Snap for 4824048 from 398f72e3fd481689a0c3f216ebcaf4b4b435076c to pi-release
Change-Id: I288a37c801d0ec5e934e0dc1ce1b1f55e07f85a6
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index ac11a3a..439c1f8 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -87,7 +87,7 @@
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
# Renderscript needs the ability to read directories on /system
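Review bot: The new `system_file:file x_file_perms` rule on the `+` line no longer subtracts `ephemeral_app`, while the `shell_exec`, `toolbox_exec` and `vendor_file` rules around it still do, and nothing in the hunk says why instant apps need to execute files labelled `system_file`. Because this widens what the most restricted app domain can run, a comment stating the reason would help later audits, for example `# ephemeral_app is included here because <reason>; shell_exec and toolbox_exec remain excluded.` If only specific binaries are needed, a dedicated type for them would presumably be narrower than all of `system_file`. The same hunk appears again in `public/app.te`.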
@@ -178,7 +178,6 @@
allow {
untrusted_app_25
untrusted_app_27
- ephemeral_app
priv_app
system_app
platform_app
@@ -190,7 +189,6 @@
r_dir_file({
untrusted_app_25
untrusted_app_27
- ephemeral_app
priv_app
system_app
platform_app
@@ -201,7 +199,6 @@
allow {
untrusted_app_25
untrusted_app_27
- ephemeral_app
priv_app
system_app
platform_app
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
index afff2fa..09200b8 100644
--- a/prebuilts/api/28.0/public/property.te
+++ b/prebuilts/api/28.0/public/property.te
@@ -309,3 +309,104 @@
wifi_prop
}:file no_rw_file_perms;
')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -audio_prop
+ -bluetooth_a2dp_offload_prop
+ -bluetooth_prop
+ -bootloader_boot_reason_prop
+ -boottime_prop
+ -config_prop
+ -cppreopt_prop
+ -ctl_bootanim_prop
+ -ctl_bugreport_prop
+ -ctl_console_prop
+ -ctl_default_prop
+ -ctl_dumpstate_prop
+ -ctl_fuse_prop
+ -ctl_interface_restart_prop
+ -ctl_interface_start_prop
+ -ctl_interface_stop_prop
+ -ctl_mdnsd_prop
+ -ctl_restart_prop
+ -ctl_rildaemon_prop
+ -ctl_sigstop_prop
+ -ctl_start_prop
+ -ctl_stop_prop
+ -dalvik_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_logging_prop
+ -dhcp_prop
+ -dumpstate_options_prop
+ -dumpstate_prop
+ -exported2_config_prop
+ -exported2_default_prop
+ -exported2_radio_prop
+ -exported2_system_prop
+ -exported2_vold_prop
+ -exported3_default_prop
+ -exported3_radio_prop
+ -exported3_system_prop
+ -exported_bluetooth_prop
+ -exported_config_prop
+ -exported_dalvik_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_ffs_prop
+ -exported_fingerprint_prop
+ -exported_overlay_prop
+ -exported_pm_prop
+ -exported_radio_prop
+ -exported_secure_prop
+ -exported_system_prop
+ -exported_system_radio_prop
+ -exported_vold_prop
+ -exported_wifi_prop
+ -extended_core_property_type
+ -ffs_prop
+ -fingerprint_prop
+ -firstboot_prop
+ -hwservicemanager_prop
+ -last_boot_reason_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -logpersistd_logging_prop
+ -lowpan_prop
+ -mmc_prop
+ -net_dns_prop
+ -net_radio_prop
+ -netd_stable_secret_prop
+ -nfc_prop
+ -overlay_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -persistent_properties_ready_prop
+ -pm_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -safemode_prop
+ -serialno_prop
+ -shell_prop
+ -system_boot_reason_prop
+ -system_prop
+ -system_radio_prop
+ -test_boot_reason_prop
+ -traced_enabled_prop
+ -vendor_default_prop
+ -vendor_security_patch_level_prop
+ -vold_prop
+ -wifi_log_prop
+ -wifi_prop
+ }:property_service set;
+')
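Review bot: The comment `# Neverallow coredomain to set vendor properties` understates what the rule does: it forbids `set` on every `property_type` that is not subtracted in the list, so any property type added later and not listed is treated as vendor-owned. I would say so above the list, e.g. `# Every type subtracted below is a core property; a new core property type must be added here or coredomain can no longer set it.`, and mention `extended_core_property_type` there if that attribute is the intended extension point. A line on why `vendor_default_prop` and `vendor_security_patch_level_prop` are subtracted would also help, since their names suggest vendor ownership, as would a note on which domains are expected to carry `system_writes_vendor_properties_violators`. The identical hunk in `public/property.te` has the same gaps.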
diff --git a/public/app.te b/public/app.te
index ac11a3a..439c1f8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -87,7 +87,7 @@
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
# Renderscript needs the ability to read directories on /system
@@ -178,7 +178,6 @@
allow {
untrusted_app_25
untrusted_app_27
- ephemeral_app
priv_app
system_app
platform_app
@@ -190,7 +189,6 @@
r_dir_file({
untrusted_app_25
untrusted_app_27
- ephemeral_app
priv_app
system_app
platform_app
@@ -201,7 +199,6 @@
allow {
untrusted_app_25
untrusted_app_27
- ephemeral_app
priv_app
system_app
platform_app
diff --git a/public/property.te b/public/property.te
index afff2fa..09200b8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -309,3 +309,104 @@
wifi_prop
}:file no_rw_file_perms;
')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -audio_prop
+ -bluetooth_a2dp_offload_prop
+ -bluetooth_prop
+ -bootloader_boot_reason_prop
+ -boottime_prop
+ -config_prop
+ -cppreopt_prop
+ -ctl_bootanim_prop
+ -ctl_bugreport_prop
+ -ctl_console_prop
+ -ctl_default_prop
+ -ctl_dumpstate_prop
+ -ctl_fuse_prop
+ -ctl_interface_restart_prop
+ -ctl_interface_start_prop
+ -ctl_interface_stop_prop
+ -ctl_mdnsd_prop
+ -ctl_restart_prop
+ -ctl_rildaemon_prop
+ -ctl_sigstop_prop
+ -ctl_start_prop
+ -ctl_stop_prop
+ -dalvik_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_logging_prop
+ -dhcp_prop
+ -dumpstate_options_prop
+ -dumpstate_prop
+ -exported2_config_prop
+ -exported2_default_prop
+ -exported2_radio_prop
+ -exported2_system_prop
+ -exported2_vold_prop
+ -exported3_default_prop
+ -exported3_radio_prop
+ -exported3_system_prop
+ -exported_bluetooth_prop
+ -exported_config_prop
+ -exported_dalvik_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_ffs_prop
+ -exported_fingerprint_prop
+ -exported_overlay_prop
+ -exported_pm_prop
+ -exported_radio_prop
+ -exported_secure_prop
+ -exported_system_prop
+ -exported_system_radio_prop
+ -exported_vold_prop
+ -exported_wifi_prop
+ -extended_core_property_type
+ -ffs_prop
+ -fingerprint_prop
+ -firstboot_prop
+ -hwservicemanager_prop
+ -last_boot_reason_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -logpersistd_logging_prop
+ -lowpan_prop
+ -mmc_prop
+ -net_dns_prop
+ -net_radio_prop
+ -netd_stable_secret_prop
+ -nfc_prop
+ -overlay_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -persistent_properties_ready_prop
+ -pm_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -safemode_prop
+ -serialno_prop
+ -shell_prop
+ -system_boot_reason_prop
+ -system_prop
+ -system_radio_prop
+ -test_boot_reason_prop
+ -traced_enabled_prop
+ -vendor_default_prop
+ -vendor_security_patch_level_prop
+ -vold_prop
+ -wifi_log_prop
+ -wifi_prop
+ }:property_service set;
+')