Merge "Suppress spurious ipc_lock denials" into main
diff --git a/prebuilts/api/33.0/public/vold.te b/prebuilts/api/33.0/public/vold.te
index 53b2c49..b49f25f 100644
--- a/prebuilts/api/33.0/public/vold.te
+++ b/prebuilts/api/33.0/public/vold.te
@@ -328,6 +328,7 @@
neverallow vold {
domain
-hal_health_storage_server
+ -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index b10103e..595d53e 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1,6 +1,9 @@
;; types removed from current policy
(type racoon)
(type racoon_exec)
+(type mtp_exec)
+(type ppp_device)
+(type ppp_exec)
;; mapping information from ToT policy's types to 34.0 policy's types.
(expandtypeattribute (DockObserver_service_34_0) true)
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index c1cd3ee..b9dfe5a 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -30,7 +30,6 @@
tv_ad_service
threadnetwork_service
device_config_aconfig_flags_prop
- proc_memhealth
virtual_device_native_service
next_boot_prop
binderfs_logs_stats
diff --git a/private/file_contexts b/private/file_contexts
index 765bb7b..cba5660 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -141,7 +141,6 @@
/dev/pmsg0 u:object_r:pmsg_device:s0
/dev/pn544 u:object_r:nfc_device:s0
/dev/port u:object_r:port_device:s0
-/dev/ppp u:object_r:ppp_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
@@ -166,7 +165,6 @@
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd u:object_r:mtpd_socket:s0
/dev/socket/ot-daemon(/.*)? u:object_r:ot_daemon_socket:s0
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
@@ -319,8 +317,6 @@
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/dmesgd u:object_r:dmesgd_exec:s0
-/system/bin/mtpd u:object_r:mtp_exec:s0
-/system/bin/pppd u:object_r:ppp_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6a1caf3..e4baeee 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -20,7 +20,6 @@
genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /memhealth u:object_r:proc_memhealth:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
diff --git a/private/mtp.te b/private/mtp.te
deleted file mode 100644
index 732e111..0000000
--- a/private/mtp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mtp coredomain;
-
-init_daemon_domain(mtp)
diff --git a/private/ppp.te b/private/ppp.te
deleted file mode 100644
index 968b221..0000000
--- a/private/ppp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute ppp coredomain;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/property.te b/private/property.te
index a098d05..38e69bb 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,6 +2,7 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(crashrecovery_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index be72223..aa15633 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -631,6 +631,7 @@
bluetooth.core.le.vendor_capabilities.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.sco.managed_by_audio u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.le.dsa_transport_preference u:object_r:bluetooth_config_prop:s0 exact string
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
@@ -1630,3 +1631,14 @@
# Properties for ThreadNetworkService
threadnetwork.country_code u:object_r:threadnetwork_config_prop:s0 exact string
+
+# Properties for crashrecovery
+crashrecovery.attempting_factory_reset u:object_r:crashrecovery_prop:s0 exact bool
+crashrecovery.attempting_reboot u:object_r:crashrecovery_prop:s0 exact bool
+crashrecovery.boot_mitigation_count u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.boot_mitigation_start u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.max_rescue_level_attempted u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.rescue_boot_count u:object_r:crashrecovery_prop:s0 exact int
+crashrecovery.rescue_boot_start u:object_r:crashrecovery_prop:s0 exact int
+persist.crashrecovery.enable_rescue u:object_r:crashrecovery_prop:s0 exact bool
+persist.crashrecovery.last_factory_reset u:object_r:crashrecovery_prop:s0 exact int
diff --git a/private/system_server.te b/private/system_server.te
index ad45d0e..9ea2e9f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -260,7 +260,6 @@
# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, uncrypt, uncrypt)
@@ -737,6 +736,7 @@
set_prop(system_server, locale_prop)
set_prop(system_server, timezone_metadata_prop)
set_prop(system_server, timezone_prop)
+set_prop(system_server, crashrecovery_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
@@ -1139,7 +1139,6 @@
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_memhealth)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
@@ -1580,3 +1579,7 @@
# Allow system server to read pm.archiving.enabled prop
# TODO(azilio): Remove system property after archiving testing is completed.
get_prop(system_server, pm_archiving_enabled_prop)
+
+# Do not allow any domain other than init or system server to get or set the property
+neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
+neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
diff --git a/public/file.te b/public/file.te
index 2a84dd0..32c0cd8 100644
--- a/public/file.te
+++ b/public/file.te
@@ -48,7 +48,6 @@
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
-type proc_memhealth, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
diff --git a/public/mtp.te b/public/mtp.te
index add63c0..4f3ce9a 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,11 +1,2 @@
# vpn tunneling protocol manager
type mtp, domain;
-type mtp_exec, system_file_type, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
-allow mtp self:global_capability_class_set net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/public/ppp.te b/public/ppp.te
index b736def..29900ea 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,23 +1,2 @@
# Point to Point Protocol daemon
type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, system_file_type, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net_type)
-
-allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:global_capability_class_set net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/public/vold.te b/public/vold.te
index c0fdf50..ad6ef83 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -338,6 +338,7 @@
neverallow vold {
domain
-hal_health_storage_server
+ -hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
-hwservicemanager