Reorder 30.0.ignore.cil am: 99f6010820
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1421853
Change-Id: I0b680ac97ee447483de5b99ffa30a9b8d5c02d41
diff --git a/prebuilts/api/26.0/public/property.te b/prebuilts/api/26.0/public/property.te
index d6fa868..232872c 100644
--- a/prebuilts/api/26.0/public/property.te
+++ b/prebuilts/api/26.0/public/property.te
@@ -1,6 +1,7 @@
type asan_reboot_prop, property_type;
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
+type boottime_public_prop, property_type;
type bluetooth_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
diff --git a/prebuilts/api/27.0/public/property.te b/prebuilts/api/27.0/public/property.te
index 95efcaa..2c716c5 100644
--- a/prebuilts/api/27.0/public/property.te
+++ b/prebuilts/api/27.0/public/property.te
@@ -1,5 +1,6 @@
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
+type boottime_public_prop, property_type;
type bluetooth_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
index b0397e9..a4f0d87 100644
--- a/prebuilts/api/28.0/public/property.te
+++ b/prebuilts/api/28.0/public/property.te
@@ -1,5 +1,6 @@
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
+type boottime_public_prop, property_type;
type bluetooth_a2dp_offload_prop, property_type;
type bluetooth_prop, property_type;
type bootloader_boot_reason_prop, property_type;
diff --git a/prebuilts/api/29.0/public/property.te b/prebuilts/api/29.0/public/property.te
index cea50ac..4ccd8ac 100644
--- a/prebuilts/api/29.0/public/property.te
+++ b/prebuilts/api/29.0/public/property.te
@@ -1,6 +1,7 @@
type apexd_prop, property_type;
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
+type boottime_public_prop, property_type;
type bluetooth_a2dp_offload_prop, property_type;
type bluetooth_audio_hal_prop, property_type;
type bluetooth_prop, property_type;
@@ -361,6 +362,7 @@
-bluetooth_prop
-bootloader_boot_reason_prop
-boottime_prop
+ -boottime_public_prop
-bpf_progs_loaded_prop
-config_prop
-cppreopt_prop
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 5c6b31f..71002be 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -218,6 +218,8 @@
ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
+ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
+ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
ro.boot.console u:object_r:exported2_default_prop:s0 exact string
ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
@@ -407,4 +409,3 @@
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/prebuilts/api/30.0/private/app.te b/prebuilts/api/30.0/private/app.te
index 9882d8f..b2ddd84 100644
--- a/prebuilts/api/30.0/private/app.te
+++ b/prebuilts/api/30.0/private/app.te
@@ -36,8 +36,5 @@
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
-# Don't allow regular apps access to storage configuration properties.
-neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
-
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
diff --git a/prebuilts/api/30.0/private/app_zygote.te b/prebuilts/api/30.0/private/app_zygote.te
index a826f7f..9285323 100644
--- a/prebuilts/api/30.0/private/app_zygote.te
+++ b/prebuilts/api/30.0/private/app_zygote.te
@@ -4,9 +4,6 @@
###### Policy below is different from regular zygote-spawned apps
######
-# The app_zygote needs to be able to transition domains.
-typeattribute app_zygote mlstrustedsubject;
-
# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);
@@ -95,12 +92,14 @@
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
-# Should not have any access to non-app data files.
+# Should not have any access to data files.
neverallow app_zygote {
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
+ app_data_file
+ privapp_data_file
}:file { rwx_file_perms };
neverallow app_zygote {
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 8dc585a..7e8e6db 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -28,6 +28,7 @@
binderfs_logs_proc
boringssl_self_test
bq_config_prop
+ cacheinfo_service
charger_prop
cold_boot_done_prop
credstore
@@ -43,7 +44,6 @@
device_config_configuration_prop
emergency_affordance_service
exported_camera_prop
- fastbootd_protocol_prop
file_integrity_service
fwk_automotive_display_hwservice
fusectlfs
@@ -58,7 +58,6 @@
hal_tv_tuner_hwservice
hal_vibrator_service
incremental_control_file
- incremental_prop
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
@@ -77,7 +76,6 @@
mirror_data_file
light_service
linkerconfig_file
- lmkd_prop
media_variant_prop
metadata_bootstat_file
mnt_pass_through_file
@@ -97,6 +95,7 @@
soundtrigger_middleware_service
staged_install_file
storage_config_prop
+ surfaceflinger_display_prop
sysfs_dm_verity
system_adbd_prop
system_config_service
diff --git a/prebuilts/api/30.0/private/lmkd.te b/prebuilts/api/30.0/private/lmkd.te
index e51cddb..a07ce87 100644
--- a/prebuilts/api/30.0/private/lmkd.te
+++ b/prebuilts/api/30.0/private/lmkd.te
@@ -1,8 +1,3 @@
typeattribute lmkd coredomain;
init_daemon_domain(lmkd)
-
-# Set lmkd.* properties.
-set_prop(lmkd, lmkd_prop)
-
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/prebuilts/api/30.0/private/mediaprovider_app.te b/prebuilts/api/30.0/private/mediaprovider_app.te
index 5881255..79d3e36 100644
--- a/prebuilts/api/30.0/private/mediaprovider_app.te
+++ b/prebuilts/api/30.0/private/mediaprovider_app.te
@@ -44,6 +44,3 @@
};
allow mediaprovider_app proc_filesystems:file r_file_perms;
-
-#Allow MediaProvider to see if sdcardfs is in use
-get_prop(mediaprovider_app, storage_config_prop)
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index 1a5471f..c3134f9 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -42,7 +42,6 @@
khungtask. u:object_r:llkd_prop:s0
ro.llk. u:object_r:llkd_prop:s0
ro.khungtask. u:object_r:llkd_prop:s0
-lmkd.reinit u:object_r:lmkd_prop:s0 exact int
log. u:object_r:log_prop:s0
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
@@ -97,9 +96,6 @@
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
-# Fastbootd protocol control property
-fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
-
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
@@ -253,9 +249,6 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
-# Property to enable incremental feature
-ro.incremental.enable u:object_r:incremental_prop:s0
-
# Properties to configure userspace reboot.
init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
@@ -263,3 +256,6 @@
init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+
+# surfaceflinger-settable
+graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
diff --git a/prebuilts/api/30.0/private/seapp_contexts b/prebuilts/api/30.0/private/seapp_contexts
index 7743c0f..a8c61be 100644
--- a/prebuilts/api/30.0/private/seapp_contexts
+++ b/prebuilts/api/30.0/private/seapp_contexts
@@ -151,8 +151,8 @@
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
-user=_isolated domain=isolated_app levelFrom=all
-user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
diff --git a/prebuilts/api/30.0/private/service_contexts b/prebuilts/api/30.0/private/service_contexts
index e01dcc1..5c6f1a4 100644
--- a/prebuilts/api/30.0/private/service_contexts
+++ b/prebuilts/api/30.0/private/service_contexts
@@ -40,6 +40,7 @@
bluetooth u:object_r:bluetooth_service:s0
broadcastradio u:object_r:broadcastradio_service:s0
bugreport u:object_r:bugreport_service:s0
+cacheinfo u:object_r:cacheinfo_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
diff --git a/prebuilts/api/30.0/private/surfaceflinger.te b/prebuilts/api/30.0/private/surfaceflinger.te
index cf709df..2e9ce19 100644
--- a/prebuilts/api/30.0/private/surfaceflinger.te
+++ b/prebuilts/api/30.0/private/surfaceflinger.te
@@ -57,6 +57,7 @@
set_prop(surfaceflinger, exported2_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 7968b79..5e53af8 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -679,9 +679,6 @@
# Read wifi.interface
get_prop(system_server, wifi_prop)
-# Read the vendor property that indicates if Incremental features is enabled
-get_prop(system_server, incremental_prop)
-
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index c892d9e..53c73b7 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -566,6 +566,10 @@
-system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+
+# Don't allow apps access to storage configuration properties.
+neverallow appdomain storage_config_prop:file no_rw_file_perms;
+
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
diff --git a/prebuilts/api/30.0/public/bootanim.te b/prebuilts/api/30.0/public/bootanim.te
index bd2bec6..e8cb98b 100644
--- a/prebuilts/api/30.0/public/bootanim.te
+++ b/prebuilts/api/30.0/public/bootanim.te
@@ -23,7 +23,6 @@
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim surfaceflinger:unix_stream_socket { read write };
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/30.0/public/fastbootd.te b/prebuilts/api/30.0/public/fastbootd.te
index 8787817..f10e649 100644
--- a/prebuilts/api/30.0/public/fastbootd.te
+++ b/prebuilts/api/30.0/public/fastbootd.te
@@ -120,14 +120,6 @@
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
-
- # Needed for TCP protocol
- allow fastbootd node:tcp_socket node_bind;
- allow fastbootd port:tcp_socket name_bind;
- allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-
- # Get fastbootd protocol property
- get_prop(fastbootd, fastbootd_protocol_prop)
')
###
diff --git a/prebuilts/api/30.0/public/hal_neuralnetworks.te b/prebuilts/api/30.0/public/hal_neuralnetworks.te
index 228d990..f8d6ff5 100644
--- a/prebuilts/api/30.0/public/hal_neuralnetworks.te
+++ b/prebuilts/api/30.0/public/hal_neuralnetworks.te
@@ -18,9 +18,6 @@
# Allow NN HAL service to read a client-provided ION memory fd.
allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
-# Allow NN HAL service to use a client-provided fd residing in /storage
-allow hal_neuralnetworks_server storage_file:file { getattr map read };
-
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
diff --git a/prebuilts/api/30.0/public/iorapd.te b/prebuilts/api/30.0/public/iorapd.te
index 426ecca..b970699 100644
--- a/prebuilts/api/30.0/public/iorapd.te
+++ b/prebuilts/api/30.0/public/iorapd.te
@@ -42,6 +42,16 @@
# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
allow iorapd system_file:file rx_file_perms;
+# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
+allow iorapd iorap_inode2filename:process signull;
+allow iorapd iorap_prefetcherd:process signull;
+
+# Allowing system_server to check for the existence and size of files under iorapd
+# dir without collecting any sensitive app data.
+# This is used to predict if iorapd is doing prefetching or not.
+allow system_server iorapd_data_file:dir { getattr open read search };
+allow system_server iorapd_data_file:file getattr;
+
###
### neverallow rules
###
@@ -55,6 +65,7 @@
domain
-init
-iorapd
+ -system_server
} iorapd_data_file:dir *;
neverallow {
@@ -69,6 +80,7 @@
-kernel
-vendor_init
-iorapd
+ -system_server
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
diff --git a/prebuilts/api/30.0/public/kernel.te b/prebuilts/api/30.0/public/kernel.te
index 42fe2c4..35018e9 100644
--- a/prebuilts/api/30.0/public/kernel.te
+++ b/prebuilts/api/30.0/public/kernel.te
@@ -65,10 +65,10 @@
allow kernel { app_data_file privapp_data_file }:file read;
allow kernel asec_image_file:file read;
-# Allow reading loop device in update_engine_unittests. (b/28319454)
+# Allow mounting loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
- allow kernel update_engine_data_file:file read;
+ allow kernel update_engine_data_file:file { read write };
allow kernel nativetest_data_file:file { read write };
')
diff --git a/prebuilts/api/30.0/public/lmkd.te b/prebuilts/api/30.0/public/lmkd.te
index 67e93e1..b852f44 100644
--- a/prebuilts/api/30.0/public/lmkd.te
+++ b/prebuilts/api/30.0/public/lmkd.te
@@ -60,9 +60,6 @@
# Read/Write /proc/pressure/memory
allow lmkd proc_pressure_mem:file rw_file_perms;
-# Allow lmkd to connect during reinit.
-allow lmkd lmkd_socket:sock_file write;
-
# Allow lmkd to write to statsd.
unix_socket_send(lmkd, statsdw, statsd)
diff --git a/prebuilts/api/30.0/public/modprobe.te b/prebuilts/api/30.0/public/modprobe.te
index 2c7d64b..1190409 100644
--- a/prebuilts/api/30.0/public/modprobe.te
+++ b/prebuilts/api/30.0/public/modprobe.te
@@ -1,7 +1,6 @@
type modprobe, domain;
allow modprobe proc_modules:file r_file_perms;
-allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
recovery_only(`
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index 5f817ff..d9ac231 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -14,7 +14,6 @@
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(firstboot_prop)
-system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
@@ -71,11 +70,13 @@
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
+system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(socket_hook_prop)
+system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
@@ -119,7 +120,6 @@
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(graphics_config_prop)
-system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(storage_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
@@ -156,7 +156,6 @@
system_public_prop(exported_wifi_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
-system_public_prop(lmkd_prop)
system_public_prop(logd_prop)
system_public_prop(logpersistd_logging_prop)
system_public_prop(log_prop)
@@ -602,3 +601,17 @@
} {
userspace_reboot_test_prop
}:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
+
+neverallow {
+ -init
+ -surfaceflinger
+} {
+ surfaceflinger_display_prop
+}:property_service set;
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 2f04b17..40f6889 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -73,7 +73,6 @@
drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
@@ -185,7 +184,6 @@
sys.usb.ffs.mtp.ready u:object_r:exported_ffs_prop:s0 exact bool
sys.usb.state u:object_r:exported2_system_prop:s0 exact string
telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
-telephony.active_modems.max_count u:object_r:exported3_default_prop:s0 exact int
tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
@@ -243,6 +241,8 @@
ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
+ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
+ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
ro.boot.console u:object_r:exported2_default_prop:s0 exact string
ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
@@ -313,7 +313,6 @@
ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
-ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
@@ -408,6 +407,7 @@
wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
wifi.interface u:object_r:exported_default_prop:s0 exact string
ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
+ro.init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
# public-readable
ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
@@ -466,3 +466,7 @@
cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
+
+# Graphics related properties
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
diff --git a/prebuilts/api/30.0/public/recovery.te b/prebuilts/api/30.0/public/recovery.te
index 63a9cea..16b670f 100644
--- a/prebuilts/api/30.0/public/recovery.te
+++ b/prebuilts/api/30.0/public/recovery.te
@@ -154,15 +154,6 @@
# Allow mounting /metadata for writing update states
allow recovery metadata_file:dir { getattr mounton };
-
- # These are needed to allow recovery to manage network
- allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
- allow recovery self:global_capability_class_set net_admin;
- allow recovery self:tcp_socket { create ioctl };
- allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
-
- # Set fastbootd protocol property
- set_prop(recovery, fastbootd_protocol_prop)
')
###
diff --git a/prebuilts/api/30.0/public/service.te b/prebuilts/api/30.0/public/service.te
index 968e523..f27772e 100644
--- a/prebuilts/api/30.0/public/service.te
+++ b/prebuilts/api/30.0/public/service.te
@@ -63,6 +63,7 @@
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type broadcastradio_service, system_server_service, service_manager_type;
+type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
@@ -182,7 +183,7 @@
type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type tv_tuner_resource_mgr_service, system_server_service, service_manager_type;
+type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/30.0/public/servicemanager.te b/prebuilts/api/30.0/public/servicemanager.te
index 63fc227..cd62a21 100644
--- a/prebuilts/api/30.0/public/servicemanager.te
+++ b/prebuilts/api/30.0/public/servicemanager.te
@@ -25,8 +25,6 @@
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
add_service(servicemanager, service_manager_service)
-allow servicemanager dumpstate:fd use;
-allow servicemanager dumpstate:fifo_file write;
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/prebuilts/api/30.0/public/vendor_init.te b/prebuilts/api/30.0/public/vendor_init.te
index 12a360e..df203be 100644
--- a/prebuilts/api/30.0/public/vendor_init.te
+++ b/prebuilts/api/30.0/public/vendor_init.te
@@ -228,8 +228,6 @@
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
-set_prop(vendor_init, incremental_prop)
-set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
@@ -246,6 +244,7 @@
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
get_prop(vendor_init, theme_prop)
get_prop(vendor_init, ota_prop)
diff --git a/prebuilts/api/30.0/public/vold.te b/prebuilts/api/30.0/public/vold.te
index 6c5ff78..a112de0 100644
--- a/prebuilts/api/30.0/public/vold.te
+++ b/prebuilts/api/30.0/public/vold.te
@@ -200,8 +200,8 @@
set_prop(vold, restorecon_prop)
set_prop(vold, ota_prop)
set_prop(vold, boottime_prop)
+set_prop(vold, boottime_public_prop)
get_prop(vold, storage_config_prop)
-get_prop(vold, incremental_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index a826f7f..9285323 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -4,9 +4,6 @@
###### Policy below is different from regular zygote-spawned apps
######
-# The app_zygote needs to be able to transition domains.
-typeattribute app_zygote mlstrustedsubject;
-
# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);
@@ -95,12 +92,14 @@
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
-# Should not have any access to non-app data files.
+# Should not have any access to data files.
neverallow app_zygote {
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
+ app_data_file
+ privapp_data_file
}:file { rwx_file_perms };
neverallow app_zygote {
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 7d5a04f..1079046 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -28,6 +28,7 @@
binderfs_logs_proc
boringssl_self_test
bq_config_prop
+ cacheinfo_service
charger_prop
cold_boot_done_prop
credstore
@@ -98,6 +99,7 @@
soundtrigger_middleware_service
staged_install_file
storage_config_prop
+ surfaceflinger_display_prop
sysfs_dm_verity
system_adbd_prop
system_config_service
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index f882ab0..5022160 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -56,6 +56,7 @@
dontaudit gmscore_app sysfs_loop:file r_file_perms;
dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
+dontaudit gmscore_app mnt_vendor_file:dir search;
# Access the network
net_domain(gmscore_app)
diff --git a/private/keystore.te b/private/keystore.te
index a36926e..2f62920c 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -14,8 +14,9 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
+
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
-# Allow keystore to write to statsd.
-unix_socket_send(keystore, statsdw, statsd)
diff --git a/private/property.te b/private/property.te
index 2d3d861..bc1934d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -405,6 +405,13 @@
}:property_service set;
neverallow {
+ -init
+ -surfaceflinger
+} {
+ surfaceflinger_display_prop
+}:property_service set;
+
+neverallow {
-coredomain
-appdomain
-vendor_init
diff --git a/private/property_contexts b/private/property_contexts
index 3d02e97..34cc0f8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -576,6 +576,9 @@
ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
+ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
+ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
+
ro.build.date u:object_r:build_prop:s0 exact string
ro.build.date.utc u:object_r:build_prop:s0 exact int
ro.build.description u:object_r:build_prop:s0 exact string
@@ -884,3 +887,7 @@
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+
+# surfaceflinger-settable
+graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ebbbf08..4b23e89 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -151,8 +151,8 @@
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
-user=_isolated domain=isolated_app levelFrom=all
-user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
diff --git a/private/service_contexts b/private/service_contexts
index 808edcc..a78b108 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -42,6 +42,7 @@
bluetooth u:object_r:bluetooth_service:s0
broadcastradio u:object_r:broadcastradio_service:s0
bugreport u:object_r:bugreport_service:s0
+cacheinfo u:object_r:cacheinfo_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
@@ -246,7 +247,7 @@
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
wifi u:object_r:wifi_service:s0
-wificond u:object_r:wifinl80211_service:s0
+wifinl80211 u:object_r:wifinl80211_service:s0
wifiaware u:object_r:wifiaware_service:s0
wifirtt u:object_r:rttmanager_service:s0
window u:object_r:window_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 973350e..37601b9 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -56,6 +56,7 @@
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
diff --git a/private/vold.te b/private/vold.te
index d286e8f..ce451ac 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -30,6 +30,7 @@
set_prop(vold, restorecon_prop)
set_prop(vold, ota_prop)
set_prop(vold, boottime_prop)
+set_prop(vold, boottime_public_prop)
# Vold will use Keystore instead of using Keymint directly. But it still needs
# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
@@ -43,3 +44,4 @@
update
use
};
+
diff --git a/public/iorapd.te b/public/iorapd.te
index 426ecca..b970699 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -42,6 +42,16 @@
# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
allow iorapd system_file:file rx_file_perms;
+# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
+allow iorapd iorap_inode2filename:process signull;
+allow iorapd iorap_prefetcherd:process signull;
+
+# Allowing system_server to check for the existence and size of files under iorapd
+# dir without collecting any sensitive app data.
+# This is used to predict if iorapd is doing prefetching or not.
+allow system_server iorapd_data_file:dir { getattr open read search };
+allow system_server iorapd_data_file:file getattr;
+
###
### neverallow rules
###
@@ -55,6 +65,7 @@
domain
-init
-iorapd
+ -system_server
} iorapd_data_file:dir *;
neverallow {
@@ -69,6 +80,7 @@
-kernel
-vendor_init
-iorapd
+ -system_server
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
diff --git a/public/property.te b/public/property.te
index 34ed999..5f48884 100644
--- a/public/property.te
+++ b/public/property.te
@@ -60,6 +60,7 @@
system_restricted_prop(binder_cache_telephony_server_prop)
system_restricted_prop(boot_status_prop)
system_restricted_prop(bootloader_prop)
+system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
@@ -74,6 +75,7 @@
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
system_restricted_prop(socket_hook_prop)
+system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(usb_prop)
@@ -294,3 +296,4 @@
typeattribute system_prop core_property_type;
typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;
+
diff --git a/public/service.te b/public/service.te
index 8134a18..07ab90f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -64,6 +64,7 @@
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type broadcastradio_service, system_server_service, service_manager_type;
+type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
@@ -184,7 +185,7 @@
type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type tv_tuner_resource_mgr_service, system_server_service, service_manager_type;
+type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a09d4fc..609880a 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -250,6 +250,7 @@
get_prop(vendor_init, ota_prop)
get_prop(vendor_init, provisioned_prop)
get_prop(vendor_init, retaildemo_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
get_prop(vendor_init, theme_prop)
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index d5b8f57..abe1e77 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -3,3 +3,5 @@
type hal_tv_tuner_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_tv_tuner_default)
+
+allow hal_tv_tuner_default ion_device:chr_file r_file_perms;