Merge "Add sepolicy for the securityfs mount type." into rvc-dev
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 7a9c0d0..e47ca0f 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -104,6 +104,7 @@
userspace_reboot_config_prop
userspace_reboot_exported_prop
userspace_reboot_log_prop
+ userspace_reboot_test_prop
vehicle_hal_prop
tv_tuner_resource_mgr_service
vendor_apex_file
diff --git a/private/domain.te b/private/domain.te
index 32b40c1..3f5bbaa 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -101,6 +101,7 @@
get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_log_prop)
+ get_prop({coredomain shell}, userspace_reboot_test_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b70a397..2355326 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -56,6 +56,7 @@
dontaudit gmscore_app wifi_prop:file r_file_perms;
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
+dontaudit gmscore_app mnt_vendor_file:dir search;
# Access the network
net_domain(gmscore_app)
diff --git a/private/priv_app.te b/private/priv_app.te
index dd4d5c7..db28bec 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -147,11 +147,15 @@
connect getattr read recvfrom sendto write getopt setopt };
# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System
-allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+# the Incremental File System, and fill missing blocks in the apk
+allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
-allow priv_app incremental_control_file:file { read getattr };
+allow priv_app incremental_control_file:file { read getattr ioctl };
+
+# allow apps like Phonesky to request permission to fill blocks of an apk file
+# on the Incremental File System.
+allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
###
### neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index 9175d10..1eb2d70 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -91,6 +91,7 @@
sys.boot.reason.last u:object_r:last_boot_reason_prop:s0
pm. u:object_r:pm_prop:s0
test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
+test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
diff --git a/private/shell.te b/private/shell.te
index 2c69f95..76ff073 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -73,6 +73,10 @@
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
+# Allow shell to set and read value of properties used for CTS tests of
+# userspace reboot
+set_prop(shell, userspace_reboot_test_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/system_server.te b/private/system_server.te
index 3b72518..5533d42 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -24,12 +24,12 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
-# To create files on Incremental File System
+# To create files and get permission to fill blocks on Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
-# To get signature of an APK installed on Incremental File System
-allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+# To get signature of an APK installed on Incremental File System and fill in data blocks
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index f1427a9..902941e 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,13 +7,6 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
-# Allow to pick up integrity-checked artifacts from the dalvik cache.
-allow system_server_startup dalvikcache_data_file:dir r_dir_perms;
-allow system_server_startup dalvikcache_data_file:file { r_file_perms execute };
-
-# While doing the above, will touch the apex mount dir.
-allow system_server_startup mnt_expand_file:dir getattr;
-
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 4eeeb4e..4cc3bba 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1057,6 +1057,8 @@
define(`IMSETDEVNAME', `0x80184947')
define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
+define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
+define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/property.te b/public/property.te
index 65281ea..7c1d5fa 100644
--- a/public/property.te
+++ b/public/property.te
@@ -21,6 +21,7 @@
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(userspace_reboot_log_prop)
+system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
@@ -587,3 +588,11 @@
} {
adbd_prop
}:property_service set;
+
+neverallow {
+ # Only allow init and shell to set userspace_reboot_test_prop
+ -init
+ -shell
+} {
+ userspace_reboot_test_prop
+}:property_service set;
diff --git a/public/property_contexts b/public/property_contexts
index 70e57d4..8f1cf2d 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -413,6 +413,8 @@
ro.surface_flinger.has_HDR_display u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.has_wide_color_display u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.max_graphics_height u:object_r:exported3_default_prop:s0 exact int
+ro.surface_flinger.max_graphics_width u:object_r:exported3_default_prop:s0 exact int
ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 exact string
ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 exact int