Merge "Allow graphics_config_writable_prop to be modified." into udc-dev
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index a663761..54078ba 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -55,6 +55,7 @@
permissive_mte_prop
persist_sysui_builder_extras_prop
prng_seeder
+ quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
rkpdapp
diff --git a/prebuilts/api/34.0/private/coredomain.te b/prebuilts/api/34.0/private/coredomain.te
index 83930a5..8abc646 100644
--- a/prebuilts/api/34.0/private/coredomain.te
+++ b/prebuilts/api/34.0/private/coredomain.te
@@ -14,6 +14,7 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/prebuilts/api/34.0/private/gmscore_app.te b/prebuilts/api/34.0/private/gmscore_app.te
index cd05a65..46b90c6 100644
--- a/prebuilts/api/34.0/private/gmscore_app.te
+++ b/prebuilts/api/34.0/private/gmscore_app.te
@@ -152,6 +152,11 @@
# Allow GMSCore to read RKP properties for the purpose of GTS testing.
get_prop(gmscore_app, remote_prov_prop)
+# Allow GmsCore to read Quick Start properties and prevent access from other
+# policies.
+get_prop(gmscore_app, quick_start_prop)
+neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file no_rw_file_perms;
+
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index d7523c6..c116d4b 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -533,6 +533,8 @@
bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_tx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_rx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
@@ -947,6 +949,8 @@
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.cpu.pagesize.max u:object_r:build_prop:s0 exact enum 4096 16384 65536
+
ro.product.system.brand u:object_r:build_prop:s0 exact string
ro.product.system.device u:object_r:build_prop:s0 exact string
ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
@@ -1557,3 +1561,7 @@
# System UI notification properties
persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
+
+# Properties for Quick Start setup.
+ro.quick_start.oem_id u:object_r:quick_start_prop:s0 exact string
+ro.quick_start.device_id u:object_r:quick_start_prop:s0 exact string
diff --git a/prebuilts/api/34.0/private/sdk_sandbox.te b/prebuilts/api/34.0/private/sdk_sandbox.te
index 4806e6d..9d6abcb 100644
--- a/prebuilts/api/34.0/private/sdk_sandbox.te
+++ b/prebuilts/api/34.0/private/sdk_sandbox.te
@@ -297,6 +297,26 @@
-zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+# Only certain domains should be able to open and write to the SDK's data directory.
+neverallow {
+ domain
+ -artd
+ -init
+ -installd
+ -sdk_sandbox
+ -vold_prepare_subdirs
+} sdk_sandbox_data_file:dir ~{read getattr search};
+
+# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
+neverallow {
+ domain
+ -artd
+ -init
+ -installd
+ -sdk_sandbox
+ -vold_prepare_subdirs
+} sdk_sandbox_data_file:file ~{append read write getattr lock map};
+
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
diff --git a/prebuilts/api/34.0/public/property.te b/prebuilts/api/34.0/public/property.te
index 076ced9..5ee8d60 100644
--- a/prebuilts/api/34.0/public/property.te
+++ b/prebuilts/api/34.0/public/property.te
@@ -170,6 +170,7 @@
system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
+system_vendor_config_prop(quick_start_prop)
system_vendor_config_prop(recovery_config_prop)
system_vendor_config_prop(recovery_usb_config_prop)
system_vendor_config_prop(sendbug_config_prop)
diff --git a/prebuilts/api/34.0/public/service.te b/prebuilts/api/34.0/public/service.te
index 27403ca..b32314d 100644
--- a/prebuilts/api/34.0/public/service.te
+++ b/prebuilts/api/34.0/public/service.te
@@ -80,7 +80,7 @@
type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
+type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a663761..54078ba 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -55,6 +55,7 @@
permissive_mte_prop
persist_sysui_builder_extras_prop
prng_seeder
+ quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
rkpdapp
diff --git a/private/coredomain.te b/private/coredomain.te
index 83930a5..8abc646 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,6 +14,7 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index cd05a65..46b90c6 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -152,6 +152,11 @@
# Allow GMSCore to read RKP properties for the purpose of GTS testing.
get_prop(gmscore_app, remote_prov_prop)
+# Allow GmsCore to read Quick Start properties and prevent access from other
+# policies.
+get_prop(gmscore_app, quick_start_prop)
+neverallow { domain -init -dumpstate -vendor_init -gmscore_app } quick_start_prop:file no_rw_file_perms;
+
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
diff --git a/private/property_contexts b/private/property_contexts
index d7523c6..c116d4b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -533,6 +533,8 @@
bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_tx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.radio.le_rx_path_loss_comp_db u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
@@ -947,6 +949,8 @@
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.cpu.pagesize.max u:object_r:build_prop:s0 exact enum 4096 16384 65536
+
ro.product.system.brand u:object_r:build_prop:s0 exact string
ro.product.system.device u:object_r:build_prop:s0 exact string
ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
@@ -1557,3 +1561,7 @@
# System UI notification properties
persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
+
+# Properties for Quick Start setup.
+ro.quick_start.oem_id u:object_r:quick_start_prop:s0 exact string
+ro.quick_start.device_id u:object_r:quick_start_prop:s0 exact string
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 4806e6d..9d6abcb 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -297,6 +297,26 @@
-zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+# Only certain domains should be able to open and write to the SDK's data directory.
+neverallow {
+ domain
+ -artd
+ -init
+ -installd
+ -sdk_sandbox
+ -vold_prepare_subdirs
+} sdk_sandbox_data_file:dir ~{read getattr search};
+
+# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
+neverallow {
+ domain
+ -artd
+ -init
+ -installd
+ -sdk_sandbox
+ -vold_prepare_subdirs
+} sdk_sandbox_data_file:file ~{append read write getattr lock map};
+
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
diff --git a/public/property.te b/public/property.te
index 076ced9..5ee8d60 100644
--- a/public/property.te
+++ b/public/property.te
@@ -170,6 +170,7 @@
system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
+system_vendor_config_prop(quick_start_prop)
system_vendor_config_prop(recovery_config_prop)
system_vendor_config_prop(recovery_usb_config_prop)
system_vendor_config_prop(sendbug_config_prop)
diff --git a/public/service.te b/public/service.te
index 27403ca..b32314d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -80,7 +80,7 @@
type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
+type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;