Merge "Exempt older vendor images from recent mls changes."
diff --git a/private/app.te b/private/app.te
index ab9cf3c..dacea29 100644
--- a/private/app.te
+++ b/private/app.te
@@ -59,3 +59,6 @@
# Allow to read persist.config.calibration_fac
get_prop(appdomain, camera_calibration_prop)
+
+# Allow to read db.log.detailed, db.log.slow_query_threshold*
+get_prop(appdomain, sqlite_log_prop)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 9cc23b4..49a5a77 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1302,6 +1302,7 @@
build_config_prop
init_service_status_private_prop
setupwizard_prop
+ sqlite_log_prop
verity_status_prop
zygote_wrap_prop
))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 4e7d20d..f89f2e2 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
adbd_config_prop
apex_info_file
cgroup_v2
+ ctl_snapuserd_prop
debugfs_kprobes
device_config_profcollect_native_boot_prop
device_state_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 3450010..fe3e1ae 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -12,6 +12,7 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
diff --git a/private/file_contexts b/private/file_contexts
index abd9ad0..7f8aef3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -94,7 +94,7 @@
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dm-user/.+ u:object_r:dm_user_device:s0
+/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index b30ee6c..de5f37e 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -11,6 +11,8 @@
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
+set_prop(flags_health_check, device_config_statsd_native_prop)
+set_prop(flags_health_check, device_config_statsd_native_boot_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
diff --git a/private/property.te b/private/property.te
index 9a600cf..480d3e3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,6 +1,9 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_statsd_native_prop)
+system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
@@ -524,3 +527,13 @@
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -shell
+} sqlite_log_prop:property_service set;
+
+neverallow {
+ -coredomain
+ -appdomain
+} sqlite_log_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 576887b..18f6412 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -172,6 +172,11 @@
# Restrict access to restart dumpstate
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+# Restrict access to control snapuserd
+ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -224,6 +229,8 @@
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
+persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
@@ -1026,6 +1033,8 @@
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
@@ -1070,3 +1079,7 @@
setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
+
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold.* u:object_r:sqlite_log_prop:s0 prefix int
diff --git a/private/shell.te b/private/shell.te
index b4d3505..0e94cd1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -127,6 +127,7 @@
set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
@@ -164,3 +165,6 @@
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
allow shell shell_key:keystore2_key { delete rebind use get_info update };
+
+# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
+set_prop(shell, sqlite_log_prop)
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 4632240..99ee90f 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -1,4 +1,6 @@
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
typeattribute snapuserd coredomain;
@@ -12,4 +14,5 @@
allow snapuserd dm_device:blk_file rw_file_perms;
# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
diff --git a/private/statsd.te b/private/statsd.te
index 1483156..444d82e 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -21,3 +21,7 @@
# Allow statsd to retrieve SF statistics over binder
binder_call(statsd, surfaceflinger);
+
+# Allow statsd to read its system properties
+get_prop(statsd, device_config_statsd_native_prop)
+get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/private/system_server.te b/private/system_server.te
index a60c327..78abdff 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -627,6 +627,8 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
+set_prop(system_server, device_config_statsd_native_prop)
+set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
diff --git a/private/update_engine.te b/private/update_engine.te
index a33e675..8e09154 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -9,6 +9,9 @@
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
+# Allow to start snapuserd for dm-user communication.
+set_prop(update_engine, ctl_snapuserd_prop)
+
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
@@ -17,3 +20,7 @@
# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)
+
+# Allow to communicate with the snapuserd service, for dm-user snapshots.
+allow update_engine snapuserd:unix_stream_socket connectto;
+allow update_engine snapuserd_socket:sock_file write;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 36d1283..fdd50d1 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -148,6 +148,9 @@
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_identity)
+dump_hal(hal_face)
+dump_hal(hal_fingerprint)
+dump_hal(hal_gnss)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/public/init.te b/public/init.te
index 805d9c2..d966e68 100644
--- a/public/init.te
+++ b/public/init.te
@@ -27,7 +27,7 @@
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
-allow init { device socket_device }:dir relabelto;
+allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
diff --git a/public/property.te b/public/property.te
index cb3b91d..4afc2a0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -77,6 +77,7 @@
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
system_restricted_prop(socket_hook_prop)
+system_restricted_prop(sqlite_log_prop)
system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
diff --git a/public/shell.te b/public/shell.te
index fa9079c..677d567 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -122,6 +122,8 @@
allow shell sysfs_net:dir r_dir_perms;
r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell vendor_cgroup_desc_file:file r_file_perms;
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/snapuserd.te b/public/snapuserd.te
deleted file mode 100644
index 2dd2db2..0000000
--- a/public/snapuserd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
-
-type snapuserd, domain;
-type snapuserd_exec, exec_type, file_type, system_file_type;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index d110238..dd90fbc 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -65,6 +65,10 @@
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;