Snap for 11456215 from fc2386b055193b2bc622d1df0521dc64383d87cd to 24Q2-release
Change-Id: I8b106a0766c3545aff4b868b4bacba4c024c17e8
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index f75312a..7c0c662 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -1215,6 +1215,12 @@
/metadata metadata_file
/metadata/test metadata_file
+/metadata/aconfig aconfig_storage_metadata_file
+/metadata/aconfig/test aconfig_storage_metadata_file
+/metadata/aconfig/flags aconfig_storage_flags_metadata_file
+/metadata/aconfig/flags/test aconfig_storage_flags_metadata_file
+/metadata/aconfig/boot aconfig_storage_metadata_file
+/metadata/aconfig/boot/test aconfig_storage_metadata_file
/metadata/apex apex_metadata_file
/metadata/apex/test apex_metadata_file
/metadata/vold vold_metadata_file
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5ea924a..ab8b8d5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,6 +258,9 @@
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
+# Only privileged apps may find stats service
+neverallow all_untrusted_apps stats_service:service_manager find;
+
# Do not allow untrusted app to read hidden system proprerties.
# We do not include in the exclusions other normally untrusted applications such as mediaprovider
# due to the specific logging use cases.
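Review bot: The comment added at line 26 says only privileged apps may find the stats service, but the rule under it constrains only `all_untrusted_apps`; together with the removal of the domain-wide neverallow in private/stats.te (hunk at lines 73–100), any domain outside that attribute can now be granted `stats_service:service_manager find` without a compile-time failure, where previously only an explicit allowlist of platform domains could. If narrowing the guarantee to untrusted apps is the intent, the comment should state what is actually enforced, e.g. `# Untrusted apps may not find the stats service`; if the platform-domain allowlist was meant to survive, its deletion should be reconsidered in the same change rather than left implicit. The neverallow list in app_neverallows.te continues past the end of this hunk.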
diff --git a/private/app_zygote.te b/private/app_zygote.te
index b51f633..e3869cd 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -93,10 +93,6 @@
# Allow app_zygote to access odsign verification status
get_prop(app_zygote, odsign_prop)
-# /data/resource-cache
-allow app_zygote resourcecache_data_file:file r_file_perms;
-allow app_zygote resourcecache_data_file:dir r_dir_perms;
-
#####
##### Neverallow
#####
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 1de001e..351d647 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -43,4 +43,6 @@
vendor_microdroid_file
threadnetwork_config_prop
profiling_service
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
))
diff --git a/private/file_contexts b/private/file_contexts
index cba5660..7d9660b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -855,6 +855,8 @@
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
+/metadata/aconfig(/.*)? u:object_r:aconfig_storage_metadata_file:s0
+/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
#############################
# asec containers
diff --git a/private/stats.te b/private/stats.te
index 5790faa..6261303 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -33,28 +33,3 @@
# Allow statsd to call back to stats with status updates.
binder_call(statsd, stats)
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -dumpstate
- -gmscore_app
- -gpuservice
- -incidentd
- -keystore
- -mediametrics
- -mediaserver
- -platform_app
- -priv_app
- -rkpdapp
- -shell
- -stats
- -statsd
- -surfaceflinger
- -system_app
- -system_server
- -traceur_app
- -traced_probes
-} stats_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index e5ade71..b58315d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1456,6 +1456,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
+allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
+
allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;
@@ -1512,6 +1515,11 @@
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+# Only system server should access /metadata/aconfig
+# TODO: add storage daemon to neverallow exception when it is introduced
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
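Review bot: The comment at line 116 says only system server should access /metadata/aconfig, but the two neverallows beneath it are on `aconfig_storage_flags_metadata_file`, i.e. only /metadata/aconfig/flags; the parent directory and its boot snapshots carry `aconfig_storage_metadata_file`, which public/domain.te in this same change makes readable by every domain. Suggest `# Only init and system_server may access /metadata/aconfig/flags (the persistent flag value copy)` so the comment matches the type the rule names. Separately, the grants added at lines 108–109 let system_server create files under /metadata/aconfig/flags, but reaching that directory needs `search` on /metadata/aconfig, whose type is `aconfig_storage_metadata_file`; this change grants no `:dir` permission on that type anywhere, and the `neverallow { domain -init } aconfig_storage_metadata_file:dir *;` added in public/domain.te would reject such a grant for system_server, so as written the flags directory appears unreachable for it.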
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 1e32c1f..0556950 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -93,10 +93,6 @@
# Allow webview_zygote to access odsign verification status
get_prop(zygote, odsign_prop)
-# /data/resource-cache
-allow webview_zygote resourcecache_data_file:file r_file_perms;
-allow webview_zygote resourcecache_data_file:dir r_dir_perms;
-
#####
##### Neverallow
#####
diff --git a/public/domain.te b/public/domain.te
index d630a24..e27da4f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -341,6 +341,12 @@
# configured using server-configurable flags
get_prop(domain, device_config_media_native_prop)
+# Allow everyone to read from flag value boot snapshot files and general pb files
+# The boot copy of the flag value files serves flag read traffic for all processes, thus
+# needs to be readable by everybody. Also, the metadata directory will contain pb file
+# that records where flag storage files are, so also needs to be readable by everbody.
+allow domain { aconfig_storage_metadata_file }:file r_file_perms;
+
###
### neverallow rules
###
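Review bot: The allow at line 149 grants `r_file_perms` on `aconfig_storage_metadata_file:file` only, with no `:dir` permission, yet /metadata/aconfig and /metadata/aconfig/boot are labeled with that same type by the private/file_contexts hunk (line 65), so no process can traverse the directory to open the boot snapshot files this rule is meant to expose unless a `search` grant exists outside this diff. The second hunk of this file (lines 157–160) then forbids exactly that: `neverallow { domain -init } aconfig_storage_metadata_file:dir *;` denies every directory permission, including `search` and `getattr`, to all non-init domains, which also cuts off system_server's path to /metadata/aconfig/flags despite the grants in private/system_server.te, and contradicts its own comment, which speaks only of write access. Suggested: add `allow domain aconfig_storage_metadata_file:dir search;` next to line 149 and change line 159 to `neverallow { domain -init } aconfig_storage_metadata_file:dir no_w_dir_perms;`, mirroring the `no_w_file_perms` used on the file class at line 160. Minor: the comment at line 148 has `everbody` for `everybody`.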
@@ -623,6 +629,11 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+# Do not allow write access to the general aconfig pb file and boot flag value files except init
+# TODO: need to add storage daemon into this exception list once it is created
+neverallow { domain -init } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;
+
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
diff --git a/public/file.te b/public/file.te
index 32c0cd8..b887406 100644
--- a/public/file.te
+++ b/public/file.te
@@ -295,6 +295,10 @@
type watchdog_metadata_file, file_type;
# Repair mode files within /metadata/repair-mode
type repair_mode_metadata_file, file_type;
+# Aconfig storage file
+type aconfig_storage_metadata_file, file_type;
+# Aconfig storage flag value persistent copy
+type aconfig_storage_flags_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
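Review bot: The two new type comments at lines 173 and 175 do not name the path the type labels, unlike the neighbouring entries (`# Repair mode files within /metadata/repair-mode`), and "Aconfig storage file" does not distinguish the general type from the flags type, which matters because this change gives them very different access rules. Suggest `# Aconfig storage metadata and boot flag value snapshots within /metadata/aconfig` for the first and `# Aconfig storage persistent flag value copy within /metadata/aconfig/flags` for the second, matching the labels introduced in private/file_contexts in this change.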
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a9d1b5d..7a74e7c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -62,6 +62,8 @@
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -83,6 +85,8 @@
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
@@ -101,6 +105,8 @@
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -119,6 +125,8 @@
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -136,6 +144,8 @@
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
+ -aconfig_storage_metadata_file
+ -aconfig_storage_flags_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;