Merge tag 'android-13.0.0_r38' into int/13/fp3

Android 13.0.0 Release 38 (TQ2A.230405.003)

* tag 'android-13.0.0_r38':
  DO NOT MERGE Revert "Disallow untrusted apps to read ro.debuggable and ro.secure"
  DO NOT MERGE Revert "Drop back-compatibility for hiding ro.debuggable and ro.secure"
  DO NOT MERGE Revert "Hide ro.debuggable and ro.secure from ephemeral and isolated applications"
  DO NOT MERGE Revert "Disallow untrusted apps to read ro.debuggable and ro.secure"
  DO NOT MERGE Revert "Drop back-compatibility for hiding ro.debuggable and ro.secure"
  DO NOT MERGE Revert "Hide ro.debuggable and ro.secure from ephemeral and isolated applications"

Change-Id: Ie9f35b8ad2a063f2067c181bd956be33b401dffb
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
index d916a13..a99b628 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
@@ -1378,7 +1378,6 @@
 (typeattributeset build_config_prop_32_0 (build_config_prop))
 (typeattributeset build_odm_prop_32_0 (build_odm_prop))
 (typeattributeset build_prop_32_0 (build_prop))
-(typeattributeset build_prop_32_0 (userdebug_or_eng_prop))
 (typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
 (typeattributeset cache_backup_file_32_0 (cache_backup_file))
 (typeattributeset cache_block_device_32_0 (cache_block_device))
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index ac288f0..3841fd5 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -815,7 +815,7 @@
 
 ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
 
-ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
+ro.debuggable u:object_r:build_prop:s0 exact bool
 
 ro.treble.enabled u:object_r:build_prop:s0 exact bool
 
@@ -842,7 +842,7 @@
 ro.system.build.version.sdk                 u:object_r:build_prop:s0 exact int
 
 ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure     u:object_r:userdebug_or_eng_prop:s0 exact int
+ro.secure     u:object_r:build_prop:s0 exact int
 
 ro.product.system_ext.brand        u:object_r:build_prop:s0 exact string
 ro.product.system_ext.device       u:object_r:build_prop:s0 exact string
diff --git a/prebuilts/api/33.0/private/untrusted_app_25.te b/prebuilts/api/33.0/private/untrusted_app_25.te
index b40fad0..4235d7e 100644
--- a/prebuilts/api/33.0/private/untrusted_app_25.te
+++ b/prebuilts/api/33.0/private/untrusted_app_25.te
@@ -52,6 +52,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_27.te b/prebuilts/api/33.0/private/untrusted_app_27.te
index dd9b4a8..c747af1 100644
--- a/prebuilts/api/33.0/private/untrusted_app_27.te
+++ b/prebuilts/api/33.0/private/untrusted_app_27.te
@@ -40,6 +40,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_29.te b/prebuilts/api/33.0/private/untrusted_app_29.te
index 0cc2bea..6bb2606 100644
--- a/prebuilts/api/33.0/private/untrusted_app_29.te
+++ b/prebuilts/api/33.0/private/untrusted_app_29.te
@@ -18,6 +18,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_30.te b/prebuilts/api/33.0/private/untrusted_app_30.te
index 7b23be7..e0a71ef 100644
--- a/prebuilts/api/33.0/private/untrusted_app_30.te
+++ b/prebuilts/api/33.0/private/untrusted_app_30.te
@@ -20,6 +20,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 46e9456..de529f5 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -129,7 +129,6 @@
 get_prop(domain, socket_hook_prop)
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
-get_prop({domain -untrusted_app_all userdebug_or_eng(`-isolated_app -ephemeral_app') },  userdebug_or_eng_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
 get_prop(domain, vold_status_prop)
@@ -565,7 +564,6 @@
 
 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
-neverallow { domain -init } userdebug_or_eng_prop:property_service set;
 
 # Do not allow reading device's serial number from system properties except form
 # a few allowed domains.
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index deb166b..763a80a 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -73,7 +73,6 @@
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
-system_restricted_prop(userdebug_or_eng_prop)
 system_restricted_prop(hypervisor_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index d916a13..a99b628 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -1378,7 +1378,6 @@
 (typeattributeset build_config_prop_32_0 (build_config_prop))
 (typeattributeset build_odm_prop_32_0 (build_odm_prop))
 (typeattributeset build_prop_32_0 (build_prop))
-(typeattributeset build_prop_32_0 (userdebug_or_eng_prop))
 (typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
 (typeattributeset cache_backup_file_32_0 (cache_backup_file))
 (typeattributeset cache_block_device_32_0 (cache_block_device))
diff --git a/private/property_contexts b/private/property_contexts
index ac288f0..3841fd5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -815,7 +815,7 @@
 
 ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
 
-ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
+ro.debuggable u:object_r:build_prop:s0 exact bool
 
 ro.treble.enabled u:object_r:build_prop:s0 exact bool
 
@@ -842,7 +842,7 @@
 ro.system.build.version.sdk                 u:object_r:build_prop:s0 exact int
 
 ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure     u:object_r:userdebug_or_eng_prop:s0 exact int
+ro.secure     u:object_r:build_prop:s0 exact int
 
 ro.product.system_ext.brand        u:object_r:build_prop:s0 exact string
 ro.product.system_ext.device       u:object_r:build_prop:s0 exact string
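Review bot: The `ro.secure` entry in this hunk, and `ro.debuggable` in the hunk before it, go back to the generic `build_prop` label with no comment recording that this is deliberate. The `get_prop` rule for `build_prop` is not part of this diff, but if it is granted to all of `domain` like the neighbouring rules in public/domain.te, then untrusted, isolated and ephemeral apps can read both values again, which is the exposure the reverted changes had closed. Writes remain limited to init, as the `neverallow { domain -init } build_prop:property_service set;` context line in public/domain.te shows. I would add a comment above each entry, for example `# Intentionally build_prop (readable wherever build_prop is); the userdebug_or_eng_prop restriction was reverted in android-13.0.0_r38.`, so a later policy audit does not mistake the label for an oversight. The same applies to the mirrored copy under prebuilts/api/33.0/private/property_contexts.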
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index b40fad0..4235d7e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -52,6 +52,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index dd9b4a8..c747af1 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,6 +40,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 0cc2bea..6bb2606 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -18,6 +18,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 7b23be7..e0a71ef 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -20,6 +20,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)
diff --git a/public/domain.te b/public/domain.te
index 46e9456..de529f5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -129,7 +129,6 @@
 get_prop(domain, socket_hook_prop)
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
-get_prop({domain -untrusted_app_all userdebug_or_eng(`-isolated_app -ephemeral_app') },  userdebug_or_eng_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
 get_prop(domain, vold_status_prop)
@@ -565,7 +564,6 @@
 
 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
-neverallow { domain -init } userdebug_or_eng_prop:property_service set;
 
 # Do not allow reading device's serial number from system properties except form
 # a few allowed domains.
diff --git a/public/property.te b/public/property.te
index deb166b..763a80a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -73,7 +73,6 @@
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
-system_restricted_prop(userdebug_or_eng_prop)
 system_restricted_prop(hypervisor_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)