Merge "Ensure taking a bugreport generates no denials."
diff --git a/Android.mk b/Android.mk
index 9f101e2..ccddace 100644
--- a/Android.mk
+++ b/Android.mk
@@ -259,6 +259,7 @@
 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
 $(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
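Review bot: The hard-coded `user` on the new PRIVATE_TARGET_BUILD_VARIANT line for sepolicy_policy.conf is, together with the LOCAL_BUILT_MODULE rule further down (the one next to `PRIVATE_SEPOLICY_SPLIT := cts`), the only place in this file that does not pass `$(TARGET_BUILD_VARIANT)` through, and nothing says why. A later reader will take it for a copy-paste slip and "fix" it to match the other six rules, which would silently change what those policies are checked against. Add a one-line comment above each, e.g. `# Deliberately 'user': this policy is presumably built as a shipping (user) build regardless of the host variant — confirm intent`, naming the actual reason if it is known.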
@@ -291,6 +292,7 @@
 reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
 $(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -318,6 +320,7 @@
 plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
 $(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -367,6 +370,7 @@
 plat_policy.conf := $(intermediates)/plat_policy.conf
 $(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -518,6 +522,7 @@
 vendor_policy.conf := $(intermediates)/vendor_policy.conf
 $(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -642,6 +647,7 @@
 sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
 $(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -687,6 +693,7 @@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
 $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
@@ -1301,6 +1308,7 @@
 base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
 $(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
diff --git a/definitions.mk b/definitions.mk
index 8a8c9c6..4b9e098 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -4,7 +4,7 @@
 @mkdir -p $(dir $@)
 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-	-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+	-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
 	-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 	-D target_arch=$(PRIVATE_TGT_ARCH) \
 	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
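Review bot: Switching the m4 define from the global `$(TARGET_BUILD_VARIANT)` to the target-specific `$(PRIVATE_TARGET_BUILD_VARIANT)` means any rule that reuses this recipe without setting the private variable now silently passes `-D target_build_variant=` with an empty value, so variant-conditional macros in the policy (e.g. the `userdebug_or_eng(...)` seen in domain.te) expand for no variant at all. The global variable is presumably always set by the build system, so this is a new failure mode that produces a policy rather than an error. Guard it on the m4 line or just before it, e.g. `$(if $(strip $(PRIVATE_TARGET_BUILD_VARIANT)),,$(error $@: PRIVATE_TARGET_BUILD_VARIANT is not set))`. The define this recipe belongs to starts before the hunk.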
diff --git a/private/audioserver.te b/private/audioserver.te
index a0779b3..ed5279e 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -36,8 +36,8 @@
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 
-# Grant access to the "persist.bluetooth.enabledelayreports" property
-get_prop(audioserver, bluetooth_prop);
+# Allow read/write access to bluetooth-specific properties
+set_prop(audioserver, bluetooth_prop)
 
 # Grant access to audio files to audioserver
 allow audioserver audio_data_file:dir ra_dir_perms;
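Review bot: The new set_prop rule widens audioserver from reading bluetooth_prop to setting every property carrying that label, and the replacement comment no longer names the property that motivates it (the removed comment cited persist.bluetooth.enabledelayreports). Write access to a property label is a larger grant than the read the old get_prop gave, so the comment should say which property audioserver actually sets, e.g. `# audioserver sets <property name — fill in> (bluetooth_prop); read-only access is no longer sufficient`. If only one property needs writing and the label covers more, a dedicated property context would keep the grant narrow.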
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 86a7a2a..fec9494 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -61,6 +61,9 @@
 hal_client_domain(bluetooth, hal_bluetooth)
 hal_client_domain(bluetooth, hal_telephony)
 
+# Bluetooth A2DP offload requires binding with audio HAL
+hal_client_domain(bluetooth, hal_audio)
+
 read_runtime_log_tags(bluetooth)
 
 ###
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 1caf952..fe3e648 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,8 +13,7 @@
 allow bpfloader fs_bpf:file create_file_perms;
 allow bpfloader devpts:chr_file { read write };
 
-# TODO: unknown fd pass denials, need further investigation.
-dontaudit bpfloader netd:fd use;
+allow bpfloader netd:fd use;
 
 # Use pinned bpf map files from netd.
 allow bpfloader netd:bpf { map_read map_write };
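Review bot: The dontaudit on `bpfloader netd:fd use` becomes an allow and the TODO that flagged the fd passing as not understood is dropped, but nothing replaces it with what the investigation found. An fd-use grant that does not state which descriptors cross the boundary is hard to audit later. Record the finding above the rule, e.g. `# netd passes <which fds — confirm> to bpfloader, used for <purpose — confirm>`, or keep the TODO if the cause was not actually established; the following "pinned bpf map files" comment hints at the answer but does not say it.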
diff --git a/private/bug_map b/private/bug_map
index 1ff1ffe..9bc5154 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -3,6 +3,7 @@
 crash_dump resourcecache_data_file dir 68319037
 crash_dump system_data_file file 68319037
 crash_dump vendor_overlay_file dir 68319037
+platform_app nfc_data_file dir 74331887
 priv_app sysfs dir 72749888
 priv_app sysfs_android_usb file 72749888
 priv_app system_data_file dir 72811052
@@ -10,4 +11,3 @@
 untrusted_app_25 system_data_file dir 72550646
 untrusted_app_27 system_data_file dir 72550646
 usbd usbd capability 72472544
-vold system_data_file file 62140539
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 261fc6d..74fef1a 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -11,6 +11,7 @@
 (type tracing_shell_writable)
 (type tracing_shell_writable_debug)
 (type webview_zygote_socket)
+(type rild)
 
 (typeattributeset accessibility_service_26_0 (accessibility_service))
 (typeattributeset account_service_26_0 (account_service))
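Review bot: `(type rild)` is added to the list of declared-removed types here and under the ";; types removed from current policy" heading in 27.0.cil, yet rild is still declared in this same change in vendor/rild.te. From the platform policy's point of view the type has moved to vendor policy rather than disappeared, and a reader of the compat file cannot tell that. A short comment next to the line, `;; rild moved to vendor policy (vendor/rild.te); presumably kept here so the older mappings still resolve`, would stop someone deleting it as an apparent leftover.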
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3a493e0..4d36d8e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -3,7 +3,8 @@
 ;;   previous ones.  Add here to pass checkapi tests.
 (typeattribute new_objects)
 (typeattributeset new_objects
-  ( adbd_exec
+  ( adb_service
+    adbd_exec
     bootloader_boot_reason_prop
     blank_screen
     blank_screen_exec
@@ -68,6 +69,7 @@
     perfprofd_service
     property_info
     secure_element
+    secure_element_device
     secure_element_tmpfs
     secure_element_service
     slice_service
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 1be82bf..791a6f1 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1,6 +1,7 @@
 ;; types removed from current policy
 (type webview_zygote_socket)
 (type reboot_data_file)
+(type rild)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 99db662..dcd9f88 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -3,7 +3,8 @@
 ;;   previous ones.  Add here to pass checkapi tests.
 (typeattribute new_objects)
 (typeattributeset new_objects
-  ( blank_screen
+  ( adb_service
+    blank_screen
     blank_screen_exec
     blank_screen_tmpfs
     bootloader_boot_reason_prop
@@ -52,6 +53,7 @@
     perfprofd_service
     property_info
     secure_element
+    secure_element_device
     secure_element_service
     secure_element_tmpfs
     slice_service
diff --git a/private/file_contexts b/private/file_contexts
index f05d005..e70ca4b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -321,10 +321,16 @@
 #############################
 # OEM and ODM files
 #
-/odm(/.*)?                                    u:object_r:vendor_file:s0
-/odm/lib(64)?/egl(/.*)?                       u:object_r:same_process_hal_file:s0
-/odm/lib(64)?/hw                              u:object_r:vendor_hal_file:s0
-/odm/lib(64)?/vndk-sp(/.*)?                   u:object_r:vndk_sp_file:s0
+/(odm|vendor/odm)(/.*)?                       u:object_r:vendor_file:s0
+/(odm|vendor/odm)/lib(64)?/egl(/.*)?          u:object_r:same_process_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/hw                 u:object_r:vendor_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)?      u:object_r:vndk_sp_file:s0
+/(odm|vendor/odm)/bin/sh                      u:object_r:vendor_shell_exec:s0
+/(odm|vendor/odm)/etc(/.*)?                   u:object_r:vendor_configs_file:s0
+/(odm|vendor/odm)/app(/.*)?                   u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/priv-app(/.*)?              u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/overlay(/.*)?               u:object_r:vendor_overlay_file:s0
+/(odm|vendor/odm)/framework(/.*)?             u:object_r:vendor_framework_file:s0
 
 /oem(/.*)?              u:object_r:oemfs:s0
 
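Review bot: The ten new entries repeat the `(odm|vendor/odm)` alternation without a comment saying why /vendor/odm is labelled identically to /odm; the domain.te change in the same commit speaks of a /vendor/odm symlink, which suggests one path stands in for the other when there is no /odm partition. Put that under the `# OEM and ODM files` heading, e.g. `# /odm may be a partition or may live under /vendor/odm (symlinked); label both paths the same — confirm direction`. Without it the alternation reads as an accident that a future entry will omit.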
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index d7ffb8f..abc989e 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -6,6 +6,7 @@
 android.hardware.authsecret::IAuthSecret                        u:object_r:hal_authsecret_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0
 android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
 android.hardware.broadcastradio::IBroadcastRadio                u:object_r:hal_broadcastradio_hwservice:s0
 android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_broadcastradio_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index a887a61..824dece 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -31,6 +31,9 @@
 # section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
 allow incidentd sysfs_devices_system_cpu:file r_file_perms;
 
+# section id 2005, allow reading ps dump in full
+allow incidentd domain:process getattr;
+
 # section id 2006, allow reading /sys/class/power_supply/bms/battery_type
 allow incidentd sysfs_batteryinfo:dir { search };
 allow incidentd sysfs_batteryinfo:file r_file_perms;
@@ -42,6 +45,11 @@
 # Get process attributes
 # TODO allow incidentd domain:process getattr;
 
+# Read files in /proc
+allow incidentd {
+  proc_stat
+}:file r_file_perms;
+
 # Signal java processes to dump their stack and get the results
 # TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
 # TODO allow incidentd anr_data_file:dir create_dir_perms;
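Review bot: The `# TODO allow incidentd domain:process getattr;` line kept in this hunk is now stale, because the first hunk in this file adds exactly that rule under section id 2005. A TODO for a rule that already exists will mislead the next reader into adding it twice or assuming the section is unfinished; delete the TODO line, and its `# Get process attributes` header if nothing else belongs under it. The single-element `{ proc_stat }` set is fine as a list meant to grow, but a reader may take it for a truncated edit, so a `# add further /proc labels here` note would help.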
diff --git a/private/service_contexts b/private/service_contexts
index 71d4845..985444f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,6 +1,7 @@
 accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
+adb                                       u:object_r:adb_service:s0
 alarm                                     u:object_r:alarm_service:s0
 android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index a512e5d..d1571d6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -746,8 +746,8 @@
 
 # allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
 # the map after snapshot is recorded
-allow system_server fs_bpf:file write;
-allow system_server netd:bpf { map_read map_write };
+allow system_server fs_bpf:file read;
+allow system_server netd:bpf map_read;
 
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.
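Review bot: The comment above the two rewritten rules still says system_server will "clean up the map after snapshot is recorded", but the change removes `fs_bpf:file write` and `netd:bpf map_write`, so system_server can no longer clear the map itself and the comment now contradicts the policy. Reword it to match the grant, e.g. `# allow system_server to read the eBPF maps that store the traffic stats information`, and if clean-up has moved to another domain say so there; the typo "amd" can go at the same time.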
diff --git a/public/device.te b/public/device.te
index 43c89ab..231c839 100644
--- a/public/device.te
+++ b/public/device.te
@@ -39,6 +39,7 @@
 type kmsg_debug_device, dev_type;
 type null_device, dev_type, mlstrustedobject;
 type random_device, dev_type, mlstrustedobject;
+type secure_element_device, dev_type;
 type sensors_device, dev_type;
 type serial_device, dev_type;
 type socket_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index fc9c0a9..2681b99 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -180,8 +180,9 @@
 allow domain vendor_configs_file:file { read open getattr };
 
 full_treble_only(`
-    # Allow all domains to be able to follow /system/vendor symlink
-    allow domain vendor_file:lnk_file { getattr open read };
+    # Allow all domains to be able to follow /system/vendor and/or
+    # /vendor/odm symlinks.
+    allow domain vendor_file_type:lnk_file { getattr open read };
 
     # This is required to be able to search & read /vendor/lib64
     # in order to lookup vendor libraries. The execute permission
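Review bot: Replacing `vendor_file` with the `vendor_file_type` attribute grants every domain getattr/open/read on symlinks of every vendor file label, not just the /system/vendor and /vendor/odm symlinks the comment names. /vendor/odm itself is labelled vendor_file by the file_contexts entry in this change, so it is not obvious which label needed the wider attribute; the later hunks in this file drop lnk_file from the vendor_app_file and vendor_overlay_file grants, which suggests those are the labels being folded in. State that in the comment, e.g. `# vendor_file_type rather than vendor_file: symlinks under /odm carry vendor_app_file/vendor_overlay_file etc. — confirm`, or list the specific types instead of the attribute so the grant stays enumerable.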
@@ -912,7 +913,7 @@
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
-    } vendor_app_file:{ file lnk_file } r_file_perms;
+    } vendor_app_file:file r_file_perms;
 ')
 
 full_treble_only(`
@@ -939,7 +940,7 @@
         -system_server
         -webview_zygote
         -zygote
-    } vendor_overlay_file:{ file lnk_file } r_file_perms;
+    } vendor_overlay_file:file r_file_perms;
 ')
 
 full_treble_only(`
@@ -959,7 +960,6 @@
         domain
         -coredomain
         -appdomain
-        -rild
         -vendor_executes_system_violators
         -vendor_init
     } {
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 08cc1ff..8d9d932 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -9,8 +9,8 @@
 
 r_dir_file(hal_audio, proc)
 r_dir_file(hal_audio, proc_asound)
-allow hal_audio audio_device:dir r_dir_perms;
-allow hal_audio audio_device:chr_file rw_file_perms;
+allow hal_audio_server audio_device:dir r_dir_perms;
+allow hal_audio_server audio_device:chr_file rw_file_perms;
 
 # Needed to provide debug dump output via dumpsys' pipes.
 allow hal_audio shell:fd use;
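Review bot: The two audio_device rules are narrowed from the hal_audio attribute (client and server) to hal_audio_server, which is the right direction, but the surrounding rules in the same hunk — `r_dir_file(hal_audio, proc)`, `r_dir_file(hal_audio, proc_asound)` and `allow hal_audio shell:fd use;` — still grant to both sides. Since this change also makes bluetooth a hal_audio client, every such rule now reaches bluetooth as well. If clients do not need /proc or dumpsys fd access, move those to hal_audio_server in the same spirit; if they do, a comment saying why would save the next reviewer the same question.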
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index c866bae..ce4b48c 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -5,7 +5,7 @@
   -hal_bluetooth_server
   -hal_wifi_server
   -hal_wifi_supplicant_server
-  -rild
+  -hal_telephony_server
 } self:global_capability_class_set { net_admin net_raw };
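Review bot: Swapping `-rild` for `-hal_telephony_server` in the three neverallow exemptions in this file (also at the socket and execute_no_trans rules below) widens each exemption from one type to every domain carrying the hal_telephony_server attribute, so any vendor domain declared with hal_server_domain(..., hal_telephony) may now hold net_admin/net_raw, open tcp/udp/rawip sockets, and execute any file_type or fs_type without a transition. That is presumably the point of moving rild's rules onto the attribute, but the execute_no_trans exemption in particular deserves a justification, e.g. `# hal_telephony_server: the RIL runs vendor_shell_exec helpers without a domain transition — TODO confirm still needed`.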
 
 # Unless a HAL's job is to communicate over the network, or control network
@@ -15,7 +15,7 @@
   -hal_tetheroffload_server
   -hal_wifi_server
   -hal_wifi_supplicant_server
-  -rild
+  -hal_telephony_server
 } domain:{ tcp_socket udp_socket rawip_socket } *;
 
 ###
@@ -42,7 +42,7 @@
 neverallow {
   halserverdomain
   -hal_dumpstate_server
-  -rild
+  -hal_telephony_server
 } { file_type fs_type }:file execute_no_trans;
 # Do not allow a process other than init to transition into a HAL domain.
 neverallow { domain -init } halserverdomain:process transition;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 41cfd4b..86f41cb 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -5,3 +5,42 @@
 add_hwservice(hal_telephony_server, hal_telephony_hwservice)
 allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
 
+allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
+
+allow hal_telephony_server self:netlink_route_socket nlmsg_write;
+allow hal_telephony_server kernel:system module_request;
+allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
+allow hal_telephony_server alarm_device:chr_file rw_file_perms;
+allow hal_telephony_server cgroup:dir create_dir_perms;
+allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server radio_device:chr_file rw_file_perms;
+allow hal_telephony_server radio_device:blk_file r_file_perms;
+allow hal_telephony_server mtd_device:dir search;
+allow hal_telephony_server efs_file:dir create_dir_perms;
+allow hal_telephony_server efs_file:file create_file_perms;
+allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
+allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
+allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
+allow hal_telephony_server sdcard_type:dir r_dir_perms;
+
+# property service
+set_prop(hal_telephony_server, radio_prop)
+set_prop(hal_telephony_server, exported_radio_prop)
+set_prop(hal_telephony_server, exported2_radio_prop)
+
+allow hal_telephony_server tty_device:chr_file rw_file_perms;
+
+# Allow hal_telephony_server to create and use netlink sockets.
+allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(hal_telephony_server)
+
+r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, sysfs_type)
+r_dir_file(hal_telephony_server, system_file)
+
+# granting the ioctl permission for hal_telephony_server should be device specific
+allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
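Review bot: The rules moved here from the deleted public/rild.te are not a verbatim move: `allow rild shell_exec:file rx_file_perms;` became `allow hal_telephony_server vendor_shell_exec:file rx_file_perms;`, and `net_domain()` stays with the rild type in vendor/rild.te rather than following the other rules onto the attribute. Both look deliberate (a vendor HAL should not run the system shell, and net_domain is applied per domain) but neither is noted, and the commit title does not mention the rild move at all. A header comment before the block, saying these rules came from rild.te, now apply to every hal_telephony_server domain, and that shell_exec was intentionally replaced by vendor_shell_exec, would keep the difference from being read as a regression. Attaching setuid/setgid/setpcap/net_admin/net_raw to the attribute rather than the type is the larger security change and belongs in that same comment.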
diff --git a/public/property.te b/public/property.te
index e400332..cb839c9 100644
--- a/public/property.te
+++ b/public/property.te
@@ -158,7 +158,7 @@
     domain
     -coredomain
     -appdomain
-    -rild
+    -hal_telephony_server
     -vendor_init
   } {
     exported_radio_prop
@@ -203,7 +203,7 @@
     domain
     -coredomain
     -appdomain
-    -rild
+    -hal_telephony_server
     -vendor_init
   } {
     radio_prop
diff --git a/public/property_contexts b/public/property_contexts
index 55fad2e..f790d97 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -67,7 +67,6 @@
 persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
 persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
 persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
-persist.rcs.supported u:object_r:exported3_default_prop:s0 exact int
 persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
@@ -201,6 +200,7 @@
 aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
 gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
 media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
 rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
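Review bot: `persist.rcs.supported` is relabelled from exported3_default_prop to exported_default_prop, which changes the set of domains that may read it, yet the change looks like a reorder because the removal and re-addition sit in different hunks and nothing records why the label changed. Comments are unusual in this file, so the reason belongs in the commit message; if the property is meant to be readable by the wider exported_default_prop audience, name the consumer that needed it.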
@@ -212,6 +212,7 @@
 ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
 ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
 ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
 ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
 ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
 ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
diff --git a/public/radio.te b/public/radio.te
index b66514c..4998a61 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,8 +5,8 @@
 bluetooth_domain(radio)
 binder_service(radio)
 
-# Talks to rild via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, rild)')
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
 
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;
diff --git a/public/rild.te b/public/rild.te
deleted file mode 100644
index 8cafd23..0000000
--- a/public/rild.te
+++ /dev/null
@@ -1,45 +0,0 @@
-# rild - radio interface layer daemon
-type rild, domain;
-hal_server_domain(rild, hal_telephony)
-
-net_domain(rild)
-allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
-
-allow rild self:netlink_route_socket nlmsg_write;
-allow rild kernel:system module_request;
-allow rild self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
-allow rild alarm_device:chr_file rw_file_perms;
-allow rild cgroup:dir create_dir_perms;
-allow rild cgroup:{ file lnk_file } r_file_perms;
-allow rild radio_device:chr_file rw_file_perms;
-allow rild radio_device:blk_file r_file_perms;
-allow rild mtd_device:dir search;
-allow rild efs_file:dir create_dir_perms;
-allow rild efs_file:file create_file_perms;
-allow rild shell_exec:file rx_file_perms;
-allow rild bluetooth_efs_file:file r_file_perms;
-allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild sdcard_type:dir r_dir_perms;
-
-# property service
-set_prop(rild, radio_prop)
-set_prop(rild, exported_radio_prop)
-set_prop(rild, exported2_radio_prop)
-
-allow rild tty_device:chr_file rw_file_perms;
-
-# Allow rild to create and use netlink sockets.
-allow rild self:netlink_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Access to wake locks
-wakelock_use(rild)
-
-r_dir_file(rild, proc_net)
-r_dir_file(rild, sysfs_type)
-r_dir_file(rild, system_file)
-
-# granting the ioctl permission for rild should be device specific
-allow rild self:socket create_socket_perms_no_ioctl;
-
diff --git a/public/service.te b/public/service.te
index e13b6d5..ae45987 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type adb_service, system_server_service, service_manager_type;
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 22d9c46..ac8c808 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -19,6 +19,7 @@
 $(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
 $($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
 $($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
diff --git a/vendor/hal_secure_element_default.te b/vendor/hal_secure_element_default.te
index 86fe0b9..b1a94a1 100644
--- a/vendor/hal_secure_element_default.te
+++ b/vendor/hal_secure_element_default.te
@@ -2,4 +2,6 @@
 hal_server_domain(hal_secure_element_default, hal_secure_element)
 type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
 
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+
 init_daemon_domain(hal_secure_element_default)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 1ff9ba2..cca8094 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -15,3 +15,11 @@
 
 # Write to security logs for audit.
 get_prop(hal_wifi_supplicant_default, device_logging_prop)
+
+# Devices upgrading to P may grant this permission in device-specific
+# policy along with the data_between_core_and_vendor_violators
+# attribute needed for an exemption.  However, devices that launch with
+# P should use /data/vendor/wifi, which is already granted in core
+# policy.  This is dontaudited here to avoid conditional
+# device-specific behavior in wpa_supplicant.
+dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
diff --git a/vendor/rild.te b/vendor/rild.te
index 510a776..fc84ef7 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -1,3 +1,8 @@
+# rild - radio interface layer daemon
+type rild, domain;
+hal_server_domain(rild, hal_telephony)
+net_domain(rild)
+
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
 type rild_exec, exec_type, vendor_file_type, file_type;