Merge changes from topic "fix_missing_set_denials"
* changes:
Add build properties for attestation feature
Allow vendor_init to set properties for recovery/fastbootd USB IDs
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 454a873..d531647 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -9,6 +9,7 @@
apex_ready_prop
artd
bt_device
+ build_attestation_prop
credential_service
device_config_camera_native_prop
device_config_memory_safety_native_boot_prop
@@ -39,6 +40,7 @@
ondevicepersonalization_system_service
permissive_mte_prop
prng_seeder
+ recovery_usb_config_prop
remote_provisioning_service
rkpdapp
servicemanager_prop
diff --git a/private/incidentd.te b/private/incidentd.te
index c1314a8..e86b3bf 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -193,6 +193,9 @@
get_prop(incidentd, last_boot_reason_prop);
')
+# Allow incident to read the build properties for attestation feature
+get_prop(incidentd, build_attestation_prop);
+
###
### neverallow rules
###
diff --git a/private/property_contexts b/private/property_contexts
index 6f51fe8..c9b6bfc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -703,6 +703,10 @@
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
+ro.recovery.usb.vid u:object_r:recovery_usb_config_prop:s0 exact string
+ro.recovery.usb.adb.pid u:object_r:recovery_usb_config_prop:s0 exact string
+ro.recovery.usb.fastboot.pid u:object_r:recovery_usb_config_prop:s0 exact string
+
ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
@@ -1064,6 +1068,11 @@
ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
+# build props for attestation feature are set by property_service
+ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
diff --git a/private/zygote.te b/private/zygote.te
index 0df84db..9c47468 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -195,6 +195,9 @@
allow zygote same_process_hal_file:file { execute read open getattr map };
+# Allow zygote to read build properties for attestation feature
+get_prop(zygote, build_attestation_prop)
+
# Allow the zygote to access storage properties to check if sdcardfs is enabled.
get_prop(zygote, storage_config_prop);
diff --git a/public/property.te b/public/property.te
index 710f404..c41aa91 100644
--- a/public/property.te
+++ b/public/property.te
@@ -130,6 +130,7 @@
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(bootanim_config_prop)
system_vendor_config_prop(bluetooth_config_prop)
+system_vendor_config_prop(build_attestation_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
@@ -164,6 +165,7 @@
system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(recovery_usb_config_prop)
system_vendor_config_prop(sendbug_config_prop)
system_vendor_config_prop(soc_prop)
system_vendor_config_prop(storage_config_prop)