Merge "Add ioctl FS_IOC_GETFLAGS access for gsid"
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 44d7535..8804303 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,4 +1,5 @@
 ;; types removed from current policy
+(type cgroup_bpf)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_ffs_prop)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index bcb571d..9cead18 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
     apex_info_file
     debugfs_kprobes
     gnss_device
+    hal_dumpstate_config_prop
     keystore2_key_contexts_file
     mediatranscoding_tmpfs
     people_service
@@ -16,5 +17,5 @@
     profcollectd_data_file
     profcollectd_exec
     profcollectd_service
-    update_engine_stable_service))
-
+    update_engine_stable_service
+    cgroup_v2))
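Review bot: Listing `cgroup_v2` here treats it as a type with no 30.0 counterpart, while the 30.0.cil hunk declares `cgroup_bpf` as removed. Rules that a 30.0 vendor policy wrote against the old label of the cgroup2 mount would therefore presumably not carry over to `cgroup_v2`. The mapping section of 30.0.cil is outside this diff, so that should be confirmed there; if dropping those rules is intended, a `;;` comment saying so would help the next reader. Separately, the entry is appended after `update_engine_stable_service`, whereas the visible entries are alphabetical, which would put it between `apex_info_file` and `debugfs_kprobes`.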
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e67c5d3..433abbc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -103,7 +103,7 @@
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
diff --git a/private/property.te b/private/property.te
index d62ea9c..96edc14 100644
--- a/private/property.te
+++ b/private/property.te
@@ -446,3 +446,10 @@
   -dumpstate
   -appdomain
 } camera_calibration_prop:file no_rw_file_perms;
+
+neverallow {
+  -init
+  -dumpstate
+  -hal_dumpstate
+  not_compatible_property(`-vendor_init')
+} hal_dumpstate_config_prop:file no_rw_file_perms;
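Review bot: The source set of the added neverallow contains only subtractions (`-init`, `-dumpstate`, `-hal_dumpstate`, the `-vendor_init` macro) and no base set to subtract from. As written it likely matches no domain or is rejected by the policy compiler, so it does not enforce the intended restriction on `hal_dumpstate_config_prop`. Adding `  domain` as the first entry after `neverallow {` would make it cover every domain except the listed ones. The rule just above it, whose tail is visible at the top of the hunk, starts outside the hunk and presumably has that base.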
diff --git a/private/property_contexts b/private/property_contexts
index 0c563fd..2397150 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -517,6 +517,7 @@
 
 dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
 dumpstate.unroot  u:object_r:exported_dumpstate_prop:s0 exact bool
+persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
 
 hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
 
diff --git a/private/system_server.te b/private/system_server.te
index 23b710a..26b728f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -930,6 +930,8 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
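Review bot: The two added `cgroup_v2` rules give system_server `rw_file_perms` on every file in the cgroup2 mount, because the genfs_contexts hunk labels the whole filesystem with this single type. The neighbouring `r_dir_file(system_server, cgroup)` grant is read-only, and nothing here says why write access is needed. A comment above the rules, such as `# Read cgroup v2 directories and write cgroup v2 control files.`, with the specific controller files named if they are known, would let a later reviewer judge whether the write can be narrowed.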
diff --git a/public/file.te b/public/file.te
index 3cf2ff0..d3c6b89 100644
--- a/public/file.te
+++ b/public/file.te
@@ -77,7 +77,7 @@
 type selinuxfs, fs_type, mlstrustedobject;
 type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
-type cgroup_bpf, fs_type;
+type cgroup_v2, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
@@ -529,7 +529,7 @@
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
-allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index b7676ed..b7e14f8 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,8 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
+set_prop(hal_dumpstate, hal_dumpstate_config_prop)
+
 hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
 
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
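Review bot: `set_prop(hal_dumpstate, hal_dumpstate_config_prop)` grants the set permission to the broad `hal_dumpstate` attribute rather than to `hal_dumpstate_server`, which the `binder_call` lines above already distinguish from the client side. If only the HAL implementation has to write `persist.dumpstate.verbose_logging.enabled`, `set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)` would be the narrower grant. The `-hal_dumpstate` exemption in the private/property.te neverallow could then be tightened to match. The line also has no comment, unlike the rule below it; `# Allow the dumpstate HAL to set its verbose-logging config property.` would do.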
diff --git a/public/init.te b/public/init.te
index 7dc522a..c0e7914 100644
--- a/public/init.te
+++ b/public/init.te
@@ -96,7 +96,7 @@
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_bpf:dir { create mounton };
+allow init cgroup_v2:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
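Review bot: The init grant on the cgroup2 directory widens from `{ create mounton }` to `{ mounton create_dir_perms }`, which adds the remaining directory-management permissions on top of create, and no comment explains what needs them. The following rule has a `# Mount bpf fs on sys/fs/bpf` comment; a matching line here, such as `# Mount the cgroup v2 hierarchy and create directories in it.`, would record the intent. If init only needs to create and populate directories, listing the required permissions explicitly would keep the grant minimal.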
diff --git a/public/netd.te b/public/netd.te
index ad2dde9..48e79b7 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -62,7 +62,7 @@
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
 
-r_dir_file(netd, cgroup_bpf)
+r_dir_file(netd, cgroup_v2)
 
 allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };
diff --git a/public/property.te b/public/property.te
index 3c913b1..34ed999 100644
--- a/public/property.te
+++ b/public/property.te
@@ -169,6 +169,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
 system_public_prop(hwservicemanager_prop)
 system_public_prop(lmkd_prop)