Merge "property_contexts: Drop COMPATIBLE_PROP guard"
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index 2fa4af6..ec5c57e 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
@@ -23,6 +23,10 @@
   unix_socket_connect(adbd, recovery, recovery)
 ')
 
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };
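Review bot: The new `unix_socket_connect(adbd, traced_consumer, traced)` rule sits outside the macro block that closes with `')` on the line above, so as far as this hunk shows it applies on every build type, and the comment does not say so. Per the comment, the consumer socket lets the peer control tracing and read traces, so I would extend the comment with the trust assumption, for example `# Applies to all builds; reachable only by a host already authorised for adb.`. If that is not the intent, the rule belongs in a guarded block. This hunk and the gpuservice.te hunk also edit the prebuilts/api/29.0 snapshot; the matching rules in the current private/ policy are not visible in this diff and should be confirmed.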
diff --git a/prebuilts/api/29.0/private/gpuservice.te b/prebuilts/api/29.0/private/gpuservice.te
index ebfff76..9e17d06 100644
--- a/prebuilts/api/29.0/private/gpuservice.te
+++ b/prebuilts/api/29.0/private/gpuservice.te
@@ -31,6 +31,10 @@
 # Needed for interactive shell
 allow gpuservice devpts:chr_file { read write getattr };
 
+# Needed for dumpstate to dumpsys gpu.
+allow gpuservice dumpstate:fd use;
+allow gpuservice dumpstate:fifo_file write;
+
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 111923f..f59b5de 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -89,6 +89,7 @@
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
 pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
 pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
diff --git a/private/gsid.te b/private/gsid.te
index 5d7b043..3ff9d67 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -135,6 +135,8 @@
       ota_image_data_file
 }:file ioctl FS_IOC_FIEMAP;
 
+allow gsid system_server:binder call;
+
 neverallow {
     domain
     -init
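Review bot: `allow gsid system_server:binder call;` is added without a comment, so the reason gsid needs to initiate binder calls into system_server is not recorded next to the rule. I would add a line above it naming the interface, e.g. `# Needed to call <system_server interface> (placeholder: name the binder service).`. The raw `call` permission is narrower than the `binder_call()` macro, which is fine if no binder objects or fds are passed back; the comment should say that this is deliberate. The neverallow block that follows continues outside the hunk.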
diff --git a/private/system_server.te b/private/system_server.te
index ebcc8f3..7c24598 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -301,6 +301,7 @@
   hal_camera_server
   hal_codec2_server
   hal_face_server
+  hal_fingerprint_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
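Review bot: The rule that this attribute list belongs to starts and ends outside the hunk, so the permission now granted over `hal_fingerprint_server` cannot be read from here. The same entry is added to a parallel list in public/dumpstate.te. If these are the lists of domains that may be signalled for stack dumps, as the neighbouring HAL entries suggest, note that the fingerprint HAL handles biometric data and confirm that what reaches a bug report is limited to backtraces. A short comment at the head of each list saying the two must be kept in sync would also help.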
diff --git a/public/app.te b/public/app.te
index 235d3f8..e5b9fd6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -317,7 +317,7 @@
 allow appdomain proc_meminfo:file r_file_perms;
 
 # For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write };
+allow appdomain app_fuse_file:file { getattr read append write map };
 
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
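Review bot: `map` is added for the whole `appdomain` attribute, which includes `isolated_app` and `ephemeral_app` (the `pdx_client` lines just below exclude them explicitly), and the comment `# For app fuse.` does not say why mmap is needed. The set already held read and write, so the reachable data does not change, and `execute` is still absent, so these files cannot be mapped executable. I would record that in the comment: `# For app fuse. map allows mmap() of app fuse files; execute is intentionally not granted.`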
diff --git a/public/dumpstate.te b/public/dumpstate.te
index b64fcdc..1e895e4 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -81,6 +81,7 @@
   hal_codec2_server
   hal_drm_server
   hal_face_server
+  hal_fingerprint_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/public/property_contexts b/public/property_contexts
index c1ed541..86f6f03 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -92,6 +92,7 @@
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
 pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
 pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
@@ -285,18 +286,6 @@
 sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
 vold.decrypt u:object_r:exported_vold_prop:s0 exact string
 
-# r/o sanitizer properties, public-readable
-ro.sanitize.address u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.cfi u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.default-ub u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.fuzzer u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.hwaddress u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.integer_overflow u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.safe-stack u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.scudo u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.thread u:object_r:exported2_default_prop:s0 exact bool
-ro.sanitize.undefined u:object_r:exported2_default_prop:s0 exact bool
-
 # vendor-init-settable|public-readable
 aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
 aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 806944f..57d8e7e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -81,5 +81,6 @@
 get_prop(update_engine_common, virtual_ab_prop)
 
 # Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common metadata_file:dir search;
 allow update_engine_common ota_metadata_file:dir rw_dir_perms;
 allow update_engine_common ota_metadata_file:file create_file_perms;
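Review bot: The added `metadata_file:dir search` rule sits directly under a comment that describes read/write/create on OTA metadata files, so a reader may take it for part of that grant. It targets a different type and carries only `search`, presumably to traverse the parent directory. I would give it its own line, such as `# Allow traversing the parent metadata directory to reach the OTA metadata files.`, so the rule is not widened later by someone matching it to the comment above.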
diff --git a/public/vold.te b/public/vold.te
index fd3ed84..e17113d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -204,6 +204,7 @@
 set_prop(vold, ctl_fuse_prop)
 set_prop(vold, restorecon_prop)
 set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;
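Review bot: `set_prop(vold, boottime_prop)` lets vold write every property labelled `boottime_prop`, and nothing in the hunk says which property vold sets or why. A one-line comment above it would record this, e.g. `# vold records <what> under boottime_prop (placeholder: name the property).`. If only a single property is needed, a dedicated property type would keep the grant narrower. The surrounding set_prop list continues outside the hunk.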