Merge "Add media.resolution.limit.32bit to media_config_prop"
diff --git a/Android.mk b/Android.mk
index 66ff2e3..6fd84e9 100644
--- a/Android.mk
+++ b/Android.mk
@@ -183,7 +183,7 @@
###########################################################
define build_policy
-$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
+$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
endef
# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f33cff9..304f5a2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -46,6 +46,9 @@
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
+# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
+
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 72efc39..0fdb697 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -15,6 +15,7 @@
hal_uwb_service
hal_uwb_vendor_service
hal_wifi_hostapd_service
+ hypervisor_prop
locale_service
power_stats_service
snapuserd_prop
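Review bot: Only `hypervisor_prop` is added to the 31.0 ignore list in this hunk, although the same change also introduces `radio_cdma_ecm_prop` through `system_internal_prop(radio_cdma_ecm_prop)` in private/property.te. The list already carries `snapuserd_prop`, which is declared the same way in that file, so private property types appear to be tracked here too. Please confirm whether `radio_cdma_ecm_prop` needs an entry in its sorted position; it may be added in a part of the change that is not shown.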
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
index 16a57e2..5b11f26 100644
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@@ -5,6 +5,9 @@
allow compos_fd_server odrefresh:fd use;
allow compos_fd_server apex_art_data_file:file { getattr read };
allow compos_fd_server apex_art_staging_data_file:file { getattr read write };
+# Use a pipe to signal readiness
+allow compos_fd_server odrefresh:fifo_file write;
+
# TODO(b/196109647) - remove this when no longer needed by minijail
allow compos_fd_server odrefresh:fifo_file read;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 37a9a0c..4fad585 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -91,6 +91,9 @@
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)
+# For dumping hypervisor information.
+get_prop(dumpstate, hypervisor_prop)
+
# For dumping device-mapper and snapshot information.
allow dumpstate gsid_exec:file rx_file_perms;
set_prop(dumpstate, ctl_gsid_prop)
diff --git a/private/init.te b/private/init.te
index f569e0c..200780d 100644
--- a/private/init.te
+++ b/private/init.te
@@ -92,6 +92,9 @@
# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;
+# Only init can write ro.boot.hypervisor properties
+neverallow { domain -init } hypervisor_prop:property_service set;
+
# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;
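Review bot: The comment added above the `hypervisor_prop` neverallow speaks of `ro.boot.hypervisor properties`, but the property_contexts hunk in this change labels only `ro.boot.hypervisor.version`, and does so with `exact`. Any other `ro.boot.hypervisor.*` key would take whatever label the broader `ro.boot.` rule assigns (not visible here) and would not be covered by this neverallow. I would narrow the comment to `# Only init can write ro.boot.hypervisor.version (hypervisor_prop)`, or add a prefix entry for the namespace if more keys are planned.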
diff --git a/private/perfetto.te b/private/perfetto.te
index f9693da..174855f 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -8,6 +8,9 @@
tmpfs_domain(perfetto);
+# Allow init to start a trace (for perfetto_boottrace).
+init_daemon_domain(perfetto)
+
# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)
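Review bot: `init_daemon_domain(perfetto)` is broader than the comment above it suggests. As the macro is normally defined, it sets up an automatic transition into `perfetto` for anything init executes that is labelled `perfetto_exec`, not only the boot-trace case. I would make the comment name the intended init service and state the expectation, e.g. `# init enters this domain only via the perfetto_boottrace service; no other init service should exec perfetto_exec.` Most of the perfetto domain's rules lie outside this hunk, so it is also worth confirming they remain appropriate when the process is started by init rather than by its existing callers.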
diff --git a/private/property.te b/private/property.te
index 659d1d4..32cdc75 100644
--- a/private/property.te
+++ b/private/property.te
@@ -29,6 +29,7 @@
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
+system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
diff --git a/private/property_contexts b/private/property_contexts
index c37655a..f4a0f78 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -82,6 +82,7 @@
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
+ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
ro.serialno u:object_r:serialno_prop:s0
@@ -677,6 +678,8 @@
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
+# Properties specific to virtualized deployments of Android
+ro.boot.hypervisor.version u:object_r:hypervisor_prop:s0 exact string
# These ro.X properties are set to values of ro.boot.X by property_service.
ro.baseband u:object_r:bootloader_prop:s0 exact string
@@ -882,6 +885,7 @@
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
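Review bot: `ro.vendor.api_level` is added directly under the comment `# GRF property for the first api level of the vendor partition`, which describes `ro.board.first_api_level` rather than the new key. Because the `build_vendor_prop` label decides which domains may set it, I would add a one-line comment saying what the property holds and which component is expected to write it. The rules granting write access to `build_vendor_prop` are not visible in this change, so that should be checked against the intended writer.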
diff --git a/private/radio.te b/private/radio.te
index 2758289..08365f0 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -9,6 +9,7 @@
set_prop(radio, radio_prop)
set_prop(radio, net_radio_prop)
set_prop(radio, telephony_status_prop)
+set_prop(radio, radio_cdma_ecm_prop)
# ctl interface
set_prop(radio, ctl_rildaemon_prop)
diff --git a/private/system_server.te b/private/system_server.te
index ee4cfe2..66f9ba4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -20,7 +20,7 @@
# Create a socket for connections from zygotes.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
-allow system_server zygote_tmpfs:file read;
+allow system_server zygote_tmpfs:file { map read };
allow system_server appdomain_tmpfs:file { getattr map read write };
# For Incremental Service to check if incfs is available
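Review bot: The widened rule `allow system_server zygote_tmpfs:file { map read };` carries no comment explaining why system_server now needs to mmap tmpfs files created by the zygote. The grant stays read-only, unlike the `appdomain_tmpfs` rule on the next line, which is good, but an unexplained permission on a domain as privileged as system_server is hard to audit later. I would add a line above it naming the consumer, along the lines of `# Needed to mmap <region inherited from zygote> read-only.`, with the placeholder replaced by the actual user.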
diff --git a/public/property.te b/public/property.te
index 1d3f358..2b2af6d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -69,6 +69,7 @@
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)