Merge "Add sepolicy config for tethering_u_or_later_native namespace" into udc-dev
diff --git a/apex/Android.bp b/apex/Android.bp
index 24eca7f..c2a006b 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -239,13 +239,6 @@
}
filegroup {
- name: "com.android.tethering.inprocess-file_contexts",
- srcs: [
- "com.android.tethering.inprocess-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.extservices-file_contexts",
srcs: [
"com.android.extservices-file_contexts",
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index f1aa92b..ada6c3b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/art_boot u:object_r:art_boot_exec:s0
/bin/art_exec u:object_r:art_exec_exec:s0
/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index cc60b70..a3fc35d 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/art_boot u:object_r:art_boot_exec:s0
/bin/art_exec u:object_r:art_exec_exec:s0
/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
diff --git a/apex/com.android.tethering.inprocess-file_contexts b/apex/com.android.tethering.inprocess-file_contexts
deleted file mode 100644
index af366d8..0000000
--- a/apex/com.android.tethering.inprocess-file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/bin/for-system/clatd u:object_r:clatd_exec:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/prebuilts/api/34.0/private/app.te b/prebuilts/api/34.0/private/app.te
index 528d673..6914fd3 100644
--- a/prebuilts/api/34.0/private/app.te
+++ b/prebuilts/api/34.0/private/app.te
@@ -262,6 +262,9 @@
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
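Review bot: The new `allow appdomain sdk_sandbox_data_file:file { getattr read };` grants every app domain, including isolated_app_all, which the rule directly above deliberately excludes from fd-based access to app data. Unless isolated processes are meant to receive SDK-sandbox fds, keep the two rules parallel: `allow { appdomain -isolated_app_all } sdk_sandbox_data_file:file { getattr read };`. The comment should also state that this is reachable only through an already-open fd, since nothing in this hunk grants `sdk_sandbox_data_file:dir` search to appdomain — `# Read SDK sandbox data files via fds passed from the sandbox (no dir access, so open() is not possible)`. The same applies to the mirrored hunk in private/app.te.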
diff --git a/prebuilts/api/34.0/private/art_boot.te b/prebuilts/api/34.0/private/art_boot.te
new file mode 100644
index 0000000..1b088d6
--- /dev/null
+++ b/prebuilts/api/34.0/private/art_boot.te
@@ -0,0 +1,9 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
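Review bot: `set_prop(art_boot, dalvik_config_prop_type)` targets a name that nothing else in this change declares or references: the domain.te neverallow exempts art_boot for `dalvik_config_prop`, and property.te moves `dalvik_config_prop` to system_public_prop. If `dalvik_config_prop_type` is an attribute declared elsewhere that spans more than `dalvik_config_prop`, art_boot gains set access to types the neverallow does not account for; if it is not declared at all, policy compilation should fail. Either use `set_prop(art_boot, dalvik_config_prop)` or add a comment naming which types the attribute covers and why the wider grant is intended. The mirrored hunk in private/art_boot.te has the same issue.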
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 54078ba..13dd259 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
( new_objects
adaptive_haptics_prop
apex_ready_prop
+ art_boot
+ art_boot_exec
artd
bt_device
build_attestation_prop
@@ -60,7 +62,6 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
- setupwizard_esim_prop
shutdown_checkpoints_system_data_file
stats_config_data_file
sysfs_fs_fuse_features
diff --git a/prebuilts/api/34.0/private/coredomain.te b/prebuilts/api/34.0/private/coredomain.te
index 8abc646..83930a5 100644
--- a/prebuilts/api/34.0/private/coredomain.te
+++ b/prebuilts/api/34.0/private/coredomain.te
@@ -14,7 +14,6 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index 2cffdd8..f98a285 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -539,6 +539,10 @@
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index 1ea3268..258c6b4 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -264,6 +264,8 @@
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/drmserver32 u:object_r:drmserver_exec:s0
+/system/bin/drmserver64 u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
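Review bot: The two added lines spell out the drmserver label once per ABI suffix, whereas this same change labels `/bin/dex2oat(32|64)?` with a single regex in the ART file_contexts hunks; `/system/bin/drmserver(32|64)? u:object_r:drmserver_exec:s0` would replace all three lines and keeps the variants from drifting apart later. Same for the mirrored hunk in private/file_contexts.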
diff --git a/prebuilts/api/34.0/private/mediaprovider_app.te b/prebuilts/api/34.0/private/mediaprovider_app.te
index 1f84eca..7ad8feb 100644
--- a/prebuilts/api/34.0/private/mediaprovider_app.te
+++ b/prebuilts/api/34.0/private/mediaprovider_app.te
@@ -35,9 +35,6 @@
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
diff --git a/prebuilts/api/34.0/private/property.te b/prebuilts/api/34.0/private/property.te
index 042bd4f..5889e57 100644
--- a/prebuilts/api/34.0/private/property.te
+++ b/prebuilts/api/34.0/private/property.te
@@ -599,10 +599,6 @@
-init
} setupwizard_prop:property_service set;
-neverallow {
- domain
- -init
-} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index f85f22e..d7818ee 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -667,6 +667,7 @@
ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.assistant_vol_min u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
@@ -1204,7 +1205,6 @@
ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl_legacy u:object_r:graphics_config_prop:s0 exact string
ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
@@ -1453,8 +1453,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_all.te b/prebuilts/api/34.0/private/sdk_sandbox_all.te
index 9a3f05f..6e7ba50 100644
--- a/prebuilts/api/34.0/private/sdk_sandbox_all.te
+++ b/prebuilts/api/34.0/private/sdk_sandbox_all.te
@@ -28,6 +28,9 @@
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
###
### neverallow rules
###
@@ -64,7 +67,7 @@
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
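Review bot: The comment above the relaxed neverallow, `# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file`, is now inaccurate, since `~{ getattr read }` on the next line admits read access to both types. The neverallow still denies `open`, so the access is only through fds handed over by the app, and the comment should say so: `# SDK sandbox processes have their own storage; app data is readable only via fds passed from the app (open is still denied)`. Consider also whether `map` needs the same treatment, since a passed fd that the sandbox mmap()s is denied under the new rule. The mirrored hunk in private/sdk_sandbox_all.te needs the same edit.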
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_next.te b/prebuilts/api/34.0/private/sdk_sandbox_next.te
new file mode 100644
index 0000000..87884a9
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_next.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_next {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
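Review bot: The header `### for targetSdkVersion=34.` describes the selection criterion incorrectly: the seapp_contexts hunk in this change maps targetSdkVersion 34 sandboxes to `sdk_sandbox_34` and routes to `sdk_sandbox_next` only when `isSdkSandboxNext=true`, so it should read `### for sdk sandbox processes selected by isSdkSandboxNext=true in seapp_contexts.` The new type `sdk_sandbox_next` also does not appear in the 33.0.ignore.cil hunk of this change, which adds only `art_boot` and `art_boot_exec`; unless it is covered by a mapping elsewhere, the compat check for new types should reject it. The file also ends with a trailing blank line. The mirrored hunk in private/sdk_sandbox_next.te is identical.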
diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts
index fbdd93f..4454bd7 100644
--- a/prebuilts/api/34.0/private/seapp_contexts
+++ b/prebuilts/api/34.0/private/seapp_contexts
@@ -12,6 +12,7 @@
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
+# isSdkSandboxNext (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -47,6 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
+# isSdkSandboxNext=true means sdk sandbox processes will get
+# sdk_sandbox_next sepolicy applied to them.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -64,6 +68,7 @@
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
+# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -165,6 +170,7 @@
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
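Review bot: The precedence comment added as rule (10) points at libselinux's seapp_context_cmp() in external/selinux, but this change only teaches tools/check_seapp.c to validate the new `isSdkSandboxNext` key; nothing here shows the runtime parser accepting the key or ordering it as stated. Unless a matching libselinux change lands with this one, the new `user=_sdksandbox isSdkSandboxNext=true ...` line will be rejected or ignored on device while check_seapp passes. A one-line pointer in the comment to that libselinux change would make the dependency visible. The mirrored hunk in private/seapp_contexts carries the same comment.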
diff --git a/prebuilts/api/34.0/private/system_server.te b/prebuilts/api/34.0/private/system_server.te
index 123d20f..98d859c 100644
--- a/prebuilts/api/34.0/private/system_server.te
+++ b/prebuilts/api/34.0/private/system_server.te
@@ -1209,6 +1209,7 @@
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
+ allow system_server user_profile_data_file:dir w_dir_perms;
allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te
index 56c3142..1da3f51 100644
--- a/prebuilts/api/34.0/public/domain.te
+++ b/prebuilts/api/34.0/public/domain.te
@@ -1285,3 +1285,7 @@
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
+
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
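Review bot: `get_prop(domain, device_config_media_native_prop)`, together with the property.te hunk that moves this type from system_internal_prop to system_restricted_prop, makes these flags readable by every domain, including untrusted apps and vendor processes, not just the media processes that link libstagefright. If only a known set of domains needs them, grant get_prop to those domains instead, or state in the comment that the namespace has been checked for sensitive values: `# Readable by all domains: the device_config media native flags carry no sensitive data.` The same applies to the mirrored hunk in public/domain.te.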
diff --git a/prebuilts/api/34.0/public/modprobe.te b/prebuilts/api/34.0/public/modprobe.te
index 2c7d64b..910aebd 100644
--- a/prebuilts/api/34.0/public/modprobe.te
+++ b/prebuilts/api/34.0/public/modprobe.te
@@ -4,6 +4,9 @@
allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
+allow modprobe system_dlkm_file:dir search;
+allow modprobe system_dlkm_file:file r_file_perms;
+allow modprobe system_dlkm_file:system module_load;
recovery_only(`
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
diff --git a/prebuilts/api/34.0/public/property.te b/prebuilts/api/34.0/public/property.te
index 5ee8d60..323108e 100644
--- a/prebuilts/api/34.0/public/property.te
+++ b/prebuilts/api/34.0/public/property.te
@@ -8,7 +8,6 @@
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(firstboot_prop)
@@ -68,6 +67,7 @@
system_restricted_prop(composd_vm_art_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
+system_restricted_prop(device_config_media_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
@@ -88,7 +88,6 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
-system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
@@ -147,7 +146,6 @@
system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(composd_vm_vendor_prop)
system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(debugfs_restriction_prop)
system_vendor_config_prop(drm_service_config_prop)
system_vendor_config_prop(exported_camera_prop)
@@ -210,6 +208,7 @@
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_config_prop)
system_public_prop(dalvik_dynamic_config_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
diff --git a/prebuilts/api/34.0/public/vendor_init.te b/prebuilts/api/34.0/public/vendor_init.te
index 3942c27..9dd9898 100644
--- a/prebuilts/api/34.0/public/vendor_init.te
+++ b/prebuilts/api/34.0/public/vendor_init.te
@@ -235,6 +235,7 @@
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
set_prop(vendor_init, dalvik_dynamic_config_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
diff --git a/private/app.te b/private/app.te
index 528d673..6914fd3 100644
--- a/private/app.te
+++ b/private/app.te
@@ -262,6 +262,9 @@
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/private/art_boot.te b/private/art_boot.te
new file mode 100644
index 0000000..1b088d6
--- /dev/null
+++ b/private/art_boot.te
@@ -0,0 +1,9 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 54078ba..13dd259 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
( new_objects
adaptive_haptics_prop
apex_ready_prop
+ art_boot
+ art_boot_exec
artd
bt_device
build_attestation_prop
@@ -60,7 +62,6 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
- setupwizard_esim_prop
shutdown_checkpoints_system_data_file
stats_config_data_file
sysfs_fs_fuse_features
diff --git a/private/coredomain.te b/private/coredomain.te
index 8abc646..83930a5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,7 +14,6 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/domain.te b/private/domain.te
index 2cffdd8..f98a285 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -539,6 +539,10 @@
# Do not allow reading the last boot timestamp from system properties
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/private/file_contexts b/private/file_contexts
index 1ea3268..258c6b4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -264,6 +264,8 @@
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/drmserver32 u:object_r:drmserver_exec:s0
+/system/bin/drmserver64 u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 1f84eca..7ad8feb 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -35,9 +35,6 @@
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
diff --git a/private/property.te b/private/property.te
index 042bd4f..5889e57 100644
--- a/private/property.te
+++ b/private/property.te
@@ -599,10 +599,6 @@
-init
} setupwizard_prop:property_service set;
-neverallow {
- domain
- -init
-} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index f85f22e..d7818ee 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -667,6 +667,7 @@
ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.assistant_vol_min u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
@@ -1204,7 +1205,6 @@
ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl_legacy u:object_r:graphics_config_prop:s0 exact string
ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
@@ -1453,8 +1453,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 9a3f05f..6e7ba50 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -28,6 +28,9 @@
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
###
### neverallow rules
###
@@ -64,7 +67,7 @@
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
diff --git a/private/sdk_sandbox_next.te b/private/sdk_sandbox_next.te
new file mode 100644
index 0000000..87884a9
--- /dev/null
+++ b/private/sdk_sandbox_next.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_next {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index fbdd93f..4454bd7 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -12,6 +12,7 @@
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
+# isSdkSandboxNext (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -47,6 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
+# isSdkSandboxNext=true means sdk sandbox processes will get
+# sdk_sandbox_next sepolicy applied to them.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -64,6 +68,7 @@
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
+# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -165,6 +170,7 @@
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/system_server.te b/private/system_server.te
index 123d20f..98d859c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1209,6 +1209,7 @@
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
+ allow system_server user_profile_data_file:dir w_dir_perms;
allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
diff --git a/public/domain.te b/public/domain.te
index 56c3142..1da3f51 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1285,3 +1285,7 @@
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
+
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
diff --git a/public/modprobe.te b/public/modprobe.te
index 2c7d64b..910aebd 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -4,6 +4,9 @@
allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
+allow modprobe system_dlkm_file:dir search;
+allow modprobe system_dlkm_file:file r_file_perms;
+allow modprobe system_dlkm_file:system module_load;
recovery_only(`
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
diff --git a/public/property.te b/public/property.te
index 5ee8d60..323108e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -8,7 +8,6 @@
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(firstboot_prop)
@@ -68,6 +67,7 @@
system_restricted_prop(composd_vm_art_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
+system_restricted_prop(device_config_media_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
@@ -88,7 +88,6 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
-system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
@@ -147,7 +146,6 @@
system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(composd_vm_vendor_prop)
system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(debugfs_restriction_prop)
system_vendor_config_prop(drm_service_config_prop)
system_vendor_config_prop(exported_camera_prop)
@@ -210,6 +208,7 @@
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_config_prop)
system_public_prop(dalvik_dynamic_config_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3942c27..9dd9898 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -235,6 +235,7 @@
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
set_prop(vendor_init, dalvik_dynamic_config_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e57a6b3..0d7a4d1 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -214,6 +214,7 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },