Merge "Make cross-user apps mlstrustedsubject."
diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
index ab731f1..86e8009 100644
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@@ -22,6 +22,7 @@
coredomain
-appdomain
-dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
@@ -38,6 +39,7 @@
coredomain
-appdomain
-dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
diff --git a/prebuilts/api/30.0/private/dexoptanalyzer.te b/prebuilts/api/30.0/private/dexoptanalyzer.te
index 1f92462..a2b2b01 100644
--- a/prebuilts/api/30.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/30.0/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
diff --git a/private/app.te b/private/app.te
index a42b60e..5b079c2 100644
--- a/private/app.te
+++ b/private/app.te
@@ -49,5 +49,11 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+# Allow to read sendbug.preferred.domain
+get_prop(appdomain, sendbug_config_prop)
+
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
+
+# Allow to read persist.config.calibration_fac
+get_prop(appdomain, camera_calibration_prop)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 0138743..1599a3e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -70,7 +70,6 @@
exported2_radio_prop
exported2_system_prop
exported2_vold_prop
- exported3_default_prop
exported3_radio_prop
exported3_system_prop
fastbootd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 92ff8d7..2f0a252 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -35,6 +35,7 @@
build_odm_prop
build_prop
build_vendor_prop
+ camera_calibration_prop
camera_config_prop
cgroup_bpf
charger_config_prop
@@ -139,6 +140,7 @@
network_stack_service
network_watchlist_data_file
network_watchlist_service
+ oem_unlock_prop
overlayfs_file
packagemanager_config_prop
perfetto
@@ -157,6 +159,7 @@
secure_element_device
secure_element_service
secure_element_tmpfs
+ sendbug_config_prop
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
@@ -177,6 +180,7 @@
surfaceflinger_color_prop
surfaceflinger_prop
staging_data_file
+ storagemanager_config_prop
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
@@ -223,10 +227,14 @@
vold_service
vold_status_prop
vrflinger_vsync_service
+ vts_config_prop
+ vts_status_prop
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
watchdogd_tmpfs
+ wifi_config_prop
+ wifi_hal_prop
wm_trace_data_file
wpantund
wpantund_exec
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index b54644f..6a6348a 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -6,9 +6,11 @@
(type exported_system_radio_prop)
(type exported_radio_prop)
(type exported_vold_prop)
+(type exported_wifi_prop)
(type exported2_config_prop)
(type exported2_radio_prop)
(type exported2_vold_prop)
+(type exported3_default_prop)
(type ffs_prop)
(type system_radio_prop)
@@ -1358,6 +1360,7 @@
(typeattributeset exported2_vold_prop_30_0 (exported2_vold_prop vold_config_prop))
(typeattributeset exported3_default_prop_30_0
( exported3_default_prop
+ camera_calibration_prop
camera_config_prop
charger_config_prop
drm_service_config_prop
@@ -1366,10 +1369,15 @@
lmkd_config_prop
media_config_prop
mediadrm_config_prop
+ oem_unlock_prop
packagemanager_config_prop
recovery_config_prop
+ sendbug_config_prop
+ storagemanager_config_prop
telephony_config_prop
tombstone_config_prop
+ vts_status_prop
+ wifi_config_prop
zram_config_prop))
(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop))
(typeattributeset exported3_system_prop_30_0
@@ -1387,7 +1395,8 @@
aaudio_config_prop
build_odm_prop
build_vendor_prop
- surfaceflinger_prop))
+ surfaceflinger_prop
+ vts_config_prop))
(typeattributeset exported_dumpstate_prop_30_0 (exported_dumpstate_prop))
(typeattributeset exported_ffs_prop_30_0
( exported_ffs_prop
@@ -1404,7 +1413,7 @@
usb_config_prop
usb_control_prop))
(typeattributeset exported_vold_prop_30_0 (exported_vold_prop vold_status_prop))
-(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop))
+(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop wifi_hal_prop))
(typeattributeset external_vibrator_service_30_0 (external_vibrator_service))
(typeattributeset face_service_30_0 (face_service))
(typeattributeset face_vendor_data_file_30_0 (face_vendor_data_file))
diff --git a/private/coredomain.te b/private/coredomain.te
index 6062bc0..edb2245 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -4,19 +4,21 @@
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
+get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
+get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
-
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
+get_prop(coredomain, vts_status_prop)
full_treble_only(`
neverallow {
@@ -39,6 +41,7 @@
coredomain
-appdomain
-dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
@@ -55,6 +58,7 @@
coredomain
-appdomain
-dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1f92462..a2b2b01 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
diff --git a/private/domain.te b/private/domain.te
index 9cd064a..8ba992b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -75,7 +75,6 @@
# DO NOT ADD ANY PROPERTIES HERE
get_prop(domain, core_property_type)
get_prop(domain, exported2_system_prop)
- get_prop(domain, exported3_default_prop)
get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
@@ -84,7 +83,6 @@
# DO NOT ADD ANY PROPERTIES HERE
get_prop({coredomain appdomain shell}, core_property_type)
get_prop({coredomain appdomain shell}, exported2_system_prop)
- get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
diff --git a/private/file_contexts b/private/file_contexts
index eaefec3..a4d967e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -459,6 +459,18 @@
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
#############################
+# VendorDlkm files
+# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
+#
+/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
+
+#############################
+# OdmDlkm files
+# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
+#
+/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
+
+#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
# NOTE: For additional vendor file contexts for vendor overlay files,
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 89232bc..b1cd127 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -251,6 +251,8 @@
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -297,6 +299,8 @@
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b70a397..6ef3ade 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -53,8 +53,7 @@
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
-dontaudit gmscore_app wifi_prop:file r_file_perms;
-dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
# Access the network
diff --git a/private/gpuservice.te b/private/gpuservice.te
index c467383..2e4254c 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -64,5 +64,3 @@
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
-
-get_prop(gpuservice, graphics_config_prop)
diff --git a/private/init.te b/private/init.te
index 7a2e0b3..49a98e0 100644
--- a/private/init.te
+++ b/private/init.te
@@ -59,3 +59,7 @@
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
+
+# Only init can write vts.native_server.on
+set_prop(init, vts_status_prop)
+neverallow { -init } vts_status_prop:property_service set;
diff --git a/private/priv_app.te b/private/priv_app.te
index d5b8d3f..57dcfc5 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -134,8 +134,7 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app wifi_prop:file read;
-dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/property.te b/private/property.te
index db43ae3..566c7f1 100644
--- a/private/property.te
+++ b/private/property.te
@@ -142,7 +142,6 @@
exported_system_prop
exported2_default_prop
exported2_system_prop
- exported3_default_prop
exported3_system_prop
usb_control_prop
-nfc_prop
@@ -218,12 +217,13 @@
neverallow {
domain
- -coredomain
+ -init
+ -dumpstate
-hal_wifi_server
-wificond
-vendor_init
} {
- exported_wifi_prop
+ wifi_hal_prop
}:property_service set;
# Prevent properties from being read
@@ -237,7 +237,6 @@
dalvik_config_prop
extended_core_property_type
exported2_system_prop
- exported3_default_prop
exported3_system_prop
systemsound_config_prop
-debug_prop
@@ -424,3 +423,29 @@
} {
localization_prop
}:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -system_app
+} oem_unlock_prop:file no_rw_file_perms;
+
+neverallow {
+ -coredomain
+ -vendor_init
+} storagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} sendbug_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} camera_calibration_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index b89d4e4..de1e085 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -54,6 +54,7 @@
persist.bluetooth. u:object_r:bluetooth_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
+logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
@@ -179,12 +180,14 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
-# Common default properties for vendor and odm.
+# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
init.svc.odm. u:object_r:vendor_default_prop:s0
init.svc.vendor. u:object_r:vendor_default_prop:s0
ro.hardware. u:object_r:vendor_default_prop:s0
ro.odm. u:object_r:vendor_default_prop:s0
ro.vendor. u:object_r:vendor_default_prop:s0
+ro.vendor_dlkm. u:object_r:vendor_default_prop:s0
+ro.odm_dlkm. u:object_r:vendor_default_prop:s0
odm. u:object_r:vendor_default_prop:s0
persist.odm. u:object_r:vendor_default_prop:s0
persist.vendor. u:object_r:vendor_default_prop:s0
@@ -263,6 +266,8 @@
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
+
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
@@ -341,6 +346,7 @@
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
+ro.zygote u:object_r:dalvik_config_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -356,8 +362,6 @@
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
-persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
-
persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
@@ -380,7 +384,6 @@
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
-ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
@@ -395,8 +398,6 @@
ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
-
ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
@@ -418,6 +419,7 @@
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
@@ -444,13 +446,11 @@
ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string
-ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
-
-ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
@@ -462,9 +462,7 @@
zram.force_writeback u:object_r:zram_config_prop:s0 exact bool
persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool
-ro.zygote u:object_r:exported3_default_prop:s0 exact string
-
-sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
@@ -488,10 +486,6 @@
vold.post_fs_data_done u:object_r:vold_config_prop:s0 exact int
-vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
-
-wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
-
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
@@ -525,13 +519,14 @@
hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
# default contexts only accessible by coredomain
-init.svc. u:object_r:init_service_status_private_prop:s0 exact string
+init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
# vendor-init-readable init service props
init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
init.svc.console u:object_r:init_service_status_prop:s0 exact string
init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
+init.svc.statsd u:object_r:init_service_status_prop:s0 exact string
init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
@@ -618,6 +613,18 @@
ro.product.odm.model u:object_r:build_odm_prop:s0 exact string
ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
+# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
+ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+
+# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
+ro.odm_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.odm_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.odm_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.odm_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+
# All vendor build props are set by /vendor/build.prop
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
@@ -741,13 +748,18 @@
ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
ro.vndk.version u:object_r:vndk_prop:s0 exact string
-ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
+ro.vts.coverage u:object_r:vts_config_prop:s0 exact int
-wifi.active.interface u:object_r:exported_wifi_prop:s0 exact string
-wifi.aware.interface u:object_r:exported_wifi_prop:s0 exact string
-wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
-wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
-wifi.interface u:object_r:exported_default_prop:s0 exact string
+vts.native_server.on u:object_r:vts_status_prop:s0 exact bool
+
+wifi.active.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.aware.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.interface u:object_r:wifi_hal_prop:s0 exact string
+wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
+
+ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
@@ -847,6 +859,8 @@
ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
# Graphics related properties
+ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
+
ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
diff --git a/private/shell.te b/private/shell.te
index 78909bf..b63a569 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -140,9 +140,6 @@
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-# Allow to read graphics related properties.
-get_prop(shell, graphics_config_prop)
-
# Allow to issue control commands to profcollectd binder service.
userdebug_or_eng(`
allow shell profcollectd:binder call;
diff --git a/private/system_app.te b/private/system_app.te
index a12d6c2..5a2a561 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -153,6 +153,9 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# Settings app reads ro.oem_unlock_supported
+get_prop(system_app, oem_unlock_prop)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 81988fd..fc4ba0d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -886,9 +886,6 @@
# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)
-# Read ro.gfx.* properties
-get_prop(system_server, graphics_config_prop)
-
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
@@ -992,6 +989,8 @@
# on low memory kills.
get_prop(system_server, system_lmk_prop)
+get_prop(system_server, wifi_config_prop)
+
###
### Neverallow rules
###
@@ -1196,3 +1195,10 @@
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
neverallow { domain -init -system_server } boot_status_prop:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} wifi_config_prop:file no_rw_file_perms;
diff --git a/private/wificond.te b/private/wificond.te
index 1912256..8bf37ca 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,6 +1,6 @@
typeattribute wificond coredomain;
-set_prop(wificond, exported_wifi_prop)
+set_prop(wificond, wifi_hal_prop)
set_prop(wificond, wifi_prop)
set_prop(wificond, ctl_default_prop)
diff --git a/public/domain.te b/public/domain.te
index 33edfd0..a390cb3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -116,6 +116,7 @@
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
@@ -539,7 +540,6 @@
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init } exported_secure_prop:property_service set;
neverallow { domain -init } exported2_default_prop:property_service set;
- neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
')
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index ecc1359..fddfda1 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -7,7 +7,7 @@
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
-set_prop(hal_wifi, exported_wifi_prop)
+set_prop(hal_wifi, wifi_hal_prop)
set_prop(hal_wifi, wifi_prop)
# allow hal wifi set interfaces up and down and get the factory MAC
diff --git a/public/netd.te b/public/netd.te
index ceb1a27..55b6283 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -172,3 +172,5 @@
dontaudit netd self:capability sys_module;
dontaudit netd kernel:system module_request;
+
+dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/public/property.te b/public/property.te
index f4572c7..0dfbefe 100644
--- a/public/property.te
+++ b/public/property.te
@@ -76,6 +76,7 @@
system_restricted_prop(usb_prop)
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
+system_restricted_prop(vts_status_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -108,6 +109,7 @@
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
+system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(cpu_variant_prop)
@@ -116,7 +118,6 @@
system_vendor_config_prop(exported_camera_prop)
system_vendor_config_prop(exported_config_prop)
system_vendor_config_prop(exported_default_prop)
-system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(ffs_config_prop)
system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(hdmi_config_prop)
@@ -126,9 +127,12 @@
system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(sendbug_config_prop)
system_vendor_config_prop(storage_config_prop)
+system_vendor_config_prop(storagemanager_config_prop)
system_vendor_config_prop(surfaceflinger_prop)
system_vendor_config_prop(systemsound_config_prop)
system_vendor_config_prop(telephony_config_prop)
@@ -140,7 +144,9 @@
system_vendor_config_prop(vendor_socket_hook_prop)
system_vendor_config_prop(virtual_ab_prop)
system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(vts_config_prop)
system_vendor_config_prop(vold_config_prop)
+system_vendor_config_prop(wifi_config_prop)
system_vendor_config_prop(zram_config_prop)
# Properties with no restrictions
@@ -161,7 +167,6 @@
system_public_prop(exported_bluetooth_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
-system_public_prop(exported_wifi_prop)
system_public_prop(ffs_control_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
@@ -180,6 +185,7 @@
system_public_prop(system_prop)
system_public_prop(telephony_status_prop)
system_public_prop(usb_control_prop)
+system_public_prop(wifi_hal_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
system_public_prop(zram_control_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 30eba23..df50b17 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -219,9 +219,7 @@
set_prop(vendor_init, exported_default_prop)
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, exported_wifi_prop)
set_prop(vendor_init, exported2_system_prop)
-set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, ffs_control_prop)
set_prop(vendor_init, incremental_prop)
@@ -239,6 +237,7 @@
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, wifi_hal_prop)
set_prop(vendor_init, wifi_log_prop)
set_prop(vendor_init, zram_control_prop)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1b2bc23..09b20d9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -65,7 +65,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0