Merge "Run freeze test on trunk* builds" into main
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 08a4f64..638f202 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -242,7 +242,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.system_ext_private}"],
system_ext_specific: true,
- recovery_available: true,
+}
+
+property_contexts {
+ name: "system_ext_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":property_contexts_files{.system_ext_private}"],
+ recovery: true,
+ stem: "system_ext_property_contexts",
}
property_contexts {
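Review bot: Each new `.recovery` module repeats the `srcs` list of the module it was split from, so the recovery copy of a contexts file can drift from the normal-partition copy if only one list is edited later. The same applies to the product, vendor, odm and `service_contexts` hunks below, and the three-entry vendor lists are the easiest to get out of step. A divergent recovery `property_contexts` or `service_contexts` would label properties or services differently in recovery than in normal boot, which is hard to notice in review. If the module type permits it, consider moving the shared `srcs` into a common defaults or filegroup. Otherwise add a comment on each pair such as `// Recovery copy of system_ext_property_contexts; keep srcs identical to the module above.` The first module in this hunk begins outside the visible lines.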
@@ -250,7 +257,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.product_private}"],
product_specific: true,
- recovery_available: true,
+}
+
+property_contexts {
+ name: "product_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":property_contexts_files{.product_private}"],
+ recovery: true,
+ stem: "product_property_contexts",
}
property_contexts {
@@ -262,7 +276,18 @@
":property_contexts_files{.reqd_mask}",
],
soc_specific: true,
- recovery_available: true,
+}
+
+property_contexts {
+ name: "vendor_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":property_contexts_files{.plat_vendor}",
+ ":property_contexts_files{.vendor}",
+ ":property_contexts_files{.reqd_mask}",
+ ],
+ recovery: true,
+ stem: "vendor_property_contexts",
}
property_contexts {
@@ -270,7 +295,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.odm}"],
device_specific: true,
- recovery_available: true,
+}
+
+property_contexts {
+ name: "odm_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":property_contexts_files{.odm}"],
+ recovery: true,
+ stem: "odm_property_contexts",
}
service_contexts {
@@ -292,7 +324,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.system_ext_private}"],
system_ext_specific: true,
- recovery_available: true,
+}
+
+service_contexts {
+ name: "system_ext_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":service_contexts_files{.system_ext_private}"],
+ recovery: true,
+ stem: "system_ext_service_contexts",
}
service_contexts {
@@ -300,7 +339,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.product_private}"],
product_specific: true,
- recovery_available: true,
+}
+
+service_contexts {
+ name: "product_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":service_contexts_files{.product_private}"],
+ recovery: true,
+ stem: "product_service_contexts",
}
service_contexts {
@@ -312,7 +358,18 @@
":service_contexts_files{.reqd_mask}",
],
soc_specific: true,
- recovery_available: true,
+}
+
+service_contexts {
+ name: "vendor_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":service_contexts_files{.plat_vendor}",
+ ":service_contexts_files{.vendor}",
+ ":service_contexts_files{.reqd_mask}",
+ ],
+ recovery: true,
+ stem: "vendor_service_contexts",
}
service_contexts {
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0e2b01c..434fb13 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -204,6 +204,7 @@
# Create a more specific label if needed
neverallow all_untrusted_apps {
proc
+ proc_allocinfo
proc_asound
proc_kmsg
proc_loadavg
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 5e3bce5..a1c9ed3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -394,6 +394,7 @@
# Read files in /proc
allow dumpstate {
+ proc_allocinfo
proc_bootconfig
proc_buddyinfo
proc_cmdline
@@ -539,6 +540,9 @@
vm_data_file
}:dir getattr;
+#suppress denials for dumpstate to call vitualizationservice.
+dontaudit dumpstate virtualizationservice:binder { call };
+
# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);
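Review bot: The added `dontaudit` hides the dumpstate-to-virtualizationservice binder denial from the audit log, but its comment does not say why the call is attempted or why it is suppressed rather than allowed. It also misspells the service name ("vitualizationservice") and lacks a space after `#`. Because a dontaudit removes the only log signal for this access, the comment should record the rationale or a tracking bug, for example `# Suppress denials when dumpstate attempts to call virtualizationservice (reason/bug: <fill in>).` The braces around a single permission are also unnecessary: `dontaudit dumpstate virtualizationservice:binder call;`.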
diff --git a/private/file.te b/private/file.te
index fbabd03..6fb9baa 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,3 +1,6 @@
+# /proc/allocinfo
+type proc_allocinfo, fs_type, proc_type;
+
# /proc/config.gz
type config_gz, fs_type, proc_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3ff1012..62d6c1a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,6 +2,7 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
+genfscon proc /allocinfo u:object_r:proc_allocinfo:s0
genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
diff --git a/private/init.te b/private/init.te
index 23c464c..35d7647 100644
--- a/private/init.te
+++ b/private/init.te
@@ -539,6 +539,7 @@
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_allocinfo
proc_bootconfig
proc_cmdline
proc_diskstats
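Review bot: `proc_allocinfo` is added to two init rules with no comment saying why init needs it: the `allow init {` list in this hunk and the "init chmod/chown access to /proc files" list in the next one. Both rules close outside the visible lines, so the exact permissions granted cannot be confirmed from the diff. Because the same commit puts this type in the untrusted-app neverallow, the file appears to be treated as sensitive. A short note would help the next reviewer judge whether both grants are still needed, for example `# init adjusts owner/mode of /proc/allocinfo at boot (see <init rc / bug>)` beside the entry in the chmod/chown rule.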
@@ -574,6 +575,7 @@
# init chmod/chown access to /proc files.
allow init {
+ proc_allocinfo
proc_cmdline
proc_bootconfig
proc_kmsg
diff --git a/private/property_contexts b/private/property_contexts
index 643a179..121d0fa 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -801,6 +801,7 @@
ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
+ro.crypto.hw_wrapped_keys.kdf u:object_r:vold_config_prop:s0 exact string
ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
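Review bot: `ro.crypto.hw_wrapped_keys.kdf` is typed `exact string`, so the property layer will accept any value for a setting that, by its name, selects a key-derivation function. This matches the neighbouring `ro.crypto.*` entries, but it leaves all validation to the consumer. If the set of supported KDF identifiers is fixed, `exact enum <allowed values>` would reject a mistyped value when the property is set. Otherwise, confirm that the reader fails closed on an unrecognised string rather than falling back silently.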
diff --git a/private/system_app.te b/private/system_app.te
index 93be46f..9a70375 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -70,6 +70,9 @@
# Allow developer settings to check 16k pages boot option status
get_prop(system_app, enable_16k_pages_prop)
+# Allow developer settings to check virtualization capabilities
+get_prop(system_app, hypervisor_prop)
+
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
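Review bot: The comment on the added `get_prop(system_app, hypervisor_prop)` names developer settings as the consumer, but the rule grants read access to the whole `system_app` domain, not just that one app. The grant is read-only and follows the pattern of the `enable_16k_pages_prop` line above it, so this is a documentation point rather than a blocker. The comment could state the real scope, e.g. `# Allow system_app (needed by developer settings) to read virtualization capability properties`.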