Merge "Allow crosvm to write shell_data_file"
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 538c977..bd3668f 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,5 +5,5 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
-
+ device_config_vendor_system_native_prop
))
diff --git a/private/file.te b/private/file.te
index 5a843f9..1afa50f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -62,6 +62,7 @@
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/font/files
diff --git a/private/file_contexts b/private/file_contexts
index b4f42cf..af51799 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -589,6 +589,7 @@
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
diff --git a/private/property.te b/private/property.te
index 15a46a2..2a88cbf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -47,7 +47,6 @@
system_internal_prop(virtualizationservice_prop)
# Properties which can't be written outside system
-system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
###
diff --git a/private/property_contexts b/private/property_contexts
index 6abfacd..55b3159 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -352,6 +352,9 @@
# Boolean property used in AudioService to configure whether
# spatializer functionality should be initialized
ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioService to configure whether
+# to enable head tracking for spatial audio
+ro.audio.headtracking_enabled u:object_r:audio_config_prop:s0 exact bool
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 46e7be8..d30d3d9 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -33,6 +33,7 @@
allow sdk_sandbox game_service:service_manager find;
allow sdk_sandbox gpu_service:service_manager find;
allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox imms_service:service_manager find;
allow sdk_sandbox input_method_service:service_manager find;
@@ -89,6 +90,8 @@
allow sdk_sandbox vcn_management_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
diff --git a/private/system_server.te b/private/system_server.te
index 274da18..59a56b6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1364,12 +1364,14 @@
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:file create_file_perms;
diff --git a/private/toolbox.te b/private/toolbox.te
index a2b958d..1e53d72 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,7 @@
typeattribute toolbox coredomain;
init_daemon_domain(toolbox)
+
+# rm -rf in /data/misc/virtualizationservice
+allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
+allow toolbox virtualizationservice_data_file:file { getattr unlink };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index ceee544..26077f3 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,9 +176,7 @@
# permission. The protection level of the permission is `signature|development`
# so that it can only be granted to either platform-key signed apps or
# test-only apps having `android:testOnly="true"` in its manifest.
-userdebug_or_eng(`
- virtualizationservice_use(untrusted_app_all)
-')
+virtualizationservice_use(untrusted_app_all)
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 3171ee0..24007ed 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -56,6 +56,7 @@
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:dir relabelfrom;
diff --git a/public/property.te b/public/property.te
index 8ddc774..58a4525 100644
--- a/public/property.te
+++ b/public/property.te
@@ -67,6 +67,7 @@
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
+system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)