Merge "Expose filesystem read events in SELinux policy."
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index cfda748..3e22734 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -112,6 +112,7 @@
untrusted_app_all_devpts
update_engine_log_data_file
vendor_default_prop
+ vendor_security_patch_level_prop
usbd
usbd_exec
usbd_tmpfs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a3f7bb5..5428d83 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -91,6 +91,7 @@
usbd_tmpfs
vendor_default_prop
vendor_init
+ vendor_security_patch_level_prop
vendor_shell
vold_metadata_file
vold_prepare_subdirs
diff --git a/public/property.te b/public/property.te
index 64f309d..6fa85dc 100644
--- a/public/property.te
+++ b/public/property.te
@@ -53,6 +53,7 @@
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
+type vendor_security_patch_level_prop, property_type;
# Properties for whitelisting
type exported_config_prop, property_type;
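Review bot: The new `vendor_security_patch_level_prop` type is declared without a neverallow that pins its writers, so nothing in this diff stops a later rule, or vendor policy, from granting `set` on this public type to another domain. The label covers `ro.vendor.build.security_patch`, which is write-once and reports the patch level, so whichever domain sets it first decides what CTS and any other reader sees. Consider adding `neverallow { domain -init -vendor_init } vendor_security_patch_level_prop:property_service set;` next to the declaration; the exact exclusion list depends on rules outside this diff. The only writer granted here is the `set_prop(vendor_init, ...)` line in public/vendor_init.te, and a short comment above the type such as `# ro.vendor.build.security_patch; written by vendor_init only` would record that intent.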
diff --git a/public/property_contexts b/public/property_contexts
index 20f6348..48e91a7 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -102,6 +102,7 @@
ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
ro.url.legal u:object_r:exported3_default_prop:s0 exact string
ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
ro.zygote u:object_r:exported3_default_prop:s0 exact string
sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
diff --git a/public/shell.te b/public/shell.te
index c5033ec..6641597 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -81,6 +81,9 @@
# Read device's serial number from system properties
get_prop(shell, serialno_prop)
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
# Read state of logging-related properties
get_prop(shell, device_logging_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6a13f69..dee2006 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -178,6 +178,7 @@
set_prop(vendor_init, log_prop)
set_prop(vendor_init, serialno_prop)
set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, wifi_log_prop)
get_prop(vendor_init, exported2_radio_prop)