Merge "Make font_fallback.xml unreadable" into main
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 7558604..d9c8d1d 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -7,6 +7,7 @@
   ( new_objects
     archive_service
     ota_build_prop
+    dtbo_block_device
     snapuserd_log_data_file
     hal_threadnetwork_service
     virtual_camera_service
diff --git a/private/traced.te b/private/traced.te
index fc75239..d4e5bec 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -52,6 +52,11 @@
   userdebug_or_eng(`system_server_tmpfs')
 }:file { getattr map read write };
 
+# Allow setting debug properties which guard initialization of the Perfetto SDK
+# in SurfaceFlinger and HWUI's copy of Skia.
+# Required for the android.sdk_sysprop_guard data source.
+# TODO(b/281329340): remove this when no longer needed.
+set_prop(traced, debug_prop)
 # Allow traced to notify Traceur when a trace ends by setting the
 # sys.trace.trace_end_signal property.
 set_prop(traced, system_trace_prop)
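Review bot: The new `set_prop(traced, debug_prop)` grants write access to the whole debug_prop context, which is wider than the two guard properties the comment describes (Perfetto SDK initialization in SurfaceFlinger and HWUI's Skia); any debug.* property carrying that label becomes settable by traced. If a narrower property context for those guards is not practical, the comment should say so explicitly so the TODO is not read as covering only the two named properties, e.g. `# NOTE: debug_prop is broad; this grants traced write on every property labelled debug_prop, not just the SDK guards.` The surrounding traced policy continues outside this hunk, so whether a neverallow elsewhere constrains this further cannot be seen here.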
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 2a0bd37..3bed3c6 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -27,5 +27,9 @@
 # vfio_handler can only use fd from virtualizationmanager, and can't open files itself
 neverallow vfio_handler virtualizationservice_data_file:file { open create };
 
+# Allow vfio_handler to search /dev/block for accessing dtbo.img
+allow vfio_handler block_device:dir search;
+allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+
 # Only vfio_handler can add vfio_handler_service
 neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
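Review bot: The added `allow vfio_handler dtbo_block_device:blk_file r_file_perms;` lets vfio_handler open and read a block device itself, which contradicts the unchanged comment two lines above it ("can't open files itself"); the neverallow on that line is scoped to virtualizationservice_data_file, so the policy compiles, but the comment is now misleading. The comment should be narrowed to what the neverallow actually enforces, e.g. `# vfio_handler can only use VM data file fds from virtualizationmanager and can't open those itself`. Since this is raw read access to a partition, a neverallow restricting dtbo_block_device reads to the intended domains would document the boundary; I cannot tell from this hunk whether one exists elsewhere.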
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 0dcbe50..ddb2828 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -53,12 +53,6 @@
 allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
 allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
 
-# vold_prepare_subdirs asks apex_service for the list of APEXes
-# to prepapre apexdata dirs.
-binder_use(vold_prepare_subdirs)
-binder_call(vold_prepare_subdirs, apexd)
-allow vold_prepare_subdirs apex_service:service_manager find;
-
 # Migrate legacy labels to apex_system_server_data_file (b/217581286)
 allow vold_prepare_subdirs {
   apex_appsearch_data_file
diff --git a/public/apexd.te b/public/apexd.te
index 0b8073e..53bc569 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -5,7 +5,7 @@
 binder_use(apexd)
 add_service(apexd, apex_service)
 
-neverallow { domain -init -apexd -system_server -update_engine -vold_prepare_subdirs} apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine -vold_prepare_subdirs} apexd:binder call;
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/public/device.te b/public/device.te
index 36299d3..4a824c9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -93,6 +93,10 @@
 # Documented at https://source.android.com/devices/bootloader/partitions
 type boot_block_device, dev_type;
 
+# dtbo block device, type used for getting DTBO information for AVF.
+# Documented at https://source.android.com/docs/core/architecture/dto/partitions
+type dtbo_block_device, dev_type;
+
 # Userdata block device mounted on /data.
 # Documented at https://source.android.com/devices/bootloader/partitions
 type userdata_block_device, dev_type;
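Review bot: The new `type dtbo_block_device, dev_type;` is declared, but no file_contexts entry that applies this label to the dtbo partition node appears in this diff, so unless labelling is done elsewhere (device-specific policy, presumably) the allow rules in vfio_handler.te have no object to match. The comment would help a later reader more if it named the consumer, e.g. `# dtbo block device, read by vfio_handler to obtain DTBO information for AVF.`. The remainder of the block-device type list continues outside this hunk.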