Merge "sepolicy: Add context for ro.boot.product.vendor.sku"
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 03f8f19..6a7123b 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -149,10 +149,7 @@
 			inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
 		} else {
 			inputs = append(inputs, segroup.SystemPrivateSrcs()...)
-
-			if ctx.Config().ProductCompatibleProperty() {
-				inputs = append(inputs, segroup.SystemPublicSrcs()...)
-			}
+			inputs = append(inputs, segroup.SystemPublicSrcs()...)
 		}
 
 		if proptools.Bool(m.properties.Reqd_mask) {
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index 2fa4af6..ec5c57e 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
@@ -23,6 +23,10 @@
   unix_socket_connect(adbd, recovery, recovery)
 ')
 
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };
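Review bot: The added `unix_socket_connect(adbd, traced_consumer, traced)` comes after the closing `')` of the preceding block and has no build-variant guard of its own, so as far as this hunk shows it applies on every build type. The comment does not say whether that is intended. Because the rule lets adbd's port forwarding reach the traced consumer socket, the comment should state the trust assumption, for example `# Applies on all build variants; access is gated by adb authorization.` if that is the intent. This file is part of the prebuilts/api/29.0 snapshot, and no matching change to the current private/adbd.te appears among the files shown here, so it is worth confirming the two stay in sync.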
diff --git a/prebuilts/api/29.0/private/gpuservice.te b/prebuilts/api/29.0/private/gpuservice.te
index ebfff76..9e17d06 100644
--- a/prebuilts/api/29.0/private/gpuservice.te
+++ b/prebuilts/api/29.0/private/gpuservice.te
@@ -31,6 +31,10 @@
 # Needed for interactive shell
 allow gpuservice devpts:chr_file { read write getattr };
 
+# Needed for dumpstate to dumpsys gpu.
+allow gpuservice dumpstate:fd use;
+allow gpuservice dumpstate:fifo_file write;
+
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 111923f..f59b5de 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -89,6 +89,7 @@
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
 pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
 pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 6ae83a3..9c5deb0 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -40,6 +40,7 @@
     device_config_storage_native_boot_prop
     device_config_sys_traced_prop
     device_config_window_manager_native_boot_prop
+    device_config_configuration_prop
     exported_camera_prop
     file_integrity_service
     fwk_automotive_display_hwservice
@@ -81,6 +82,7 @@
     art_apex_dir
     rebootescrow_hal_prop
     service_manager_service
+    service_manager_vndservice
     simpleperf
     snapshotctl_log_data_file
     socket_hook_prop
@@ -110,4 +112,5 @@
     vendor_install_recovery
     vendor_install_recovery_exec
     vendor_socket_hook_prop
+    vendor_socket_hook_prop
     virtual_ab_prop))
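Review bot: The added `vendor_socket_hook_prop` duplicates the context line directly above it, so the ignore list now names the same type twice. This looks like a merge artifact; if no other type was meant, drop the added line. If a different type was intended, it is still missing from the 29.0 ignore list, so check the list against the types this merge introduces.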
diff --git a/private/file_contexts b/private/file_contexts
index 9da83a9..ef4e042 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -212,6 +212,7 @@
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
 /system/bin/tcpdump	--	u:object_r:tcpdump_exec:s0
 /system/bin/tune2fs	--	u:object_r:fsck_exec:s0
+/system/bin/resize2fs	--	u:object_r:fsck_exec:s0
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
 /system/bin/toybox	--	u:object_r:toolbox_exec:s0
 /system/bin/ld\.mc              u:object_r:rs_exec:s0
diff --git a/private/gsid.te b/private/gsid.te
index 5d7b043..3ff9d67 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -135,6 +135,8 @@
       ota_image_data_file
 }:file ioctl FS_IOC_FIEMAP;
 
+allow gsid system_server:binder call;
+
 neverallow {
     domain
     -init
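Review bot: The new `allow gsid system_server:binder call;` has no comment saying which system_server interface gsid needs, so a later reviewer cannot tell whether the grant is still required. A one-line comment such as `# gsid calls <system_server interface> for <purpose>.` would fix that. The raw rule grants only `call`; if gsid also exchanges binder references or file descriptors with system_server, `binder_call(gsid, system_server)` is the usual form and covers those too. The `neverallow` that follows continues outside this hunk.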
diff --git a/private/property_contexts b/private/property_contexts
index cba09a5..9175d10 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -203,6 +203,7 @@
 persist.device_config.media_native.          u:object_r:device_config_media_native_prop:s0
 persist.device_config.storage_native_boot.   u:object_r:device_config_storage_native_boot_prop:s0
 persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
 
 # Properties that relate to legacy server configurable flags
 persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 13baa74..7c24598 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -301,6 +301,7 @@
   hal_camera_server
   hal_codec2_server
   hal_face_server
+  hal_fingerprint_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
@@ -636,6 +637,7 @@
 set_prop(system_server, device_config_storage_native_boot_prop)
 set_prop(system_server, device_config_sys_traced_prop)
 set_prop(system_server, device_config_window_manager_native_boot_prop)
+set_prop(system_server, device_config_configuration_prop)
 
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@@ -1058,7 +1060,7 @@
 ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
   `allow system_server self:process execmem;',
   `neverallow system_server self:process execmem;')
-neverallow system_server ashmem_device:chr_file execute;
+neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
 
 # TODO: deal with tmpfs_domain pub/priv split properly
 neverallow system_server system_server_tmpfs:file execute;
diff --git a/public/app.te b/public/app.te
index 4ceb4a6..e5b9fd6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -11,7 +11,7 @@
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
-allow appdomain ashmem_device:chr_file execute;
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
 
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
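Review bot: The widened rule `allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;` gives every app domain execute access to a second device node without a comment explaining why. The comment two lines above it describes `execmem`, not this rule. The same change adds `ashmem_libcutils_device` to a `neverallow ... execute` for system_server in private/system_server.te, so executable mappings of this node are treated as sensitive there. Add a comment in the form `# <why apps need executable ashmem mappings; applies to both device nodes>` and confirm that all of appdomain needs the permission rather than a narrower set.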
@@ -317,7 +317,7 @@
 allow appdomain proc_meminfo:file r_file_perms;
 
 # For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write };
+allow appdomain app_fuse_file:file { getattr read append write map };
 
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index b64fcdc..1e895e4 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -81,6 +81,7 @@
   hal_codec2_server
   hal_drm_server
   hal_face_server
+  hal_fingerprint_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index cf33ce7..6315d44 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -13,6 +13,7 @@
 set_prop(flags_health_check, device_config_storage_native_boot_prop)
 set_prop(flags_health_check, device_config_sys_traced_prop)
 set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
 
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
 allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/property.te b/public/property.te
index 8f4b7a3..cfaa190 100644
--- a/public/property.te
+++ b/public/property.te
@@ -12,6 +12,7 @@
 system_internal_prop(device_config_storage_native_boot_prop)
 system_internal_prop(device_config_sys_traced_prop)
 system_internal_prop(device_config_window_manager_native_boot_prop)
+system_internal_prop(device_config_configuration_prop)
 system_internal_prop(firstboot_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/public/property_contexts b/public/property_contexts
index 711ffe6..6e91c0a 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -92,6 +92,7 @@
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
 pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
 pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
@@ -183,7 +184,7 @@
 zram.force_writeback u:object_r:exported3_default_prop:s0 exact bool
 
 # vendor-init-readable
-apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
 persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
 persist.sys.theme u:object_r:theme_prop:s0 exact string
@@ -285,18 +286,6 @@
 sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
 vold.decrypt u:object_r:exported_vold_prop:s0 exact string
 
-# r/o sanitizer properties, public-readable
-ro.sanitize.address u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.cfi u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.default-ub u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.fuzzer u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.hwaddress u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.integer_overflow u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.safe-stack u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.scudo u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.thread u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.undefined u:object_r:exported2_default_prop:s0 exact bool
-
 # vendor-init-settable|public-readable
 aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
 aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 806944f..57d8e7e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -81,5 +81,6 @@
 get_prop(update_engine_common, virtual_ab_prop)
 
 # Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common metadata_file:dir search;
 allow update_engine_common ota_metadata_file:dir rw_dir_perms;
 allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/public/vndservice.te b/public/vndservice.te
index 0d309bf..efd9adf 100644
--- a/public/vndservice.te
+++ b/public/vndservice.te
@@ -1 +1,2 @@
+type service_manager_vndservice, vndservice_manager_type;
 type default_android_vndservice, vndservice_manager_type;
diff --git a/public/vold.te b/public/vold.te
index fd3ed84..e17113d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -204,6 +204,7 @@
 set_prop(vold, ctl_fuse_prop)
 set_prop(vold, restorecon_prop)
 set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
index 4cca2fb..068056f 100644
--- a/vendor/vndservice_contexts
+++ b/vendor/vndservice_contexts
@@ -1 +1,2 @@
+manager                 u:object_r:service_manager_vndservice:s0
 *                       u:object_r:default_android_vndservice:s0
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index 6e5c391..497e027 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -13,6 +13,8 @@
 # Read vndservice_contexts
 allow vndservicemanager vndservice_contexts_file:file r_file_perms;
 
+add_service(vndservicemanager, service_manager_vndservice)
+
 # Start lazy services
 set_prop(vndservicemanager, ctl_interface_start_prop)