Merge "Revert "Add sys.usb.mtp.batchcancel to usb_config_prop"" into sc-dev
diff --git a/prebuilts/api/31.0/private/adbd.te b/prebuilts/api/31.0/private/adbd.te
index 3fc77a2..c2c6164 100644
--- a/prebuilts/api/31.0/private/adbd.te
+++ b/prebuilts/api/31.0/private/adbd.te
@@ -84,6 +84,10 @@
 allow adbd anr_data_file:dir r_dir_perms;
 allow adbd anr_data_file:file r_file_perms;
 
+# adb pull /vendor/framework/*
+allow adbd vendor_framework_file:dir r_dir_perms;
+allow adbd vendor_framework_file:file r_file_perms;
+
 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
 set_prop(adbd, shell_prop)
 set_prop(adbd, powerctl_prop)
@@ -213,6 +217,9 @@
 allow adbd apex_data_file:dir search;
 allow adbd staging_data_file:file r_file_perms;
 
+# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
+allow adbd apex_info_file:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
index 48fbcb8..b05fecb 100644
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@@ -18,6 +18,8 @@
 allow apexd apex_ota_reserved_file:file create_file_perms;
 
 # Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
 allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_art_data_file:file { create_file_perms relabelto };
 allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
@@ -81,6 +83,9 @@
 # allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
 allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
 allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
 # because it doesn't have write permission for staging_data_file object.
diff --git a/prebuilts/api/31.0/private/app.te b/prebuilts/api/31.0/private/app.te
index 94d24e0..2b3554f 100644
--- a/prebuilts/api/31.0/private/app.te
+++ b/prebuilts/api/31.0/private/app.te
@@ -14,6 +14,11 @@
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
 
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process)
+get_prop(appdomain, device_config_runtime_native_prop)
+get_prop(appdomain, device_config_runtime_native_boot_prop)
+
 userdebug_or_eng(`perfetto_producer({ appdomain })')
 
 # Prevent apps from causing presubmit failures.
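Review bot: The two `get_prop(appdomain, ...)` lines make the runtime_native device_config namespaces readable by every domain carrying the `appdomain` attribute, which presumably includes untrusted third-party apps, yet the comment records only the ART motivation. I would add a line stating the constraint this creates, for example `# Readable by all apps: these namespaces must only hold non-sensitive ART tuning flags.` The same two properties are opened to app_zygote, webview_zygote, dexoptanalyzer, odrefresh, profman, system_server and system_server_startup elsewhere in this change, so the set of readers is wide enough that the rule on what may be stored there deserves to be written down next to the grant.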
diff --git a/prebuilts/api/31.0/private/app_zygote.te b/prebuilts/api/31.0/private/app_zygote.te
index 7f2236c..4ee3af7 100644
--- a/prebuilts/api/31.0/private/app_zygote.te
+++ b/prebuilts/api/31.0/private/app_zygote.te
@@ -75,6 +75,10 @@
 # Send unsolicited message to system_server
 unix_socket_send(app_zygote, system_unsolzygote, system_server)
 
+# Allow the app_zygote to access the runtime feature flag properties.
+get_prop(app_zygote, device_config_runtime_native_prop)
+get_prop(app_zygote, device_config_runtime_native_boot_prop)
+
 #####
 ##### Neverallow
 #####
diff --git a/prebuilts/api/31.0/private/audioserver.te b/prebuilts/api/31.0/private/audioserver.te
index 5047e2c..2d0b46d 100644
--- a/prebuilts/api/31.0/private/audioserver.te
+++ b/prebuilts/api/31.0/private/audioserver.te
@@ -36,6 +36,7 @@
 allow audioserver external_vibrator_service:service_manager find;
 allow audioserver package_native_service:service_manager find;
 allow audioserver permission_service:service_manager find;
+allow audioserver permission_checker_service:service_manager find;
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index dd626ad..313acc7 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,7 @@
     ab_update_gki_prop
     adbd_config_prop
     apc_service
+    apex_appsearch_data_file
     apex_art_data_file
     apex_art_staging_data_file
     apex_info_file
diff --git a/prebuilts/api/31.0/private/dexoptanalyzer.te b/prebuilts/api/31.0/private/dexoptanalyzer.te
index 5f0a41e..d194acb 100644
--- a/prebuilts/api/31.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/31.0/private/dexoptanalyzer.te
@@ -47,3 +47,7 @@
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
+
+# Allow query ART device config properties
+get_prop(dexoptanalyzer, device_config_runtime_native_prop)
+get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/31.0/private/fastbootd.te b/prebuilts/api/31.0/private/fastbootd.te
index 0174faa..40b3945 100644
--- a/prebuilts/api/31.0/private/fastbootd.te
+++ b/prebuilts/api/31.0/private/fastbootd.te
@@ -41,4 +41,7 @@
 
   # Mount /metadata to interact with Virtual A/B snapshots.
   allow fastbootd labeledfs:filesystem { mount unmount };
+
+  # Needed for reading boot properties.
+  allow fastbootd proc_bootconfig:file r_file_perms;
 ')
diff --git a/prebuilts/api/31.0/private/file_contexts b/prebuilts/api/31.0/private/file_contexts
index 4a4867b..351cd7c 100644
--- a/prebuilts/api/31.0/private/file_contexts
+++ b/prebuilts/api/31.0/private/file_contexts
@@ -565,12 +565,12 @@
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
-/data/misc/a11ytrace(/.*)?        u:object_r:accessibility_trace_data_file:s0
+/data/misc/a11ytrace(/.*)?      u:object_r:accessibility_trace_data_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com\.android\.art(/.*)?    u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)?           u:object_r:apex_art_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_permission_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)?    u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_wifi_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
 /data/misc/appcompat(/.*)?      u:object_r:appcompat_data_file:s0
@@ -671,6 +671,7 @@
 # Apex data directories
 /data/misc_de/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc_ce/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)?   u:object_r:apex_appsearch_data_file:s0
 /data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_permission_data_file:s0
 /data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_permission_data_file:s0
 /data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)?  u:object_r:apex_wifi_data_file:s0
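Review bot: The new `com\.android\.appsearch` entry labels only `/data/misc_ce`, while the permission and wifi entries next to it cover both `misc_de` and `misc_ce`. If appsearch ever creates data under `misc_de`, it would match the generic `apexdata(/.*)?` entry at the top of this block and be labelled `apex_module_data_file`, so the `apex_appsearch_data_file` rules added for system_server and apexd would not apply to it. If the omission is deliberate, a comment such as `# appsearch keeps only credential-encrypted data; no misc_de entry on purpose` above the line would stop a later reader from treating it as an oversight.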
diff --git a/prebuilts/api/31.0/private/odrefresh.te b/prebuilts/api/31.0/private/odrefresh.te
index 3ea8ad2..7a64247 100644
--- a/prebuilts/api/31.0/private/odrefresh.te
+++ b/prebuilts/api/31.0/private/odrefresh.te
@@ -48,3 +48,7 @@
 
 # Allow updating boot animation status.
 set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/31.0/private/platform_app.te b/prebuilts/api/31.0/private/platform_app.te
index a112081..f746f1c 100644
--- a/prebuilts/api/31.0/private/platform_app.te
+++ b/prebuilts/api/31.0/private/platform_app.te
@@ -99,6 +99,9 @@
 # suppress denials caused by debugfs_tracing
 dontaudit platform_app debugfs_tracing:file rw_file_perms;
 
+# Allow platform apps to act as Perfetto producers.
+perfetto_producer(platform_app)
+
 ###
 ### Neverallow rules
 ###
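Review bot: `perfetto_producer(platform_app)` is granted on every build type, whereas the appdomain-wide grant visible in app.te is wrapped in `userdebug_or_eng(...)`, and the comment does not say that the difference is intended. Tracing from platform apps on user builds is presumably the goal, so I would say so in the comment: `# Unlike the userdebug_or_eng appdomain rule in app.te, this applies on user builds too.` The same applies to `perfetto_producer(system_app)` in system_app.te and to the private/platform_app.te and private/system_app.te copies of both hunks.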
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index 2108a94..a8356c7 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -331,7 +331,13 @@
 
 ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
 
-# Should always_debuggable be bool? It's checked against the string "1".
+# ART properties
+dalvik.vm.                 u:object_r:dalvik_config_prop:s0
+ro.dalvik.vm.              u:object_r:dalvik_config_prop:s0
+ro.zygote                  u:object_r:dalvik_config_prop:s0 exact string
+
+# A set of ART properties listed explicitly for compatibility purposes.
+ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.always_debuggable                   u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.appimageformat                      u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.backgroundgctype                    u:object_r:dalvik_config_prop:s0 exact string
@@ -407,7 +413,6 @@
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.usejitprofiles                      u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
-ro.zygote                                     u:object_r:dalvik_config_prop:s0 exact string
 
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
 
@@ -495,8 +500,6 @@
 ro.crypto.volume.metadata.method                u:object_r:vold_config_prop:s0 exact string
 ro.crypto.volume.options                        u:object_r:vold_config_prop:s0 exact string
 
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
-
 external_storage.projid.enabled   u:object_r:storage_config_prop:s0 exact bool
 external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
@@ -1063,6 +1066,7 @@
 ro.surface_flinger.enable_frame_rate_override             u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.uclamp.min                             u:object_r:surfaceflinger_prop:s0 exact int
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
@@ -1193,5 +1197,4 @@
 ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
 
 # dck properties
-ro.gms.dck.eligible_r2 u:object_r:dck_prop:s0 exact bool
-ro.gms.dck.eligible_r3 u:object_r:dck_prop:s0 exact bool
+ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
diff --git a/prebuilts/api/31.0/private/seapp_contexts b/prebuilts/api/31.0/private/seapp_contexts
index b8e42ea..1d38fd9 100644
--- a/prebuilts/api/31.0/private/seapp_contexts
+++ b/prebuilts/api/31.0/private/seapp_contexts
@@ -158,7 +158,6 @@
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
diff --git a/prebuilts/api/31.0/private/shell.te b/prebuilts/api/31.0/private/shell.te
index 5831d54..1dda977 100644
--- a/prebuilts/api/31.0/private/shell.te
+++ b/prebuilts/api/31.0/private/shell.te
@@ -114,6 +114,9 @@
 allow shell self:perf_event { open read write kernel };
 neverallow shell self:perf_event ~{ open read write kernel };
 
+# Allow shell to read /apex/apex-info-list.xml
+allow shell apex_info_file:file r_file_perms;
+
 # Set properties.
 set_prop(shell, shell_prop)
 set_prop(shell, ctl_bugreport_prop)
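Review bot: `allow shell apex_info_file:file r_file_perms;` is added twice to this file, once here after the perf_event rules and again at the end of the file in the next hunk, after `read_fstab(shell)`. The duplicate does not change the compiled policy, but it leaves two comments giving different reasons for one permission, and a later revert of either copy would silently have no effect. Keep a single rule with the more specific comment, `# Allow shell read access to /apex/apex-info-list.xml for CTS.`, and drop the other. The same pair of hunks appears in private/shell.te.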
@@ -197,3 +200,6 @@
 
 # Allow ReadDefaultFstab() for CTS.
 read_fstab(shell)
+
+# Allow shell read access to /apex/apex-info-list.xml for CTS.
+allow shell apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 48d5f9d..10b8177 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -169,6 +169,9 @@
 # Settings app reads ro.oem_unlock_supported
 get_prop(system_app, oem_unlock_prop)
 
+# Allow system apps to act as Perfetto producers.
+perfetto_producer(system_app)
+
 ###
 ### Neverallow rules
 ###
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index c9f3f8e..f22eab9 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -44,11 +44,28 @@
   INCFS_IOCTL_FILL_BLOCKS
   INCFS_IOCTL_GET_FILLED_BLOCKS
   INCFS_IOCTL_GET_BLOCK_COUNT
+  F2FS_IOC_GET_FEATURES
+  F2FS_IOC_GET_COMPRESS_BLOCKS
+  F2FS_IOC_COMPRESS_FILE
+  F2FS_IOC_DECOMPRESS_FILE
+  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
+  FS_IOC_SETFLAGS
+  FS_IOC_GETFLAGS
+};
+
+allowxperm system_server apk_tmp_file:file ioctl {
+  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+  FS_IOC_GETFLAGS
 };
 
 # For Incremental Service to check incfs metrics
 allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
 
+# For f2fs-compression support
+allow system_server sysfs_fs_f2fs:dir r_dir_perms;
+allow system_server sysfs_fs_f2fs:file r_file_perms;
+
 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
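Review bot: The ioctl commands appended to the allowxperm list at the top of this hunk carry no comment, and several of them modify file state rather than query it: `FS_IOC_SETFLAGS`, `F2FS_IOC_COMPRESS_FILE`, `F2FS_IOC_DECOMPRESS_FILE` and the release/reserve block calls. The statement's opening line is outside the hunk, so the target type it applies to cannot be checked from here; whoever merges this should confirm that type is limited to files system_server is meant to rewrite. The only explanation in the hunk is `# For f2fs-compression support`, which sits on the sysfs rules further down. I would repeat it where the ioctls are granted, for example `# f2fs compression: FS_IOC_SETFLAGS toggles the per-file compression flag` before the new entries and `# Release compressed blocks of staged APKs` above `allowxperm system_server apk_tmp_file:file ioctl`, adjusted to the real intent.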
@@ -689,6 +706,11 @@
 set_prop(system_server, device_config_configuration_prop)
 set_prop(system_server, device_config_connectivity_prop)
 
+
+# Allow query ART device config properties
+get_prop(system_server, device_config_runtime_native_boot_prop)
+get_prop(system_server, device_config_runtime_native_prop)
+
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
 # PowerManager to read sys.boot.reason
@@ -1121,6 +1143,12 @@
 # Allow system process to setup fs-verity for font files
 allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
 
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
+
+# Allow system server to read profcollectd reports for upload.
+userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
+
 ###
 ### Neverallow rules
 ###
@@ -1259,6 +1287,8 @@
 
 # Allow the system server to manage relevant apex module data files.
 allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_appsearch_data_file:dir create_dir_perms;
+allow system_server apex_appsearch_data_file:file create_file_perms;
 allow system_server apex_permission_data_file:dir create_dir_perms;
 allow system_server apex_permission_data_file:file create_file_perms;
 allow system_server apex_scheduling_data_file:dir create_dir_perms;
@@ -1374,6 +1404,3 @@
 # Only system server can write the font files.
 neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
 neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
diff --git a/prebuilts/api/31.0/private/system_server_startup.te b/prebuilts/api/31.0/private/system_server_startup.te
index 902941e..3301304 100644
--- a/prebuilts/api/31.0/private/system_server_startup.te
+++ b/prebuilts/api/31.0/private/system_server_startup.te
@@ -14,3 +14,7 @@
 
 # Child of the zygote.
 allow system_server_startup zygote:process sigchld;
+
+# Allow query ART device config properties
+get_prop(system_server_startup, device_config_runtime_native_boot_prop)
+get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/prebuilts/api/31.0/private/vold_prepare_subdirs.te b/prebuilts/api/31.0/private/vold_prepare_subdirs.te
index 1414f6c..956e94e 100644
--- a/prebuilts/api/31.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/31.0/private/vold_prepare_subdirs.te
@@ -16,6 +16,7 @@
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
+    apex_appsearch_data_file
     apex_art_data_file
     apex_module_data_file
     apex_permission_data_file
@@ -32,6 +33,7 @@
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
+    apex_appsearch_data_file
     apex_art_data_file
     apex_art_staging_data_file
     apex_module_data_file
diff --git a/prebuilts/api/31.0/private/webview_zygote.te b/prebuilts/api/31.0/private/webview_zygote.te
index 3f217e1..10bcf1c 100644
--- a/prebuilts/api/31.0/private/webview_zygote.te
+++ b/prebuilts/api/31.0/private/webview_zygote.te
@@ -83,6 +83,10 @@
 # Send unsolicited message to system_server
 unix_socket_send(webview_zygote, system_unsolzygote, system_server)
 
+# Allow the webview_zygote to access the runtime feature flag properties.
+get_prop(webview_zygote, device_config_runtime_native_prop)
+get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+
 #####
 ##### Neverallow
 #####
diff --git a/prebuilts/api/31.0/public/file.te b/prebuilts/api/31.0/public/file.te
index 2250482..20348b5 100644
--- a/prebuilts/api/31.0/public/file.te
+++ b/prebuilts/api/31.0/public/file.te
@@ -385,6 +385,7 @@
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
 type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/prebuilts/api/31.0/public/installd.te b/prebuilts/api/31.0/public/installd.te
index eb13cfa..08060e3 100644
--- a/prebuilts/api/31.0/public/installd.te
+++ b/prebuilts/api/31.0/public/installd.te
@@ -160,6 +160,10 @@
 #add for move app to sd card
 get_prop(installd, storage_config_prop)
 
+# Allow installd to access apps installed on the Incremental File System
+# Accessing files on the Incremental File System uses fds opened in the context of vold.
+allow installd vold:fd use;
+
 ###
 ### Neverallow rules
 ###
diff --git a/prebuilts/api/31.0/public/mediaserver.te b/prebuilts/api/31.0/public/mediaserver.te
index 388001d..ad460e1 100644
--- a/prebuilts/api/31.0/public/mediaserver.te
+++ b/prebuilts/api/31.0/public/mediaserver.te
@@ -76,6 +76,7 @@
 allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
+allow mediaserver permission_checker_service:service_manager find;
 allow mediaserver power_service:service_manager find;
 allow mediaserver processinfo_service:service_manager find;
 allow mediaserver scheduling_policy_service:service_manager find;
diff --git a/prebuilts/api/31.0/public/profman.te b/prebuilts/api/31.0/public/profman.te
index 8ff6271..c014d79 100644
--- a/prebuilts/api/31.0/public/profman.te
+++ b/prebuilts/api/31.0/public/profman.te
@@ -22,6 +22,10 @@
 allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
 allow profman { privapp_data_file app_data_file }:dir { getattr read search };
 
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/prebuilts/api/31.0/public/property.te b/prebuilts/api/31.0/public/property.te
index eca1a8c..57146a4 100644
--- a/prebuilts/api/31.0/public/property.te
+++ b/prebuilts/api/31.0/public/property.te
@@ -11,8 +11,6 @@
 system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
-system_internal_prop(device_config_runtime_native_boot_prop)
-system_internal_prop(device_config_runtime_native_prop)
 system_internal_prop(firstboot_prop)
 
 compatible_property_only(`
@@ -67,6 +65,8 @@
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(hal_instrumentation_prop)
 system_restricted_prop(init_service_status_prop)
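Review bot: Moving `device_config_runtime_native_boot_prop` and `device_config_runtime_native_prop` from `system_internal_prop` to `system_restricted_prop` widens who may read them, and nothing in the file says why. As I understand the macros, the restricted class lets domains outside the system partition read the property while still forbidding writes, so vendor code can now observe these flags and may come to depend on them. A one-line comment above the two new entries would record the reason and the constraint, for example `# Read by ART in app and vendor processes; values must stay non-sensitive.` The matching removal is in the first hunk of this file.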
diff --git a/prebuilts/api/31.0/public/uncrypt.te b/prebuilts/api/31.0/public/uncrypt.te
index 0f549c9..3b04671 100644
--- a/prebuilts/api/31.0/public/uncrypt.te
+++ b/prebuilts/api/31.0/public/uncrypt.te
@@ -32,8 +32,12 @@
 
 r_dir_file(uncrypt, rootfs)
 
-# uncrypt reads /proc/cmdline
-allow uncrypt proc_cmdline:file r_file_perms;
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+  proc_bootconfig
+  proc_cmdline
+
+}:file r_file_perms;
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
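Review bot: The rewritten type set has a stray blank line between `proc_cmdline` and `}:file r_file_perms;`, and the new comment no longer explains why `proc_cmdline` is allowed. Remove the blank line so the set reads `proc_bootconfig`, `proc_cmdline`, `}:file r_file_perms;`, and keep both reasons in the comment: `# uncrypt reads /proc/cmdline; bootconfig access is needed when calling ReadDefaultFstab.`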
diff --git a/private/adbd.te b/private/adbd.te
index 52070cb..c2c6164 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -217,6 +217,9 @@
 allow adbd apex_data_file:dir search;
 allow adbd staging_data_file:file r_file_perms;
 
+# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
+allow adbd apex_info_file:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 0174faa..40b3945 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -41,4 +41,7 @@
 
   # Mount /metadata to interact with Virtual A/B snapshots.
   allow fastbootd labeledfs:filesystem { mount unmount };
+
+  # Needed for reading boot properties.
+  allow fastbootd proc_bootconfig:file r_file_perms;
 ')
diff --git a/private/platform_app.te b/private/platform_app.te
index a112081..f746f1c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -99,6 +99,9 @@
 # suppress denials caused by debugfs_tracing
 dontaudit platform_app debugfs_tracing:file rw_file_perms;
 
+# Allow platform apps to act as Perfetto producers.
+perfetto_producer(platform_app)
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/shell.te b/private/shell.te
index 5831d54..1dda977 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,6 +114,9 @@
 allow shell self:perf_event { open read write kernel };
 neverallow shell self:perf_event ~{ open read write kernel };
 
+# Allow shell to read /apex/apex-info-list.xml
+allow shell apex_info_file:file r_file_perms;
+
 # Set properties.
 set_prop(shell, shell_prop)
 set_prop(shell, ctl_bugreport_prop)
@@ -197,3 +200,6 @@
 
 # Allow ReadDefaultFstab() for CTS.
 read_fstab(shell)
+
+# Allow shell read access to /apex/apex-info-list.xml for CTS.
+allow shell apex_info_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 48d5f9d..10b8177 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -169,6 +169,9 @@
 # Settings app reads ro.oem_unlock_supported
 get_prop(system_app, oem_unlock_prop)
 
+# Allow system apps to act as Perfetto producers.
+perfetto_producer(system_app)
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/system_server.te b/private/system_server.te
index 0e57739..f22eab9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1143,6 +1143,12 @@
 # Allow system process to setup fs-verity for font files
 allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
 
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
+
+# Allow system server to read profcollectd reports for upload.
+userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
+
 ###
 ### Neverallow rules
 ###
@@ -1398,6 +1404,3 @@
 # Only system server can write the font files.
 neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
 neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
diff --git a/public/installd.te b/public/installd.te
index eb13cfa..08060e3 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -160,6 +160,10 @@
 #add for move app to sd card
 get_prop(installd, storage_config_prop)
 
+# Allow installd to access apps installed on the Incremental File System
+# Accessing files on the Incremental File System uses fds opened in the context of vold.
+allow installd vold:fd use;
+
 ###
 ### Neverallow rules
 ###