Merge "Add sepolicy for com.android.i18n module"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index be0a598..d496e90 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -137,8 +137,8 @@
   ')
 }:dir_file_class_set { create unlink };
 
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
+# No untrusted component except mediaprovider should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
 
 # Do not allow untrusted apps to directly open the tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;
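Review bot: The `-mediaprovider` exemption on the `fuse_device` neverallow lifts the ban for every permission of the class, while the allow added in private/mediaprovider.te grants only `{ read write ioctl getattr }`. A companion rule would keep the exception as narrow as the grant, e.g. `neverallow mediaprovider fuse_device:chr_file ~{ read write ioctl getattr };`, so a later change cannot quietly add `open`. The updated comment could also say why mediaprovider is exempt; going by the comment in mediaprovider.te, it runs the FUSE daemon.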
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index c3f4b29..4067843 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,16 +5,21 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    charger_prop
     cold_boot_done_prop
     platform_compat_service
     ctl_apexd_prop
     device_config_sys_traced_prop
+    hal_can_bus_hwservice
+    hal_can_controller_hwservice
+    init_svc_debug_prop
     ota_metadata_file
     runtime_apex_dir
     system_ashmem_hwservice
     system_group_file
     system_passwd_file
     vendor_apex_file
+    virtual_ab_prop
     wifi_stack
     wifi_stack_service
     wifi_stack_tmpfs))
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 59554c8..a978af6 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -19,6 +19,9 @@
 allow dexoptanalyzer installd:fd use;
 allow dexoptanalyzer installd:fifo_file { getattr write };
 
+# Acquire advisory lock on /system/framework/arm/*
+allow dexoptanalyzer system_file:file lock;
+
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
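Review bot: The comment on the new `lock` rule names `/system/framework/arm/*`, but the rule applies to every file labelled `system_file`, for any ISA directory. The comment should state the real scope, e.g. `# Take advisory locks on system_file, e.g. files under /system/framework/<isa>/`. Which files are actually locked is not visible in this hunk, so adjust the example to match the caller.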
diff --git a/private/file_contexts b/private/file_contexts
index 79c3043..a1002ab 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -410,6 +410,8 @@
 /(product|system/product)/etc/selinux/product_service_contexts   u:object_r:service_contexts_file:s0
 /(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
 
+/(product|system/product)/lib(64)?(/.*)?                         u:object_r:system_lib_file:s0
+
 #############################
 # SystemExt files
 #
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9259202..e22175e 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -9,6 +9,8 @@
 android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
 android.hardware.authsecret::IAuthSecret                        u:object_r:hal_authsecret_hwservice:s0
 android.hardware.automotive.audiocontrol::IAudioControl         u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.can::ICanController                 u:object_r:hal_can_controller_hwservice:s0
+android.hardware.automotive.can::ICanBus                        u:object_r:hal_can_bus_hwservice:s0
 android.hardware.automotive.evs::IEvsEnumerator                 u:object_r:hal_evs_hwservice:s0
 android.hardware.automotive.vehicle::IVehicle                   u:object_r:hal_vehicle_hwservice:s0
 android.hardware.biometrics.face::IBiometricsFace               u:object_r:hal_face_hwservice:s0
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 30d3fe0..6926412 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -34,6 +34,9 @@
 # MtpServer uses /dev/mtp_usb
 allow mediaprovider mtp_device:chr_file rw_file_perms;
 
+# Fuse daemon
+allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
+
 # MtpServer uses /dev/usb-ffs/mtp
 allow mediaprovider functionfs:dir search;
 allow mediaprovider functionfs:file rw_file_perms;
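Review bot: The new `ioctl` permission on `fuse_device:chr_file` comes without an `allowxperm`, so as far as this diff shows no ioctl command filter applies to mediaprovider on that device. If the FUSE daemon needs only a known set of commands, an `allowxperm mediaprovider fuse_device:chr_file ioctl { ... };` listing them would narrow the grant. The `# Fuse daemon` comment could also record that `open` is left out on purpose, if that is the intent.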
diff --git a/private/property_contexts b/private/property_contexts
index 14fe3de..d1a97d9 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -35,6 +35,7 @@
 debug.db.               u:object_r:debuggerd_prop:s0
 dumpstate.              u:object_r:dumpstate_prop:s0
 dumpstate.options       u:object_r:dumpstate_options_prop:s0
+init.svc_debug_pid.     u:object_r:init_svc_debug_prop:s0
 llk.                    u:object_r:llkd_prop:s0
 khungtask.              u:object_r:llkd_prop:s0
 ro.llk.                 u:object_r:llkd_prop:s0
@@ -208,3 +209,10 @@
 
 # Property that is set once ueventd finishes cold boot.
 ro.cold_boot_done       u:object_r:cold_boot_done_prop:s0
+
+# Charger properties
+ro.charger.             u:object_r:charger_prop:s0
+
+# Virtual A/B properties
+ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0
+ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 9f675a2..6294452 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -3,3 +3,5 @@
 init_daemon_domain(servicemanager)
 
 read_runtime_log_tags(servicemanager)
+
+set_prop(servicemanager, ctl_interface_start_prop)
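Review bot: `set_prop(servicemanager, ctl_interface_start_prop)` is added without a comment, and a `ctl_` property is a request to init to act on a service, so the reason belongs next to the rule. A line such as `# Ask init to start the service that provides a requested interface` would do, adjusted to the real use case, which this hunk does not show.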
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 961cd67..e93a73d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,11 +10,6 @@
 # Access to /sys/power/{ wakeup_count, state } suspend interface.
 allow system_suspend sysfs_power:file rw_file_perms;
 
-# TODO(b/128923994): remove once all debugging info moves to SystemSuspend.
-# Access to /sys/power/{ wake_lock, wake_unlock } suspend blocker interface.
-allow system_suspend self:global_capability2_class_set block_suspend;
-allow system_suspend sysfs_wake_lock:file rw_file_perms;
-
 neverallow {
     domain
     -atrace # tracing
diff --git a/public/attributes b/public/attributes
index d296a46..1375978 100644
--- a/public/attributes
+++ b/public/attributes
@@ -251,6 +251,8 @@
 hal_attribute(bufferhub);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
+hal_attribute(can_bus);
+hal_attribute(can_controller);
 hal_attribute(cas);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
diff --git a/public/charger.te b/public/charger.te
index 238b413..48d6ad8 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -42,3 +42,5 @@
 set_prop(charger, exported_system_prop)
 set_prop(charger, exported2_system_prop)
 set_prop(charger, exported3_system_prop)
+
+get_prop(charger, charger_prop)
diff --git a/public/hal_can.te b/public/hal_can.te
new file mode 100644
index 0000000..c75495b
--- /dev/null
+++ b/public/hal_can.te
@@ -0,0 +1,9 @@
+# CAN controller
+binder_call(hal_can_controller_client, hal_can_controller_server)
+add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
+allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
+
+# CAN bus
+binder_call(hal_can_bus_client, hal_can_bus_server)
+add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
+allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
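Review bot: Both stanzas in the new hal_can.te spell out `add_hwservice` plus an `allow ... find` by hand, while the hal_evs.te hunk in this same commit switches to `hal_attribute_hwservice`. Writing `hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)` and `hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)` would match that. As I understand the macro, it also adds a build-time neverallow that keeps domains other than the HAL's clients and servers from finding the service, which the hand-written form does not give.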
diff --git a/public/hal_evs.te b/public/hal_evs.te
index bf2e38b..789333a 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -2,4 +2,4 @@
 hwbinder_use(hal_evs_server)
 binder_call(hal_evs_client, hal_evs_server)
 binder_call(hal_evs_server, hal_evs_client)
-allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 0f05d8a..4117878 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -3,6 +3,7 @@
 neverallow {
   halserverdomain
   -hal_bluetooth_server
+  -hal_can_controller_server
   -hal_wifi_server
   -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
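Review bot: `-hal_can_controller_server` is added to two neverallow exemption lists (here and in the second hunk of this file) without a stated reason, and the bodies of both rules lie outside the hunks. An inline reason in the style this tree already uses (`-atrace # tracing` in system_suspend.te) would help, e.g. `-hal_can_controller_server # manages SocketCAN interfaces`. The exemption is attribute-wide, so it applies to every implementation of the CAN controller HAL, not only to hal_can_socketcan.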
@@ -18,6 +19,7 @@
 neverallow {
   halserverdomain
   -hal_automotive_socket_exemption
+  -hal_can_controller_server
   -hal_tetheroffload_server
   -hal_wifi_server
   -hal_wifi_hostapd_server
diff --git a/public/hwservice.te b/public/hwservice.te
index 670b8b8..9f1f42c 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -13,6 +13,8 @@
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
+type hal_can_bus_hwservice, hwservice_manager_type;
+type hal_can_controller_hwservice, hwservice_manager_type;
 type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_confirmationui_hwservice, hwservice_manager_type;
diff --git a/public/property.te b/public/property.te
index 67aa55d..9dc204c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -6,6 +6,7 @@
 type bluetooth_prop, property_type;
 type bpf_progs_loaded_prop, property_type;
 type bootloader_boot_reason_prop, property_type;
+type charger_prop, property_type;
 type cold_boot_done_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
@@ -54,6 +55,7 @@
 type heapprofd_enabled_prop, property_type;
 type heapprofd_prop, property_type;
 type hwservicemanager_prop, property_type;
+type init_svc_debug_prop, property_type;
 type last_boot_reason_prop, property_type;
 type system_lmk_prop, property_type;
 type llkd_prop, property_type;
@@ -91,6 +93,7 @@
 type traced_enabled_prop, property_type;
 type traced_lazy_prop, property_type;
 type use_memfd_prop, property_type;
+type virtual_ab_prop, property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
 type wifi_prop, property_type;
@@ -189,6 +192,18 @@
   ctl_rildaemon_prop
 }:property_service set;
 
+neverallow {
+  domain
+  -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -dumpstate
+  userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
 compatible_property_only(`
 # Prevent properties from being set
   neverallow {
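Review bot: The two neverallow rules added for `init_svc_debug_prop` have no comment saying what they protect. Something like `# Only init may set init_svc_debug_prop; reads are limited to init, dumpstate and, on userdebug/eng, su` above them would record the intent. The read rule exempts dumpstate, but no matching `get_prop(dumpstate, init_svc_debug_prop)` appears in this diff, so confirm that the allow exists elsewhere. The `compatible_property_only` block that follows continues past the end of the hunk.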
diff --git a/public/property_contexts b/public/property_contexts
index ecc2610..2a1a7e2 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -105,6 +105,7 @@
 ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
 ro.config.media_vol_steps u:object_r:exported2_config_prop:s0 exact int
 ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
+ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
 ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
 ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
 ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
@@ -117,9 +118,16 @@
 ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
 ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
 ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.critical u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.debug u:object_r:exported3_default_prop:s0 exact bool
 ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.kill_timeout_ms u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.low u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.medium u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
 ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
 ro.minui.default_rotation u:object_r:exported3_default_prop:s0 exact string
 ro.minui.overscan_percent u:object_r:exported3_default_prop:s0 exact int
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e53f78e..87e3b43 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -76,3 +76,6 @@
 
 # Allow update_engine_common to write to statsd socket.
 unix_socket_send(update_engine_common, statsdw, statsd)
+
+# Allow to read Virtual A/B feature flags.
+get_prop(update_engine_common, virtual_ab_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3312ff8..da3651d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -217,6 +217,7 @@
       -apexd_prop
       -gsid_prop
       -nnapi_ext_deny_product_prop
+      -init_svc_debug_prop
     })
 ')
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 0a3e2d9..43e149e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,7 +4,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service         u:object_r:hal_atrace_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service     u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service  u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service  u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service  u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
new file mode 100644
index 0000000..9ee37fd
--- /dev/null
+++ b/vendor/hal_can_socketcan.te
@@ -0,0 +1,26 @@
+type hal_can_socketcan, domain;
+hal_server_domain(hal_can_socketcan, hal_can_controller)
+hal_server_domain(hal_can_socketcan, hal_can_bus)
+
+type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_can_socketcan)
+
+# Managing SocketCAN interfaces
+allow hal_can_socketcan self:capability net_admin;
+allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
+
+# Calling if_nametoindex(3) to open CAN sockets
+allow hal_can_socketcan self:udp_socket { create ioctl };
+allowxperm hal_can_socketcan self:udp_socket ioctl {
+    SIOCGIFINDEX
+};
+
+# Communicating with SocketCAN interfaces and bringing them up/down
+allow hal_can_socketcan self:can_socket { bind create read write ioctl };
+allowxperm hal_can_socketcan self:can_socket ioctl {
+    SIOCGIFFLAGS
+    SIOCSIFFLAGS
+};
+
+# Un-publishing ICanBus interfaces
+allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
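Review bot: `net_admin` together with `nlmsg_write` on `netlink_route_socket` is not limited to CAN devices by SELinux, so as written this domain can reconfigure any network interface, and the `# Managing SocketCAN interfaces` comment does not say so. State it in the comment, e.g. `# net_admin is not CAN-specific: the HAL must only act on CAN interfaces`, and keep the interface check in the service itself. No domain is given `hal_can_controller_client` in this diff, so whichever domain is later made a client should be reviewed with that reach in mind.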