Merge "Allow system apps to read log props."
diff --git a/private/audioserver.te b/private/audioserver.te
index 9119daa..b6deb28 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -29,6 +29,7 @@
 ')
 
 add_service(audioserver, audioserver_service)
+allow audioserver activity_service:service_manager find;
 allow audioserver appops_service:service_manager find;
 allow audioserver batterystats_service:service_manager find;
 allow audioserver permission_service:service_manager find;
@@ -45,6 +46,17 @@
 # For A2DP bridge which is loaded directly into audioserver
 unix_socket_connect(audioserver, bluetooth, bluetooth)
 
+# Allow shell commands from ADB for CTS testing/dumping
+allow audioserver adbd:fd use;
+allow audioserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+  allow audioserver su:fd use;
+  allow audioserver su:fifo_file { read write };
+  allow audioserver su:unix_stream_socket { read write };
+')
+
 ###
 ### neverallow rules
 ###
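Review bot: The comment above the userdebug_or_eng block repeats the one above the adbd rules verbatim, although the two blocks differ in scope: the adbd fd/unix_stream_socket grants apply on every build, the su grants only on userdebug/eng builds. A reader skimming the file will take the second comment as a copy-paste slip rather than a deliberate second grant. Suggest changing the second comment to `# Same for the root shell (su), which only exists on userdebug/eng builds`. The identical duplication appears in the second hunk of public/cameraserver.te and should be fixed there too.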
diff --git a/private/coredomain.te b/private/coredomain.te
index 244c83c..c8f2b1d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,2 +1,17 @@
 get_prop(coredomain, pm_prop)
 get_prop(coredomain, exported_pm_prop)
+
+full_treble_only(`
+neverallow {
+    coredomain
+    -init
+    -vendor_init
+
+    # generic access to sysfs_type
+    -ueventd
+    -vold
+    -priv_app
+    -storaged
+    -system_app
+} sysfs_leds:file *;
+')
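Review bot: The exemption list of the new sysfs_leds neverallow carves out priv_app and system_app under the heading `# generic access to sysfs_type`, but nothing on the page explains why app domains need any access to LED sysfs nodes, and exempting them here means a later allow rule granting an app domain write access to sysfs_leds would pass the neverallow check silently. The assertion is also `sysfs_leds:file *`, so the carve-out covers writes as well as reads. Suggest either dropping the two app domains from the list or giving them their own comment stating the reason, e.g. `# priv_app/system_app: <reason — TODO fill in before merge>`. If only read access is intended for them, a narrower exemption (keeping the write side asserted) would be the safer shape, but that needs checking against the existing allow rules, which are not on this page.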
diff --git a/private/domain.te b/private/domain.te
index c022564..6fef279 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -49,7 +49,6 @@
     coredomain
     -fsck
     -init
-    -shell
     -ueventd
     -vendor_init
   } device:{ blk_file file } no_rw_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 9909e06..ec52d56 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -122,11 +122,14 @@
 allow priv_app traced_tmpfs:file { read write getattr map };
 unix_socket_connect(priv_app, traced_producer, traced)
 
-# suppress denials when safetynet scans /system
+# suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app net_dns_prop:file read;
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
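Review bot: The rewritten comment `# suppress denials for non-API accesses.` drops the only record of what triggers these denials (the old text named safetynet scanning /system), so a later reader cannot tell which app behaviour the three new dontaudit lines for proc_version, wifi_prop and net_dns_prop are covering. It is also worth stating that dontaudit only suppresses the audit log entry and the accesses remain denied, since that is the reason the rule is acceptable. Suggest `# suppress denials for non-API accesses (access is still denied, only the audit log entry is dropped); seen from <app — TODO name it> probing /proc/version and the wifi/DNS properties`.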
diff --git a/private/property_contexts b/private/property_contexts
index bf95b02..ecde9d3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -122,9 +122,13 @@
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
 
-# Common vendor default properties.
+# Common default properties for vendor and odm.
+init.svc.odm.           u:object_r:vendor_default_prop:s0
 init.svc.vendor.        u:object_r:vendor_default_prop:s0
 ro.hardware.            u:object_r:vendor_default_prop:s0
+ro.odm.                 u:object_r:vendor_default_prop:s0
 ro.vendor.              u:object_r:vendor_default_prop:s0
+odm.                    u:object_r:vendor_default_prop:s0
+persist.odm.            u:object_r:vendor_default_prop:s0
 persist.vendor.         u:object_r:vendor_default_prop:s0
 vendor.                 u:object_r:vendor_default_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 92988b4..62f3a86 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -280,7 +280,6 @@
 r_dir_file(system_server, sysfs_wakeup_reasons)
 
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
 allow system_server sysfs_mac_address:file r_file_perms;
 allow system_server sysfs_power:dir search;
 allow system_server sysfs_power:file rw_file_perms;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 0dd4a80..ebf0992 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -17,6 +17,8 @@
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+
+allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
 allow cameraserver batterystats_service:service_manager find;
@@ -47,3 +49,14 @@
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+  allow cameraserver su:fd use;
+  allow cameraserver su:fifo_file { read write };
+  allow cameraserver su:unix_stream_socket { read write };
+')
diff --git a/public/charger.te b/public/charger.te
index 33f3254..7145548 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -6,10 +6,12 @@
 allow charger kmsg_device:chr_file rw_file_perms;
 
 # Read access to pseudo filesystems.
-allow charger sysfs_type:dir search;
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
 
+# Allow to read /sys/class/power_supply directory
+allow charger sysfs_type:dir r_dir_perms;
+
 allow charger self:global_capability_class_set { sys_tty_config };
 allow charger self:global_capability_class_set sys_boot;
 
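Review bot: The new `allow charger sysfs_type:dir r_dir_perms;` is broader than its comment: it grants directory read/search permissions on every directory labelled with any sysfs_type type, not just /sys/class/power_supply, and it replaces a rule that granted search only. If /sys/class/power_supply carries a narrower label in this policy (sysfs_batteryinfo, if it is used here), the rule should target that type instead; otherwise the comment should say what is actually granted, e.g. `# Read access to all sysfs directories (charger enumerates /sys/class/power_supply).` Minor wording: `Allow to read` reads better as `Allow reading`.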
diff --git a/public/domain.te b/public/domain.te
index d458510..76318ec 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -892,6 +892,25 @@
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+
+    # Do not allow system components to execute files from vendor
+    # except for the ones whitelisted here.
+    neverallow {
+      coredomain
+      -init
+      -system_executes_vendor_violators
+      -vendor_init
+    } {
+      vendor_file_type
+      -same_process_hal_file
+      -vndk_sp_file
+      -vendor_app_file
+    }:file execute;
+
+    neverallow {
+      coredomain
+      -system_executes_vendor_violators
+    } vendor_file_type:file execute_no_trans;
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
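Review bot: The two new neverallows use different exemption sets without saying why: the first exempts init and vendor_init and carves out same_process_hal_file, vndk_sp_file and vendor_app_file, while the execute_no_trans assertion exempts only system_executes_vendor_violators and covers all of vendor_file_type. Presumably init and vendor_init only ever run vendor binaries through a domain transition and the carved-out types are loaded rather than exec'd, which is why execute_no_trans needs no such exemptions, but that reasoning should be in the comment so the next person to trip the assertion knows which of the two rules to extend. Suggest a comment above the second neverallow: `# execute_no_trans: nothing in coredomain may run a vendor binary in its own domain; init/vendor_init need no exemption here because they always transition.` The enclosing full_treble_only block starts outside the hunk.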
diff --git a/public/property_contexts b/public/property_contexts
index e5772e5..2596161 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -198,6 +198,7 @@
 aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
 gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
 media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string