Snap tm-dev to android13-tests-dev am: 5f2509a85a am: afc97a7c5e

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/20514546

Change-Id: I15bbe1635d1d5d3b2436cbef2e5fa5e9e5f54f55
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

prebuilts/api/30.0/public/attributes

@@ -91,15 +91,19 @@ attribute extended_core_property_type;
 
 # All properties defined by /system.
 attribute system_property_type;
+expandattribute system_property_type false;
 
 # All /system-defined properties used only in /system.
 attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
 
 # All /system-defined properties which can't be written outside /system.
 attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
 
 # All /system-defined properties with no restrictions.
 attribute system_public_property_type;
+expandattribute system_public_property_type false;
 
 # All properties defined by /product.
 # Currently there are no enforcements between /system and /product, so for now
@@ -111,15 +115,19 @@ define(`product_public_type',     `system_public_property_type')
 
 # All properties defined by /vendor.
 attribute vendor_property_type;
+expandattribute vendor_property_type false;
 
 # All /vendor-defined properties used only in /vendor.
 attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
 
 # All /vendor-defined properties which can't be written outside /vendor.
 attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
 
 # All /vendor-defined properties with no restrictions.
 attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
 
 # All service_manager types created by system_server
 attribute system_server_service;

prebuilts/api/31.0/private/mediatranscoding.te

@@ -19,6 +19,7 @@ hal_client_domain(mediatranscoding, hal_graphics_allocator)
 hal_client_domain(mediatranscoding, hal_configstore)
 hal_client_domain(mediatranscoding, hal_omx)
 hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
 
 allow mediatranscoding mediaserver_service:service_manager find;
 allow mediatranscoding mediametrics_service:service_manager find;

prebuilts/api/31.0/private/property.te

@@ -395,10 +395,12 @@ neverallow {
 
 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
 neverallow {
   domain
   -init
   -shell
+  -system_app
 } {
   arm64_memtag_prop
 }:property_service set;

prebuilts/api/31.0/private/system_app.te

@@ -34,6 +34,7 @@ allow system_app wallpaper_file:file r_file_perms;
 allow system_app icon_file:file r_file_perms;
 
 # Write to properties
+set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
 set_prop(system_app, bluetooth_prop)

prebuilts/api/32.0/private/mediatranscoding.te

@@ -19,6 +19,7 @@ hal_client_domain(mediatranscoding, hal_graphics_allocator)
 hal_client_domain(mediatranscoding, hal_configstore)
 hal_client_domain(mediatranscoding, hal_omx)
 hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
 
 allow mediatranscoding mediaserver_service:service_manager find;
 allow mediatranscoding mediametrics_service:service_manager find;

prebuilts/api/32.0/private/property.te

@@ -396,10 +396,12 @@ neverallow {
 
 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
+# Allow system apps to set MTE props, so Developer Options can set them.
 neverallow {
   domain
   -init
   -shell
+  -system_app
 } {
   arm64_memtag_prop
 }:property_service set;

prebuilts/api/32.0/private/system_app.te

@@ -34,6 +34,7 @@ allow system_app wallpaper_file:file r_file_perms;
 allow system_app icon_file:file r_file_perms;
 
 # Write to properties
+set_prop(system_app, arm64_memtag_prop)
 set_prop(system_app, bluetooth_a2dp_offload_prop)
 set_prop(system_app, bluetooth_audio_hal_prop)
 set_prop(system_app, bluetooth_prop)