Snap for 9239618 from 708fcb40c952498706ec138ee324b6a4c98e7db0 to tm-platform-release
Change-Id: I6339b2235e89793b028ab6325757947ab69e5467
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index a07f5ae..c1fc736 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
device_config_vendor_system_native_prop
+ device_config_vendor_system_native_boot_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/prebuilts/api/33.0/private/crash_dump.te b/prebuilts/api/33.0/private/crash_dump.te
index 90ffeb5..82ca403 100644
--- a/prebuilts/api/33.0/private/crash_dump.te
+++ b/prebuilts/api/33.0/private/crash_dump.te
@@ -8,6 +8,7 @@
-apexd
-bpfloader
-crash_dump
+ -crosvm # TODO(b/236672526): Remove exception for crosvm
-diced
-init
-kernel
diff --git a/prebuilts/api/33.0/private/flags_health_check.te b/prebuilts/api/33.0/private/flags_health_check.te
index 54ecd45..58275ff 100644
--- a/prebuilts/api/33.0/private/flags_health_check.te
+++ b/prebuilts/api/33.0/private/flags_health_check.te
@@ -24,6 +24,7 @@
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
diff --git a/prebuilts/api/33.0/private/heapprofd.te b/prebuilts/api/33.0/private/heapprofd.te
index 246f936..36d2938 100644
--- a/prebuilts/api/33.0/private/heapprofd.te
+++ b/prebuilts/api/33.0/private/heapprofd.te
@@ -41,11 +41,14 @@
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(heapprofd, apex_art_data_file)
+allow heapprofd apex_module_data_file:dir { getattr search };
+
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 1b2360d..4eda4a1 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -257,6 +257,7 @@
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
@@ -728,7 +729,8 @@
# GWP-ASan props. Separate from other libc.debug.* props, because we want users
# to be able to set them from `adb shell` even on release devices.
-libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 0f72c7f..6d3bc78 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -396,6 +396,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
@@ -752,6 +753,7 @@
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
diff --git a/prebuilts/api/33.0/private/traced_perf.te b/prebuilts/api/33.0/private/traced_perf.te
index 96a7263..811bf48 100644
--- a/prebuilts/api/33.0/private/traced_perf.te
+++ b/prebuilts/api/33.0/private/traced_perf.te
@@ -28,10 +28,12 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(traced_perf, apex_art_data_file)
+allow traced_perf apex_module_data_file:dir { getattr search };
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index 41245c2..b1c3d44 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -229,6 +229,10 @@
# Allow zygote to read qemu.sf.lcd_density
get_prop(zygote, qemu_sf_lcd_density_prop)
+# Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in
+# preloaded classes
+get_prop(zygote, persist_wm_debug_prop)
+
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 47b63e6..8d3e556 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -87,6 +87,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_neuralnetworks_server
hal_omx_server
hal_power_server
@@ -149,6 +150,7 @@
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_input_processor)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index a235634..42fe979 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -68,6 +68,7 @@
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index b7302d4..57df54c 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -274,6 +274,7 @@
# Allow vendor_init to read vendor_system_native device config changes
get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
###
### neverallow rules
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index a07f5ae..c1fc736 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
device_config_vendor_system_native_prop
+ device_config_vendor_system_native_boot_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 90ffeb5..82ca403 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,6 +8,7 @@
-apexd
-bpfloader
-crash_dump
+ -crosvm # TODO(b/236672526): Remove exception for crosvm
-diced
-init
-kernel
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 54ecd45..58275ff 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -24,6 +24,7 @@
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 246f936..36d2938 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -41,11 +41,14 @@
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(heapprofd, apex_art_data_file)
+allow heapprofd apex_module_data_file:dir { getattr search };
+
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/private/property_contexts b/private/property_contexts
index 1b2360d..4eda4a1 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -257,6 +257,7 @@
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
@@ -728,7 +729,8 @@
# GWP-ASan props. Separate from other libc.debug.* props, because we want users
# to be able to set them from `adb shell` even on release devices.
-libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
diff --git a/private/system_server.te b/private/system_server.te
index 0f72c7f..6d3bc78 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -396,6 +396,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
@@ -752,6 +753,7 @@
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 96a7263..811bf48 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,10 +28,12 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(traced_perf, apex_art_data_file)
+allow traced_perf apex_module_data_file:dir { getattr search };
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
diff --git a/private/zygote.te b/private/zygote.te
index 41245c2..b1c3d44 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -229,6 +229,10 @@
# Allow zygote to read qemu.sf.lcd_density
get_prop(zygote, qemu_sf_lcd_density_prop)
+# Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in
+# preloaded classes
+get_prop(zygote, persist_wm_debug_prop)
+
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 47b63e6..8d3e556 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -87,6 +87,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_neuralnetworks_server
hal_omx_server
hal_power_server
@@ -149,6 +150,7 @@
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_input_processor)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
diff --git a/public/property.te b/public/property.te
index a235634..42fe979 100644
--- a/public/property.te
+++ b/public/property.te
@@ -68,6 +68,7 @@
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b7302d4..57df54c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -274,6 +274,7 @@
# Allow vendor_init to read vendor_system_native device config changes
get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
###
### neverallow rules
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 79c55de..e940681 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -18,7 +18,8 @@
import policy
import re
import sys
-import distutils.ccompiler
+
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
#############################################################
# Tests
@@ -158,7 +159,7 @@
(options, args) = parser.parse_args()
libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ "libsepolwrap" + SHARED_LIB_EXTENSION)
if not os.path.exists(libpath):
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index a3bf661..64a9e95 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,9 +20,9 @@
from policy import MatchPathPrefix
import re
import sys
-import distutils.ccompiler
DEBUG=False
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
'''
Use file_contexts and policy to verify Treble requirements
@@ -375,7 +375,7 @@
parser.usage)
libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ "libsepolwrap" + SHARED_LIB_EXTENSION)
if not os.path.exists(libpath):
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
