Merge "Revert "Revert "Let crash_dump read /proc/$PID."""
diff --git a/METADATA b/METADATA
index 313792c..cdcfa70 100644
--- a/METADATA
+++ b/METADATA
@@ -1,3 +1,6 @@
third_party {
- license_type: UNENCUMBERED
+ # would be UNENCUMBERED save for
+ # tests/combine_maps.py
+ # build/soong/
+ license_type: NOTICE
}
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf0fa67..aff3a0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,6 +228,7 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 8340c76..fb0fa44 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1914,7 +1914,9 @@
(typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file))
(typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file))
(typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_29_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_29_0
+ ( vendor_public_framework_file
+ vendor_public_lib_file))
(typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop))
(typeattributeset vendor_shell_29_0 (vendor_shell))
(typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index a2ae272..3830fc0 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2185,7 +2185,9 @@
(typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer))
(typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec))
(typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_30_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_30_0
+ ( vendor_public_framework_file
+ vendor_public_lib_file))
(typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop))
(typeattributeset vendor_shell_30_0 (vendor_shell))
(typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 9db6e48..2a960e5 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -12,6 +12,7 @@
apex_art_staging_data_file
apex_info_file
app_hibernation_service
+ appcompat_data_file
arm64_memtag_prop
authorization_service
cgroup_desc_api_file
@@ -78,6 +79,7 @@
snapuserd
snapuserd_exec
snapuserd_socket
+ soc_prop
speech_recognition_service
sysfs_devices_cs_etm
sysfs_uhid
diff --git a/private/domain.te b/private/domain.te
index 062a51e..0908661 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,6 +54,10 @@
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
@@ -467,6 +471,7 @@
-vendor_keychars_file
-vendor_keylayout_file
-vendor_overlay_file
+ -vendor_public_framework_file
-vendor_public_lib_file
-vendor_task_profiles_file
-vndk_sp_file
diff --git a/private/file_contexts b/private/file_contexts
index 89c67fc..1e16169 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -561,6 +561,7 @@
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
+/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
diff --git a/private/gsid.te b/private/gsid.te
index fe1d08e..a0b74b6 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -64,10 +64,11 @@
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
+allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
-allow gsid vfat:dir rw_dir_perms;
+allow gsid vfat:dir create_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
diff --git a/private/kernel.te b/private/kernel.te
index 70ca912..5341163 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -30,3 +30,4 @@
allow kernel snapuserd_exec:file relabelto;
allow kernel kmsg_device:chr_file write;
+allow kernel gsid:fd use;
diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df..ab2c9c6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
+ r_dir_file(logpersist, cgroup_v2)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/netd.te b/private/netd.te
index 27663d3..670a4bf 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -20,6 +20,7 @@
set_prop(netd, ctl_mdnsd_prop)
set_prop(netd, netd_stable_secret_prop)
+get_prop(netd, adbd_config_prop)
get_prop(netd, bpf_progs_loaded_prop)
get_prop(netd, hwservicemanager_prop)
get_prop(netd, device_config_netd_native_prop)
diff --git a/private/priv_app.te b/private/priv_app.te
index 9fd319f..4c1d782 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -232,6 +232,7 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
diff --git a/private/property_contexts b/private/property_contexts
index 6b2b883..5b832dc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1067,6 +1067,11 @@
partition.product.verified u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
@@ -1097,3 +1102,7 @@
db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
+
+# SOC related props
+ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
+ro.soc.model u:object_r:soc_prop:s0 exact string
diff --git a/private/shell.te b/private/shell.te
index e6038b1..0cdf43d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -174,3 +174,6 @@
# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
+
+# Allow shell to read the dm-verity props on user builds.
+get_prop(shell, verity_status_prop)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 37601b9..8549bd5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,6 +100,7 @@
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index 4284835..8938931 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -149,6 +149,7 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index 6767cd1..4eb2d38 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -500,6 +500,10 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
+# Manage /data/misc/appcompat.
+allow system_server appcompat_data_file:dir rw_dir_perms;
+allow system_server appcompat_data_file:file create_file_perms;
+
# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;
@@ -868,6 +872,7 @@
# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir { remove_name rmdir };
# /oem access
r_dir_file(system_server, oemfs)
@@ -946,9 +951,8 @@
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 23fed52..1a3bcc6 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,6 +108,8 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
@@ -190,7 +192,10 @@
get_prop(zygote, device_config_window_manager_native_boot_prop)
# ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
# Ignore spurious denials calling access() on fuse
# TODO(b/151316657): avoid the denials
diff --git a/public/app.te b/public/app.te
index 5eb20d8..39d67af 100644
--- a/public/app.te
+++ b/public/app.te
@@ -120,8 +120,8 @@
r_dir_file(appdomain, vendor_framework_file)
# Allow apps read / execute access to vendor public libraries.
-allow appdomain vendor_public_lib_file:dir r_dir_perms;
-allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };
diff --git a/public/charger.te b/public/charger.te
index f57853a..37359e3 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,6 +7,7 @@
# Read access to pseudo filesystems.
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
# Allow to read /sys/class/power_supply directory
allow charger sysfs_type:dir r_dir_perms;
diff --git a/public/credstore.te b/public/credstore.te
index db16a8d..a2376d2 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,3 +14,4 @@
allow credstore dropbox_service:service_manager find;
r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
diff --git a/public/dhcp.te b/public/dhcp.te
index 67fd038..1d875ab 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,6 +4,7 @@
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
diff --git a/public/domain.te b/public/domain.te
index 3f33b5b..7c2e3fe 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -118,6 +118,7 @@
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
@@ -986,6 +987,7 @@
-same_process_hal_file
-vndk_sp_file
-vendor_app_file
+ -vendor_public_framework_file
-vendor_public_lib_file
}:file execute;
')
@@ -1318,10 +1320,12 @@
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
@@ -1346,7 +1350,7 @@
neverallow {
coredomain
-appdomain
- } vendor_public_lib_file:file { execute execute_no_trans };
+ } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')
# Vendor domian must not have access to /mnt/product.
diff --git a/public/drmserver.te b/public/drmserver.te
index a24ad41..eede0fc 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -61,4 +61,5 @@
selinux_check_access(drmserver)
r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 10c0302..47071ed 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,6 +134,7 @@
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
diff --git a/public/file.te b/public/file.te
index dceb96e..39581c4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -224,6 +224,9 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
+# Type for all vendor public libraries for system. These libs should only be exposed to
+# system. ABI stability of these libs is vendor's responsibility.
+type vendor_public_framework_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -377,6 +380,7 @@
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
+type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 7295c24..d48c5f8 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -39,3 +39,4 @@
allow gatekeeperd hardware_properties_service:service_manager find;
r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7de6a13..e699a6b 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,6 +16,10 @@
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5987491..bb1bd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,6 +20,10 @@
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 99b6065..444cfda 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,6 +14,7 @@
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 4cb0c5a..f0cf075 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,6 +11,8 @@
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
allow hal_telephony_server efs_file:dir create_dir_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 79a0667..36bcc65 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,6 +13,7 @@
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index 8673846..05acb84 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,6 +11,7 @@
allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
diff --git a/public/init.te b/public/init.te
index 59e6b4e..e546ece 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,7 +103,6 @@
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
@@ -132,6 +131,8 @@
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
# /config
allow init configfs:dir mounton;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index c3f4da8..b62c06d 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,3 +13,4 @@
allow inputflinger input_device:chr_file rw_file_perms;
r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index b9c7b3e..61c8bce 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,6 +26,7 @@
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
diff --git a/public/keystore.te b/public/keystore.te
index 8c64090..c6e0daa 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -23,6 +23,7 @@
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
###
### Neverallow rules
diff --git a/public/lmkd.te b/public/lmkd.te
index c9f2e64..de6052d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,9 +26,11 @@
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
# Allow to read memcg stats
allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;
diff --git a/public/logd.te b/public/logd.te
index b0acb14..8187179 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,6 +4,7 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1f34030..06f7928 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,7 @@
hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
allow mediaextractor proc_meminfo:file r_file_perms;
crash_dump_fallback(mediaextractor)
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 0e56b07..468c0d0 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,6 +12,7 @@
allow mediametrics system_server:fd use;
r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
allow mediametrics proc_meminfo:file r_file_perms;
# allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index d32b9d9..388001d 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,6 +9,7 @@
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
diff --git a/public/performanced.te b/public/performanced.te
index 7dcb5ea..d694fda 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,3 +28,4 @@
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/public/property.te b/public/property.te
index 151983f..37884f0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -141,6 +141,7 @@
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
system_vendor_config_prop(sendbug_config_prop)
+system_vendor_config_prop(soc_prop)
system_vendor_config_prop(storage_config_prop)
system_vendor_config_prop(storagemanager_config_prop)
system_vendor_config_prop(surfaceflinger_prop)
diff --git a/public/racoon.te b/public/racoon.te
index 6888740..e4b299e 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,6 +12,7 @@
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 1ae3770..bb1c919 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,6 +2,7 @@
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/shell.te b/public/shell.te
index 1e73e49..39ed2f6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -125,6 +125,7 @@
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0bdf632..16dca64 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,6 +16,8 @@
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;
@@ -233,6 +235,7 @@
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, soc_prop)
set_prop(vendor_init, surfaceflinger_color_prop)
set_prop(vendor_init, usb_control_prop)
set_prop(vendor_init, userspace_reboot_config_prop)