Merge "Expose max.active.modem to be vendor inittable."
diff --git a/apex/com.android.i18n-file_contexts b/apex/com.android.i18n-file_contexts
index c8b6ba1..51d45a0 100644
--- a/apex/com.android.i18n-file_contexts
+++ b/apex/com.android.i18n-file_contexts
@@ -2,3 +2,4 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index fadc7db..e4719f5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -75,6 +75,7 @@
mirror_data_file
light_service
linkerconfig_file
+ lmkd_prop
media_variant_prop
metadata_bootstat_file
mnt_pass_through_file
diff --git a/private/lmkd.te b/private/lmkd.te
index 7246051..1e7bbde 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -4,3 +4,8 @@
# Set sys.lmk.* properties.
set_prop(lmkd, system_lmk_prop)
+
+# Set lmkd.* properties.
+set_prop(lmkd, lmkd_prop)
+
+neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 2dacd88..332c81d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -249,10 +249,8 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
-# vendor-init-readable
persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact bool
-# vendor-init-settable
af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool
@@ -437,10 +435,12 @@
ro.lmk.psi_partial_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.swap_util_max u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
+lmkd.reinit u:object_r:lmkd_prop:s0 exact int
ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
@@ -501,7 +501,6 @@
zram.force_writeback u:object_r:exported3_default_prop:s0 exact bool
-# vendor-init-readable
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
@@ -515,13 +514,11 @@
sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
sys.vdso u:object_r:exported3_system_prop:s0 exact string
-# vendor-init-settable
persist.sys.zram_enabled u:object_r:exported2_system_prop:s0 exact bool
sys.usb.config u:object_r:exported_system_radio_prop:s0 exact string
sys.usb.configfs u:object_r:exported_system_radio_prop:s0 exact int
-# public-readable
aac_drc_boost u:object_r:exported2_default_prop:s0 exact int
aac_drc_cut u:object_r:exported2_default_prop:s0 exact int
aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
@@ -635,7 +632,6 @@
vold.decrypt u:object_r:vold_status_prop:s0 exact string
-# vendor-init-settable|public-readable
aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
aaudio.mixer_bursts u:object_r:exported_default_prop:s0 exact int
@@ -785,8 +781,6 @@
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-#
-# public-readable
ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
ro.bootmode u:object_r:exported2_default_prop:s0 exact string
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1bad9c1..e944063 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -153,12 +153,13 @@
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
-user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
+user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
diff --git a/private/update_engine.te b/private/update_engine.te
index a76ab49..539399e 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -11,3 +11,6 @@
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
+
+# Allow to get the DSU status
+get_prop(update_engine, gsid_prop)
diff --git a/public/asan_extract.te b/public/asan_extract.te
index 22da8c1..d8a1b73 100644
--- a/public/asan_extract.te
+++ b/public/asan_extract.te
@@ -5,7 +5,7 @@
with_asan(`
type asan_extract, domain, coredomain;
- type asan_extract_exec, exec_type, file_type;
+ type asan_extract_exec, exec_type, file_type, system_file_type;
# Allow asan_extract to execute itself using #!/system/bin/sh
allow asan_extract shell_exec:file rx_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 8e6e150..0ab5f22 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -948,6 +948,23 @@
')
full_treble_only(`
+ # Do not allow coredomain to access entrypoint for files other
+ # than system_file_type and postinstall_file
+ neverallow coredomain {
+ file_type
+ -system_file_type
+ -postinstall_file
+ }:file entrypoint;
+ # Do not allow domains other than coredomain to access entrypoint
+ # for anything but vendor_file_type and init_exec for vendor_init.
+ neverallow { domain -coredomain } {
+ file_type
+ -vendor_file_type
+ -init_exec
+ }:file entrypoint;
+')
+
+full_treble_only(`
# Do not allow system components to execute files from vendor
# except for the ones whitelisted here.
neverallow {
diff --git a/public/lmkd.te b/public/lmkd.te
index 7c1e741..c9f2e64 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -57,6 +57,9 @@
# Read/Write /proc/pressure/memory
allow lmkd proc_pressure_mem:file rw_file_perms;
+# Allow lmkd to connect during reinit.
+allow lmkd lmkd_socket:sock_file write;
+
# Allow lmkd to write to statsd.
unix_socket_send(lmkd, statsdw, statsd)
diff --git a/public/modprobe.te b/public/modprobe.te
index 1190409..2c7d64b 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -1,6 +1,7 @@
type modprobe, domain;
allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
recovery_only(`
diff --git a/public/property.te b/public/property.te
index 8e5a7fc..62ad182 100644
--- a/public/property.te
+++ b/public/property.te
@@ -143,6 +143,7 @@
system_public_prop(exported_wifi_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
+system_public_prop(lmkd_prop)
system_public_prop(logd_prop)
system_public_prop(logpersistd_logging_prop)
system_public_prop(log_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index cd96643..f95d096 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -226,6 +226,7 @@
set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, incremental_prop)
+set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index 7689ca5..61df9e0 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -4,6 +4,7 @@
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
allow vendor_modprobe proc_modules:file r_file_perms;
+allow vendor_modprobe proc_cmdline:file r_file_perms;
allow vendor_modprobe self:global_capability_class_set sys_module;
allow vendor_modprobe kernel:key search;