Merge "Suppress spurious ipc_lock denials" into main
diff --git a/prebuilts/api/33.0/public/vold.te b/prebuilts/api/33.0/public/vold.te
index 53b2c49..b49f25f 100644
--- a/prebuilts/api/33.0/public/vold.te
+++ b/prebuilts/api/33.0/public/vold.te
@@ -328,6 +328,7 @@
 neverallow vold {
   domain
   -hal_health_storage_server
+  -hal_keymaster_server
   -system_suspend_server
   -hal_bootctl_server
   -hwservicemanager
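Review bot: The added `-hal_keymaster_server` entry widens the exemption list of this `neverallow vold` rule without any comment saying why vold needs to reach that HAL domain; the identical line is added in the public/vold.te hunk further down. The rule's class and permission set lie outside both hunks, so the access being opened cannot be confirmed from the visible lines. Each entry in this list is a hole in a restriction on a highly privileged daemon, so I would put a one-line rationale above the rule in both files, for example `# hal_keymaster_server: <reason vold must reach the keymaster HAL — fill in>`. The commit description should also state that the frozen 33.0 prebuilt was edited deliberately to stay in step with the current policy.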
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index b10103e..595d53e 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1,6 +1,9 @@
 ;; types removed from current policy
 (type racoon)
 (type racoon_exec)
+(type mtp_exec)
+(type ppp_device)
+(type ppp_exec)
 
 ;; mapping information from ToT policy's types to 34.0 policy's types.
 (expandtypeattribute (DockObserver_service_34_0) true)
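Review bot: The retired-type list gains `mtp_exec`, `ppp_device` and `ppp_exec`, but nothing visible here accounts for `mtpd_socket`, whose `/dev/socket/mtpd` label and `unix_socket_connect(system_server, mtpd, mtp)` user are both dropped in this commit. If that type's declaration is removed elsewhere it presumably needs a `(type mtpd_socket)` entry here too; if it is intentionally kept, that is worth saying. The `mtp` and `ppp` domain types likewise stay declared in public/mtp.te and public/ppp.te with all their rules removed. A short comment such as `;; mtp/ppp domains remain declared in public policy; only their exec and device types are retired` would tell the next reader that the partial removal is deliberate.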
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index c1cd3ee..b9dfe5a 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -30,7 +30,6 @@
     tv_ad_service
     threadnetwork_service
     device_config_aconfig_flags_prop
-    proc_memhealth
     virtual_device_native_service
     next_boot_prop
     binderfs_logs_stats
diff --git a/private/file_contexts b/private/file_contexts
index 765bb7b..cba5660 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -141,7 +141,6 @@
 /dev/pmsg0		u:object_r:pmsg_device:s0
 /dev/pn544		u:object_r:nfc_device:s0
 /dev/port		u:object_r:port_device:s0
-/dev/ppp		u:object_r:ppp_device:s0
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/pvrsrvkm		u:object_r:gpu_device:s0
 /dev/kmsg		u:object_r:kmsg_device:s0
@@ -166,7 +165,6 @@
 /dev/socket/statsdw	u:object_r:statsdw_socket:s0
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd	u:object_r:mtpd_socket:s0
 /dev/socket/ot-daemon(/.*)?  u:object_r:ot_daemon_socket:s0
 /dev/socket/pdx/system/buffer_hub	u:object_r:pdx_bufferhub_dir:s0
 /dev/socket/pdx/system/buffer_hub/client	u:object_r:pdx_bufferhub_client_endpoint_socket:s0
@@ -319,8 +317,6 @@
 /system/bin/dhcpcd      u:object_r:dhcp_exec:s0
 /system/bin/dhcpcd-6\.8\.2	u:object_r:dhcp_exec:s0
 /system/bin/dmesgd	u:object_r:dmesgd_exec:s0
-/system/bin/mtpd	u:object_r:mtp_exec:s0
-/system/bin/pppd	u:object_r:ppp_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6a1caf3..e4baeee 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -20,7 +20,6 @@
 genfscon proc /locks u:object_r:proc_locks:s0
 genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /memhealth u:object_r:proc_memhealth:s0
 genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
diff --git a/private/mtp.te b/private/mtp.te
deleted file mode 100644
index 732e111..0000000
--- a/private/mtp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mtp coredomain;
-
-init_daemon_domain(mtp)
diff --git a/private/ppp.te b/private/ppp.te
deleted file mode 100644
index 968b221..0000000
--- a/private/ppp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute ppp coredomain;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/property.te b/private/property.te
index a098d05..38e69bb 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,6 +2,7 @@
 system_internal_prop(adbd_prop)
 system_internal_prop(apexd_payload_metadata_prop)
 system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(crashrecovery_prop)
 system_internal_prop(device_config_core_experiments_team_internal_prop)
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_mglru_native_prop)
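Review bot: `system_internal_prop(crashrecovery_prop)` is inserted after `ctl_snapuserd_prop`, which breaks the alphabetical order the visible neighbours follow (`adbd_prop`, `apexd_payload_metadata_prop`, `ctl_snapuserd_prop`, `device_config_…`). Moving the new line one position up, directly before `system_internal_prop(ctl_snapuserd_prop)`, keeps the list sorted. A sorted list also makes a duplicate or missing declaration easier to spot in later reviews. The list continues outside the hunk, so this is judged from the visible lines only.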
diff --git a/private/property_contexts b/private/property_contexts
index be72223..aa15633 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -631,6 +631,7 @@
 
 bluetooth.core.le.vendor_capabilities.enabled        u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.sco.disable_enhanced_connection            u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.sco.managed_by_audio                       u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.core.le.dsa_transport_preference           u:object_r:bluetooth_config_prop:s0 exact string
 
 persist.nfc.debug_enabled                      u:object_r:nfc_prop:s0 exact bool
@@ -1630,3 +1631,14 @@
 
 # Properties for ThreadNetworkService
 threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
+
+# Properties for crashrecovery
+crashrecovery.attempting_factory_reset u:object_r:crashrecovery_prop:s0 exact bool
+crashrecovery.attempting_reboot u:object_r:crashrecovery_prop:s0 exact bool
+crashrecovery.boot_mitigation_count u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.boot_mitigation_start u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.max_rescue_level_attempted u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.rescue_boot_count u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.rescue_boot_start u:object_r:crashrecovery_prop:s0 exact int
+persist.crashrecovery.enable_rescue u:object_r:crashrecovery_prop:s0 exact bool
+persist.crashrecovery.last_factory_reset u:object_r:crashrecovery_prop:s0 exact int
diff --git a/private/system_server.te b/private/system_server.te
index ad45d0e..9ea2e9f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -260,7 +260,6 @@
 
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, uncrypt, uncrypt)
 
@@ -737,6 +736,7 @@
 set_prop(system_server, locale_prop)
 set_prop(system_server, timezone_metadata_prop)
 set_prop(system_server, timezone_prop)
+set_prop(system_server, crashrecovery_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
 
@@ -1139,7 +1139,6 @@
 allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_memhealth)
 r_dir_file(system_server, proc_net_type)
 r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
@@ -1580,3 +1579,7 @@
 # Allow system server to read pm.archiving.enabled prop
 # TODO(azilio): Remove system property after archiving testing is completed.
 get_prop(system_server, pm_archiving_enabled_prop)
+
+# Do not allow any domain other than init or system server to get or set the property
+neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
+neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
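Review bot: The comment above the two new neverallow rules says only init and system_server may get or set the property, but the second rule also exempts `dumpstate` from the read/write restriction on `crashrecovery_prop:file`. The comment should match what the rules enforce, so that a later audit does not mistake the dumpstate exemption for an oversight. I would reword it to `# Only init and system_server may set crashrecovery properties; dumpstate is additionally exempted from the read restriction (bugreports).` The bugreport rationale is inferred, so confirm it before committing the wording. Whether dumpstate is actually granted read access is not visible in this diff; if it is not, dropping `-dumpstate` from the rule would keep the neverallow tight.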
diff --git a/public/file.te b/public/file.te
index 2a84dd0..32c0cd8 100644
--- a/public/file.te
+++ b/public/file.te
@@ -48,7 +48,6 @@
 type proc_lowmemorykiller, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
 type proc_meminfo, fs_type, proc_type;
-type proc_memhealth, fs_type, proc_type;
 type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
diff --git a/public/mtp.te b/public/mtp.te
index add63c0..4f3ce9a 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,11 +1,2 @@
 # vpn tunneling protocol manager
 type mtp, domain;
-type mtp_exec, system_file_type, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
-allow mtp self:global_capability_class_set net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/public/ppp.te b/public/ppp.te
index b736def..29900ea 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,23 +1,2 @@
 # Point to Point Protocol daemon
 type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, system_file_type, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net_type)
-
-allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:global_capability_class_set net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/public/vold.te b/public/vold.te
index c0fdf50..ad6ef83 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -338,6 +338,7 @@
 neverallow vold {
   domain
   -hal_health_storage_server
+  -hal_keymaster_server
   -system_suspend_server
   -hal_bootctl_server
   -hwservicemanager