Snap for 7316203 from f3c5b6aeace16a5419167fae0d403cfcb97651c3 to rvc-platform-release
Change-Id: I97423d492f308a866bcc1406ffdc7e683586dcf8
diff --git a/prebuilts/api/30.0/private/adbd.te b/prebuilts/api/30.0/private/adbd.te
index be4f0f7..5531ad4 100644
--- a/prebuilts/api/30.0/private/adbd.te
+++ b/prebuilts/api/30.0/private/adbd.te
@@ -87,8 +87,9 @@
set_prop(adbd, ffs_prop)
set_prop(adbd, exported_ffs_prop)
-# Set service.adb.tls.port, persist.adb.wifi. properties
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
@@ -102,6 +103,9 @@
# Read persist.adb.tls_server.enable property
get_prop(adbd, system_adbd_prop)
+# Read service.adb.tcp.port property
+get_prop(adbd, adbd_config_prop)
+
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/prebuilts/api/30.0/private/app.te b/prebuilts/api/30.0/private/app.te
index 9882d8f..c14ec22 100644
--- a/prebuilts/api/30.0/private/app.te
+++ b/prebuilts/api/30.0/private/app.te
@@ -2,6 +2,8 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+get_prop(appdomain, adbd_config_prop)
+
userdebug_or_eng(`perfetto_producer({ appdomain })')
# Prevent apps from causing presubmit failures.
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index fdea691..e4aaef5 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -8,6 +8,7 @@
aidl_lazy_test_server
aidl_lazy_test_server_exec
aidl_lazy_test_service
+ adbd_config_prop
adbd_prop
apex_module_data_file
apex_permission_data_file
@@ -88,6 +89,7 @@
ota_metadata_file
ota_prop
prereboot_data_file
+ proc_locks
art_apex_dir
rebootescrow_hal_prop
securityfs
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index 89232bc..d05e907 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -13,6 +13,7 @@
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
diff --git a/prebuilts/api/30.0/private/gmscore_app.te b/prebuilts/api/30.0/private/gmscore_app.te
index 2355326..b7c9235 100644
--- a/prebuilts/api/30.0/private/gmscore_app.te
+++ b/prebuilts/api/30.0/private/gmscore_app.te
@@ -75,6 +75,10 @@
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
diff --git a/prebuilts/api/30.0/private/mediaprovider_app.te b/prebuilts/api/30.0/private/mediaprovider_app.te
index 335c1b6..5881255 100644
--- a/prebuilts/api/30.0/private/mediaprovider_app.te
+++ b/prebuilts/api/30.0/private/mediaprovider_app.te
@@ -27,6 +27,10 @@
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
+# Talk to statsd
+allow mediaprovider_app statsmanager_service:service_manager find;
+binder_call(mediaprovider_app, statsd)
+
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
diff --git a/prebuilts/api/30.0/private/netd.te b/prebuilts/api/30.0/private/netd.te
index 41473b7..6e637c1 100644
--- a/prebuilts/api/30.0/private/netd.te
+++ b/prebuilts/api/30.0/private/netd.te
@@ -17,6 +17,7 @@
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow netd self:key_socket create;
+get_prop(netd, adbd_config_prop)
get_prop(netd, bpf_progs_loaded_prop)
# Allow netd to write to statsd.
diff --git a/prebuilts/api/30.0/private/priv_app.te b/prebuilts/api/30.0/private/priv_app.te
index 44c81ee..c5f7013 100644
--- a/prebuilts/api/30.0/private/priv_app.te
+++ b/prebuilts/api/30.0/private/priv_app.te
@@ -25,6 +25,10 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
allow priv_app privapp_data_file:lnk_file create_file_perms;
# Priv apps can find services that expose both @SystemAPI and normal APIs.
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index 7908bb1..a4fab1f 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -48,7 +48,6 @@
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
@@ -100,6 +99,9 @@
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+# adbd protoctl configuration property
+service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 213b3c8..3c1d192 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -902,6 +902,7 @@
allow system_server {
proc_cmdline
proc_loadavg
+ proc_locks
proc_meminfo
proc_pagetypeinfo
proc_pipe_conf
diff --git a/prebuilts/api/30.0/private/vendor_init.te b/prebuilts/api/30.0/private/vendor_init.te
index 6a68f1f..83f001d 100644
--- a/prebuilts/api/30.0/private/vendor_init.te
+++ b/prebuilts/api/30.0/private/vendor_init.te
@@ -5,3 +5,6 @@
# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 91257e2..7ed8baa 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -36,6 +36,7 @@
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index 9a93518..43b09db 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -132,6 +132,7 @@
system_vendor_config_prop(virtual_ab_prop)
# Properties with no restrictions
+system_public_prop(adbd_config_prop)
system_public_prop(audio_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 4607ef3..bfc718e 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -151,6 +151,7 @@
ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit_critical u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
diff --git a/private/adbd.te b/private/adbd.te
index be4f0f7..5531ad4 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -87,8 +87,9 @@
set_prop(adbd, ffs_prop)
set_prop(adbd, exported_ffs_prop)
-# Set service.adb.tls.port, persist.adb.wifi. properties
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
@@ -102,6 +103,9 @@
# Read persist.adb.tls_server.enable property
get_prop(adbd, system_adbd_prop)
+# Read service.adb.tcp.port property
+get_prop(adbd, adbd_config_prop)
+
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/app.te b/private/app.te
index 9882d8f..c14ec22 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,8 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+get_prop(appdomain, adbd_config_prop)
+
userdebug_or_eng(`perfetto_producer({ appdomain })')
# Prevent apps from causing presubmit failures.
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index fdea691..e4aaef5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -8,6 +8,7 @@
aidl_lazy_test_server
aidl_lazy_test_server_exec
aidl_lazy_test_service
+ adbd_config_prop
adbd_prop
apex_module_data_file
apex_permission_data_file
@@ -88,6 +89,7 @@
ota_metadata_file
ota_prop
prereboot_data_file
+ proc_locks
art_apex_dir
rebootescrow_hal_prop
securityfs
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 89232bc..d05e907 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -13,6 +13,7 @@
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 2355326..b7c9235 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -75,6 +75,10 @@
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 335c1b6..5881255 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -27,6 +27,10 @@
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
+# Talk to statsd
+allow mediaprovider_app statsmanager_service:service_manager find;
+binder_call(mediaprovider_app, statsd)
+
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
diff --git a/private/netd.te b/private/netd.te
index 41473b7..6e637c1 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -17,6 +17,7 @@
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow netd self:key_socket create;
+get_prop(netd, adbd_config_prop)
get_prop(netd, bpf_progs_loaded_prop)
# Allow netd to write to statsd.
diff --git a/private/priv_app.te b/private/priv_app.te
index 44c81ee..c5f7013 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -25,6 +25,10 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
allow priv_app privapp_data_file:lnk_file create_file_perms;
# Priv apps can find services that expose both @SystemAPI and normal APIs.
diff --git a/private/property_contexts b/private/property_contexts
index 7908bb1..a4fab1f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -48,7 +48,6 @@
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
@@ -100,6 +99,9 @@
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+# adbd protoctl configuration property
+service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
diff --git a/private/system_server.te b/private/system_server.te
index 213b3c8..3c1d192 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -902,6 +902,7 @@
allow system_server {
proc_cmdline
proc_loadavg
+ proc_locks
proc_meminfo
proc_pagetypeinfo
proc_pipe_conf
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 6a68f1f..83f001d 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -5,3 +5,6 @@
# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
diff --git a/public/file.te b/public/file.te
index 91257e2..7ed8baa 100644
--- a/public/file.te
+++ b/public/file.te
@@ -36,6 +36,7 @@
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
diff --git a/public/property.te b/public/property.te
index 9a93518..43b09db 100644
--- a/public/property.te
+++ b/public/property.te
@@ -132,6 +132,7 @@
system_vendor_config_prop(virtual_ab_prop)
# Properties with no restrictions
+system_public_prop(adbd_config_prop)
system_public_prop(audio_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
diff --git a/public/property_contexts b/public/property_contexts
index 4607ef3..bfc718e 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -151,6 +151,7 @@
ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit_critical u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
