Merge "Add property to skip idle for zram writeback"
diff --git a/apex/Android.bp b/apex/Android.bp
index 8eedfab..19a44c7 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -63,6 +63,13 @@
 }
 
 filegroup {
+  name: "com.android.ipsec-file_contexts",
+  srcs: [
+    "com.android.ipsec-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.i18n-file_contexts",
   srcs: [
     "com.android.i18n-file_contexts",
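Review bot: The new `com.android.ipsec-file_contexts` filegroup names a source file that this diff does not add. In the other direction, the diff adds `com.android.bluetooth.updatable-file_contexts`, `com.android.cronet-file_contexts`, `com.android.incremental-file_contexts` and `com.android.telephony-file_contexts` without a matching filegroup in either hunk of this file. If the ipsec file is not already in the tree the build will presumably fail on the missing source. The four unreferenced files likely cannot be used through a `:name` reference until each gets an entry such as `filegroup { name: "com.android.cronet-file_contexts", srcs: ["com.android.cronet-file_contexts"], }`.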
@@ -77,6 +84,13 @@
 }
 
 filegroup {
+  name: "com.android.mediaprovider-file_contexts",
+  srcs: [
+    "com.android.mediaprovider-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.media.swcodec-file_contexts",
   srcs: [
     "com.android.media.swcodec-file_contexts",
diff --git a/apex/com.android.bluetooth.updatable-file_contexts b/apex/com.android.bluetooth.updatable-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.bluetooth.updatable-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/apex/com.android.cronet-file_contexts b/apex/com.android.cronet-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.cronet-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/apex/com.android.incremental-file_contexts b/apex/com.android.incremental-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.incremental-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/apex/com.android.mediaprovider-file_contexts b/apex/com.android.mediaprovider-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.mediaprovider-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
index f3a65d4..2d59dda 100644
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@@ -1 +1,2 @@
 (/.*)?                u:object_r:system_file:s0
+/bin/derive_sdk       u:object_r:derive_sdk_exec:s0
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.telephony-file_contexts
@@ -0,0 +1 @@
+(/.*)?                u:object_r:system_file:s0
diff --git a/prebuilts/api/29.0/private/dexoptanalyzer.te b/prebuilts/api/29.0/private/dexoptanalyzer.te
index 59554c8..2c0e1a4 100644
--- a/prebuilts/api/29.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/29.0/private/dexoptanalyzer.te
@@ -22,7 +22,7 @@
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index 69c11d6..2d52f59 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -363,6 +363,7 @@
   sysfs_leds
   sysfs_power
   sysfs_fs_f2fs
+  sysfs_dm
 }:file w_file_perms;
 
 allow init {
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index c447715..5eddc4e 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1143,7 +1143,7 @@
 (typeattributeset default_android_hwservice_29_0 (default_android_hwservice))
 (typeattributeset default_android_service_29_0 (default_android_service))
 (typeattributeset default_android_vndservice_29_0 (default_android_vndservice))
-(typeattributeset default_prop_29_0 (default_prop))
+(typeattributeset default_prop_29_0 (default_prop apk_verity_prop))
 (typeattributeset dev_cpu_variant_29_0 (dev_cpu_variant))
 (typeattributeset device_29_0 (device))
 (typeattributeset device_config_activity_manager_native_boot_prop_29_0 (device_config_activity_manager_native_boot_prop))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 88e6efd..eda155b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    app_integrity_service
     app_search_service
     auth_service
     ashmem_libcutils_device
@@ -26,8 +27,13 @@
     iorap_prefetcherd_data_file
     iorap_prefetcherd_exec
     iorap_prefetcherd_tmpfs
+    mediatranscoding_service
+    mediatranscoding
+    mediatranscoding_exec
+    mediatranscoding_tmpfs
     linker_prop
     mock_ota_prop
+    module_sdkext_prop
     ota_metadata_file
     ota_prop
     art_apex_dir
@@ -35,9 +41,11 @@
     system_group_file
     system_jvmti_agent_prop
     system_passwd_file
+    tethering_service
     timezonedetector_service
     userspace_reboot_prop
     userspace_reboot_exported_prop
+    vehicle_hal_prop
     vendor_apex_file
     vendor_boringssl_self_test
     vendor_install_recovery
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
new file mode 100644
index 0000000..98cda20
--- /dev/null
+++ b/private/derive_sdk.te
@@ -0,0 +1,12 @@
+
+# Domain for derive_sdk
+type derive_sdk, domain, coredomain;
+type derive_sdk_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_sdk)
+
+# Read /apex
+allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+
+# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
+set_prop(derive_sdk, module_sdkext_prop)
+neverallow {domain -init -derive_sdk} module_sdkext_prop:property_service set;
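Review bot: The comment `# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)` does not match what the policy grants. The read rule is `get_prop(domain, module_sdkext_prop)` in private/domain.te, which covers every domain rather than apps only, and the neverallow on the last line also exempts init from the set restriction. I would reword it to `# Prop rules: set by derive_sdk (init is exempt from the neverallow); read access for all domains is granted in private/domain.te`. The file also starts with an empty line before `# Domain for derive_sdk`, which can be dropped.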
diff --git a/private/domain.te b/private/domain.te
index 2389ec9..2b53563 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -45,6 +45,9 @@
 # Allow to read properties for linker
 get_prop(domain, linker_prop);
 
+# Read access to sdkext props
+get_prop(domain, module_sdkext_prop)
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
diff --git a/private/file_contexts b/private/file_contexts
index 2ec5b2f..69b6c58 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -239,6 +239,7 @@
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
 /system/bin/mediaswcodec	u:object_r:mediaswcodec_exec:s0
+/system/bin/mediatranscoding	u:object_r:mediatranscoding_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
diff --git a/private/installd.te b/private/installd.te
index 28f81a4..c89ba8b 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -37,6 +37,9 @@
 get_prop(installd, device_config_runtime_native_prop)
 get_prop(installd, device_config_runtime_native_boot_prop)
 
+# Allow installd to access apk verity feature flag (for legacy case).
+get_prop(installd, apk_verity_prop)
+
 # Allow installd to delete files in /data/staging
 allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/private/iorapd.te b/private/iorapd.te
index ba8ece3..7f9bcee 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -4,3 +4,6 @@
 tmpfs_domain(iorapd)
 
 domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
+
+# Allow iorapd to access the runtime native boot feature flag properties.
+get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index d74ab95..c55e54a 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -2,6 +2,7 @@
 
 init_daemon_domain(mediaserver)
 tmpfs_domain(mediaserver)
+allow mediaserver appdomain_tmpfs:file { getattr map read write };
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
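Review bot: The added `allow mediaserver appdomain_tmpfs:file { getattr map read write };` carries no comment, although by its name `appdomain_tmpfs` covers the tmpfs file types of all app domains and the rule includes `write` and `map`. The permission set leaves out `open`, which suggests it is meant only for descriptors that an app hands to mediaserver, but the policy should state that. I would add a comment above the rule along the lines of `# Use shared memory that apps pass in as an fd; no open, so mediaserver cannot reach app tmpfs files on its own.` It is also worth confirming that `write` is needed rather than `read` and `map` alone.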
@@ -10,3 +11,4 @@
 hal_client_domain(mediaserver, hal_omx)
 hal_client_domain(mediaserver, hal_codec2)
 
+allow mediaserver mediatranscoding_service:service_manager find;
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
new file mode 100644
index 0000000..e0ad84c
--- /dev/null
+++ b/private/mediatranscoding.te
@@ -0,0 +1,3 @@
+typeattribute mediatranscoding coredomain;
+
+init_daemon_domain(mediatranscoding)
diff --git a/private/platform_app.te b/private/platform_app.te
index 45de3cb..72bfe71 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,6 +68,7 @@
 allow platform_app vr_manager_service:service_manager find;
 allow platform_app gpu_service:service_manager find;
 allow platform_app stats_service:service_manager find;
+allow platform_app tethering_service:service_manager find;
 userdebug_or_eng(`
   allow platform_app platform_compat_service:service_manager find;
 ')
diff --git a/private/priv_app.te b/private/priv_app.te
index a9e9980..c776907 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -52,6 +52,7 @@
 allow priv_app radio_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;
+allow priv_app tethering_service:service_manager find;
 
 # Allow privileged apps to interact with gpuservice
 binder_call(priv_app, gpuservice)
diff --git a/private/property_contexts b/private/property_contexts
index d909dfc..b2b6abc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -224,3 +224,7 @@
 
 # Property to set/clear the warm reset flag after an OTA update.
 ota.warm_reset  u:object_r:ota_prop:s0
+
+# Module properties
+com.android.sdkext.                  u:object_r:module_sdkext_prop:s0
+persist.com.android.sdkext.          u:object_r:module_sdkext_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index fa52a05..bb486e8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,6 +10,7 @@
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 app_binding                               u:object_r:app_binding_service:s0
+app_integrity                             u:object_r:app_integrity_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 app_search                                u:object_r:app_search_service:s0
 apexservice                               u:object_r:apex_service:s0
@@ -118,6 +119,7 @@
 media.player                              u:object_r:mediaserver_service:s0
 media.metrics                             u:object_r:mediametrics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
+media.transcoding                         u:object_r:mediatranscoding_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0
@@ -196,6 +198,7 @@
 telephony.registry                        u:object_r:registry_service:s0
 telephony_ims                             u:object_r:radio_service:s0
 testharness                               u:object_r:testharness_service:s0
+tethering                                 u:object_r:tethering_service:s0
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
 time_detector                             u:object_r:timedetector_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index fa59ef8..89a185d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -110,6 +110,8 @@
 
 # Kill apps.
 allow system_server appdomain:process { getpgid sigkill signal };
+# signull allowed for kill(pid, 0) existence test.
+allow system_server appdomain:process { signull };
 
 # Set scheduling info for apps.
 allow system_server appdomain:process { getsched setsched };
@@ -639,6 +641,9 @@
 # Read the property that mocks an OTA
 get_prop(system_server, mock_ota_prop)
 
+# Read the property as feature flag for protecting apks with fs-verity.
+get_prop(system_server, apk_verity_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -1010,6 +1015,9 @@
 allow system_server apex_service:service_manager find;
 allow system_server apexd:binder call;
 
+# Allow system server to scan /apex for flattened APEXes
+allow system_server apex_mnt_dir:dir r_dir_perms;
+
 # Allow system server to communicate to system-suspend's control interface
 allow system_server system_suspend_control_service:service_manager find;
 binder_call(system_server, system_suspend)
diff --git a/public/init.te b/public/init.te
index 2d0db1e..8031809 100644
--- a/public/init.te
+++ b/public/init.te
@@ -382,6 +382,7 @@
   sysfs_leds
   sysfs_power
   sysfs_fs_f2fs
+  sysfs_dm
 }:file w_file_perms;
 
 allow init {
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
new file mode 100644
index 0000000..386535b
--- /dev/null
+++ b/public/mediatranscoding.te
@@ -0,0 +1,26 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding, domain;
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+
+binder_use(mediatranscoding)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+allow mediatranscoding system_server:fd use;
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/property.te b/public/property.te
index 33e2ed4..6716332 100644
--- a/public/property.te
+++ b/public/property.te
@@ -60,6 +60,7 @@
 
 # Properties which can't be written outside system
 system_restricted_prop(linker_prop)
+system_restricted_prop(module_sdkext_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
 system_restricted_prop(restorecon_prop)
 system_restricted_prop(system_boot_reason_prop)
@@ -98,6 +99,7 @@
 
 # Properties with no restrictions
 system_public_prop(audio_prop)
+system_public_prop(apk_verity_prop)
 system_public_prop(bluetooth_a2dp_offload_prop)
 system_public_prop(bluetooth_audio_hal_prop)
 system_public_prop(bluetooth_prop)
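Review bot: `apk_verity_prop` is registered with `system_public_prop` under the heading "Properties with no restrictions", although the comment added in private/system_server.te describes it as the feature flag for protecting APKs with fs-verity. Together with `set_prop(vendor_init, apk_verity_prop)` in public/vendor_init.te and its addition to `default_prop_29_0` in private/compat/29.0/29.0.cil, nothing visible in this diff limits which domains may set it. If no rule outside the diff already does so, I would pin the writers next to the declaration, for example `neverallow { domain -init -vendor_init } apk_verity_prop:property_service set;`. That way a later policy change cannot quietly give another domain control of the flag, but the rule needs checking against the 29.0 compat mapping before it is added.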
@@ -138,6 +140,7 @@
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
 system_public_prop(system_prop)
+system_public_prop(vehicle_hal_prop)
 system_public_prop(vendor_security_patch_level_prop)
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
@@ -234,6 +237,7 @@
 
 neverallow { domain -coredomain } {
   system_property_type
+  system_internal_property_type
   -system_restricted_property_type
   -system_public_property_type
 }:file no_rw_file_perms;
@@ -243,25 +247,20 @@
   -system_public_property_type
 }:property_service set;
 
-neverallow { domain -coredomain } {
-  system_internal_property_type
-}:file no_rw_file_perms;
-
-neverallow coredomain {
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
   vendor_property_type
+  vendor_internal_property_type
   -vendor_restricted_property_type
   -vendor_public_property_type
 }:file no_rw_file_perms;
 
-neverallow coredomain {
+neverallow { coredomain -init } {
   vendor_property_type
   -vendor_public_property_type
 }:property_service set;
 
-neverallow coredomain {
-  vendor_internal_property_type
-}:file no_rw_file_perms;
-
 ')
 
 # There is no need to perform ioctl or advisory locking operations on
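Review bot: The new comments say dumpstate should be able to read all props, but `neverallow { coredomain -init -dumpstate } { ... }:file no_rw_file_perms;` removes dumpstate from the write half of the check as well. The same applies to the `vendor_internal_prop` macro in public/te_macros (hunk at -836), whose comment mentions only reading for both init and dumpstate. Unless a neverallow outside this diff already forbids writes to property files, I would keep dumpstate covered for writes, e.g. `neverallow dumpstate { vendor_property_type vendor_internal_property_type -vendor_restricted_property_type -vendor_public_property_type }:file no_w_file_perms;`. The block holding these rules opens before the hunk and closes at the `')` line.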
@@ -617,6 +616,7 @@
     -heapprofd_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
+    -module_sdkext_prop
     -system_lmk_prop
     -linker_prop
     -log_prop
diff --git a/public/property_contexts b/public/property_contexts
index 5a026cc..6eb2d70 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -98,6 +98,7 @@
 pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
 ro.af.client_heap_size_kbyte u:object_r:exported3_default_prop:s0 exact int
+ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
 ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
 ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
@@ -157,6 +158,7 @@
 ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
+ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
 ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
diff --git a/public/service.te b/public/service.te
index f746727..dfae57b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
 type mediadrmserver_service,    service_manager_type;
+type mediatranscoding_service,  app_api_service, service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
@@ -44,6 +45,7 @@
 type adb_service, system_api_service, system_server_service, service_manager_type;
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type app_binding_service, system_server_service, service_manager_type;
+type app_integrity_service, system_api_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
 type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -191,6 +193,7 @@
 type window_service, system_api_service, system_server_service, service_manager_type;
 type inputflinger_service, system_api_service, system_server_service, service_manager_type;
 type wpantund_service, system_api_service, service_manager_type;
+type tethering_service, system_server_service, service_manager_type;
 
 ###
 ### HAL Services
diff --git a/public/te_macros b/public/te_macros
index 88e71d8..9672227 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -772,7 +772,7 @@
 define(`system_internal_prop', `
   define_prop($1, system, internal)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -785,7 +785,7 @@
 define(`system_restricted_prop', `
   define_prop($1, system, restricted)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
   ')
 ')
 
@@ -804,7 +804,7 @@
 define(`product_internal_prop', `
   define_prop($1, product, internal)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -817,7 +817,7 @@
 define(`product_restricted_prop', `
   define_prop($1, product, restricted)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
   ')
 ')
 
@@ -836,7 +836,8 @@
 define(`vendor_internal_prop', `
   define_prop($1, vendor, internal)
   treble_sysprop_neverallow(`
-    neverallow coredomain $1:file no_rw_file_perms;
+# init and dumpstate are in coredomain, but should be able to read all props.
+    neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -849,7 +850,8 @@
 define(`vendor_restricted_prop', `
   define_prop($1, vendor, restricted)
   treble_sysprop_neverallow(`
-    neverallow coredomain $1:property_service set;
+# init is in coredomain, but should be able to write all props.
+    neverallow { coredomain -init } $1:property_service set;
   ')
 ')
 
diff --git a/public/update_engine.te b/public/update_engine.te
index 8aafe34..a6be3d3 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -36,8 +36,16 @@
 binder_use(update_engine)
 add_service(update_engine, update_engine_service)
 
-# Allow update_engine to call the callback function provided by priv_app.
+# Allow update_engine to call the callback function provided by priv_app/GMS core.
 binder_call(update_engine, priv_app)
+# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow update_engine priv_app:binder { call transfer };
+  auditallow priv_app update_engine:binder transfer;
+  auditallow update_engine priv_app:fd use;
+')
+
+binder_call(update_engine, gmscore_app)
 
 # Allow update_engine to call the callback function provided by system_server.
 binder_call(update_engine, system_server)
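Review bot: `binder_call(update_engine, gmscore_app)` is added without a comment of its own, while the comment that mentions GMS core sits above the older `binder_call(update_engine, priv_app)` rule. The b/142672293 comment says no other priv-app should need that rule, yet it stays in place and the `auditallow` lines are limited to `userdebug_or_eng`, so the plan to remove it is only implicit. I would put `# Allow update_engine to call the callback function provided by GMS core.` directly above the gmscore_app rule. I would also add `# TODO(b/142672293): remove binder_call(update_engine, priv_app) once the auditallow rules stay silent.` next to the priv_app rule.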
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 710ff71..a756dc1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -221,6 +221,7 @@
       -nnapi_ext_deny_product_prop
       -init_svc_debug_prop
       -linker_prop
+      -module_sdkext_prop
       -userspace_reboot_exported_prop
       -userspace_reboot_prop
     })
@@ -229,6 +230,7 @@
 # Get file context
 allow vendor_init file_contexts_file:file r_file_perms;
 
+set_prop(vendor_init, apk_verity_prop)
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
 set_prop(vendor_init, bluetooth_audio_hal_prop)
 set_prop(vendor_init, cpu_variant_prop)
@@ -253,6 +255,7 @@
 set_prop(vendor_init, log_tag_prop)
 set_prop(vendor_init, log_prop)
 set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, vehicle_hal_prop)
 set_prop(vendor_init, vendor_default_prop)
 set_prop(vendor_init, vendor_security_patch_level_prop)
 set_prop(vendor_init, wifi_log_prop)