ -23,6 +24,15 @@
neverallow {
domain
-atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
+
+neverallow {
+ domain
+ -atrace # tracing
-bluetooth # support Bluetooth activity attribution (BTAA)
-dumpstate # bug reports
-system_suspend # implements system_suspend_control_service
diff --git a/private/traced_probes.te b/private/traced_probes.te
index f010a77..c669eba 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -14,6 +14,7 @@
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the denylist/allowlist.
diff --git a/public/domain.te b/public/domain.te
index 4b245c6..0e5dde9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1387,3 +1387,5 @@
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
+
+neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
diff --git a/public/file.te b/public/file.te
index 0e61e8c..8ddaf2f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -140,6 +140,7 @@
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type securityfs, fs_type;
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 4538962..52208c7 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -49,8 +49,8 @@
# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY
- TCSETSW TCFLSH TIOCSPGRP TIOCGPGRP
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+ TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
}')
# point to point ioctls
diff --git a/public/service.te b/public/service.te
index 3cbbdff..7e58740 100644
--- a/public/service.te
+++ b/public/service.te
@@ -31,6 +31,7 @@
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
+type system_suspend_control_internal_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index ee90a63..fa9079c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -84,6 +84,7 @@
-installd_service
-iorapd_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
diff --git a/tests/policy.py b/tests/policy.py
index 24466e9..d0ef6c4 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -56,7 +56,7 @@
# Query policy for the types associated with Attr
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find types associated with input paths.
- TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.intersection(TypesPol)
ret = ""
if len(violators) > 0:
@@ -65,6 +65,8 @@
ret += " must not be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " corresponding to files: "
+ ret += " ".join(str(x) for x in sorted(Files)) + "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
@@ -91,7 +93,7 @@
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.difference(TypesPol)
ret = ""
@@ -101,6 +103,8 @@
ret += " must be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " corresponding to files: "
+ ret += " ".join(str(x) for x in sorted(Files)) + "\n"
return ret
def AssertPropertyOwnersAreExclusive(self):
@@ -272,8 +276,9 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
- def __GetTypesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
+ def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
Types = set()
+ Files = set()
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -285,7 +290,8 @@
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
Types.add(PathType[1])
- return Types
+ Files.add(PathType[0])
+ return Types, Files
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None: