Merge "Allow mediaserver access to media_native flag namespace"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 7eac769..5472243 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -267,7 +267,7 @@
"healthconnect": EXCEPTION_NO_FUZZER,
"ions": EXCEPTION_NO_FUZZER,
"idmap": EXCEPTION_NO_FUZZER,
- "incident": EXCEPTION_NO_FUZZER,
+ "incident": []string{"incidentd_service_fuzzer"},
"incidentcompanion": EXCEPTION_NO_FUZZER,
"inputflinger": EXCEPTION_NO_FUZZER,
"input_method": EXCEPTION_NO_FUZZER,
@@ -302,7 +302,7 @@
"media.aaudio": EXCEPTION_NO_FUZZER,
"media.audio_flinger": EXCEPTION_NO_FUZZER,
"media.audio_policy": EXCEPTION_NO_FUZZER,
- "media.camera": EXCEPTION_NO_FUZZER,
+ "media.camera": []string{"camera_service_aidl_fuzzer"},
"media.camera.proxy": EXCEPTION_NO_FUZZER,
"media.log": EXCEPTION_NO_FUZZER,
"media.player": EXCEPTION_NO_FUZZER,
@@ -410,8 +410,8 @@
"sdk_sandbox": EXCEPTION_NO_FUZZER,
"SurfaceFlinger": EXCEPTION_NO_FUZZER,
"SurfaceFlingerAIDL": EXCEPTION_NO_FUZZER,
- "suspend_control": EXCEPTION_NO_FUZZER,
- "suspend_control_internal": EXCEPTION_NO_FUZZER,
+ "suspend_control": []string{"suspend_service_fuzzer"},
+ "suspend_control_internal": []string{"suspend_service_internal_fuzzer"},
"system_config": EXCEPTION_NO_FUZZER,
"system_server_dumper": EXCEPTION_NO_FUZZER,
"system_update": EXCEPTION_NO_FUZZER,
diff --git a/private/app.te b/private/app.te
index 34cd2f0..754c802 100644
--- a/private/app.te
+++ b/private/app.te
@@ -48,11 +48,6 @@
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
diff --git a/private/domain.te b/private/domain.te
index 30ceb24..2cffdd8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -87,8 +87,13 @@
# Allow all domains to check whether MTE is set to permissive mode.
get_prop(domain, permissive_mte_prop);
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process), and MTE bootloader override to be
+# observed by everything
get_prop(domain, device_config_memory_safety_native_boot_prop);
get_prop(domain, device_config_memory_safety_native_prop);
+get_prop(domain, device_config_runtime_native_boot_prop);
+get_prop(domain, device_config_runtime_native_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
diff --git a/private/property_contexts b/private/property_contexts
index 102c111..c447483 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1203,7 +1203,6 @@
ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl_legacy u:object_r:graphics_config_prop:s0 exact string
ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string