Merge "Revoke ftrace selinux access from dumpstate"
diff --git a/private/adbd.te b/private/adbd.te
index 0b42672..5bbf2dd 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -85,6 +85,9 @@
# Read device's serial number from system properties
get_prop(adbd, serialno_prop)
+# Read whether or not Test Harness Mode is enabled
+get_prop(adbd, test_harness_prop)
+
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/app.te b/private/app.te
index 876406f..4e433eb 100644
--- a/private/app.te
+++ b/private/app.te
@@ -10,6 +10,10 @@
# info etc.
allow appdomain priv_app_tmpfs:file read;
+# Allow apps to read the Test Harness Mode property. This property is used in
+# the implementation of ActivityManager.isDeviceInTestHarnessMode()
+get_prop(appdomain, test_harness_prop)
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 690b47f..4ae2071 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -19,6 +19,7 @@
apexd_tmpfs
biometric_service
bpf_progs_loaded_prop
+ bugreport_service
content_capture_service
content_suggestions_service
cpu_variant_prop
@@ -89,6 +90,8 @@
system_lmk_prop
system_suspend_hwservice
staging_data_file
+ testharness_service
+ test_harness_prop
time_prop
timedetector_service
timezonedetector_service
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 88aca5b..1cf7efb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -213,6 +213,8 @@
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -242,6 +244,8 @@
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/service_contexts b/private/service_contexts
index 82c94f9..2ad99eb 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -25,6 +25,7 @@
bluetooth_manager u:object_r:bluetooth_manager_service:s0
bluetooth u:object_r:bluetooth_service:s0
broadcastradio u:object_r:broadcastradio_service:s0
+bugreport u:object_r:bugreport_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
@@ -180,6 +181,7 @@
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
telephony.registry u:object_r:registry_service:s0
+testharness u:object_r:testharness_service:s0
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
time_detector u:object_r:timedetector_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 0baf4d6..bb69796 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -605,6 +605,9 @@
# reset during current boot.
get_prop(system_server, device_config_reset_performed_prop)
+# Read/write the property that enables Test Harness Mode
+set_prop(system_server, test_harness_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/public/init.te b/public/init.te
index 10a0c68..72c9c43 100644
--- a/public/init.te
+++ b/public/init.te
@@ -362,6 +362,17 @@
sysfs_zram
}:file rw_file_perms;
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+};
+
# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file w_file_perms;
diff --git a/public/property.te b/public/property.te
index f67a506..91d1a11 100644
--- a/public/property.te
+++ b/public/property.te
@@ -71,6 +71,7 @@
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
type test_boot_reason_prop, property_type;
+type test_harness_prop, property_type;
type time_prop, property_type;
type traced_enabled_prop, property_type;
type vold_prop, property_type, core_property_type;
@@ -432,6 +433,7 @@
-system_prop
-system_radio_prop
-test_boot_reason_prop
+ -test_harness_prop
-time_prop
-traced_enabled_prop
-vendor_default_prop
diff --git a/public/property_contexts b/public/property_contexts
index e871b11..2b1b0e9 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -188,6 +188,7 @@
libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
ro.arch u:object_r:exported2_default_prop:s0 exact string
ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
diff --git a/public/recovery.te b/public/recovery.te
index 6cb391c..12eadee 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -85,6 +85,7 @@
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
+ allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
# GUI
allow recovery graphics_device:chr_file rw_file_perms;
diff --git a/public/service.te b/public/service.te
index 9ddc7a4..21f7648 100644
--- a/public/service.te
+++ b/public/service.te
@@ -91,6 +91,7 @@
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
+type bugreport_service, system_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
@@ -156,6 +157,7 @@
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
+type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index edba682..ada00d1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -24,6 +24,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
@@ -62,6 +63,7 @@
# Same process HALs installed by platform into /vendor
#
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so u:object_r:same_process_hal_file:s0
