Merge changes I04f3b9ea,I81c583b0 into main
* changes:
Remove SELinux rules for dexoptanalyzer.
Add neverallow rules to ensure successful kill by artd.
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 14b68ad..ed12f10 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -10,5 +10,4 @@
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
-/bin/oatdump u:object_r:oatdump_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index efeeff7..6874821 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -13,4 +13,5 @@
binderfs_logs_transaction_history
proc_compaction_proactiveness
proc_cgroups
+ sysfs_udc
))
diff --git a/private/file.te b/private/file.te
index f8a48cd..d30465b 100644
--- a/private/file.te
+++ b/private/file.te
@@ -38,6 +38,7 @@
type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
# /apex/com.android.art/bin/oatdump
+# TODO (b/350628688): Remove this once it's safe to do so.
type oatdump_exec, system_file_type, exec_type, file_type;
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ac59c9a..de2b139 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -136,6 +136,7 @@
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /class/udc u:object_r:sysfs_udc:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
diff --git a/private/property.te b/private/property.te
index 77fd497..7907dbc 100644
--- a/private/property.te
+++ b/private/property.te
@@ -68,12 +68,14 @@
system_internal_prop(suspend_debug_prop)
system_internal_prop(system_service_enable_prop)
+
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(fstype_prop)
system_restricted_prop(log_file_logger_prop)
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
+system_restricted_prop(page_size_prop)
# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 601dc99..7a27625 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -415,6 +415,9 @@
audio.spatializer.pose_predictor_type u:object_r:audio_config_prop:s0 exact enum 0 1 2 3
audio.spatializer.prediction_duration_ms u:object_r:audio_config_prop:s0 exact int
+# Timestamp correction for MSD
+audio.timestamp.corrected_output_device u:object_r:audio_config_prop:s0 exact int
+
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
@@ -1022,6 +1025,9 @@
# Property for enabling 16k pages developer option.
ro.product.build.16k_page.enabled u:object_r:enable_16k_pages_prop:s0 exact bool
+# Property that indicates which page size the device boots by default.
+ro.product.page_size u:object_r:page_size_prop:s0 exact int
+
ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
ro.force.debuggable u:object_r:build_prop:s0 exact bool
diff --git a/private/shell.te b/private/shell.te
index d613a94..6d6e06f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -262,6 +262,7 @@
get_prop(shell, build_attestation_prop)
# Allow shell to execute oatdump.
+# TODO (b/350628688): Remove this once it's safe to do so.
allow shell oatdump_exec:file rx_file_perms;
# Allow shell access to socket for test
diff --git a/private/system_server.te b/private/system_server.te
index 7de8542..1c9f732 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1264,6 +1264,9 @@
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
+# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
+allow system_server sysfs_type:dir search;
+r_dir_file(system_server, sysfs_udc)
# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)
diff --git a/private/uprobestats.te b/private/uprobestats.te
index f6dd906..2c5711f 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -16,7 +16,7 @@
allow uprobestats sysfs_uprobe:dir { search };
# Allow uprobestats to popen oatdump.
-allow uprobestats oatdump_exec:file rx_file_perms;
+allow uprobestats system_file:file rx_file_perms;
# Allow uprobestats to write atoms to statsd
unix_socket_send(uprobestats, statsdw, statsd)
diff --git a/public/file.te b/public/file.te
index 9f75f05..b28ca85 100644
--- a/public/file.te
+++ b/public/file.te
@@ -105,6 +105,9 @@
type cgroup_v2, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
+starting_at_board_api(202504, `
+ type sysfs_udc, fs_type, sysfs_type;
+')
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;