Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / adbef0cf37d206ddbef8463d114459c1b026b8e3^2..adbef0cf37d206ddbef8463d114459c1b026b8e3 / .
commitadbef0cf37d206ddbef8463d114459c1b026b8e3[log] [tgz]
authorTreehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>Tue Oct 31 02:29:57 2023 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Tue Oct 31 02:29:57 2023 +0000
treeeca53d3fcd82a40b63ae596823d18418da23bc9e
parent12665a97873467efea9ca76ea11b91442886c8c2 [diff]
parent8dff04056971926849aed976a76849de56633d09 [diff]
Merge "Revert "Suppress a denial on VM boot"" into main
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a7a2436..b053c7a 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go

@@ -517,19 +517,32 @@
 	Sepolicy *string `android:"path"`
 }
 
+type fileContextsTestProperties struct {
+	// Test data. File passed to `checkfc -t` to validate how contexts are resolved.
+	Test_data *string `android:"path"`
+}
+
 type contextsTestModule struct {
 	android.ModuleBase
 
-	// Name of the test tool. "checkfc" or "property_info_checker"
-	tool string
+	// The type of context.
+	context contextType
 
-	// Additional flags to be passed to the tool.
-	flags []string
-
-	properties    contextsTestProperties
-	testTimestamp android.OutputPath
+	properties     contextsTestProperties
+	fileProperties fileContextsTestProperties
+	testTimestamp  android.OutputPath
 }
 
+type contextType int
+
+const (
+	FileContext contextType = iota
+	PropertyContext
+	ServiceContext
+	HwServiceContext
+	VndServiceContext
+)
+
 // checkfc parses a context file and checks for syntax errors.
 // If -s is specified, the service backend is used to verify binder services.
 // If -l is specified, the service backend is used to verify hwbinder services.
@@ -538,15 +551,16 @@
 
 // file_contexts_test tests given file_contexts files with checkfc.
 func fileContextsTestFactory() android.Module {
-	m := &contextsTestModule{tool: "checkfc" /* no flags: file_contexts file check */}
+	m := &contextsTestModule{context: FileContext}
 	m.AddProperties(&m.properties)
+	m.AddProperties(&m.fileProperties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
 }
 
 // property_contexts_test tests given property_contexts files with property_info_checker.
 func propertyContextsTestFactory() android.Module {
-	m := &contextsTestModule{tool: "property_info_checker"}
+	m := &contextsTestModule{context: PropertyContext}
 	m.AddProperties(&m.properties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
@@ -554,7 +568,7 @@
 
 // hwservice_contexts_test tests given hwservice_contexts files with checkfc.
 func hwserviceContextsTestFactory() android.Module {
-	m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-l" /* hwbinder services */}}
+	m := &contextsTestModule{context: HwServiceContext}
 	m.AddProperties(&m.properties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
@@ -563,7 +577,7 @@
 // service_contexts_test tests given service_contexts files with checkfc.
 func serviceContextsTestFactory() android.Module {
 	// checkfc -s: service_contexts test
-	m := &contextsTestModule{tool: "checkfc", flags: []string{"-s" /* binder services */}}
+	m := &contextsTestModule{context: ServiceContext}
 	m.AddProperties(&m.properties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
@@ -571,16 +585,16 @@
 
 // vndservice_contexts_test tests given vndservice_contexts files with checkfc.
 func vndServiceContextsTestFactory() android.Module {
-	m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+	m := &contextsTestModule{context: VndServiceContext}
 	m.AddProperties(&m.properties)
 	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
 	return m
 }
 
 func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
-	tool := m.tool
-	if tool != "checkfc" && tool != "property_info_checker" {
-		panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
+	tool := "checkfc"
+	if m.context == PropertyContext {
+		tool = "property_info_checker"
 	}
 
 	if len(m.properties.Srcs) == 0 {
@@ -588,19 +602,50 @@
 		return
 	}
 
+	validateWithPolicy := true
 	if proptools.String(m.properties.Sepolicy) == "" {
-		ctx.PropertyErrorf("sepolicy", "can't be empty")
-		return
+		if m.context == FileContext {
+			if proptools.String(m.fileProperties.Test_data) == "" {
+				ctx.PropertyErrorf("test_data", "Either test_data or sepolicy should be provided")
+				return
+			}
+			validateWithPolicy = false
+		} else {
+			ctx.PropertyErrorf("sepolicy", "can't be empty")
+			return
+		}
+	}
+
+	flags := []string(nil)
+	switch m.context {
+	case FileContext:
+		if !validateWithPolicy {
+			flags = []string{"-t"}
+		}
+	case ServiceContext:
+		flags = []string{"-s" /* binder services */}
+	case HwServiceContext:
+		flags = []string{"-e" /* allow empty */, "-l" /* hwbinder services */}
+	case VndServiceContext:
+		flags = []string{"-e" /* allow empty */, "-v" /* vnd service */}
 	}
 
 	srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
-	sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
-
 	rule := android.NewRuleBuilder(pctx, ctx)
-	rule.Command().BuiltTool(tool).
-		Flags(m.flags).
-		Input(sepolicy).
-		Inputs(srcs)
+
+	if validateWithPolicy {
+		sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
+		rule.Command().BuiltTool(tool).
+			Flags(flags).
+			Input(sepolicy).
+			Inputs(srcs)
+	} else {
+		test_data := android.PathForModuleSrc(ctx, proptools.String(m.fileProperties.Test_data))
+		rule.Command().BuiltTool(tool).
+			Flags(flags).
+			Inputs(srcs).
+			Input(test_data)
+	}
 
 	m.testTimestamp = pathForModuleOut(ctx, "timestamp")
 	rule.Command().Text("touch").Output(m.testTimestamp)

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 44c3243..29273cf 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go

@@ -392,6 +392,7 @@
 		"search":                       EXCEPTION_NO_FUZZER,
 		"search_ui":                    EXCEPTION_NO_FUZZER,
 		"secure_element":               EXCEPTION_NO_FUZZER,
+		"security_state":               EXCEPTION_NO_FUZZER,
 		"sec_key_att_app_id_provider":  EXCEPTION_NO_FUZZER,
 		"selection_toolbar":            EXCEPTION_NO_FUZZER,
 		"sensorservice":                EXCEPTION_NO_FUZZER,

diff --git a/contexts/Android.bp b/contexts/Android.bp
index f2bb9c0..ca51847 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp

@@ -390,6 +390,12 @@
 }
 
 file_contexts_test {
+    name: "plat_file_contexts_data_test",
+    srcs: [":file_contexts_files{.plat_private}"],
+    test_data: "plat_file_contexts_test",
+}
+
+file_contexts_test {
     name: "system_ext_file_contexts_test",
     srcs: [":system_ext_file_contexts"],
     sepolicy: ":precompiled_sepolicy",

diff --git a/tests/plat_file_contexts_test b/contexts/plat_file_contexts_test
similarity index 99%
rename from tests/plat_file_contexts_test
rename to contexts/plat_file_contexts_test
index 9d8d906..50d9de4 100644
--- a/tests/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test

@@ -209,6 +209,7 @@
 /dev/socket/pdx/system/vr/display/vsync                           pdx_display_vsync_endpoint_socket
 /dev/socket/prng_seeder                                           prng_seeder_socket
 /dev/socket/property_service                                      property_socket
+/dev/socket/property_service_for_system                           property_socket
 /dev/socket/racoon                                                racoon_socket
 /dev/socket/recovery                                              recovery_socket
 /dev/socket/rild                                                  rild_socket
@@ -279,6 +280,8 @@
 /dev/zero                                                         zero_device
 /dev/__properties__                                               properties_device
 /dev/__properties__/property_info                                 property_info
+/dev/__properties__/appcompat_override                            properties_device
+/dev/__properties__/appcompat_override/property_info              property_info
 
 /linkerconfig                                                     linkerconfig_file
 /linkerconfig/test                                                linkerconfig_file
@@ -419,6 +422,7 @@
 /system/bin/profcollectd                                          profcollectd_exec
 /system/bin/profcollectctl                                        profcollectd_exec
 /system/bin/storaged                                              storaged_exec
+/system/bin/virtual_camera                                        virtual_camera_exec
 /system/bin/virtual_touchpad                                      virtual_touchpad_exec
 /system/bin/hw/android.frameworks.bufferhub@1.0-service           fwk_bufferhub_exec
 /system/bin/hw/android.system.suspend-service                     system_suspend_exec
@@ -1226,6 +1230,8 @@
 /metadata/userspacereboot/test                                    userspace_reboot_metadata_file
 /metadata/watchdog                                                watchdog_metadata_file
 /metadata/watchdog/test                                           watchdog_metadata_file
+/metadata/repair-mode                                             repair_mode_metadata_file
+/metadata/repair-mode/test                                        repair_mode_metadata_file
 
 /mnt/asec                                                         asec_apk_file
 /mnt/asec/test                                                    asec_apk_file

diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index e483237..046f20f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts

@@ -72,7 +72,9 @@
 /dev/vsock		u:object_r:vsock_device:s0
 /dev/zero		u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
 /dev/__properties__/property_info   u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info   u:object_r:property_info:s0
 #############################
 # Linker configuration
 #

diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index f4541a3..896590d 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te

@@ -32,11 +32,11 @@
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
 
-# /dev/__properties__
+# /dev/__properties__ and /dev/__properties__/appcompat_override
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
 # /dev/socket

diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index fa6712f..069d06a 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil

@@ -59,6 +59,7 @@
     quick_start_prop
     recovery_usb_config_prop
     remote_provisioning_service
+    repair_mode_metadata_file
     rkpdapp
     servicemanager_prop
     shutdown_checkpoints_system_data_file

diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index ac2ab12..0caddf2 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts

@@ -841,6 +841,7 @@
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
 /metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)?    u:object_r:repair_mode_metadata_file:s0
 
 #############################
 # asec containers

diff --git a/prebuilts/api/34.0/private/system_server.te b/prebuilts/api/34.0/private/system_server.te
index 98d859c..aff4a0a 100644
--- a/prebuilts/api/34.0/private/system_server.te
+++ b/prebuilts/api/34.0/private/system_server.te

@@ -1441,6 +1441,9 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
 allow system_server gsi_persistent_data_file:file create_file_perms;
 

diff --git a/prebuilts/api/34.0/public/file.te b/prebuilts/api/34.0/public/file.te
index da76aee..7cfd8ad 100644
--- a/prebuilts/api/34.0/public/file.te
+++ b/prebuilts/api/34.0/public/file.te

@@ -287,6 +287,8 @@
 type staged_install_file, file_type;
 # Metadata information within /metadata/watchdog
 type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;

diff --git a/private/app_zygote.te b/private/app_zygote.te
index e3869cd..46cea8e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te

@@ -34,6 +34,8 @@
 # Interaction between the app_zygote and its children.
 allow app_zygote isolated_app:process setpgid;
 
+allow app_zygote properties_device:dir mounton;
+
 # TODO (b/63631799) fix this access
 dontaudit app_zygote mnt_expand_file:dir getattr;
 

diff --git a/private/attributes b/private/attributes
index 77143a3..fe50b0d 100644
--- a/private/attributes
+++ b/private/attributes

@@ -13,4 +13,5 @@
 
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 618bb11..ea4ed5d 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil

@@ -29,6 +29,7 @@
     fwk_altitude_service
     fwk_camera_service
     fwk_sensor_service
+    game_manager_config_prop
     grammatical_inflection_service
     graphics_config_writable_prop
     hal_bluetooth_service
@@ -63,6 +64,7 @@
     quick_start_prop
     recovery_usb_config_prop
     remote_provisioning_service
+    repair_mode_metadata_file
     rkpdapp
     servicemanager_prop
     shutdown_checkpoints_system_data_file

diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 2d1aea0..16ec303 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil

@@ -14,10 +14,12 @@
     virtual_camera_service
     ot_daemon_service
     remote_auth_service
+    security_state_service
     sysfs_sync_on_suspend
     threadnetwork_service
     device_config_aconfig_flags_prop
     proc_memhealth
     virtual_device_native_service
     next_boot_prop
+    binderfs_logs_stats
   ))

diff --git a/private/file_contexts b/private/file_contexts
index 3a9c04d..2481c07 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -200,7 +200,9 @@
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
 /dev/__properties__/property_info   u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info   u:object_r:property_info:s0
 #############################
 # Linker configuration
 #
@@ -561,7 +563,6 @@
 /data/gsi_persistent_data    u:object_r:gsi_persistent_data_file:s0
 /data/gsi/ota(/.*)?    u:object_r:ota_image_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
-/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tests(/.*)?	u:object_r:shell_test_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
@@ -636,8 +637,8 @@
 /data/misc/odrefresh(/.*)?      u:object_r:odrefresh_data_file:s0
 /data/misc/odsign(/.*)?         u:object_r:odsign_data_file:s0
 /data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
 /data/misc/perfetto-traces(/.*)?          u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
 /data/misc/perfetto-configs(/.*)?         u:object_r:perfetto_configs_data_file:s0
 /data/misc/prereboot(/.*)?      u:object_r:prereboot_data_file:s0
 /data/misc/profcollectd(/.*)?   u:object_r:profcollectd_data_file:s0
@@ -680,6 +681,7 @@
 /data/vendor_ce/.*              u:object_r:vendor_data_file:s0
 /data/vendor_de                 u:object_r:vendor_userdir_file:s0
 /data/vendor_de/.*              u:object_r:vendor_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 
 # storaged proto files
 /data/misc_de/[0-9]+/storaged(/.*)?       u:object_r:storaged_data_file:s0
@@ -841,6 +843,7 @@
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
 /metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)?    u:object_r:repair_mode_metadata_file:s0
 
 #############################
 # asec containers

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3ec6ab1..17db46a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -392,6 +392,7 @@
 genfscon binder /vndbinder u:object_r:vndbinder_device:s0
 genfscon binder /binder_logs u:object_r:binderfs_logs:s0
 genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
 genfscon binder /features u:object_r:binderfs_features:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0

diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 1021fd9..066d3d5 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te

@@ -29,3 +29,6 @@
 binder_use(ot_daemon)
 add_service(ot_daemon, ot_daemon_service)
 binder_call(ot_daemon, system_server)
+
+# Allow OT daemon to write to statsd
+unix_socket_send(ot_daemon, statsdw, statsd)

diff --git a/private/property.te b/private/property.te
index 8be4d01..e1b42a0 100644
--- a/private/property.te
+++ b/private/property.te

@@ -57,6 +57,7 @@
 system_internal_prop(sensors_config_prop)
 system_internal_prop(hypervisor_pvmfw_prop)
 system_internal_prop(hypervisor_virtualizationmanager_prop)
+system_internal_prop(game_manager_config_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)

diff --git a/private/property_contexts b/private/property_contexts
index 9d1439d..6c81c03 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -416,6 +416,7 @@
 ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
 ro.camera.disableJpegR        u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableVirtualCamera      u:object_r:camera_config_prop:s0 exact bool
 
 ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
 
@@ -512,6 +513,7 @@
 keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
 
 media.c2.dmabuf.padding                      u:object_r:codec2_config_prop:s0 exact int
+media.c2.hal.selection                       u:object_r:codec2_config_prop:s0 exact enum aidl hidl
 
 media.recorder.show_manufacturer_and_model   u:object_r:media_config_prop:s0 exact bool
 media.resolution.limit.32bit                 u:object_r:media_config_prop:s0 exact int
@@ -1345,6 +1347,7 @@
 ro.surface_flinger.ignore_hdr_camera_layers               u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.clear_slots_with_set_layer_buffer      u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.prime_shader_cache.ultrahdr            u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.game_default_frame_rate_override       u:object_r:surfaceflinger_prop:s0 exact int
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
@@ -1590,3 +1593,6 @@
 
 # Properties for sensor service
 sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
+
+# Propertues for game manager service
+persist.graphics.game_default_frame_rate.enabled  u:object_r:game_manager_config_prop:s0 exact bool

diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
index d45da88..bb15057 100644
--- a/private/sdk_sandbox_34.te
+++ b/private/sdk_sandbox_34.te

@@ -3,89 +3,7 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes
 ### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
 
 net_domain(sdk_sandbox_34)
 app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
-    activity_service
-    activity_task_service
-    appops_service
-    audio_service
-    audioserver_service
-    batteryproperties_service
-    batterystats_service
-    cameraserver_service
-    connectivity_service
-    connmetrics_service
-    deviceidle_service
-    display_service
-    dropbox_service
-    ephemeral_app_api_service
-    font_service
-    game_service
-    gpu_service
-    graphicsstats_service
-    hardware_properties_service
-    hint_service
-    imms_service
-    input_method_service
-    input_service
-    IProxyService_service
-    ipsec_service
-    launcherapps_service
-    legacy_permission_service
-    light_service
-    locale_service
-    media_communication_service
-    mediadrmserver_service
-    mediaextractor_service
-    mediametrics_service
-    media_projection_service
-    media_router_service
-    mediaserver_service
-    media_session_service
-    memtrackproxy_service
-    midi_service
-    netpolicy_service
-    netstats_service
-    network_management_service
-    notification_service
-    package_service
-    permission_checker_service
-    permission_service
-    permissionmgr_service
-    platform_compat_service
-    power_service
-    procstats_service
-    radio_service
-    registry_service
-    restrictions_service
-    rttmanager_service
-    search_service
-    selection_toolbar_service
-    sensor_privacy_service
-    sensorservice_service
-    servicediscovery_service
-    settings_service
-    speech_recognition_service
-    statusbar_service
-    storagestats_service
-    surfaceflinger_service
-    telecom_service
-    tethering_service
-    textclassification_service
-    textservices_service
-    texttospeech_service
-    thermal_service
-    translation_service
-    tv_iapp_service
-    tv_input_service
-    uimode_service
-    vcn_management_service
-    webviewupdate_service
-}:service_manager find;
-

diff --git a/private/sdk_sandbox_audit.te b/private/sdk_sandbox_audit.te
new file mode 100644
index 0000000..bb531ca
--- /dev/null
+++ b/private/sdk_sandbox_audit.te

@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+    cameraserver_service
+    ephemeral_app_api_service
+    mediadrmserver_service
+    radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+    property_type
+    -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+    property_type
+    -system_property_type
+}:dir rw_dir_perms;

diff --git a/private/sdk_sandbox_current.te b/private/sdk_sandbox_current.te
new file mode 100644
index 0000000..55e5bc1
--- /dev/null
+++ b/private/sdk_sandbox_current.te

@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+    activity_service
+    activity_task_service
+    appops_service
+    audio_service
+    audioserver_service
+    batteryproperties_service
+    batterystats_service
+    cameraserver_service
+    connectivity_service
+    connmetrics_service
+    deviceidle_service
+    display_service
+    dropbox_service
+    ephemeral_app_api_service
+    font_service
+    game_service
+    gpu_service
+    graphicsstats_service
+    hardware_properties_service
+    hint_service
+    imms_service
+    input_method_service
+    input_service
+    IProxyService_service
+    ipsec_service
+    launcherapps_service
+    legacy_permission_service
+    light_service
+    locale_service
+    media_communication_service
+    mediadrmserver_service
+    mediaextractor_service
+    mediametrics_service
+    media_projection_service
+    media_router_service
+    mediaserver_service
+    media_session_service
+    memtrackproxy_service
+    midi_service
+    netpolicy_service
+    netstats_service
+    network_management_service
+    notification_service
+    package_service
+    permission_checker_service
+    permission_service
+    permissionmgr_service
+    platform_compat_service
+    power_service
+    procstats_service
+    radio_service
+    registry_service
+    restrictions_service
+    rttmanager_service
+    search_service
+    selection_toolbar_service
+    sensor_privacy_service
+    sensorservice_service
+    servicediscovery_service
+    settings_service
+    speech_recognition_service
+    statusbar_service
+    storagestats_service
+    surfaceflinger_service
+    telecom_service
+    tethering_service
+    textclassification_service
+    textservices_service
+    texttospeech_service
+    thermal_service
+    translation_service
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
+

diff --git a/private/seapp_contexts b/private/seapp_contexts
index bc68209..74701df 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -13,6 +13,7 @@
 #       fromRunAs (boolean)
 #       isIsolatedComputeApp (boolean)
 #       isSdkSandboxNext (boolean)
+#       isSdkSandboxAudit (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -49,10 +50,20 @@
 # to provide isolated processes with relaxed security restrictions.
 # An unspecified isIsolatedComputeApp defaults to false.
 #
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
 # An unspecified isSdkSandboxNext defaults to false.
 #
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@@ -174,6 +185,7 @@
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
 user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user

diff --git a/private/service_contexts b/private/service_contexts
index a1fb06b..758cab6 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -368,6 +368,7 @@
 search_ui                                 u:object_r:search_ui_service:s0
 secure_element                            u:object_r:secure_element_service:s0
 sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
+security_state                            u:object_r:security_state_service:s0
 selection_toolbar                         u:object_r:selection_toolbar_service:s0
 sensorservice                             u:object_r:sensorservice_service:s0
 sensor_privacy                            u:object_r:sensor_privacy_service:s0

diff --git a/private/system_server.te b/private/system_server.te
index f9627e3..efdeff4 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1435,6 +1435,9 @@
 allow system_server watchdog_metadata_file:dir rw_dir_perms;
 allow system_server watchdog_metadata_file:file create_file_perms;
 
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
 allow system_server gsi_persistent_data_file:file create_file_perms;
 
@@ -1539,3 +1542,11 @@
 
 # Allow system server to set dynamic ART properties.
 set_prop(system_server, dalvik_dynamic_config_prop)
+
+# Allow system server to read binderfs
+allow system_server binderfs_logs:dir r_dir_perms;
+allow system_server binderfs_logs_stats:file r_file_perms;
+
+# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
+set_prop(system_server, game_manager_config_prop)
+

diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 0556950..7b05af2 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te

@@ -83,6 +83,8 @@
 
 allow webview_zygote system_data_file:lnk_file r_file_perms;
 
+allow webview_zygote properties_device:dir mounton;
+
 # Send unsolicited message to system_server
 unix_socket_send(webview_zygote, system_unsolzygote, system_server)
 

diff --git a/private/zygote.te b/private/zygote.te
index 788dafe..4815ecc 100644
--- a/private/zygote.te
+++ b/private/zygote.te

@@ -76,6 +76,8 @@
     user_profile_data_file
     # /storage/emulated/$userId/Android/{data,obb}
     media_rw_data_file
+    # /dev/__properties__
+    properties_device
 }:dir { mounton search };
 
 # Traverse /data_mirror to get to the above directories while their normal paths

diff --git a/public/domain.te b/public/domain.te
index bed0d7d..ec8b247 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -337,10 +337,6 @@
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
-
 ###
 ### neverallow rules
 ###
@@ -440,6 +436,10 @@
 neverallow * init:binder *;
 neverallow * vendor_init:binder *;
 
+# Binderfs logs contain sensitive information about other processes.
+neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
+
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
 neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3748605..c52ca15 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -379,6 +379,7 @@
 allow dumpstate binderfs_logs:dir r_dir_perms;
 allow dumpstate binderfs_logs:file r_file_perms;
 allow dumpstate binderfs_logs_proc:file r_file_perms;
+allow dumpstate binderfs_logs_stats:file r_file_perms;
 
 use_apex_info(dumpstate)
 

diff --git a/public/file.te b/public/file.te
index 72f511b..9496c02 100644
--- a/public/file.te
+++ b/public/file.te

@@ -7,6 +7,7 @@
 type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
+type binderfs_logs_stats, fs_type;
 type binderfs_features, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type, proc_type;
@@ -289,6 +290,8 @@
 type staged_install_file, file_type;
 # Metadata information within /metadata/watchdog
 type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;

diff --git a/public/init.te b/public/init.te
index e552ec2..29dd42d 100644
--- a/public/init.te
+++ b/public/init.te

@@ -26,7 +26,7 @@
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
 # /dev/event-log-tags

diff --git a/public/service.te b/public/service.te
index e018e40..53c9e5f 100644
--- a/public/service.te
+++ b/public/service.te

@@ -212,6 +212,7 @@
 type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type search_ui_service, app_api_service, system_server_service, service_manager_type;
 type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type security_state_service, system_server_service, service_manager_type;
 type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 21bc87a..02882af 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c

@@ -228,6 +228,7 @@
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                 { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_domain  },

diff --git a/tools/checkfc.c b/tools/checkfc.c
index 05826f9..051e24b 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c

@@ -271,6 +271,19 @@
      printf("%s\n", result_str[result]);
 }
 
+static int warnings = 0;
+static int log_callback(int type, const char *fmt, ...) {
+    va_list ap;
+
+    if (type == SELINUX_WARNING) {
+        warnings += 1;
+    }
+    va_start(ap, fmt);
+    vfprintf(stderr, fmt, ap);
+    va_end(ap);
+    return 0;
+}
+
 static void do_test_data_and_die_on_error(struct selinux_opt opts[], unsigned int backend,
         char *paths[])
 {
@@ -329,7 +342,15 @@
 
     // Prints the coverage of file_contexts on the test data. It includes
     // warnings for rules that have not been hit by any test example.
+    union selinux_callback cb;
+    cb.func_log = log_callback;
+    selinux_set_callback(SELINUX_CB_LOG, cb);
     selabel_stats(global_state.sepolicy.sehnd[0]);
+    if (warnings) {
+        fprintf(stderr, "No test entries were found for the contexts above. " \
+                        "You may need to update %s.\n", paths[1]);
+        exit(1);
+    }
 }
 
 static void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode,

diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
index ab474d6..4b4ee46 100644
--- a/vendor/hal_drm_clearkey.te
+++ b/vendor/hal_drm_clearkey.te

@@ -4,3 +4,4 @@
 init_daemon_domain(hal_drm_clearkey_aidl)
 
 hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
+allow hal_drm_clearkey_aidl mediacodec:fd use;