Merge "Add sdcardfs variable to storage_config_props"
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 3d649a0..2dd0265 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -18,8 +18,9 @@
apexd_prop
apexd_tmpfs
app_zygote
- audio_config_prop
+ art_apex_dir
atrace
+ audio_config_prop
binder_calls_stats_service
biometric_service
blank_screen
@@ -134,10 +135,11 @@
perfetto_tmpfs
perfetto_traces_data_file
property_info
+ provisioned_prop
recovery_socket
+ retaildemo_prop
role_service
runas_app
- art_apex_dir
runtime_service
secure_element
secure_element_device
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index e4719f5..40e91e2 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -43,6 +43,7 @@
device_config_configuration_prop
emergency_affordance_service
exported_camera_prop
+ fastbootd_protocol_prop
file_integrity_service
fwk_automotive_display_hwservice
gmscore_app
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 973d580..481cbe3 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1361,7 +1361,11 @@
media_config_prop
zram_config_prop))
(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop))
-(typeattributeset exported3_system_prop_30_0 (exported3_system_prop boot_status_prop))
+(typeattributeset exported3_system_prop_30_0
+ ( exported3_system_prop
+ boot_status_prop
+ provisioned_prop
+ retaildemo_prop))
(typeattributeset exported_audio_prop_30_0 (exported_audio_prop audio_config_prop))
(typeattributeset exported_bluetooth_prop_30_0 (exported_bluetooth_prop))
(typeattributeset exported_camera_prop_30_0 (exported_camera_prop))
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 1655f00..f0ba02c 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -22,4 +22,12 @@
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
+
+ # Needed for TCP protocol
+ allow fastbootd node:tcp_socket node_bind;
+ allow fastbootd port:tcp_socket name_bind;
+ allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Get fastbootd protocol property
+ get_prop(fastbootd, fastbootd_protocol_prop)
')
diff --git a/private/property.te b/private/property.te
index fd8ea3b..ca4dd65 100644
--- a/private/property.te
+++ b/private/property.te
@@ -4,6 +4,7 @@
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
+system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
@@ -368,3 +369,19 @@
usb_config_prop
usb_control_prop
}:property_service set;
+
+neverallow {
+ -init
+ -system_server
+} {
+ provisioned_prop
+ retaildemo_prop
+}:property_service set;
+
+neverallow {
+ -coredomain
+ -vendor_init
+} {
+ provisioned_prop
+ retaildemo_prop
+}:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 326c474..3f15983 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -94,6 +94,9 @@
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
+# Fastbootd protocol control property
+fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
@@ -515,10 +518,12 @@
dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
sys.boot_completed u:object_r:boot_status_prop:s0 exact bool
-persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
+persist.sys.device_provisioned u:object_r:provisioned_prop:s0 exact string
+
persist.sys.theme u:object_r:theme_prop:s0 exact string
-sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
+sys.retaildemo.enabled u:object_r:retaildemo_prop:s0 exact int
+
sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
aac_drc_boost u:object_r:aac_drc_prop:s0 exact int
diff --git a/private/recovery.te b/private/recovery.te
index bb22914..47547e3 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -24,4 +24,13 @@
get_prop(recovery, storage_config_prop)
set_prop(recovery, gsid_prop)
+
+ # These are needed to allow recovery to manage network
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+ allow recovery self:global_capability_class_set net_admin;
+ allow recovery self:tcp_socket { create ioctl };
+ allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+ # Set fastbootd protocol property
+ set_prop(recovery, fastbootd_protocol_prop)
')
diff --git a/private/system_server.te b/private/system_server.te
index a049696..bd87ead 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -620,6 +620,8 @@
set_prop(system_server, audio_prop)
set_prop(system_server, boot_status_prop)
set_prop(system_server, surfaceflinger_color_prop)
+set_prop(system_server, provisioned_prop)
+set_prop(system_server, retaildemo_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
diff --git a/public/dumpstate.te b/public/dumpstate.te
index fd68bc7..d84e529 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -140,6 +140,10 @@
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_thermal)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/public/property.te b/public/property.te
index 108c78e..a13a361 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,7 +65,9 @@
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
+system_restricted_prop(retaildemo_prop)
system_restricted_prop(socket_hook_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
diff --git a/public/sgdisk.te b/public/sgdisk.te
index 9d71249..e5a9152 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -17,6 +17,8 @@
allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
# Force a re-read of the partition table.
allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
+# Allow reading of the physical block size.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
# Inherit and use pty created by android_fork_execvp()
allow sgdisk devpts:chr_file { read write ioctl getattr };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6c9a8b8..a344eaa 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -245,9 +245,11 @@
get_prop(vendor_init, boot_status_prop)
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, ota_prop)
+get_prop(vendor_init, provisioned_prop)
+get_prop(vendor_init, retaildemo_prop)
get_prop(vendor_init, theme_prop)
-get_prop(vendor_init, ota_prop)
###
### neverallow rules