Merge "Selinux policy for new userspace reboot logging dir"
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 0082827..7968b79 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -29,7 +29,7 @@
 allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
 
 # To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 558dd92..3c7758a 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -1059,6 +1059,7 @@
 define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
 define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
 define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 91ee117..cfbd6e5 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
     apex_info_file
     debugfs_kprobes
     gnss_device
+    hal_dumpstate_config_prop
     keystore2_key_contexts_file
     mediatranscoding_tmpfs
     people_service
diff --git a/private/gsid.te b/private/gsid.te
index 3ff9d67..9d07adb 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -133,7 +133,10 @@
 allowxperm gsid {
       gsi_data_file
       ota_image_data_file
-}:file ioctl FS_IOC_FIEMAP;
+}:file ioctl {
+      FS_IOC_FIEMAP
+      FS_IOC_GETFLAGS
+};
 
 allow gsid system_server:binder call;
 
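Review bot: `FS_IOC_GETFLAGS` is added to the gsid ioctl allowlist for `gsi_data_file` and `ota_image_data_file` with no stated reason anywhere in the hunk. The request only reads inode flags, so the added exposure looks small, but ioctl allowlists are easier to audit when each entry has a purpose next to it. A comment above the rule such as `# FS_IOC_GETFLAGS: <why gsid inspects inode flags on image files>` would cover it. Any existing comment for this rule sits above the hunk and is not visible here.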
diff --git a/private/property.te b/private/property.te
index d62ea9c..2d3d861 100644
--- a/private/property.te
+++ b/private/property.te
@@ -446,3 +446,10 @@
   -dumpstate
   -appdomain
 } camera_calibration_prop:file no_rw_file_perms;
+
+neverallow {
+  -init
+  -dumpstate
+  -hal_dumpstate_server
+  not_compatible_property(`-vendor_init')
+} hal_dumpstate_config_prop:file no_rw_file_perms;
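Review bot: The source set of the new neverallow contains only exclusions (`-init`, `-dumpstate`, `-hal_dumpstate_server` and the conditional `-vendor_init`) and no positive type for them to be subtracted from. As far as I know the policy compiler expands a negation-only set to the empty set, in which case the rule asserts nothing and a later `allow` giving another domain read access to `hal_dumpstate_config_prop` would not fail the build. Put `domain` as the first entry of the set so the exclusions are removed from every domain. The tail of the preceding `camera_calibration_prop` rule is visible in the context lines but its opening is outside the hunk, so it is worth checking for the same shape.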
diff --git a/private/property_contexts b/private/property_contexts
index 0c563fd..2397150 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -517,6 +517,7 @@
 
 dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
 dumpstate.unroot  u:object_r:exported_dumpstate_prop:s0 exact bool
+persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
 
 hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
 
diff --git a/private/system_server.te b/private/system_server.te
index b7867a1..8191b6a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -29,7 +29,7 @@
 allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
 
 # To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
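Review bot: The comment above the `apk_data_file` rule still describes only reading the signature and filling data blocks, while the rule now also permits `INCFS_IOCTL_GET_FILLED_BLOCKS`. Extend it so the allowlist matches its stated purpose, for example `# To get signature of an APK installed on Incremental File System, fill in data blocks and query filled blocks` (the last part is inferred from the ioctl name; adjust to the real caller). The identical line is changed in prebuilts/api/30.0/private/system_server.te and should carry the same wording.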
@@ -930,7 +930,7 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
 allow system_server cgroup_v2:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
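Review bot: Changing `cgroup_v2:dir` from `r_dir_perms` to `rw_dir_perms` gives system_server write, add_name and remove_name on every directory labelled `cgroup_v2`, and nothing in the hunk says which operation needs it. system_server is a large, highly privileged domain, so the widening should be justified where it is made. Add a comment above the rule such as `# system_server needs to <operation> in the cgroup v2 hierarchy`, and confirm that `rw_dir_perms` is the narrowest macro that covers that operation.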
diff --git a/public/attributes b/public/attributes
index f5663a9..f1e9c92 100644
--- a/public/attributes
+++ b/public/attributes
@@ -108,9 +108,9 @@
 # Currently there are no enforcements between /system and /product, so for now
 # /product attributes are just replaced to /system attributes.
 define(`product_property_type',   `system_property_type')
-define(`product_internal_type',   `system_internal_property_type')
-define(`product_restricted_type', `system_restricted_property_type')
-define(`product_public_type',     `system_public_property_type')
+define(`product_internal_property_type',   `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type',     `system_public_property_type')
 
 # All properties defined by /vendor.
 attribute vendor_property_type;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index b7676ed..9f854e3 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,8 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
+set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
+
 hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
 
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
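Review bot: `set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)` gives every dumpstate HAL implementation write access to a persistent property, and the line has no comment saying why the HAL must set the value rather than only read it. The neverallow added in private/property.te in this commit restricts file access to the property only. Nothing visible in this diff pins which domains may set it. If the HAL only consumes the flag, `get_prop(hal_dumpstate_server, hal_dumpstate_config_prop)` would be enough. Otherwise add a comment such as `# The dumpstate HAL stores its verbose-logging setting in this property` above the line.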
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 558dd92..3c7758a 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1059,6 +1059,7 @@
 define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
 define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
 define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/property.te b/public/property.te
index 3c913b1..34ed999 100644
--- a/public/property.te
+++ b/public/property.te
@@ -169,6 +169,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
 system_public_prop(hwservicemanager_prop)
 system_public_prop(lmkd_prop)