Snap for 8618812 from db2d57055002fc4cb3d4ea99c7ee7b9540fcfb5c to mainline-tzdata4-release
Change-Id: I00fc1d88f6023e1ef5a3035d2904a5fc472505cb
diff --git a/apex/Android.bp b/apex/Android.bp
index 5d61303..8f11771 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -195,13 +195,6 @@
}
filegroup {
- name: "com.android.telephony-file_contexts",
- srcs: [
- "com.android.telephony-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
deleted file mode 100644
index f3a65d4..0000000
--- a/apex/com.android.telephony-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 49bc5b3..386f11e 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -25,6 +25,10 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
+# Allow settings system properties that ART expects.
+set_prop(compos, dalvik_config_prop)
+set_prop(compos, device_config_runtime_native_boot_prop)
+
# Allow running odrefresh in its own domain
domain_auto_trans(compos, odrefresh_exec, odrefresh)
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c083547..c236637 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -35,7 +35,10 @@
# fail immediately. See b/210909688.
allow odrefresh compos:fd use;
-# Silently ignore the access to properties. Unlike on Android, parameters
-# should be passed from command line to avoid global state.
+# Allow odrefresh to read all dalvik system properties. odrefresh needs to record the relevant ones
+# in the output for later verification check.
+get_prop(odrefresh, dalvik_config_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Silently ignore the write to properties, e.g. for setting boot animation progress.
dontaudit odrefresh property_socket:sock_file write;
-dontaudit odrefresh dalvik_config_prop:file read;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 01aa5e4..6e795dc 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,6 +1,7 @@
# Declare ART properties for CompOS
system_public_prop(dalvik_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 68d6df5..6f65eff 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -152,7 +152,9 @@
heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
# ART properties for CompOS
-dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
-persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
+ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index d29a3d3..94a8fea 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -17,6 +17,7 @@
connectivity_native_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
+ device_config_vendor_system_native_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/prebuilts/api/33.0/private/composd.te b/prebuilts/api/33.0/private/composd.te
index 5f99a92..d007d66 100644
--- a/prebuilts/api/33.0/private/composd.te
+++ b/prebuilts/api/33.0/private/composd.te
@@ -31,6 +31,7 @@
# Read ART's properties
get_prop(composd, dalvik_config_prop)
+get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
neverallow composd apex_art_data_file:file ~unlink;
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 5a843f9..4161dc9 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
@@ -62,6 +64,7 @@
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/font/files
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index b4f42cf..e21c18c 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -589,6 +589,7 @@
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
@@ -690,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
diff --git a/prebuilts/api/33.0/private/installd.te b/prebuilts/api/33.0/private/installd.te
index 251a14f..538641d 100644
--- a/prebuilts/api/33.0/private/installd.te
+++ b/prebuilts/api/33.0/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/prebuilts/api/33.0/private/property.te b/prebuilts/api/33.0/private/property.te
index 63081bf..41a4c2f 100644
--- a/prebuilts/api/33.0/private/property.te
+++ b/prebuilts/api/33.0/private/property.te
@@ -47,7 +47,6 @@
system_internal_prop(virtualizationservice_prop)
# Properties which can't be written outside system
-system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(system_user_mode_emulation_prop)
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index 46e7be8..193ab51 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -33,6 +33,7 @@
allow sdk_sandbox game_service:service_manager find;
allow sdk_sandbox gpu_service:service_manager find;
allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox imms_service:service_manager find;
allow sdk_sandbox input_method_service:service_manager find;
@@ -89,6 +90,8 @@
allow sdk_sandbox vcn_management_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
@@ -102,7 +105,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@@ -151,3 +157,20 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index ec7bfe4..ba097f2 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
@@ -1362,12 +1365,14 @@
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:file create_file_perms;
diff --git a/prebuilts/api/33.0/private/untrusted_app.te b/prebuilts/api/33.0/private/untrusted_app.te
index 62d458d..63b095a 100644
--- a/prebuilts/api/33.0/private/untrusted_app.te
+++ b/prebuilts/api/33.0/private/untrusted_app.te
@@ -14,3 +14,10 @@
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app sdk_sandbox_data_file:fd use;
+allow untrusted_app sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };
diff --git a/prebuilts/api/33.0/private/vehicle_binding_util.te b/prebuilts/api/33.0/private/vehicle_binding_util.te
index 76d0756..f527944 100644
--- a/prebuilts/api/33.0/private/vehicle_binding_util.te
+++ b/prebuilts/api/33.0/private/vehicle_binding_util.te
@@ -8,8 +8,10 @@
# allow writing to kmsg during boot
allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
-# allow reading the binding property from vhal
+# allow reading the binding property from HIDL VHAL.
hwbinder_use(vehicle_binding_util)
+# allow reading the binding property from AIDL VHAL.
+binder_use(vehicle_binding_util)
hal_client_domain(vehicle_binding_util, hal_vehicle)
# allow executing vdc
diff --git a/prebuilts/api/33.0/private/vold_prepare_subdirs.te b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
index e1c8044..ddb2828 100644
--- a/prebuilts/api/33.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
@@ -56,6 +58,7 @@
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:dir relabelfrom;
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index ea983fd..c5ba180 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -235,6 +235,9 @@
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+# Allow zygote to query for compression/features.
+r_dir_file(zygote, sysfs_fs_f2fs)
+
###
### neverallow rules
###
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index 6024f07..b18f142 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -67,6 +67,7 @@
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
+system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index d29a3d3..94a8fea 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -17,6 +17,7 @@
connectivity_native_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
+ device_config_vendor_system_native_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/private/composd.te b/private/composd.te
index 5f99a92..d007d66 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -31,6 +31,7 @@
# Read ART's properties
get_prop(composd, dalvik_config_prop)
+get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
neverallow composd apex_art_data_file:file ~unlink;
diff --git a/private/file.te b/private/file.te
index 5a843f9..4161dc9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
@@ -62,6 +64,7 @@
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/font/files
diff --git a/private/file_contexts b/private/file_contexts
index b4f42cf..e21c18c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -589,6 +589,7 @@
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
@@ -690,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
diff --git a/private/installd.te b/private/installd.te
index 251a14f..538641d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/property.te b/private/property.te
index 63081bf..41a4c2f 100644
--- a/private/property.te
+++ b/private/property.te
@@ -47,7 +47,6 @@
system_internal_prop(virtualizationservice_prop)
# Properties which can't be written outside system
-system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(system_user_mode_emulation_prop)
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 46e7be8..193ab51 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -33,6 +33,7 @@
allow sdk_sandbox game_service:service_manager find;
allow sdk_sandbox gpu_service:service_manager find;
allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox imms_service:service_manager find;
allow sdk_sandbox input_method_service:service_manager find;
@@ -89,6 +90,8 @@
allow sdk_sandbox vcn_management_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
@@ -102,7 +105,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@@ -151,3 +157,20 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/private/system_server.te b/private/system_server.te
index ec7bfe4..ba097f2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
@@ -1362,12 +1365,14 @@
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:file create_file_perms;
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 62d458d..63b095a 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -14,3 +14,10 @@
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app sdk_sandbox_data_file:fd use;
+allow untrusted_app sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };
diff --git a/private/vehicle_binding_util.te b/private/vehicle_binding_util.te
index 76d0756..f527944 100644
--- a/private/vehicle_binding_util.te
+++ b/private/vehicle_binding_util.te
@@ -8,8 +8,10 @@
# allow writing to kmsg during boot
allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
-# allow reading the binding property from vhal
+# allow reading the binding property from HIDL VHAL.
hwbinder_use(vehicle_binding_util)
+# allow reading the binding property from AIDL VHAL.
+binder_use(vehicle_binding_util)
hal_client_domain(vehicle_binding_util, hal_vehicle)
# allow executing vdc
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e1c8044..ddb2828 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
@@ -56,6 +58,7 @@
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:dir relabelfrom;
diff --git a/private/zygote.te b/private/zygote.te
index ea983fd..c5ba180 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -235,6 +235,9 @@
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+# Allow zygote to query for compression/features.
+r_dir_file(zygote, sysfs_fs_f2fs)
+
###
### neverallow rules
###
diff --git a/public/property.te b/public/property.te
index 6024f07..b18f142 100644
--- a/public/property.te
+++ b/public/property.te
@@ -67,6 +67,7 @@
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
+system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules