Merge "Hide some denials." into pi-dev
diff --git a/Android.mk b/Android.mk
index 83631f5..bb04286 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1567,7 +1567,7 @@
base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
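Review bot: The hard-coded `user` on the `PRIVATE_TARGET_BUILD_VARIANT` line has no comment saying why this one policy stops following `$(TARGET_BUILD_VARIANT)`, so a later cleanup could easily revert it. With this value the `userdebug_or_eng()` blocks are presumably left out of base_plat_policy.conf on every build type, which means the file no longer matches the device policy on userdebug and eng builds. I would state that where the value is set, for example `# Always expand as a user build so userdebug_or_eng() rules stay out of the base platform policy.` above the assignment. The same unexplained override appears in treble_sepolicy_tests_for_release.mk for `$($(version)_plat_policy.conf)` and needs the same comment.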
@@ -1638,6 +1638,7 @@
built_sepolicy_neverallows :=
built_plat_svc :=
built_vendor_svc :=
+built_plat_sepolicy :=
mapping_policy :=
my_target_arch :=
plat_pub_policy.cil :=
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 81308db..ef8e266 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -36,6 +36,7 @@
exported2_system_prop
exported2_vold_prop
exported3_default_prop
+ exported3_radio_prop
exported3_system_prop
fingerprint_vendor_data_file
fs_bpf
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5ae9e6c..5dd0f16 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -19,6 +19,7 @@
exported2_system_prop
exported2_vold_prop
exported3_default_prop
+ exported3_radio_prop
exported3_system_prop
exported_config_prop
exported_dalvik_prop
diff --git a/public/domain.te b/public/domain.te
index 61b58b6..7835e3a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -95,6 +95,7 @@
get_prop(domain, exported2_system_prop)
get_prop(domain, exported2_vold_prop)
get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
@@ -108,6 +109,7 @@
get_prop({coredomain appdomain shell}, exported2_system_prop)
get_prop({coredomain appdomain shell}, exported2_vold_prop)
get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
userdebug_or_eng(`
get_prop(su, core_property_type)
@@ -119,6 +121,7 @@
get_prop(su, exported2_system_prop)
get_prop(su, exported2_vold_prop)
get_prop(su, exported3_default_prop)
+ get_prop(su, exported3_radio_prop)
get_prop(su, exported3_system_prop)
')
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
@@ -1332,3 +1335,12 @@
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+ dontaudit domain proc_type:dir add_name;
+ dontaudit domain sysfs_type:dir add_name;
+ dontaudit domain proc_type:file create;
+ dontaudit domain sysfs_type:file create;
+')
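Review bot: The comment on the added block does not say that these four rules are the permissive-mode companions of the two `dir write` dontaudit rules directly above, so a later change to one pair can leave the other behind. Because the source is `domain`, any process on a userdebug or eng build that attempts `add_name` or `create` under a proc or sysfs type will no longer appear in the audit log, which is where such behaviour would normally be noticed during bring-up. I would extend the comment with `# Companion to the dir write dontaudit rules above; change or remove them together.` and name the denial or bug that motivated the suppression.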
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 86f41cb..31859aa 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -27,6 +27,7 @@
set_prop(hal_telephony_server, radio_prop)
set_prop(hal_telephony_server, exported_radio_prop)
set_prop(hal_telephony_server, exported2_radio_prop)
+set_prop(hal_telephony_server, exported3_radio_prop)
allow hal_telephony_server tty_device:chr_file rw_file_perms;
diff --git a/public/property.te b/public/property.te
index a099e87..64f309d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -73,6 +73,7 @@
type exported2_system_prop, property_type;
type exported2_vold_prop, property_type;
type exported3_default_prop, property_type;
+type exported3_radio_prop, property_type;
type exported3_system_prop, property_type;
type vendor_default_prop, property_type;
@@ -164,6 +165,7 @@
} {
exported_radio_prop
exported2_radio_prop
+ exported3_radio_prop
radio_prop
}:property_service set;
diff --git a/public/property_contexts b/public/property_contexts
index 291cf14..bc2395e 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -1,6 +1,5 @@
# vendor-init-readable
persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact int
-persist.radio.multisim.config u:object_r:exported2_radio_prop:s0 exact string
# vendor-init-settable
af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
@@ -67,6 +66,7 @@
persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
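Review bot: Relabelling `persist.radio.multisim.config` to `exported3_radio_prop` changes who may write it, not only its type name. `radio` and `hal_telephony_server` already had `set_prop` on `exported2_radio_prop`, so the new writer is `vendor_init`, through the `set_prop(vendor_init, exported3_radio_prop)` line added in public/vendor_init.te. The section header for the entry's new position is outside the hunk, so I am assuming it lands under the vendor-init-settable entries. Since this is a `persist.` property, a value set from vendor init survives reboots, and the reason for widening write access should be recorded next to the entry, for example `# Relabelled from exported2_radio_prop so that vendor_init can set it.`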
diff --git a/public/radio.te b/public/radio.te
index 4998a61..8fb5ad6 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -21,6 +21,7 @@
set_prop(radio, radio_prop)
set_prop(radio, exported_radio_prop)
set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
set_prop(radio, net_radio_prop)
# ctl interface
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dd7479f..6a13f69 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -172,6 +172,7 @@
set_prop(vendor_init, exported2_system_prop)
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
+set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index ac8c808..5f419d1 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -19,7 +19,7 @@
$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)