Merge "Update 30.0 prebuilts to latest rvc-dev policy"
diff --git a/prebuilts/api/30.0/plat_pub_versioned.cil b/prebuilts/api/30.0/plat_pub_versioned.cil
index b593a35..3942219 100644
--- a/prebuilts/api/30.0/plat_pub_versioned.cil
+++ b/prebuilts/api/30.0/plat_pub_versioned.cil
@@ -113,6 +113,7 @@
(type cache_file)
(type cache_private_backup_file)
(type cache_recovery_file)
+(type cacheinfo_service)
(type camera_data_file)
(type camera_device)
(type cameraproxy_service)
@@ -178,6 +179,7 @@
(type dbinfo_service)
(type debug_prop)
(type debugfs)
+(type debugfs_kprobes)
(type debugfs_mmc)
(type debugfs_trace_marker)
(type debugfs_tracing)
@@ -273,6 +275,7 @@
(type face_service)
(type face_vendor_data_file)
(type fastbootd)
+(type fastbootd_protocol_prop)
(type ffs_prop)
(type file_contexts_file)
(type file_integrity_service)
@@ -296,6 +299,7 @@
(type functionfs)
(type fuse)
(type fuse_device)
+(type fusectlfs)
(type fwk_automotive_display_hwservice)
(type fwk_bufferhub_hwservice)
(type fwk_camera_hwservice)
@@ -314,6 +318,7 @@
(type gpu_device)
(type gpu_service)
(type gpuservice)
+(type graphics_config_prop)
(type graphics_device)
(type graphicsstats_service)
(type gsi_data_file)
@@ -818,6 +823,7 @@
(type sockfs)
(type sota_prop)
(type soundtrigger_middleware_service)
+(type staged_install_file)
(type staging_data_file)
(type stats_data_file)
(type statsd)
@@ -833,6 +839,7 @@
(type su_exec)
(type super_block_device)
(type surfaceflinger)
+(type surfaceflinger_display_prop)
(type surfaceflinger_service)
(type surfaceflinger_tmpfs)
(type swap_block_device)
@@ -1020,6 +1027,7 @@
(type vendor_overlay_file)
(type vendor_public_lib_file)
(type vendor_security_patch_level_prop)
+(type vendor_service_contexts_file)
(type vendor_shell)
(type vendor_shell_exec)
(type vendor_socket_hook_prop)
@@ -1646,6 +1654,9 @@
(typeattribute base_typeattr_543_30_0)
(typeattribute base_typeattr_544_30_0)
(typeattribute base_typeattr_545_30_0)
+(typeattribute base_typeattr_546_30_0)
+(typeattribute base_typeattr_547_30_0)
+(typeattribute base_typeattr_548_30_0)
(typeattribute base_typeattr_54_30_0)
(typeattribute base_typeattr_55_30_0)
(typeattribute base_typeattr_56_30_0)
@@ -1749,6 +1760,7 @@
(typeattribute cache_file_30_0)
(typeattribute cache_private_backup_file_30_0)
(typeattribute cache_recovery_file_30_0)
+(typeattribute cacheinfo_service_30_0)
(typeattribute camera_data_file_30_0)
(typeattribute camera_device_30_0)
(typeattribute camera_service_server)
@@ -1823,6 +1835,7 @@
(typeattribute dbinfo_service_30_0)
(typeattribute debug_prop_30_0)
(typeattribute debugfs_30_0)
+(typeattribute debugfs_kprobes_30_0)
(typeattribute debugfs_mmc_30_0)
(typeattribute debugfs_trace_marker_30_0)
(typeattribute debugfs_tracing_30_0)
@@ -1925,6 +1938,7 @@
(typeattribute face_service_30_0)
(typeattribute face_vendor_data_file_30_0)
(typeattribute fastbootd_30_0)
+(typeattribute fastbootd_protocol_prop_30_0)
(typeattribute ffs_prop_30_0)
(typeattribute file_contexts_file_30_0)
(typeattribute file_integrity_service_30_0)
@@ -1950,6 +1964,7 @@
(typeattribute functionfs_30_0)
(typeattribute fuse_30_0)
(typeattribute fuse_device_30_0)
+(typeattribute fusectlfs_30_0)
(typeattribute fwk_automotive_display_hwservice_30_0)
(typeattribute fwk_bufferhub_hwservice_30_0)
(typeattribute fwk_camera_hwservice_30_0)
@@ -1968,6 +1983,7 @@
(typeattribute gpu_device_30_0)
(typeattribute gpu_service_30_0)
(typeattribute gpuservice_30_0)
+(typeattribute graphics_config_prop_30_0)
(typeattribute graphics_device_30_0)
(typeattribute graphicsstats_service_30_0)
(typeattribute gsi_data_file_30_0)
@@ -2698,6 +2714,7 @@
(typeattribute sockfs_30_0)
(typeattribute sota_prop_30_0)
(typeattribute soundtrigger_middleware_service_30_0)
+(typeattribute staged_install_file_30_0)
(typeattribute staging_data_file_30_0)
(typeattribute stats_data_file_30_0)
(typeattribute stats_service_server)
@@ -2715,6 +2732,7 @@
(typeattribute super_block_device_30_0)
(typeattribute super_block_device_type)
(typeattribute surfaceflinger_30_0)
+(typeattribute surfaceflinger_display_prop_30_0)
(typeattribute surfaceflinger_service_30_0)
(typeattribute surfaceflinger_tmpfs_30_0)
(typeattribute swap_block_device_30_0)
@@ -2925,6 +2943,7 @@
(typeattribute vendor_restricted_property_type)
(typeattribute vendor_security_patch_level_prop_30_0)
(typeattribute vendor_service)
+(typeattribute vendor_service_contexts_file_30_0)
(typeattribute vendor_shell_30_0)
(typeattribute vendor_shell_exec_30_0)
(typeattribute vendor_socket_hook_prop_30_0)
diff --git a/prebuilts/api/30.0/private/apexd.te b/prebuilts/api/30.0/private/apexd.te
index 7c7ddc6..9e702dd 100644
--- a/prebuilts/api/30.0/private/apexd.te
+++ b/prebuilts/api/30.0/private/apexd.te
@@ -37,7 +37,6 @@
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
- LOOP_CONFIGURE
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/private/app.te b/prebuilts/api/30.0/private/app.te
index b2ddd84..9882d8f 100644
--- a/prebuilts/api/30.0/private/app.te
+++ b/prebuilts/api/30.0/private/app.te
@@ -36,5 +36,8 @@
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+# Don't allow regular apps access to storage configuration properties.
+neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
diff --git a/prebuilts/api/30.0/private/bug_map b/prebuilts/api/30.0/private/bug_map
index 60c2f15..eaa1593 100644
--- a/prebuilts/api/30.0/private/bug_map
+++ b/prebuilts/api/30.0/private/bug_map
@@ -23,11 +23,13 @@
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 7e8e6db..fdea691 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -38,12 +38,14 @@
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
+ debugfs_kprobes
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
device_config_configuration_prop
emergency_affordance_service
exported_camera_prop
+ fastbootd_protocol_prop
file_integrity_service
fwk_automotive_display_hwservice
fusectlfs
@@ -58,6 +60,7 @@
hal_tv_tuner_hwservice
hal_vibrator_service
incremental_control_file
+ incremental_prop
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
@@ -76,6 +79,7 @@
mirror_data_file
light_service
linkerconfig_file
+ lmkd_prop
media_variant_prop
metadata_bootstat_file
mnt_pass_through_file
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
index dc83b8f..430cb3f 100644
--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
@@ -369,3 +369,6 @@
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index 51f2ce7..89232bc 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -153,6 +153,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
@@ -249,6 +250,7 @@
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -294,6 +296,7 @@
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/prebuilts/api/30.0/private/lmkd.te b/prebuilts/api/30.0/private/lmkd.te
index a07ce87..e51cddb 100644
--- a/prebuilts/api/30.0/private/lmkd.te
+++ b/prebuilts/api/30.0/private/lmkd.te
@@ -1,3 +1,8 @@
typeattribute lmkd coredomain;
init_daemon_domain(lmkd)
+
+# Set lmkd.* properties.
+set_prop(lmkd, lmkd_prop)
+
+neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/prebuilts/api/30.0/private/mediaprovider_app.te b/prebuilts/api/30.0/private/mediaprovider_app.te
index 79d3e36..335c1b6 100644
--- a/prebuilts/api/30.0/private/mediaprovider_app.te
+++ b/prebuilts/api/30.0/private/mediaprovider_app.te
@@ -27,10 +27,6 @@
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
-# Talk to statsd
-allow mediaprovider_app statsmanager_service:service_manager find;
-binder_call(mediaprovider_app, statsd)
-
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
@@ -44,3 +40,6 @@
};
allow mediaprovider_app proc_filesystems:file r_file_perms;
+
+#Allow MediaProvider to see if sdcardfs is in use
+get_prop(mediaprovider_app, storage_config_prop)
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index c3134f9..7908bb1 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -42,6 +42,7 @@
khungtask. u:object_r:llkd_prop:s0
ro.llk. u:object_r:llkd_prop:s0
ro.khungtask. u:object_r:llkd_prop:s0
+lmkd.reinit u:object_r:lmkd_prop:s0 exact int
log. u:object_r:log_prop:s0
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
@@ -96,6 +97,9 @@
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
+# Fastbootd protocol control property
+fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
@@ -249,6 +253,9 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
+# Property to enable incremental feature
+ro.incremental.enable u:object_r:incremental_prop:s0
+
# Properties to configure userspace reboot.
init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 5e53af8..0082827 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -29,7 +29,7 @@
allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -679,6 +679,9 @@
# Read wifi.interface
get_prop(system_server, wifi_prop)
+# Read the vendor property that indicates if Incremental features is enabled
+get_prop(system_server, incremental_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index 53c73b7..c892d9e 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -566,10 +566,6 @@
-system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
-
-# Don't allow apps access to storage configuration properties.
-neverallow appdomain storage_config_prop:file no_rw_file_perms;
-
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
diff --git a/prebuilts/api/30.0/public/bootanim.te b/prebuilts/api/30.0/public/bootanim.te
index e8cb98b..bd2bec6 100644
--- a/prebuilts/api/30.0/public/bootanim.te
+++ b/prebuilts/api/30.0/public/bootanim.te
@@ -23,6 +23,7 @@
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
+allow bootanim surfaceflinger:unix_stream_socket { read write };
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index 6563461..8d99a3c 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -76,12 +76,10 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
- hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
- hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -93,7 +91,6 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
- hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
@@ -139,12 +136,11 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
+dump_hal(hal_identity)
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_neuralnetworks)
-dump_hal(hal_identity)
-
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/prebuilts/api/30.0/public/fastbootd.te b/prebuilts/api/30.0/public/fastbootd.te
index f10e649..8787817 100644
--- a/prebuilts/api/30.0/public/fastbootd.te
+++ b/prebuilts/api/30.0/public/fastbootd.te
@@ -120,6 +120,14 @@
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
+
+ # Needed for TCP protocol
+ allow fastbootd node:tcp_socket node_bind;
+ allow fastbootd port:tcp_socket name_bind;
+ allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Get fastbootd protocol property
+ get_prop(fastbootd, fastbootd_protocol_prop)
')
###
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 8097e07..91257e2 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -131,6 +131,7 @@
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
@@ -532,7 +533,6 @@
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
diff --git a/prebuilts/api/30.0/public/hal_audio.te b/prebuilts/api/30.0/public/hal_audio.te
index d54b2b2..5958f2c 100644
--- a/prebuilts/api/30.0/public/hal_audio.te
+++ b/prebuilts/api/30.0/public/hal_audio.te
@@ -30,10 +30,6 @@
# Should never execute any executable without a domain transition
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
-# Should never need network access.
-# Disallow network sockets.
-neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
-
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
diff --git a/prebuilts/api/30.0/public/hal_neuralnetworks.te b/prebuilts/api/30.0/public/hal_neuralnetworks.te
index f8d6ff5..228d990 100644
--- a/prebuilts/api/30.0/public/hal_neuralnetworks.te
+++ b/prebuilts/api/30.0/public/hal_neuralnetworks.te
@@ -18,6 +18,9 @@
# Allow NN HAL service to read a client-provided ION memory fd.
allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
+# Allow NN HAL service to use a client-provided fd residing in /storage
+allow hal_neuralnetworks_server storage_file:file { getattr map read };
+
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 3c7758a..4cc3bba 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -1059,7 +1059,6 @@
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
-define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
@@ -1371,7 +1370,6 @@
define(`LOGGER_SET_VERSION', `0x0000ae06')
define(`LOOP_CHANGE_FD', `0x00004c06')
define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_CONFIGURE', `0x00004c0a')
define(`LOOP_CTL_ADD', `0x00004c80')
define(`LOOP_CTL_GET_FREE', `0x00004c82')
define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/prebuilts/api/30.0/public/lmkd.te b/prebuilts/api/30.0/public/lmkd.te
index b852f44..67e93e1 100644
--- a/prebuilts/api/30.0/public/lmkd.te
+++ b/prebuilts/api/30.0/public/lmkd.te
@@ -60,6 +60,9 @@
# Read/Write /proc/pressure/memory
allow lmkd proc_pressure_mem:file rw_file_perms;
+# Allow lmkd to connect during reinit.
+allow lmkd lmkd_socket:sock_file write;
+
# Allow lmkd to write to statsd.
unix_socket_send(lmkd, statsdw, statsd)
diff --git a/prebuilts/api/30.0/public/modprobe.te b/prebuilts/api/30.0/public/modprobe.te
index 1190409..2c7d64b 100644
--- a/prebuilts/api/30.0/public/modprobe.te
+++ b/prebuilts/api/30.0/public/modprobe.te
@@ -1,6 +1,7 @@
type modprobe, domain;
allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
recovery_only(`
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index d9ac231..9a93518 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -14,6 +14,7 @@
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(firstboot_prop)
+system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
@@ -120,6 +121,7 @@
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(graphics_config_prop)
+system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(storage_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
@@ -156,6 +158,7 @@
system_public_prop(exported_wifi_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
+system_public_prop(lmkd_prop)
system_public_prop(logd_prop)
system_public_prop(logpersistd_logging_prop)
system_public_prop(log_prop)
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 57167d1..6a99e3f 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -67,14 +67,13 @@
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
@@ -186,6 +185,7 @@
sys.usb.ffs.mtp.ready u:object_r:exported_ffs_prop:s0 exact bool
sys.usb.state u:object_r:exported2_system_prop:s0 exact string
telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
+telephony.active_modems.max_count u:object_r:exported3_default_prop:s0 exact int
tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
@@ -315,6 +315,7 @@
ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
@@ -400,6 +401,7 @@
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
ro.vndk.version u:object_r:vndk_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
diff --git a/prebuilts/api/30.0/public/recovery.te b/prebuilts/api/30.0/public/recovery.te
index 16b670f..63a9cea 100644
--- a/prebuilts/api/30.0/public/recovery.te
+++ b/prebuilts/api/30.0/public/recovery.te
@@ -154,6 +154,15 @@
# Allow mounting /metadata for writing update states
allow recovery metadata_file:dir { getattr mounton };
+
+ # These are needed to allow recovery to manage network
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+ allow recovery self:global_capability_class_set net_admin;
+ allow recovery self:tcp_socket { create ioctl };
+ allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+ # Set fastbootd protocol property
+ set_prop(recovery, fastbootd_protocol_prop)
')
###
diff --git a/prebuilts/api/30.0/public/servicemanager.te b/prebuilts/api/30.0/public/servicemanager.te
index cd62a21..63fc227 100644
--- a/prebuilts/api/30.0/public/servicemanager.te
+++ b/prebuilts/api/30.0/public/servicemanager.te
@@ -25,6 +25,8 @@
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/prebuilts/api/30.0/public/vendor_init.te b/prebuilts/api/30.0/public/vendor_init.te
index df203be..36bb5cb 100644
--- a/prebuilts/api/30.0/public/vendor_init.te
+++ b/prebuilts/api/30.0/public/vendor_init.te
@@ -228,6 +228,8 @@
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
+set_prop(vendor_init, incremental_prop)
+set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
diff --git a/prebuilts/api/30.0/public/vendor_misc_writer.te b/prebuilts/api/30.0/public/vendor_misc_writer.te
index 0f3f825..dee9941 100644
--- a/prebuilts/api/30.0/public/vendor_misc_writer.te
+++ b/prebuilts/api/30.0/public/vendor_misc_writer.te
@@ -8,7 +8,6 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
-dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
+dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/prebuilts/api/30.0/public/vold.te b/prebuilts/api/30.0/public/vold.te
index a112de0..1d125d3 100644
--- a/prebuilts/api/30.0/public/vold.te
+++ b/prebuilts/api/30.0/public/vold.te
@@ -202,6 +202,7 @@
set_prop(vold, boottime_prop)
set_prop(vold, boottime_public_prop)
get_prop(vold, storage_config_prop)
+get_prop(vold, incremental_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;