Merge cherrypicks of [16615268] into rvc-platform-release. am: 5b74cfce8d
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/16674945
Change-Id: Ib82e90c661d43cf46cfb33a40ccae08c28ddca1d
diff --git a/Android.mk b/Android.mk
index 33a08ee..d29c7b2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -741,6 +741,8 @@
userdebug_plat_policy.conf :=
+$(call dist-for-goals,droidcore,$(LOCAL_BUILT_MODULE))
+
#################################
include $(CLEAR_VARS)
diff --git a/prebuilts/api/30.0/private/gsid.te b/prebuilts/api/30.0/private/gsid.te
index 3ff9d67..9d07adb 100644
--- a/prebuilts/api/30.0/private/gsid.te
+++ b/prebuilts/api/30.0/private/gsid.te
@@ -133,7 +133,10 @@
allowxperm gsid {
gsi_data_file
ota_image_data_file
-}:file ioctl FS_IOC_FIEMAP;
+}:file ioctl {
+ FS_IOC_FIEMAP
+ FS_IOC_GETFLAGS
+};
allow gsid system_server:binder call;
diff --git a/prebuilts/api/30.0/private/mediaprovider_app.te b/prebuilts/api/30.0/private/mediaprovider_app.te
index 5881255..82d7e3b 100644
--- a/prebuilts/api/30.0/private/mediaprovider_app.te
+++ b/prebuilts/api/30.0/private/mediaprovider_app.te
@@ -6,7 +6,7 @@
app_domain(mediaprovider_app)
# Access to /mnt/pass_through.
-allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+r_dir_file(mediaprovider_app, mnt_pass_through_file)
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
diff --git a/prebuilts/api/30.0/private/system_suspend.te b/prebuilts/api/30.0/private/system_suspend.te
index d33dc8e..da85f65 100644
--- a/prebuilts/api/30.0/private/system_suspend.te
+++ b/prebuilts/api/30.0/private/system_suspend.te
@@ -16,6 +16,10 @@
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
+# For adding `dumpsys syspend_control` output to bugreport
+allow system_suspend dumpstate:fd use;
+allow system_suspend dumpstate:fifo_file write;
+
neverallow {
domain
-atrace # tracing
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index 0609d92..778a21a 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -143,7 +143,12 @@
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_thermal)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/prebuilts/api/30.0/public/installd.te b/prebuilts/api/30.0/public/installd.te
index c8cc89d..b55eae0 100644
--- a/prebuilts/api/30.0/public/installd.te
+++ b/prebuilts/api/30.0/public/installd.te
@@ -175,6 +175,9 @@
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file r_file_perms;
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
###
### Neverallow rules
###
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index bfc718e..6c48279 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -113,6 +113,8 @@
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
+ro.cdma.home.operator.alpha u:object_r:exported3_default_prop:s0 exact string
+ro.cdma.home.operator.numeric u:object_r:exported3_default_prop:s0 exact string
ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -406,6 +408,9 @@
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
+ro.vendor.product.cpu.abilist u:object_r:exported_default_prop:s0 exact string
+ro.vendor.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
+ro.vendor.product.cpu.abilist64 u:object_r:exported_default_prop:s0 exact string
ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
ro.vndk.version u:object_r:vndk_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
@@ -478,3 +483,5 @@
# Graphics related properties
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+
+ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
diff --git a/private/bug_map b/private/bug_map
index eaa1593..78517d1 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -25,6 +25,7 @@
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
+system_server apex_art_data_file file b/194054685
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
diff --git a/private/gsid.te b/private/gsid.te
index 3ff9d67..9d07adb 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -133,7 +133,10 @@
allowxperm gsid {
gsi_data_file
ota_image_data_file
-}:file ioctl FS_IOC_FIEMAP;
+}:file ioctl {
+ FS_IOC_FIEMAP
+ FS_IOC_GETFLAGS
+};
allow gsid system_server:binder call;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 5881255..82d7e3b 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -6,7 +6,7 @@
app_domain(mediaprovider_app)
# Access to /mnt/pass_through.
-allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+r_dir_file(mediaprovider_app, mnt_pass_through_file)
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
diff --git a/private/system_suspend.te b/private/system_suspend.te
index d33dc8e..da85f65 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -16,6 +16,10 @@
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
+# For adding `dumpsys syspend_control` output to bugreport
+allow system_suspend dumpstate:fd use;
+allow system_suspend dumpstate:fifo_file write;
+
neverallow {
domain
-atrace # tracing
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0609d92..778a21a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -143,7 +143,12 @@
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_thermal)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/public/installd.te b/public/installd.te
index c8cc89d..b55eae0 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -175,6 +175,9 @@
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file r_file_perms;
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
###
### Neverallow rules
###
diff --git a/public/property_contexts b/public/property_contexts
index bfc718e..6c48279 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -113,6 +113,8 @@
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
+ro.cdma.home.operator.alpha u:object_r:exported3_default_prop:s0 exact string
+ro.cdma.home.operator.numeric u:object_r:exported3_default_prop:s0 exact string
ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -406,6 +408,9 @@
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
+ro.vendor.product.cpu.abilist u:object_r:exported_default_prop:s0 exact string
+ro.vendor.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
+ro.vendor.product.cpu.abilist64 u:object_r:exported_default_prop:s0 exact string
ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
ro.vndk.version u:object_r:vndk_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
@@ -478,3 +483,5 @@
# Graphics related properties
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+
+ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
