diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil index 26e944e47..b87c07bef 100644 --- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil +++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil @@ -44,6 +44,7 @@ device_config_configuration_prop emergency_affordance_service exported_camera_prop + fastbootd_protocol_prop file_integrity_service fwk_automotive_display_hwservice gmscore_app diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts index 7ec190bed..a6ea90a5b 100644 --- a/prebuilts/api/30.0/private/property_contexts +++ b/prebuilts/api/30.0/private/property_contexts @@ -97,6 +97,9 @@ test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0 sys.lmk. u:object_r:system_lmk_prop:s0 sys.trace. u:object_r:system_trace_prop:s0 +# Fastbootd protocol control property +fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp + # Boolean property set by system server upon boot indicating # if device is fully owned by organization instead of being # a personal device. diff --git a/prebuilts/api/30.0/public/fastbootd.te b/prebuilts/api/30.0/public/fastbootd.te index f10e6492d..878781721 100644 --- a/prebuilts/api/30.0/public/fastbootd.te +++ b/prebuilts/api/30.0/public/fastbootd.te @@ -120,6 +120,14 @@ recovery_only(` # Determine allocation scheme (whether B partitions needs to be # at the second half of super. get_prop(fastbootd, virtual_ab_prop) + + # Needed for TCP protocol + allow fastbootd node:tcp_socket node_bind; + allow fastbootd port:tcp_socket name_bind; + allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept }; + + # Get fastbootd protocol property + get_prop(fastbootd, fastbootd_protocol_prop) ') ### diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te index 9c87bf126..90ee2d309 100644 --- a/prebuilts/api/30.0/public/property.te 
+++ b/prebuilts/api/30.0/public/property.te @@ -14,6 +14,7 @@ system_internal_prop(device_config_sys_traced_prop) system_internal_prop(device_config_window_manager_native_boot_prop) system_internal_prop(device_config_configuration_prop) system_internal_prop(firstboot_prop) +system_internal_prop(fastbootd_protocol_prop) system_internal_prop(gsid_prop) system_internal_prop(init_perf_lsm_hooks_prop) system_internal_prop(init_svc_debug_prop) diff --git a/prebuilts/api/30.0/public/recovery.te b/prebuilts/api/30.0/public/recovery.te index 16b670f96..63a9cea62 100644 --- a/prebuilts/api/30.0/public/recovery.te +++ b/prebuilts/api/30.0/public/recovery.te @@ -154,6 +154,15 @@ recovery_only(` # Allow mounting /metadata for writing update states allow recovery metadata_file:dir { getattr mounton }; + + # These are needed to allow recovery to manage network + allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read }; + allow recovery self:global_capability_class_set net_admin; + allow recovery self:tcp_socket { create ioctl }; + allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS }; + + # Set fastbootd protocol property + set_prop(recovery, fastbootd_protocol_prop) ') ### diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil index 26e944e47..b87c07bef 100644 --- a/private/compat/29.0/29.0.ignore.cil +++ b/private/compat/29.0/29.0.ignore.cil @@ -44,6 +44,7 @@ device_config_configuration_prop emergency_affordance_service exported_camera_prop + fastbootd_protocol_prop file_integrity_service fwk_automotive_display_hwservice gmscore_app diff --git a/private/property_contexts b/private/property_contexts index 7ec190bed..a6ea90a5b 100644 --- a/private/property_contexts +++ b/private/property_contexts 
@@ -97,6 +97,9 @@ test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0 sys.lmk. u:object_r:system_lmk_prop:s0 sys.trace. u:object_r:system_trace_prop:s0 +# Fastbootd protocol control property +fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp + # Boolean property set by system server upon boot indicating # if device is fully owned by organization instead of being # a personal device. diff --git a/public/fastbootd.te b/public/fastbootd.te index f10e6492d..878781721 100644 --- a/public/fastbootd.te +++ b/public/fastbootd.te @@ -120,6 +120,14 @@ recovery_only(` # Determine allocation scheme (whether B partitions needs to be # at the second half of super. get_prop(fastbootd, virtual_ab_prop) + + # Needed for TCP protocol + allow fastbootd node:tcp_socket node_bind; + allow fastbootd port:tcp_socket name_bind; + allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept }; + + # Get fastbootd protocol property + get_prop(fastbootd, fastbootd_protocol_prop) ') ### diff --git a/public/property.te b/public/property.te index 9c87bf126..90ee2d309 100644 --- a/public/property.te +++ b/public/property.te @@ -14,6 +14,7 @@ system_internal_prop(device_config_sys_traced_prop) system_internal_prop(device_config_window_manager_native_boot_prop) system_internal_prop(device_config_configuration_prop) system_internal_prop(firstboot_prop) +system_internal_prop(fastbootd_protocol_prop) system_internal_prop(gsid_prop) system_internal_prop(init_perf_lsm_hooks_prop) system_internal_prop(init_svc_debug_prop) diff --git a/public/recovery.te b/public/recovery.te index 16b670f96..63a9cea62 100644 --- a/public/recovery.te +++ b/public/recovery.te 
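Review bot: The three TCP rules added to public/fastbootd.te let fastbootd bind to any address (`node`) and to any port carrying the generic `port` type, then `listen` and `accept`, yet the only explanation is `# Needed for TCP protocol`. Nothing in the policy ties the listener to `fastbootd.protocol` being `tcp`, so as written every recovery build may expose the flashing service on the network; whether fastbootd checks the property before listening is outside this diff. I would expand the comment to record the intent and the exposure, e.g. `# fastboot over TCP: listener is expected only when fastbootd.protocol is "tcp" (written by recovery); anything that can reach the port can talk to fastbootd`, and consider a dedicated port type instead of generic `port` if the listening port is fixed. The identical hunk is mirrored in prebuilts/api/30.0/public/fastbootd.te, and the enclosing recovery_only block starts above the hunk.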
@@ -154,6 +154,15 @@ recovery_only(` # Allow mounting /metadata for writing update states allow recovery metadata_file:dir { getattr mounton }; + + # These are needed to allow recovery to manage network + allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read }; + allow recovery self:global_capability_class_set net_admin; + allow recovery self:tcp_socket { create ioctl }; + allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS }; + + # Set fastbootd protocol property + set_prop(recovery, fastbootd_protocol_prop) ') ###
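Review bot: `allow recovery self:global_capability_class_set net_admin;` in public/recovery.te grants far more than the two interface-flag ioctls that the `allowxperm` line whitelists, and the comment `# These are needed to allow recovery to manage network` does not say what is being managed. If the purpose is only to bring an interface up for fastbootd's TCP mode (my inference from the rest of the commit), the comment should say so, e.g. `# Bring the network interface up for fastbootd TCP mode; net_admin is what SIOCSIFFLAGS requires`. The rules sit directly under recovery_only with no userdebug_or_eng guard, so they apply to user builds too, as does `set_prop(recovery, fastbootd_protocol_prop)`; it is worth confirming that this is intended. The identical hunk is mirrored in prebuilts/api/30.0/public/recovery.te, and the enclosing recovery_only block starts above the hunk.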