Merge "Add SELinux policy for edgetpu_native device_config prop"
diff --git a/apex/Android.bp b/apex/Android.bp
index 403eafa..2dcae6f 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -267,9 +267,9 @@
}
filegroup {
- name: "com.android.healthconnect-file_contexts",
+ name: "com.android.healthfitness-file_contexts",
srcs: [
- "com.android.healthconnect-file_contexts",
+ "com.android.healthfitness-file_contexts",
],
}
diff --git a/apex/com.android.healthconnect-file_contexts b/apex/com.android.healthfitness-file_contexts
similarity index 100%
rename from apex/com.android.healthconnect-file_contexts
rename to apex/com.android.healthfitness-file_contexts
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 8e11850..e04e158 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -224,6 +224,7 @@
"dataloader_manager": EXCEPTION_NO_FUZZER,
"dbinfo": EXCEPTION_NO_FUZZER,
"device_config": EXCEPTION_NO_FUZZER,
+ "device_config_updatable": EXCEPTION_NO_FUZZER,
"device_policy": EXCEPTION_NO_FUZZER,
"device_identifiers": EXCEPTION_NO_FUZZER,
"deviceidle": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a751c21..238cb96 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -16,6 +16,7 @@
device_config_edgetpu_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
+ device_config_updatable_service
device_config_vendor_system_native_prop
devicelock_service
fwk_altitude_service
@@ -47,10 +48,13 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
+ stats_config_data_file
system_net_netd_service
timezone_metadata_prop
tuner_config_prop
tuner_server_ctl_prop
+ ublk_block_device
+ ublk_control_device
usb_uvc_enabled_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
diff --git a/private/file_contexts b/private/file_contexts
index 4c3f108..6166065 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -81,6 +81,7 @@
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/by-name/zoned_device u:object_r:zoned_block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/ublkb[0-9]+ u:object_r:ublk_block_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
/dev/block/vold/.+ u:object_r:vold_device:s0
@@ -95,6 +96,7 @@
/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
+/dev/ublk-control u:object_r:ublk_control_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
@@ -646,7 +648,7 @@
/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
-/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_config_data_file:s0
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
diff --git a/private/property_contexts b/private/property_contexts
index 7c9f81f..c980696 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -508,6 +508,7 @@
persist.bluetooth.snooplogfilter.profiles.pbap u:object_r:bluetooth_prop:s0 exact enum empty disabled fullfilter header magic
persist.bluetooth.snooplogfilter.profiles.rfcomm.enabled u:object_r:bluetooth_prop:s0 exact bool
persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.leaudio.allow_list u:object_r:bluetooth_prop:s0 exact string
bluetooth.hardware.power.operating_voltage_mv u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
diff --git a/private/service_contexts b/private/service_contexts
index 6af5eab..db48f62 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -203,6 +203,7 @@
dataloader_manager u:object_r:dataloader_manager_service:s0
dbinfo u:object_r:dbinfo_service:s0
device_config u:object_r:device_config_service:s0
+device_config_updatable u:object_r:device_config_updatable_service:s0
device_policy u:object_r:device_policy_service:s0
device_identifiers u:object_r:device_identifiers_service:s0
deviceidle u:object_r:deviceidle_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index b366070..a39eaa2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -222,9 +222,9 @@
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
+# Delete /data/misc/stats-service/ directories.
+allow system_server stats_config_data_file:dir { open read remove_name search write };
+allow system_server stats_config_data_file:file unlink;
# Read metric file & upload to statsd
allow system_server odsign_data_file:dir search;
diff --git a/public/device.te b/public/device.te
index ead7fbc..066600e 100644
--- a/public/device.te
+++ b/public/device.te
@@ -10,7 +10,9 @@
type bt_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
+type ublk_block_device, dev_type;
type dm_user_device, dev_type;
+type ublk_control_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
diff --git a/public/file.te b/public/file.te
index 8d33a9d..1e13e53 100644
--- a/public/file.te
+++ b/public/file.te
@@ -446,6 +446,7 @@
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
+type stats_config_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/service.te b/public/service.te
index 3d3d98a..68fd9e2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -9,6 +9,7 @@
type cameraserver_service, service_manager_type;
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
+type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
type dnsresolver_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index 31d033f..e1c24c6 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -19,9 +19,16 @@
allow statsd su:fifo_file read;
')
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+# Create, read, and write into
+# /data/misc/stats-active-metric
+# /data/misc/stats-data
+# /data/misc/stats-metadata
+# /data/misc/stats-service
+# /data/misc/train-info
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;
+allow statsd stats_config_data_file:dir create_dir_perms;
+allow statsd stats_config_data_file:file create_file_perms;
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
@@ -83,7 +90,10 @@
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *;
+
# Limited access to the directory itself.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index f167e65..7d9119e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -47,6 +47,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service.example u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0