Merge "Revert "Coredomain can't execute vendor code.""
diff --git a/Android.mk b/Android.mk
index ba99f59..ffcff1e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -262,6 +262,7 @@
$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
$(transform-policy-to-conf)
# b/37755687
@@ -288,6 +289,7 @@
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
$(transform-policy-to-conf)
@@ -336,6 +338,7 @@
$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
$(transform-policy-to-conf)
@@ -451,6 +454,7 @@
$(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(nonplat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(nonplat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
$(transform-policy-to-conf)
@@ -882,6 +886,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
+ifeq ($(PRODUCT_COMPATIBLE_PROPERTY),true)
+plat_pcfiles += $(LOCAL_PATH)/public/property_contexts
+endif
plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp
$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
@@ -1281,6 +1288,7 @@
$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY))
$(transform-policy-to-conf)
diff --git a/OWNERS b/OWNERS
index 4bd7e34..c15fa63 100644
--- a/OWNERS
+++ b/OWNERS
@@ -4,3 +4,4 @@
dcashman@google.com
jbires@google.com
sspatil@google.com
+jgalenson@google.com
diff --git a/definitions.mk b/definitions.mk
index 45240e7..8a8c9c6 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -9,6 +9,7 @@
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
+ -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
$(PRIVATE_TGT_RECOVERY) \
-s $^ > $@
endef
diff --git a/private/adbd.te b/private/adbd.te
index 2f6a450..9dcfc81 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -55,6 +55,7 @@
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)
+set_prop(adbd, exported_ffs_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
diff --git a/private/bug_map b/private/bug_map
index d493c55..8b31001 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -4,3 +4,4 @@
crash_dump app_data_file dir 68319037
crash_dump bluetooth_data_file dir 68319037
crash_dump vendor_overlay_file dir 68319037
+statsd statsd capability 71537285
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 2370dc1..dcb3216 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -487,7 +487,9 @@
(typeattributeset proc_meminfo_26_0 (proc_meminfo))
(typeattributeset proc_misc_26_0 (proc_misc))
(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0 (proc_net))
+(typeattributeset proc_net_26_0
+ ( proc_net
+ proc_qtaguid_stat))
(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
(typeattributeset proc_perf_26_0 (proc_perf))
(typeattributeset proc_security_26_0 (proc_security))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b38eb15..5b30be0 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -10,6 +10,24 @@
crossprofileapps_service
e2fs
e2fs_exec
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_overlay_prop
+ exported_pm_prop
+ exported_radio_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
fs_bpf
hal_broadcastradio_hwservice
hal_cas_hwservice
@@ -61,6 +79,7 @@
traced_producer_socket
traced_tmpfs
update_engine_log_data_file
+ vendor_default_prop
vendor_init
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/coredomain.te b/private/coredomain.te
index 0ca4913..244c83c 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1 +1,2 @@
get_prop(coredomain, pm_prop)
+get_prop(coredomain, exported_pm_prop)
diff --git a/private/file_contexts b/private/file_contexts
index 1829b1c..f05d318 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -288,6 +288,7 @@
/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 29bd0c4..d05d386 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,6 +17,7 @@
genfscon proc /mounts u:object_r:proc_mounts:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
genfscon proc /softirqs u:object_r:proc_timer:s0
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 2c4a809..99c09da 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -37,3 +37,4 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
+set_prop(mediaprovider, exported_ffs_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 1706224..de9fce1 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -9,7 +9,10 @@
net.lte u:object_r:net_radio_prop:s0
net.cdma u:object_r:net_radio_prop:s0
net.dns u:object_r:net_dns_prop:s0
-sys.usb.config u:object_r:system_radio_prop:s0
+# TODO(b/36001741): Rename to sys.usb.config when exact match is supported and
+# so an exact-matching spec isn't considered as a duplicate of a
+# prefix-matching spec having the same property name.
+sys.usb.conf u:object_r:system_radio_prop:s0
ril. u:object_r:radio_prop:s0
ro.ril. u:object_r:radio_prop:s0
gsm. u:object_r:radio_prop:s0
@@ -45,6 +48,7 @@
persist.bluetooth. u:object_r:bluetooth_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
+ro.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
logd.logpersistd u:object_r:logpersistd_logging_prop:s0
@@ -86,6 +90,9 @@
# ro.build.fingerprint is either set in /system/build.prop, or is
# set at runtime by system_server.
+# TODO(b/36001741): Copy into exported_property_contexts when exact match is
+# supported and so an exact-matching spec isn't considered as a duplicate of a
+# prefix-matching spec having the same property name.
ro.build.fingerprint u:object_r:fingerprint_prop:s0
ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
@@ -120,3 +127,10 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
+
+# Common vendor default properties.
+init.svc.vendor. u:object_r:vendor_default_prop:s0
+ro.hardware. u:object_r:vendor_default_prop:s0
+ro.vendor. u:object_r:vendor_default_prop:s0
+persist.vendor. u:object_r:vendor_default_prop:s0
+vendor. u:object_r:vendor_default_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 062b6de..af29c56 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -48,6 +48,7 @@
dropbox u:object_r:dropbox_service:s0
dumpstate u:object_r:dumpstate_service:s0
econtroller u:object_r:radio_service:s0
+euicc_card_controller u:object_r:radio_service:s0
lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
fingerprint u:object_r:fingerprint_service:s0
diff --git a/private/statsd.te b/private/statsd.te
index 6b7f8cd..fee1881 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -13,10 +13,15 @@
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file rx_file_perms;
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;
@@ -25,6 +30,7 @@
binder_call(statsd, appdomain)
binder_call(statsd, incidentd)
binder_call(statsd, statscompanion_service)
+binder_call(statsd, system_server)
# Allow logd access.
read_logd(statsd)
@@ -50,6 +56,10 @@
# Allow statsd to call back to stats with status updates.
binder_call(statsd, stats)
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_power)
+
###
### neverallow rules
###
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f28e3fe..694bb2f 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -46,6 +46,9 @@
# Set properties.
set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, exported_system_prop)
+set_prop(surfaceflinger, exported2_system_prop)
+set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app.
diff --git a/private/system_app.te b/private/system_app.te
index 0381c4f..7b8f3bf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -34,13 +34,18 @@
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
+set_prop(system_app, exported_system_prop)
+set_prop(system_app, exported2_system_prop)
+set_prop(system_app, exported3_system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
+set_prop(system_app, exported_system_radio_prop)
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
+auditallow system_app exported_system_radio_prop:property_service set;
# ctl interface
set_prop(system_app, ctl_default_prop)
diff --git a/private/system_server.te b/private/system_server.te
index c29d1b2..973b017 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -468,18 +468,24 @@
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, exported_system_prop)
+set_prop(system_server, exported2_system_prop)
+set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, system_radio_prop)
+set_prop(system_server, exported_system_radio_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
+set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
+set_prop(system_server, exported_pm_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -696,6 +702,7 @@
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
proc_loadavg
proc_meminfo
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 7bdcd84..58e510e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set dac_override;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
diff --git a/private/zygote.te b/private/zygote.te
index 9ec0e4a..b592591 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -110,6 +110,7 @@
# Let the zygote access overlays so it can initialize the AssetManager.
get_prop(zygote, overlay_prop)
+get_prop(zygote, exported_overlay_prop)
###
### neverallow rules
diff --git a/public/app.te b/public/app.te
index 3b04955..582995a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -171,11 +171,13 @@
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
-# read /proc/net/xt_qtguid/stats
-r_dir_file({ appdomain -ephemeral_app}, proc_net)
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
+# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
+# Exclude isolated app which may not use network sockets.
+r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
diff --git a/public/charger.te b/public/charger.te
index ed69867..33f3254 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -38,3 +38,6 @@
# charger needs to tell init to continue the boot
# process when running in charger mode.
set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported2_system_prop)
+set_prop(charger, exported3_system_prop)
diff --git a/public/domain.te b/public/domain.te
index 70d8ae2..e64b644 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -85,7 +85,57 @@
# For now, everyone can access core property files
# Device specific properties are not granted by default
-get_prop(domain, core_property_type)
+not_compatible_property(`
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported_dalvik_prop)
+ get_prop(domain, exported_ffs_prop)
+ get_prop(domain, exported_system_radio_prop)
+ get_prop(domain, exported2_config_prop)
+ get_prop(domain, exported2_radio_prop)
+ get_prop(domain, exported2_system_prop)
+ get_prop(domain, exported2_vold_prop)
+ get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+ get_prop({coredomain appdomain shell}, exported_ffs_prop)
+ get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_config_prop)
+ get_prop({coredomain appdomain shell}, exported2_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_system_prop)
+ get_prop({coredomain appdomain shell}, exported2_vold_prop)
+ get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ userdebug_or_eng(`
+ get_prop(su, core_property_type)
+ get_prop(su, exported_dalvik_prop)
+ get_prop(su, exported_ffs_prop)
+ get_prop(su, exported_system_radio_prop)
+ get_prop(su, exported2_config_prop)
+ get_prop(su, exported2_radio_prop)
+ get_prop(su, exported2_system_prop)
+ get_prop(su, exported2_vold_prop)
+ get_prop(su, exported3_default_prop)
+ get_prop(su, exported3_system_prop)
+ ')
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
+# Public readable properties
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_radio_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, exported_vold_prop)
+get_prop(domain, exported2_default_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, logd_prop)
+
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
@@ -459,10 +509,22 @@
neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
+compatible_property_only(`
+ neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported2_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+')
+
# Only core domains are allowed to access package_manager properties
neverallow { domain -init -system_server } pm_prop:property_service set;
neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+compatible_property_only(`
+ neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
+ neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
+')
+
# Do not allow reading device's serial number from system properties except form
# a few whitelisted domains.
neverallow {
diff --git a/public/dumpstate.te b/public/dumpstate.te
index dd7c1ab..da5a90c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -220,6 +220,7 @@
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
diff --git a/public/file.te b/public/file.te
index e8e87b8..9d74f85 100644
--- a/public/file.te
+++ b/public/file.te
@@ -12,6 +12,7 @@
type usermodehelper, fs_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
+type proc_qtaguid_stat, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type proc_abi, fs_type;
type proc_asound, fs_type;
diff --git a/public/healthd.te b/public/healthd.te
index fdbba0a..8a1d3ec 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -53,3 +53,6 @@
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported2_system_prop)
+set_prop(healthd, exported3_system_prop)
diff --git a/public/property.te b/public/property.te
index be84d4a..bfb7f76 100644
--- a/public/property.te
+++ b/public/property.te
@@ -53,6 +53,27 @@
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
+# Properties for whitelisting
+type exported_config_prop, property_type;
+type exported_dalvik_prop, property_type;
+type exported_default_prop, property_type;
+type exported_dumpstate_prop, property_type;
+type exported_ffs_prop, property_type;
+type exported_overlay_prop, property_type;
+type exported_pm_prop, property_type;
+type exported_radio_prop, property_type;
+type exported_system_prop, property_type;
+type exported_system_radio_prop, property_type;
+type exported_vold_prop, property_type;
+type exported2_config_prop, property_type;
+type exported2_default_prop, property_type;
+type exported2_radio_prop, property_type;
+type exported2_system_prop, property_type;
+type exported2_vold_prop, property_type;
+type exported3_default_prop, property_type;
+type exported3_system_prop, property_type;
+type vendor_default_prop, property_type;
+
allow property_type tmpfs:filesystem associate;
###
@@ -92,3 +113,53 @@
-system_radio_prop
-vold_prop
}:file no_rw_file_perms;
+
+compatible_property_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_radio_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ }:file no_w_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ exported_dalvik_prop
+ exported_ffs_prop
+ exported_system_radio_prop
+ exported2_config_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -debug_prop
+ -fingerprint_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+')
diff --git a/public/property_contexts b/public/property_contexts
new file mode 100644
index 0000000..b63eec1
--- /dev/null
+++ b/public/property_contexts
@@ -0,0 +1,268 @@
+# vendor-init-readable
+persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact int
+persist.radio.multisim.config u:object_r:exported2_radio_prop:s0 exact string
+
+# vendor-init-settable
+af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
+camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
+camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
+dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapminfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapstartsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heaptargetutilization u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.isa.arm.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitinitialsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitmaxsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitprithreadweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jitthreshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jittransitionweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jniopts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.lockprof.threshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.stack-trace-dir u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
+drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
+keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
+media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
+persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.rcs.supported u:object_r:exported3_default_prop:s0 exact int
+persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+ro.adb.secure u:object_r:exported3_default_prop:s0 exact int
+ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
+ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
+ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
+ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
+ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
+ro.com.google.clientidbase u:object_r:exported3_default_prop:s0 exact string
+ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
+ro.config.media_vol_steps u:object_r:exported2_config_prop:s0 exact int
+ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
+ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
+ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
+ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
+ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
+ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
+ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
+ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
+ro.url.legal u:object_r:exported3_default_prop:s0 exact string
+ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.zygote u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
+sys.usb.ffs.max_read u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.ffs.max_write u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+sys.usb.state u:object_r:exported2_system_prop:s0 exact string
+telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
+tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
+vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
+
+# vendor-init-readable|vendor-init-actionable
+sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
+
+# vendor-init-settable|vendor-init-actionable
+sys.usb.config u:object_r:exported_system_radio_prop:s0 exact string
+sys.usb.configfs u:object_r:exported_system_radio_prop:s0 exact int
+
+# public-readable
+aac_drc_boost u:object_r:exported2_default_prop:s0 exact int
+aac_drc_cut u:object_r:exported2_default_prop:s0 exact int
+aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
+aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
+aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
+dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
+persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+ro.arch u:object_r:exported2_default_prop:s0 exact string
+ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
+ro.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
+ro.boot.console u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:exported2_default_prop:s0 exact string
+ro.boot.keymaster u:object_r:exported2_default_prop:s0 exact string
+ro.boot.mode u:object_r:exported2_default_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
+ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
+ro.bootimage.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:exported2_default_prop:s0 exact string
+ro.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.build.description u:object_r:exported2_default_prop:s0 exact string
+ro.build.display.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.host u:object_r:exported2_default_prop:s0 exact string
+ro.build.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.product u:object_r:exported2_default_prop:s0 exact string
+ro.build.system_root_image u:object_r:exported2_default_prop:s0 exact bool
+ro.build.tags u:object_r:exported2_default_prop:s0 exact string
+ro.build.user u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
+ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
+ro.crypto.type u:object_r:exported_vold_prop:s0 exact string
+ro.debuggable u:object_r:exported2_default_prop:s0 exact int
+ro.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.product.brand u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abi u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abilist u:object_r:exported2_default_prop:s0 exact string
+ro.product.device u:object_r:exported2_default_prop:s0 exact string
+ro.product.manufacturer u:object_r:exported2_default_prop:s0 exact string
+ro.product.model u:object_r:exported2_default_prop:s0 exact string
+ro.product.name u:object_r:exported2_default_prop:s0 exact string
+ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
+ro.revision u:object_r:exported2_default_prop:s0 exact string
+service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
+sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+vold.decrypt u:object_r:exported_vold_prop:s0 exact string
+
+# vendor-init-settable|public-readable
+aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.mixer_bursts u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
+gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
+media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+ro.board.platform u:object_r:exported_default_prop:s0 exact string
+ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.carrier u:object_r:exported_default_prop:s0 exact string
+ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
+ro.frp.pst u:object_r:exported_default_prop:s0 exact string
+ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
+ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
+ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
+ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
+ro.hardware.input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
+ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
+ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
+ro.hardware.power u:object_r:exported_default_prop:s0 exact string
+ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
+ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
+ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.type u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
+ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+ro.kernel.qemu u:object_r:exported_default_prop:s0 exact int
+ro.kernel.qemu.gles u:object_r:exported_default_prop:s0 exact int
+ro.product.board u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist64 u:object_r:exported_default_prop:s0 exact string
+ro.product.first_api_level u:object_r:exported_default_prop:s0 exact int
+ro.product.vendor.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.vndk.version u:object_r:exported_default_prop:s0 exact string
+ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
+wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
+wifi.interface u:object_r:exported_default_prop:s0 exact string
+
+# vendor-init-actionable|public-readable
+ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
+ro.bootmode u:object_r:exported2_default_prop:s0 exact string
+ro.build.type u:object_r:exported2_default_prop:s0 exact string
+sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
diff --git a/public/radio.te b/public/radio.te
index 094d39b..b66514c 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -19,6 +19,8 @@
# Property service
set_prop(radio, radio_prop)
+set_prop(radio, exported_radio_prop)
+set_prop(radio, exported2_radio_prop)
set_prop(radio, net_radio_prop)
# ctl interface
diff --git a/public/recovery.te b/public/recovery.te
index 05cc195..57ad202 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -115,6 +115,7 @@
# Set sys.usb.ffs.ready when starting minadbd for sideload.
set_prop(recovery, ffs_prop)
+ set_prop(recovery, exported_ffs_prop)
# Read ro.boot.bootreason
get_prop(recovery, bootloader_boot_reason_prop)
diff --git a/public/rild.te b/public/rild.te
index 5bcde72..8cafd23 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -23,6 +23,8 @@
# property service
set_prop(rild, radio_prop)
+set_prop(rild, exported_radio_prop)
+set_prop(rild, exported2_radio_prop)
allow rild tty_device:chr_file rw_file_perms;
diff --git a/public/shell.te b/public/shell.te
index 81f4bf0..916af1c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -57,6 +57,7 @@
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
diff --git a/public/te_macros b/public/te_macros
index 18e5e61..8ef1e45 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -471,6 +471,23 @@
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9aaa538..01e30a8 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -217,3 +217,26 @@
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
+
+set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_dalvik_prop)
+set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_ffs_prop)
+set_prop(vendor_init, exported_overlay_prop)
+set_prop(vendor_init, exported_pm_prop)
+set_prop(vendor_init, exported_radio_prop)
+set_prop(vendor_init, exported_system_radio_prop)
+set_prop(vendor_init, exported2_config_prop)
+set_prop(vendor_init, exported2_system_prop)
+set_prop(vendor_init, exported2_vold_prop)
+set_prop(vendor_init, exported3_default_prop)
+set_prop(vendor_init, logd_prop)
+set_prop(vendor_init, log_tag_prop)
+set_prop(vendor_init, log_prop)
+set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, wifi_log_prop)
+
+get_prop(vendor_init, exported2_radio_prop)
+get_prop(vendor_init, exported3_system_prop)
diff --git a/public/vold.te b/public/vold.te
index 303307b..f754db7 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -124,6 +124,8 @@
# Property Service
set_prop(vold, vold_prop)
+set_prop(vold, exported_vold_prop)
+set_prop(vold, exported2_vold_prop)
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)
diff --git a/tools/fc_sort/fc_sort.c b/tools/fc_sort/fc_sort.c
index bfe28ca..c7a4c90 100644
--- a/tools/fc_sort/fc_sort.c
+++ b/tools/fc_sort/fc_sort.c
@@ -38,6 +38,7 @@
char *path;
char *file_type;
char *context;
+ char *extra;
bool_t meta;
int stem_len;
int str_len;
@@ -487,6 +488,30 @@
return 1;
}
+ /* Get rid of whitespace after the context. */
+ for (; i < line_len; i++) {
+ if (!isspace(line_buf[i]))
+ break;
+ }
+
+ /* Parse out the extra from the line. */
+ start = i;
+ finish = line_len;
+ while (start < finish && (!isspace(line_buf[i - 1])))
+ finish--;
+
+ if (start < finish && line_buf[start] != '#') {
+ temp->extra = (char*)strndup(&line_buf[start], finish - start);
+ if (!(temp->extra)) {
+ file_context_node_destroy(temp);
+ free(temp);
+ free(line_buf);
+ fprintf(stderr, "Error: failure allocating memory.\n");
+ fc_free_file_context_node_list(head);
+ return 1;
+ }
+ }
+
/* Set all the data about the regular
* expression. */
fc_fill_data(temp);
@@ -577,7 +602,14 @@
}
/* Output the context. */
- fprintf(out_file, "%s\n", current->context);
+ fprintf(out_file, "%s", current->context);
+
+ /* Output the extra, if there is one. */
+ if (current->extra) {
+ fprintf(out_file, "\t%s", current->extra);
+ }
+
+ fprintf(out_file, "\n");
current = current->next;
}