Snap for 7915578 from 6af9b55d3814e42208d4bdc375944ec071af90ea to mainline-sdkext-release
Change-Id: I37bee790ff385b337d042839298b36668935ab49
diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
index 5ff7aef..7496c65 100644
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors
@@ -730,6 +730,7 @@
report_off_body
reset
unlock
+ delete_all_keys
}
class keystore2_key
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
index b923cdb..09799bd 100644
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@@ -51,8 +51,9 @@
BLKFLSBUF
LOOP_CONFIGURE
};
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd bdev_type:dir r_dir_perms;
+allow apexd bdev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
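Review bot: The comment `# Allow apexd to access /dev/block` no longer describes both rules under it, because `allow apexd bdev_type:blk_file getattr;` lets apexd stat every block device node carrying the new attribute, not just list the directory. Since `bdev_type` is declared in public/attributes, any type tagged with it later (presumably including vendor types) inherits this access, so the comment should state the intent, for example `# Allow apexd to list /dev/block and stat (getattr only) the block device nodes in it`. The same pair of rules is added for init in prebuilts/api/31.0/private/init.te under `# Allow init access /dev/block`, and both hunks are mirrored in private/apexd.te and private/init.te.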
@@ -106,6 +107,8 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
+allow apexd sysfs_block_type:dir r_dir_perms;
+allow apexd sysfs_block_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index 56acd4d..0c36aed 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -124,6 +124,7 @@
snapuserd_socket
soc_prop
speech_recognition_service
+ sysfs_block
sysfs_devfreq_cur
sysfs_devfreq_dir
sysfs_devices_cs_etm
@@ -148,4 +149,6 @@
vpn_management_service
watchdog_metadata_file
wifi_key
- zygote_config_prop))
+ zygote_config_prop
+ proc_vendor_sched
+ sysfs_vendor_sched))
diff --git a/prebuilts/api/31.0/private/genfs_contexts b/prebuilts/api/31.0/private/genfs_contexts
index 3499aa0..13bfb46 100644
--- a/prebuilts/api/31.0/private/genfs_contexts
+++ b/prebuilts/api/31.0/private/genfs_contexts
@@ -103,6 +103,7 @@
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
genfscon fusectl / u:object_r:fusectlfs:s0
@@ -116,6 +117,7 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/block u:object_r:sysfs_block:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
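Review bot: Labelling `/class/block` as `sysfs_block` removes that directory from whatever label it carried before (presumably the generic `sysfs`), so any domain that listed /sys/class/block under the old label loses access unless it gets a rule for the new type. Within this change only apexd (via `sysfs_block_type`) and shell receive directory access, while init gets `sysfs_block_type:file { getattr read }` with no dir rule visible here. A denial sweep on a user build would confirm nothing else depended on the old label, and a comment such as `# /sys/class/block holds symlinks only; per-device attribute files are labelled by their /sys/devices path` would tell vendors where the `sysfs_block_type` labels have to go. The same entry is added in private/genfs_contexts.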
@@ -164,6 +166,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
diff --git a/prebuilts/api/31.0/private/init.te b/prebuilts/api/31.0/private/init.te
index 99afd84..f569e0c 100644
--- a/prebuilts/api/31.0/private/init.te
+++ b/prebuilts/api/31.0/private/init.te
@@ -38,6 +38,16 @@
# that userdata is mounted onto.
allow init sysfs_dm:file read;
+# Allow init to modify the properties of loop devices.
+allow init sysfs_loop:dir r_dir_perms;
+allow init sysfs_loop:file rw_file_perms;
+
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
diff --git a/prebuilts/api/31.0/private/odrefresh.te b/prebuilts/api/31.0/private/odrefresh.te
index 7a64247..3db1ae8 100644
--- a/prebuilts/api/31.0/private/odrefresh.te
+++ b/prebuilts/api/31.0/private/odrefresh.te
@@ -21,9 +21,15 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
diff --git a/prebuilts/api/31.0/private/odsign.te b/prebuilts/api/31.0/private/odsign.te
index 0ff3b7b..c6c7808 100644
--- a/prebuilts/api/31.0/private/odsign.te
+++ b/prebuilts/api/31.0/private/odsign.te
@@ -54,6 +54,9 @@
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
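Review bot: `set_prop(odsign, ctl_odsign_prop)` is added without the kind of restriction that `odsign_prop` gets two lines above it, so nothing in this hunk prevents a later rule from letting another domain stop odsign. Unless that is enforced elsewhere, add `neverallow { domain -odsign -init } ctl_odsign_prop:property_service set;` directly after the new rule. The comment `# Allow odsign to stop itself` could also name the property (`ctl.stop$odsign`) so the link to property_contexts is searchable. The same hunk appears in private/odsign.te.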
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 6c0b521..29f4f1a 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -37,6 +37,7 @@
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index dbea278..e0700fe 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -169,6 +169,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to stopping odsign
+ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
+
# Restrict access to starting media.transcoding.
ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
@@ -496,6 +499,7 @@
ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:vold_config_prop:s0 exact string
@@ -848,6 +852,7 @@
ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.dont_use_vabc u:object_r:build_vendor_prop:s0 exact bool
# All vendor CPU abilist props are set by /vendor/build.prop
ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
@@ -1117,8 +1122,17 @@
telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
telephony.lteOnCdmaDevice u:object_r:telephony_config_prop:s0 exact int
persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
# System locale list filter configuration
ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
diff --git a/prebuilts/api/31.0/private/vold.te b/prebuilts/api/31.0/private/vold.te
index a802bdb..de0fde4 100644
--- a/prebuilts/api/31.0/private/vold.te
+++ b/prebuilts/api/31.0/private/vold.te
@@ -53,8 +53,9 @@
allow vold keystore_service:service_manager find;
allow vold keystore_maintenance_service:service_manager find;
-# vold needs to be able to call earlyBootEnded()
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;
neverallow {
domain
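Review bot: `delete_all_keys` is a destructive keystore2 permission, and the new `allow vold keystore:keystore2 delete_all_keys;` is not paired with a rule that keeps it exclusive to vold. The `neverallow {` that starts at the end of this hunk continues outside it, so I cannot tell what it covers; if it does not already restrict this permission, add `neverallow { domain -vold } keystore:keystore2 delete_all_keys;`. The comment could also say when the call is made; presumably it is gated by `ro.crypto.metadata_init_delete_all_keys.enabled`, which this change adds to property_contexts. The identical hunk is in private/vold.te.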
diff --git a/prebuilts/api/31.0/public/attributes b/prebuilts/api/31.0/public/attributes
index 2e01f1e..b60c9cc 100644
--- a/prebuilts/api/31.0/public/attributes
+++ b/prebuilts/api/31.0/public/attributes
@@ -7,6 +7,9 @@
# in tools/checkfc.c
attribute dev_type;
+# Attribute for block devices.
+attribute bdev_type;
+
# All types used for processes.
attribute domain;
@@ -59,6 +62,9 @@
# All types used for sysfs files.
attribute sysfs_type;
+# Attribute for /sys/class/block files.
+attribute sysfs_block_type;
+
# All types use for debugfs files.
attribute debugfs_type;
diff --git a/prebuilts/api/31.0/public/device.te b/prebuilts/api/31.0/public/device.te
index 686f955..cc2ef57 100644
--- a/prebuilts/api/31.0/public/device.te
+++ b/prebuilts/api/31.0/public/device.te
@@ -6,16 +6,16 @@
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
type camera_device, dev_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
+type dm_device, dev_type, bdev_type;
+type dm_user_device, dev_type, bdev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
-type loop_device, dev_type;
+type loop_device, dev_type, bdev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
-type ram_device, dev_type;
+type ram_device, dev_type, bdev_type;
type rtc_device, dev_type;
type vd_device, dev_type;
type vold_device, dev_type;
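Review bot: `vd_device` stays `type vd_device, dev_type;` while the other block-backed types in this hunk gain `bdev_type`, even though apexd.te in this same change treats it as a block node (`allow apexd vd_device:blk_file r_file_perms;`). If that is an oversight the line should read `type vd_device, dev_type, bdev_type;`; if it is deliberate, a short comment next to `attribute bdev_type;` saying which block types are intentionally excluded would keep the attribute's meaning clear. Rules written against `bdev_type` silently skip any block device type that lacks the tag, so the membership list matters. The same hunk is mirrored in public/device.te.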
@@ -73,51 +73,51 @@
type rpmsg_device, dev_type;
# Partition layout block device
-type root_block_device, dev_type;
+type root_block_device, dev_type, bdev_type;
# factory reset protection block device
-type frp_block_device, dev_type;
+type frp_block_device, dev_type, bdev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
+type system_block_device, dev_type, bdev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
+type recovery_block_device, dev_type, bdev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
+type boot_block_device, dev_type, bdev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
+type userdata_block_device, dev_type, bdev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
+type cache_block_device, dev_type, bdev_type;
# Block device for any swap partition.
-type swap_block_device, dev_type;
+type swap_block_device, dev_type, bdev_type;
# Metadata block device used for encryption metadata.
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
+type metadata_block_device, dev_type, bdev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
+type misc_block_device, dev_type, bdev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
+type super_block_device, super_block_device_type, dev_type, bdev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
+type sdcard_block_device, dev_type, bdev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
diff --git a/prebuilts/api/31.0/public/file.te b/prebuilts/api/31.0/public/file.te
index 20348b5..dc788ac 100644
--- a/prebuilts/api/31.0/public/file.te
+++ b/prebuilts/api/31.0/public/file.te
@@ -77,6 +77,7 @@
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
+type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
@@ -85,6 +86,7 @@
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
@@ -116,6 +118,10 @@
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
+type sysfs_vendor_sched, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_vendor_sched mlstrustedobject;
+')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type configfs, fs_type;
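Review bot: The `userdebug_or_eng` block that adds `mlstrustedobject` to `sysfs_vendor_sched` has no comment, and that attribute exempts the type from MLS constraints, so the reason should be written down. It also makes debug and user builds diverge, which means access that works on userdebug can still be denied on a user build. Suggest a line such as `# userdebug/eng only: allow access across MLS levels for debugging` above the block (wording to be confirmed by the author), and a check whether `proc_vendor_sched` in the first hunk was left without it deliberately. The hunk is mirrored in public/file.te.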
diff --git a/prebuilts/api/31.0/public/shell.te b/prebuilts/api/31.0/public/shell.te
index 29c07a4..70a7fb4 100644
--- a/prebuilts/api/31.0/public/shell.te
+++ b/prebuilts/api/31.0/public/shell.te
@@ -158,6 +158,9 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
+# allow shell to list /sys/class/block/ to get storage type for CTS
+allow shell sysfs_block:dir r_dir_perms;
+
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
diff --git a/private/access_vectors b/private/access_vectors
index 5ff7aef..7496c65 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -730,6 +730,7 @@
report_off_body
reset
unlock
+ delete_all_keys
}
class keystore2_key
diff --git a/private/apexd.te b/private/apexd.te
index b923cdb..09799bd 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -51,8 +51,9 @@
BLKFLSBUF
LOOP_CONFIGURE
};
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd bdev_type:dir r_dir_perms;
+allow apexd bdev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
@@ -106,6 +107,8 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
+allow apexd sysfs_block_type:dir r_dir_perms;
+allow apexd sysfs_block_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 56acd4d..0c36aed 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -124,6 +124,7 @@
snapuserd_socket
soc_prop
speech_recognition_service
+ sysfs_block
sysfs_devfreq_cur
sysfs_devfreq_dir
sysfs_devices_cs_etm
@@ -148,4 +149,6 @@
vpn_management_service
watchdog_metadata_file
wifi_key
- zygote_config_prop))
+ zygote_config_prop
+ proc_vendor_sched
+ sysfs_vendor_sched))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3499aa0..13bfb46 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -103,6 +103,7 @@
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
genfscon fusectl / u:object_r:fusectlfs:s0
@@ -116,6 +117,7 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/block u:object_r:sysfs_block:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -164,6 +166,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
diff --git a/private/init.te b/private/init.te
index 99afd84..f569e0c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -38,6 +38,16 @@
# that userdata is mounted onto.
allow init sysfs_dm:file read;
+# Allow init to modify the properties of loop devices.
+allow init sysfs_loop:dir r_dir_perms;
+allow init sysfs_loop:file rw_file_perms;
+
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 7a64247..3db1ae8 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -21,9 +21,15 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
diff --git a/private/odsign.te b/private/odsign.te
index 0ff3b7b..c6c7808 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -54,6 +54,9 @@
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
+# Allow odsign to stop itself
+set_prop(odsign, ctl_odsign_prop)
+
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/private/property.te b/private/property.te
index 6c0b521..29f4f1a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -37,6 +37,7 @@
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
+system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index dbea278..e0700fe 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -169,6 +169,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to stopping odsign
+ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
+
# Restrict access to starting media.transcoding.
ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
@@ -496,6 +499,7 @@
ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
+ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:vold_config_prop:s0 exact string
@@ -848,6 +852,7 @@
ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.dont_use_vabc u:object_r:build_vendor_prop:s0 exact bool
# All vendor CPU abilist props are set by /vendor/build.prop
ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
@@ -1117,8 +1122,17 @@
telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
telephony.lteOnCdmaDevice u:object_r:telephony_config_prop:s0 exact int
persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.volte_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.vt_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
+persist.dbg.wfc_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
# System locale list filter configuration
ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
diff --git a/private/vold.te b/private/vold.te
index a802bdb..de0fde4 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -53,8 +53,9 @@
allow vold keystore_service:service_manager find;
allow vold keystore_maintenance_service:service_manager find;
-# vold needs to be able to call earlyBootEnded()
+# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
allow vold keystore:keystore2 early_boot_ended;
+allow vold keystore:keystore2 delete_all_keys;
neverallow {
domain
diff --git a/public/attributes b/public/attributes
index 2e01f1e..b60c9cc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,6 +7,9 @@
# in tools/checkfc.c
attribute dev_type;
+# Attribute for block devices.
+attribute bdev_type;
+
# All types used for processes.
attribute domain;
@@ -59,6 +62,9 @@
# All types used for sysfs files.
attribute sysfs_type;
+# Attribute for /sys/class/block files.
+attribute sysfs_block_type;
+
# All types use for debugfs files.
attribute debugfs_type;
diff --git a/public/device.te b/public/device.te
index 686f955..cc2ef57 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,16 +6,16 @@
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
type camera_device, dev_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
+type dm_device, dev_type, bdev_type;
+type dm_user_device, dev_type, bdev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
-type loop_device, dev_type;
+type loop_device, dev_type, bdev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
-type ram_device, dev_type;
+type ram_device, dev_type, bdev_type;
type rtc_device, dev_type;
type vd_device, dev_type;
type vold_device, dev_type;
@@ -73,51 +73,51 @@
type rpmsg_device, dev_type;
# Partition layout block device
-type root_block_device, dev_type;
+type root_block_device, dev_type, bdev_type;
# factory reset protection block device
-type frp_block_device, dev_type;
+type frp_block_device, dev_type, bdev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
+type system_block_device, dev_type, bdev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
+type recovery_block_device, dev_type, bdev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
+type boot_block_device, dev_type, bdev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
+type userdata_block_device, dev_type, bdev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
+type cache_block_device, dev_type, bdev_type;
# Block device for any swap partition.
-type swap_block_device, dev_type;
+type swap_block_device, dev_type, bdev_type;
# Metadata block device used for encryption metadata.
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
+type metadata_block_device, dev_type, bdev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
+type misc_block_device, dev_type, bdev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
+type super_block_device, super_block_device_type, dev_type, bdev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
+type sdcard_block_device, dev_type, bdev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;
diff --git a/public/file.te b/public/file.te
index 20348b5..dc788ac 100644
--- a/public/file.te
+++ b/public/file.te
@@ -77,6 +77,7 @@
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
+type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
@@ -85,6 +86,7 @@
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
@@ -116,6 +118,10 @@
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
+type sysfs_vendor_sched, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_vendor_sched mlstrustedobject;
+')
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type configfs, fs_type;
diff --git a/public/shell.te b/public/shell.te
index 29c07a4..70a7fb4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -158,6 +158,9 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
+# allow shell to list /sys/class/block/ to get storage type for CTS
+allow shell sysfs_block:dir r_dir_perms;
+
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;