Merge changes from topic "202404_sepolicy_mapping" into main
* changes:
Add 202404 mapping files
Vendor API level 202404 is now frozen
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index e0f6610..4806270 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -361,6 +361,7 @@
"notification": EXCEPTION_NO_FUZZER,
"oem_lock": EXCEPTION_NO_FUZZER,
"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
+ "on_device_intelligence": EXCEPTION_NO_FUZZER,
"otadexopt": EXCEPTION_NO_FUZZER,
"ot_daemon": []string{"ot_daemon_service_fuzzer"},
"overlay": EXCEPTION_NO_FUZZER,
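Review bot: The new `on_device_intelligence` entry is exempted from the service fuzzer requirement, while the same change declares the service `app_api_service` and `isolated_compute_allowed_service` in private/service.te and maps it in private/service_contexts, so a binder interface reachable from app and isolated domains lands with no fuzzer coverage. A short comment on the line stating why a fuzzer cannot be built yet, or naming the tracking entry, would make the exemption reviewable later, e.g. `"on_device_intelligence": EXCEPTION_NO_FUZZER, // TODO(<tracking-id placeholder>): add service fuzzer`. The surrounding map literal starts and ends outside the hunk.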
diff --git a/private/property.te b/private/property.te
index e06c7e7..ae471d0 100644
--- a/private/property.te
+++ b/private/property.te
@@ -44,6 +44,7 @@
system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
+system_internal_prop(snapshotctl_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(system_audio_config_prop)
diff --git a/private/property_contexts b/private/property_contexts
index cb22d64..024d185 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1659,3 +1659,7 @@
crashrecovery.rescue_boot_start u:object_r:crashrecovery_prop:s0 exact int
persist.crashrecovery.enable_rescue u:object_r:crashrecovery_prop:s0 exact bool
persist.crashrecovery.last_factory_reset u:object_r:crashrecovery_prop:s0 exact int
+
+# Properties for controlling snapshotctl.
+sys.snapshotctl.map u:object_r:snapshotctl_prop:s0 exact string
+sys.snapshotctl.unmap u:object_r:snapshotctl_prop:s0 exact string
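Review bot: The two new `sys.snapshotctl.*` properties are labelled `snapshotctl_prop` here and declared `system_internal_prop` in private/property.te, but no rule in this change grants any domain `get` or `set` on `snapshotctl_prop` (private/snapshotctl.te only adds `ctl_snapuserd_prop` and `snapuserd_prop` access), so either the access rules live in a file outside this diff or the properties cannot be used as landed. The header comment could name the intended writer and reader so the access pattern is auditable, e.g. `# Properties for controlling snapshotctl (set by <setter placeholder>, read by snapshotctl).` Since both values are free-form `string`s that presumably name what snapshotctl should map or unmap, the consumer should treat them as untrusted input and validate them before use; that is an inference from the names, not visible in the hunk.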
diff --git a/private/service.te b/private/service.te
index c4e7cbc..cce3be4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -11,6 +11,7 @@
type logcat_service, system_server_service, service_manager_type;
type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
+type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
type rkpd_registrar_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 3138d90..e45f87c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -342,6 +342,7 @@
notification u:object_r:notification_service:s0
oem_lock u:object_r:oem_lock_service:s0
ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
+on_device_intelligence u:object_r:on_device_intelligence_service:s0
otadexopt u:object_r:otadexopt_service:s0
ot_daemon u:object_r:ot_daemon_service:s0
overlay u:object_r:overlay_service:s0
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index fb2bbca..c92217d 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -43,3 +43,22 @@
allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
')
+
+# Allow to read /proc/bootconfig.
+allow snapshotctl proc_bootconfig:file r_file_perms;
+
+# Allow to control snapuserd.
+set_prop(snapshotctl, ctl_snapuserd_prop)
+
+# Allow to read snapuserd.* properties.
+get_prop(snapshotctl, snapuserd_prop)
+
+# Allow to talk to snapuserd.
+allow snapshotctl snapuserd_socket:sock_file write;
+allow snapshotctl snapuserd:unix_stream_socket { connectto };
+
+# Allow to read /dev/block/dm-* (device-mapper) nodes.
+allow snapshotctl dm_device:blk_file r_file_perms;
+
+# Allow to read dm-user control nodes.
+allow snapshotctl dm_user_device:dir search;
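Review bot: The comment `# Allow to read dm-user control nodes.` overstates the rule below it: `allow snapshotctl dm_user_device:dir search;` grants only directory traversal, not any read on the nodes themselves, so either the comment should read `# Allow searching the dm-user control directory.` or a rule on the node file class is missing; which one is intended is not visible from the hunk. Separately, `allow snapshotctl dm_device:blk_file r_file_perms;` grants raw read access to every device-mapper block node, not just snapshot devices; if that breadth is required, a comment saying why would help future audits. As a point of style, the new comments all use the form "Allow to read …"; "Allow reading …" or "Allow snapshotctl to read …" is the usual phrasing.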
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 3752e01..fda3fd1 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -71,3 +71,14 @@
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
io_uring_use(snapuserd)
+
+# Disallow other domains controlling snapuserd.
+neverallow {
+ domain
+ -fastbootd
+ -init
+ -recovery
+ -shell
+ -snapshotctl
+ -update_engine
+} ctl_snapuserd_prop:property_service set;
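Review bot: The `-shell` exemption in the new neverallow leaves the `shell` domain free to set `ctl_snapuserd_prop`, i.e. to start or stop snapuserd from a shell, which weakens the guarantee the comment `# Disallow other domains controlling snapuserd.` announces. If shell needs this only for tests or debugging, a comment on that line saying so (and, where possible, confining the matching `set_prop` grant to userdebug/eng builds) would make the exemption auditable; if it is needed on user builds, the reason belongs in the comment. Note that the neverallow covers only the `set` permission, which matches the stated intent, so the property's read side is unaffected by this rule.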