Merge "Fix dumpstate denials related to ot_daemon" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9e047df..9118cba 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -51,6 +51,7 @@
"android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index d9767ed..54dc1f3 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -150,6 +150,8 @@
/dev/gnss10 gnss_device
/dev/graphics graphics_device
/dev/graphics/test graphics_device
+/dev/hidraw0 hidraw_device
+/dev/hidraw1 hidraw_device
/dev/hw_random hw_random_device
/dev/hwbinder hwbinder_device
/dev/input input_device
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ea10df5..5ea924a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -295,3 +295,6 @@
# anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage.
neverallow all_untrusted_apps domain:anon_inode *;
+
+# Do not allow untrusted app access to hidraw devices.
+neverallow all_untrusted_apps hidraw_device:chr_file *;
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 5bbfecc..2c9961d 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -16,8 +16,10 @@
hal_macsec_service
hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service
+ hidraw_device
virtual_camera_service
ot_daemon_service
+ pm_archiving_enabled_prop
remote_auth_service
security_state_service
setupwizard_mode_prop
diff --git a/private/file_contexts b/private/file_contexts
index 32092da..3cfbaf0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -127,6 +127,7 @@
/dev/fuse u:object_r:fuse_device:s0
/dev/gnss[0-9]+ u:object_r:gnss_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hidraw[0-9]+ u:object_r:hidraw_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/input(/.*)? u:object_r:input_device:s0
diff --git a/private/property.te b/private/property.te
index d599751..ff0b693 100644
--- a/private/property.te
+++ b/private/property.te
@@ -711,3 +711,10 @@
-system_app
-device_as_webcam
} usb_uvc_enabled_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} pm_archiving_enabled_prop:property_service set;
+
diff --git a/private/property_contexts b/private/property_contexts
index a8ac38a..4166c55 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1607,5 +1607,9 @@
# Properties for sensor service
sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
-# Propertues for game manager service
+# Properties for game manager service
persist.graphics.game_default_frame_rate.enabled u:object_r:game_manager_config_prop:s0 exact bool
+
+# Properties for app archiving
+pm.archiving.enabled u:object_r:pm_archiving_enabled_prop:s0 exact bool
+
diff --git a/private/service_contexts b/private/service_contexts
index 90fb943..2209c6a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -29,6 +29,7 @@
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
+android.hardware.bluetooth.finder.IBluetoothFinder/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 055c9f9..88c3a62 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -165,6 +165,9 @@
# Settings app reads ro.usb.uvc.enabled
get_prop(system_app, usb_uvc_enabled_prop)
+# Settings and Launcher apps read pm.archiving.enabled
+get_prop(system_app, pm_archiving_enabled_prop)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 8c26cc7..bab31ae 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -480,6 +480,8 @@
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server uhid_device:chr_file rw_file_perms;
+allow system_server hidraw_device:dir r_dir_perms;
+allow system_server hidraw_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
diff --git a/public/device.te b/public/device.te
index 4a824c9..f842d33 100644
--- a/public/device.te
+++ b/public/device.te
@@ -64,6 +64,7 @@
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
+type hidraw_device, dev_type;
# All devices have a uart for the hci
# attach service. The uart dev node
diff --git a/public/property.te b/public/property.te
index 44b0aef..b072b5b 100644
--- a/public/property.te
+++ b/public/property.te
@@ -198,6 +198,7 @@
system_vendor_config_prop(tuner_config_prop)
system_vendor_config_prop(usb_uvc_enabled_prop)
system_vendor_config_prop(setupwizard_mode_prop)
+system_vendor_config_prop(pm_archiving_enabled_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)