Merge "Allow system_server to read from postinstall scripts through STDIN." into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4607f9d..a0933b4 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -936,8 +936,10 @@
/data/misc/apexdata/com.android.tethering/test apex_tethering_data_file
/data/misc/apexdata/com.android.tethering/threadnetwork apex_tethering_data_file
/data/misc/apexdata/com.android.tethering/threadnetwork/test apex_tethering_data_file
-/data/misc/apexdata/com.android.uwb apex_system_server_data_file
-/data/misc/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/test apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/log apex_uwb_data_file
+/data/misc/apexdata/com.android.uwb/log/test apex_uwb_data_file
/data/misc/apexdata/com.android.wifi apex_system_server_data_file
/data/misc/apexdata/com.android.wifi/test apex_system_server_data_file
/data/misc/apexrollback apex_rollback_data_file
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index ca0f459..b93b56a 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,3 +1,8 @@
+;; This type may or may not already exist in vendor policy. Re-define it here - duplicate
+;; definitions in CIL will be ignored - so we can reference it in 202404.cil.
+(type vendor_hidraw_device)
+(typeattributeset dev_type (vendor_hidraw_device))
+
;; mapping information from ToT policy's types to 202404 policy's types.
(expandtypeattribute (DockObserver_service_202404) true)
(expandtypeattribute (IProxyService_service_202404) true)
@@ -1952,7 +1957,7 @@
(typeattributeset hidl_manager_hwservice_202404 (hidl_manager_hwservice))
(typeattributeset hidl_memory_hwservice_202404 (hidl_memory_hwservice))
(typeattributeset hidl_token_hwservice_202404 (hidl_token_hwservice))
-(typeattributeset hidraw_device_202404 (hidraw_device))
+(typeattributeset hidraw_device_202404 (hidraw_device vendor_hidraw_device))
(typeattributeset hint_service_202404 (hint_service))
(typeattributeset hw_random_device_202404 (hw_random_device))
(typeattributeset hw_timeout_multiplier_prop_202404 (hw_timeout_multiplier_prop))
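Review bot: Adding `vendor_hidraw_device` to `hidraw_device_202404` means every rule that 202404 vendor policy wrote against `hidraw_device` will, once mapped, also apply to nodes labelled `vendor_hidraw_device`. Neither this line nor the new comment at the top of the file says whether that widening is intended. A one-line comment above the mapping would make the intent reviewable, for example `;; nodes now labelled vendor_hidraw_device were hidraw_device in 202404; keep vendor rules working`, if that is the reason (it is not visible in this diff). The header comment's claim that duplicate type definitions are ignored presumably depends on how the CIL compiler is invoked for this file, and would be safer if it said so.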
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 2a11a55..efeeff7 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -8,6 +8,7 @@
profcollectd_etr_prop
fs_bpf_lmkd_memevents_rb
fs_bpf_lmkd_memevents_prog
+ fstype_prop
binderfs_logs_transactions
binderfs_logs_transaction_history
proc_compaction_proactiveness
diff --git a/private/dumpstate.te b/private/dumpstate.te
index a64f7c7..a60b6a5 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -368,6 +368,12 @@
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;
+# For uwb
+allow dumpstate apex_module_data_file:dir search;
+allow dumpstate apex_system_server_data_file:dir search;
+allow dumpstate apex_uwb_data_file:dir r_dir_perms;
+allow dumpstate apex_uwb_data_file:file r_file_perms;
+
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
allow dumpstate gpu_device:dir r_dir_perms;
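Review bot: The `search` grant on `apex_system_server_data_file:dir` under `# For uwb` looks broader than the uwb path needs. With the file_contexts change in this commit, `/data/misc/apexdata/com.android.uwb` itself is labelled `apex_uwb_data_file`, so presumably only the parent directory's label has to be traversed. If the rule is kept for directories that still carry the old label, or for a path component not visible here, the comment should say so, e.g. `# For uwb logs under /data/misc/apexdata/com.android.uwb; apex_system_server_data_file search needed because <reason>`. Otherwise dropping it keeps dumpstate out of the other system_server APEX data directories.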
@@ -561,3 +567,21 @@
-traceur_app
-dumpstate
} dumpstate_service:service_manager find;
+
+# only dumpstate, system_server and related others to access apex_uwb_data_file
+neverallow {
+ domain
+ -dumpstate
+ -system_server
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_uwb_data_file:dir no_rw_file_perms;
+neverallow {
+ domain
+ -dumpstate
+ -system_server
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_uwb_data_file:file no_rw_file_perms;
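Review bot: The first neverallow applies `no_rw_file_perms` to the `dir` class, so directory-only permissions such as `add_name`, `remove_name` and `rmdir` are not part of the assertion. Plain `write` is covered and those operations normally need it too, so this is a defence-in-depth gap rather than an open hole. Consider widening the dir rule, for example `} apex_uwb_data_file:dir { no_rw_file_perms add_name remove_name rmdir };`, after confirming that no existing rule outside the exempted domains trips it. The comment's `related others` would also be clearer if it said why apexd, init and vold_prepare_subdirs are exempt. Since the rule guards the type rather than the dumpstate domain, it may be easier to find next to the other apex data rules than at the end of dumpstate.te.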
diff --git a/private/file.te b/private/file.te
index 54016aa..f8a48cd 100644
--- a/private/file.te
+++ b/private/file.te
@@ -86,6 +86,9 @@
# /data/misc/apexdata/com.android.tethering
type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+# /data/misc/apexdata/com.android.uwb
+type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
@@ -205,4 +208,4 @@
type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/misc_ce/userId/storage_area_keys
-type storage_area_key_file, file_type, data_file_type, core_data_file_type;
\ No newline at end of file
+type storage_area_key_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index b82b4f0..ffc06f2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -638,7 +638,7 @@
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_tethering_data_file:s0
-/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_uwb_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
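Review bot: Nothing in this diff shows how an existing `/data/misc/apexdata/com.android.uwb` tree on an upgraded device moves from `apex_system_server_data_file` to `apex_uwb_data_file`. If no recursive restorecon covers that directory at boot, existing files keep the old label. In that case dumpstate's new `r_file_perms` grant on `apex_uwb_data_file` would not reach them, and the new neverallow on that type would not protect them. It is worth confirming the relabel path, or noting it in the commit message, before relying on the new type.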
diff --git a/private/property.te b/private/property.te
index 3b7fad3..a55bfb2 100644
--- a/private/property.te
+++ b/private/property.te
@@ -69,6 +69,7 @@
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
+system_restricted_prop(fstype_prop)
system_restricted_prop(log_file_logger_prop)
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 81370c0..d22ee7d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -973,6 +973,7 @@
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
+ro.fstype.data u:object_r:fstype_prop:s0 exact string
ro.build.characteristics u:object_r:build_prop:s0 exact string
ro.build.date u:object_r:build_prop:s0 exact string
diff --git a/private/system_server.te b/private/system_server.te
index fadaa28..406c146 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1465,6 +1465,8 @@
allow system_server apex_system_server_data_file:file create_file_perms;
allow system_server apex_tethering_data_file:dir create_dir_perms;
allow system_server apex_tethering_data_file:file create_file_perms;
+allow system_server apex_uwb_data_file:dir create_dir_perms;
+allow system_server apex_uwb_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286)
allow system_server {
apex_appsearch_data_file
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 6944a41..72157ad 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -15,6 +15,10 @@
# Let vendor_init use apex.<name>.ready to start services from vendor APEX
get_prop(vendor_init, apex_ready_prop)
+# Let vendor_init read ro.fstype.data to process init.rc triggers
+# for this property
+get_prop(vendor_init, fstype_prop)
+
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type