Merge remote-tracking branch 'upstream/master' into arl-test-script-u…

…pdates
project-chip · Aug 29, 2024 · 1d7c2fe · 1d7c2fe
2 parents f297256 + 401a2a0
commit 1d7c2fe
Show file tree

Hide file tree

Showing 28 changed files with 116 additions and 82 deletions.
diff --git a/docs/ERROR_CODES.md b/docs/ERROR_CODES.md
@@ -118,6 +118,7 @@ This file was **AUTOMATICALLY** generated by
 | 165       | 0xA5  | `CHIP_ERROR_ACCESS_DENIED`                         |
 | 166       | 0xA6  | `CHIP_ERROR_UNKNOWN_RESOURCE_ID`                   |
 | 167       | 0xA7  | `CHIP_ERROR_VERSION_MISMATCH`                      |
+| 168       | 0xA8  | `CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL`              |
 | 171       | 0xAB  | `CHIP_ERROR_EVENT_ID_FOUND`                        |
 | 172       | 0xAC  | `CHIP_ERROR_INTERNAL`                              |
 | 173       | 0xAD  | `CHIP_ERROR_OPEN_FAILED`                           |
@@ -252,6 +253,7 @@ This file was **AUTOMATICALLY** generated by
 | 1426      | 0x592 | `DATA_VERSION_MISMATCH`    |
 | 1428      | 0x594 | `TIMEOUT`                  |
 | 1436      | 0x59C | `BUSY`                     |
+| 1437      | 0x59D | `ACCESS_RESTRICTED`        |
 | 1475      | 0x5C3 | `UNSUPPORTED_CLUSTER`      |
 | 1477      | 0x5C5 | `NO_UPSTREAM_SUBSCRIPTION` |
 | 1478      | 0x5C6 | `NEEDS_TIMED_INTERACTION`  |

diff --git a/examples/fabric-admin/device_manager/DeviceSynchronization.cpp b/examples/fabric-admin/device_manager/DeviceSynchronization.cpp
@@ -72,6 +72,13 @@ void DeviceSynchronizer::OnAttributeData(const ConcreteDataAttributePath & path,
     VerifyOrDie(path.mEndpointId == kRootEndpointId);
     VerifyOrDie(path.mClusterId == Clusters::BasicInformation::Id);
 
+    CHIP_ERROR error = status.ToChipError();
+    if (CHIP_NO_ERROR != error)
+    {
+        ChipLogError(NotSpecified, "Response Failure: %" CHIP_ERROR_FORMAT, error.Format());
+        return;
+    }
+
     switch (path.mAttributeId)
     {
     case Clusters::BasicInformation::Attributes::UniqueID::Id:

diff --git a/integrations/docker/images/base/chip-build/Dockerfile b/integrations/docker/images/base/chip-build/Dockerfile
@@ -123,6 +123,14 @@ RUN set -x \
     ruff \
     && : # last line
 
+#TODO Issue #35280: this is only added as a workaround to bloaty build failures, remove it once bloaty fixes issue
+# Clone and install abseil-cpp
+RUN git clone https://github.com/abseil/abseil-cpp.git /tmp/abseil-cpp \
+    && cd /tmp/abseil-cpp \
+    && cmake -B build -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local \
+    && cmake --build build --target install \
+    && rm -rf /tmp/abseil-cpp
+
 # Install bloat comparison tools
 RUN set -x \
     && git clone https://github.com/google/bloaty.git \

diff --git a/integrations/docker/images/chip-cert-bins/Dockerfile b/integrations/docker/images/chip-cert-bins/Dockerfile
@@ -193,6 +193,9 @@ RUN case ${TARGETPLATFORM} in \
     --target linux-x64-energy-management-ipv6only \
     --target linux-x64-microwave-oven-ipv6only \
     --target linux-x64-rvc-ipv6only \
+    --target linux-x64-fabric-bridge-rpc-ipv6only \
+    --target linux-x64-fabric-admin-rpc-ipv6only \
+    --target linux-x64-network-manager-ipv6only \
     build \
     && mv out/linux-x64-chip-tool-ipv6only-platform-mdns/chip-tool out/chip-tool \
     && mv out/linux-x64-shell-ipv6only-platform-mdns/chip-shell out/chip-shell \
@@ -213,6 +216,9 @@ RUN case ${TARGETPLATFORM} in \
     && mv out/linux-x64-energy-management-ipv6only/chip-energy-management-app out/chip-energy-management-app \
     && mv out/linux-x64-microwave-oven-ipv6only/chip-microwave-oven-app out/chip-microwave-oven-app \
     && mv out/linux-x64-rvc-ipv6only/chip-rvc-app out/chip-rvc-app \
+    && mv out/linux-x64-fabric-bridge-rpc-ipv6only/fabric-bridge-app out/fabric-bridge-app \
+    && mv out/linux-x64-fabric-admin-rpc-ipv6only/fabric-admin out/fabric-admin \
+    && mv out/linux-x64-network-manager-ipv6only/matter-network-manager-app out/matter-network-manager-app \
     ;; \
     "linux/arm64")\
     set -x \
@@ -237,6 +243,9 @@ RUN case ${TARGETPLATFORM} in \
     --target linux-arm64-energy-management-ipv6only \
     --target linux-arm64-microwave-oven-ipv6only \
     --target linux-arm64-rvc-ipv6only \
+    --target linux-arm64-fabric-bridge-rpc-ipv6only \
+    --target linux-arm64-fabric-admin-rpc-ipv6only \
+    --target linux-arm64-network-manager-ipv6only \
     build \
     && mv out/linux-arm64-chip-tool-ipv6only-platform-mdns/chip-tool out/chip-tool \
     && mv out/linux-arm64-shell-ipv6only-platform-mdns/chip-shell out/chip-shell \
@@ -257,6 +266,9 @@ RUN case ${TARGETPLATFORM} in \
     && mv out/linux-arm64-energy-management-ipv6only/chip-energy-management-app out/chip-energy-management-app \
     && mv out/linux-arm64-microwave-oven-ipv6only/chip-microwave-oven-app out/chip-microwave-oven-app \
     && mv out/linux-arm64-rvc-ipv6only/chip-rvc-app out/chip-rvc-app \
+    && mv out/linux-arm64-fabric-bridge-rpc-ipv6only/fabric-bridge-app out/fabric-bridge-app \
+    && mv out/linux-arm64-fabric-admin-rpc-ipv6only/fabric-admin out/fabric-admin \
+    && mv out/linux-arm64-network-manager-ipv6only/matter-network-manager-app out/matter-network-manager-app \
     ;; \
     *) ;; \
     esac
@@ -290,6 +302,9 @@ COPY --from=chip-build-cert-bins /root/connectedhomeip/out/lit-icd-app lit-icd-a
 COPY --from=chip-build-cert-bins /root/connectedhomeip/out/chip-energy-management-app chip-energy-management-app
 COPY --from=chip-build-cert-bins /root/connectedhomeip/out/chip-microwave-oven-app chip-microwave-oven-app
 COPY --from=chip-build-cert-bins /root/connectedhomeip/out/chip-rvc-app chip-rvc-app
+COPY --from=chip-build-cert-bins /root/connectedhomeip/out/fabric-bridge-app fabric-bridge-app
+COPY --from=chip-build-cert-bins /root/connectedhomeip/out/fabric-admin fabric-admin
+COPY --from=chip-build-cert-bins /root/connectedhomeip/out/matter-network-manager-app matter-network-manager-app
 
 # Stage 3.1: Setup the Matter Python environment
 COPY --from=chip-build-cert-bins /root/connectedhomeip/out/python_lib python_lib
@@ -304,6 +319,6 @@ COPY --from=chip-build-cert-bins /root/connectedhomeip/src/python_testing/requir
 RUN pip install --break-system-packages -r /tmp/requirements.txt && rm /tmp/requirements.txt
 
 # PIP requires MASON package compilation, which seems to require a JDK
-RUN set -x && DEBIAN_FRONTEND=noninteractive apt-get install -fy openjdk-8-jdk
+RUN set -x && DEBIAN_FRONTEND=noninteractive apt-get update; apt-get install -fy openjdk-8-jdk
 
 RUN pip install --break-system-packages --no-cache-dir python_lib/controller/python/chip*.whl
diff --git a/src/access/AccessControl.cpp b/src/access/AccessControl.cpp
@@ -538,12 +538,7 @@ CHIP_ERROR AccessControl::CheckARL(const SubjectDescriptor & subjectDescriptor,
     if (result != CHIP_NO_ERROR)
     {
         ChipLogProgress(DataManagement, "AccessControl: %s",
-#if 0
-                        // TODO(#35177): new error code coming when access check plumbing are fixed in callers
                         (result == CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL) ? "denied (restricted)" : "denied (restriction error)");
-#else
-                        (result == CHIP_ERROR_ACCESS_DENIED) ? "denied (restricted)" : "denied (restriction error)");
-#endif
         return result;
     }
 

diff --git a/src/access/AccessRestrictionProvider.cpp b/src/access/AccessRestrictionProvider.cpp
@@ -197,45 +197,25 @@ CHIP_ERROR AccessRestrictionProvider::DoCheck(const std::vector<Entry> & entries
                 if (requestPath.requestType == RequestType::kAttributeReadRequest ||
                     requestPath.requestType == RequestType::kAttributeWriteRequest)
                 {
-#if 0
-                    // TODO(#35177): use new ARL error code when access checks are fixed
                     return CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL;
-#else
-                    return CHIP_ERROR_ACCESS_DENIED;
-#endif
                 }
                 break;
             case Type::kAttributeWriteForbidden:
                 if (requestPath.requestType == RequestType::kAttributeWriteRequest)
                 {
-#if 0
-                    // TODO(#35177): use new ARL error code when access checks are fixed
                     return CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL;
-#else
-                    return CHIP_ERROR_ACCESS_DENIED;
-#endif
                 }
                 break;
             case Type::kCommandForbidden:
                 if (requestPath.requestType == RequestType::kCommandInvokeRequest)
                 {
-#if 0
-                    // TODO(#35177): use new ARL error code when access checks are fixed
                     return CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL;
-#else
-                    return CHIP_ERROR_ACCESS_DENIED;
-#endif
                 }
                 break;
             case Type::kEventForbidden:
                 if (requestPath.requestType == RequestType::kEventReadRequest)
                 {
-#if 0
-                    // TODO(#35177): use new ARL error code when access checks are fixed
                     return CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL;
-#else
-                    return CHIP_ERROR_ACCESS_DENIED;
-#endif
                 }
                 break;
             }

diff --git a/src/access/tests/TestAccessRestrictionProvider.cpp b/src/access/tests/TestAccessRestrictionProvider.cpp
@@ -174,7 +174,7 @@ void RunChecks(const CheckData * checkData, size_t count)
 {
     for (size_t i = 0; i < count; i++)
     {
-        CHIP_ERROR expectedResult = checkData[i].allow ? CHIP_NO_ERROR : CHIP_ERROR_ACCESS_DENIED;
+        CHIP_ERROR expectedResult = checkData[i].allow ? CHIP_NO_ERROR : CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL;
         EXPECT_EQ(accessControl.Check(checkData[i].subjectDescriptor, checkData[i].requestPath, checkData[i].privilege),
                   expectedResult);
     }

diff --git a/src/app/CommandHandlerImpl.cpp b/src/app/CommandHandlerImpl.cpp
@@ -410,12 +410,13 @@ Status CommandHandlerImpl::ProcessCommandDataIB(CommandDataIB::Parser & aCommand
         err                                = Access::GetAccessControl().Check(subjectDescriptor, requestPath, requestPrivilege);
         if (err != CHIP_NO_ERROR)
         {
-            if (err != CHIP_ERROR_ACCESS_DENIED)
+            if ((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL))
             {
                 return FallibleAddStatus(concretePath, Status::Failure) != CHIP_NO_ERROR ? Status::Failure : Status::Success;
             }
             // TODO: when wildcard invokes are supported, handle them to discard rather than fail with status
-            return FallibleAddStatus(concretePath, Status::UnsupportedAccess) != CHIP_NO_ERROR ? Status::Failure : Status::Success;
+            Status status = err == CHIP_ERROR_ACCESS_DENIED ? Status::UnsupportedAccess : Status::AccessRestricted;
+            return FallibleAddStatus(concretePath, status) != CHIP_NO_ERROR ? Status::Failure : Status::Success;
         }
     }
 

diff --git a/src/app/CommandHandlerImpl.h b/src/app/CommandHandlerImpl.h
@@ -294,7 +294,12 @@ class CommandHandlerImpl : public CommandHandler
         {
             return CHIP_NO_ERROR;
         }
-        ReturnErrorOnFailure(RollbackResponse());
+        // The error value of RollbackResponse is not important if it fails, we prioritize
+        // conveying the error generated by addResponseFunction to the caller.
+        if (RollbackResponse() != CHIP_NO_ERROR)
+        {
+            return err;
+        }
         // If we failed to add a command due to lack of space in the
         // packet, we will make another attempt to add the response using
         // an additional InvokeResponseMessage.

diff --git a/src/app/EventManagement.cpp b/src/app/EventManagement.cpp
@@ -563,7 +563,9 @@ CHIP_ERROR EventManagement::CheckEventContext(EventLoadOutContext * eventLoadOut
         Access::GetAccessControl().Check(eventLoadOutContext->mSubjectDescriptor, requestPath, requestPrivilege);
     if (accessControlError != CHIP_NO_ERROR)
     {
-        ReturnErrorCodeIf(accessControlError != CHIP_ERROR_ACCESS_DENIED, accessControlError);
+        ReturnErrorCodeIf((accessControlError != CHIP_ERROR_ACCESS_DENIED) &&
+                              (accessControlError != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL),
+                          accessControlError);
         ret = CHIP_ERROR_UNEXPECTED_EVENT;
     }
 

diff --git a/src/app/codegen-data-model-provider/CodegenDataModelProvider_Read.cpp b/src/app/codegen-data-model-provider/CodegenDataModelProvider_Read.cpp
@@ -281,15 +281,17 @@ DataModel::ActionReturnStatus CodegenDataModelProvider::ReadAttribute(const Data
                                                           RequiredPrivilege::ForReadAttribute(request.path));
         if (err != CHIP_NO_ERROR)
         {
-            ReturnErrorCodeIf(err != CHIP_ERROR_ACCESS_DENIED, err);
+            ReturnErrorCodeIf((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), err);
 
             // Implementation of 8.4.3.2 of the spec for path expansion
             if (request.path.mExpanded)
             {
                 return CHIP_NO_ERROR;
             }
-            // access denied has a specific code for IM
-            return CHIP_IM_GLOBAL_STATUS(UnsupportedAccess);
+
+            // access denied and access restricted have specific codes for IM
+            return err == CHIP_ERROR_ACCESS_DENIED ? CHIP_IM_GLOBAL_STATUS(UnsupportedAccess)
+                                                   : CHIP_IM_GLOBAL_STATUS(AccessRestricted);
         }
     }
 

diff --git a/src/app/codegen-data-model-provider/CodegenDataModelProvider_Write.cpp b/src/app/codegen-data-model-provider/CodegenDataModelProvider_Write.cpp
@@ -287,10 +287,10 @@ DataModel::ActionReturnStatus CodegenDataModelProvider::WriteAttribute(const Dat
 
         if (err != CHIP_NO_ERROR)
         {
-            ReturnErrorCodeIf(err != CHIP_ERROR_ACCESS_DENIED, err);
+            ReturnErrorCodeIf((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), err);
 
             // TODO: when wildcard/group writes are supported, handle them to discard rather than fail with status
-            return Status::UnsupportedAccess;
+            return err == CHIP_ERROR_ACCESS_DENIED ? Status::UnsupportedAccess : Status::AccessRestricted;
         }
     }
 

diff --git a/src/app/reporting/Engine.cpp b/src/app/reporting/Engine.cpp
@@ -346,23 +346,26 @@ CHIP_ERROR Engine::CheckAccessDeniedEventPaths(TLV::TLVWriter & aWriter, bool &
         Access::Privilege requestPrivilege = RequiredPrivilege::ForReadEvent(path);
 
         err = Access::GetAccessControl().Check(apReadHandler->GetSubjectDescriptor(), requestPath, requestPrivilege);
-        if (err != CHIP_ERROR_ACCESS_DENIED)
+        if ((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL))
         {
             ReturnErrorOnFailure(err);
         }
         else
         {
             TLV::TLVWriter checkpoint = aWriter;
-            err                       = EventReportIB::ConstructEventStatusIB(aWriter, path, StatusIB(Status::UnsupportedAccess));
+            err                       = EventReportIB::ConstructEventStatusIB(aWriter, path,
+                                                        err == CHIP_ERROR_ACCESS_DENIED ? StatusIB(Status::UnsupportedAccess)
+                                                                                                              : StatusIB(Status::AccessRestricted));
+
             if (err != CHIP_NO_ERROR)
             {
                 aWriter = checkpoint;
                 break;
             }
             aHasEncodedData = true;
-            ChipLogDetail(InteractionModel, "Access to event (%u, " ChipLogFormatMEI ", " ChipLogFormatMEI ") denied by ACL",
+            ChipLogDetail(InteractionModel, "Access to event (%u, " ChipLogFormatMEI ", " ChipLogFormatMEI ") denied by %s",
                           current->mValue.mEndpointId, ChipLogValueMEI(current->mValue.mClusterId),
-                          ChipLogValueMEI(current->mValue.mEventId));
+                          ChipLogValueMEI(current->mValue.mEventId), err == CHIP_ERROR_ACCESS_DENIED ? "ACL" : "ARL");
         }
         current = current->mpNext;
     }

diff --git a/src/app/tests/suites/certification/PICS.yaml b/src/app/tests/suites/certification/PICS.yaml
@@ -6494,6 +6494,13 @@ PICS:
     - label: "Does the device implement the Schedules attribute?"
       id: TSTAT.S.A0051
 
+    - label: "Does the device implement the Schedules attribute?"
+      id: TSTAT.S.A0051
+
+    - label:
+          "Does the device implement the SetpointHoldExpiryTimestamp attribute?"
+      id: TSTAT.S.A0052
+
     #
     # server / commandsReceived
     #

diff --git a/src/app/tests/suites/certification/Test_TC_DEMM_1_2.yaml b/src/app/tests/suites/certification/Test_TC_DEMM_1_2.yaml
@@ -37,7 +37,6 @@ tests:
           at least one entry the values of the Value fields that are not larger than 16 bits
           - for each Value field: Is the mode tag value a defined common tag value (Auto(0x0000), Quick(0x0001), Quiet(0x0002), LowNoise(0x0003), LowEnergy(0x0004), Vacation(0x0005), Min(0x0006), Max(0x0007), Night(0x0008), Day(0x0009)) or a defined cluster-derived tag value (No Optimization, Device Optimization, Local Optimization, Grid Optimization) or in the MfgTags (0x8000 to 0xBFFF) range
           - for at least one Value field: Is the mode tag value a defined common tag value (Auto(0x0000), Quick(0x0001), Quiet(0x0002), LowNoise(0x0003), LowEnergy(0x0004), Vacation(0x0005), Min(0x0006), Max(0x0007), Night(0x0008), Day(0x0009)) or a derived cluster value (RapidCool, RapidFreeze)
-          - if the Value field is in the MfgTags (0x8000 to 0xBFFF) range, the TagName field is a string with a length between 1 and 64
           - Verify that at least one ModeOptionsStruct entry includes either the RapidCool semantic tag or the RapidFreeze semantic tag in the SemanticTags field
           - Save the Mode field values as supported_modes_dut on the TH (Chip-tool) and below is the sample log provided for the raspi platform:
 

diff --git a/src/app/tests/suites/certification/Test_TC_TSTAT_1_1.yaml b/src/app/tests/suites/certification/Test_TC_TSTAT_1_1.yaml
@@ -606,17 +606,7 @@ tests:
               contains: [1, 2, 3]
 
     - label:
-          "Step 6c: TH reads the optional (GetRelayStatusLog) command in
-          AcceptedCommandList"
-      PICS: TSTAT.S.C04.Rsp
-      command: "readAttribute"
-      attribute: "AcceptedCommandList"
-      response:
-          constraints:
-              type: list
-              contains: [4]
-    - label:
-          "Step 6d: TH reads Feature dependent(TSTAT.S.F08(PRES)) commands in
+          "Step 6c: TH reads Feature dependent(TSTAT.S.F08(PRES)) commands in
           AcceptedCommandList"
       PICS: TSTAT.S.F08
       command: "readAttribute"
@@ -627,18 +617,7 @@ tests:
               contains: [6, 254]
 
     - label:
-          "Step 7a: TH reads Feature dependent(TSTAT.S.F08(PRES)) commands in
-          the GeneratedCommandList attribute."
-      PICS: TSTAT.S.Cfe.Rsp
-      command: "readAttribute"
-      attribute: "GeneratedCommandList"
-      response:
-          value: [0xFD] # AtomicResponse
-          constraints:
-              type: list
-
-    - label:
-          "Step 7b: TH reads Feature dependent(TSTAT.S.F03(SCH)) commands in
+          "Step 7a: TH reads Feature dependent(TSTAT.S.F03(SCH)) commands in
           GeneratedCommandList"
       PICS: TSTAT.S.F03
       command: "readAttribute"
@@ -649,12 +628,12 @@ tests:
               contains: [0]
 
     - label:
-          "Step 7c: TH reads optional command (GetRelayStatusLogResponse) in
-          GeneratedCommandList"
-      PICS: TSTAT.S.C04.Rsp
+          "Step 7b: TH reads Feature dependent(TSTAT.S.F08(PRES)) commands in
+          the GeneratedCommandList attribute."
+      PICS: TSTAT.S.F08 & TSTAT.S.Cfe.Rsp
       command: "readAttribute"
       attribute: "GeneratedCommandList"
       response:
+          value: [0xFD] # AtomicResponse
           constraints:
               type: list
-              contains: [1]
diff --git a/src/app/tests/suites/certification/ci-pics-values b/src/app/tests/suites/certification/ci-pics-values
@@ -1989,6 +1989,7 @@ TSTAT.S.A004a=1
 TSTAT.S.A004e=1
 TSTAT.S.A0050=1
 TSTAT.S.A0051=0
+TSTAT.S.A0052=0
 
 TSTAT.S.M.MinSetpointDeadBandWritable=1
 TSTAT.S.M.HVACSystemTypeConfigurationWritable=0

diff --git a/src/app/util/ember-compatibility-functions.cpp b/src/app/util/ember-compatibility-functions.cpp
@@ -302,12 +302,13 @@ CHIP_ERROR ReadSingleClusterData(const SubjectDescriptor & aSubjectDescriptor, b
         CHIP_ERROR err                     = Access::GetAccessControl().Check(aSubjectDescriptor, requestPath, requestPrivilege);
         if (err != CHIP_NO_ERROR)
         {
-            ReturnErrorCodeIf(err != CHIP_ERROR_ACCESS_DENIED, err);
+            ReturnErrorCodeIf((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), err);
             if (aPath.mExpanded)
             {
                 return CHIP_NO_ERROR;
             }
-            return CHIP_IM_GLOBAL_STATUS(UnsupportedAccess);
+            return err == CHIP_ERROR_ACCESS_DENIED ? CHIP_IM_GLOBAL_STATUS(UnsupportedAccess)
+                                                   : CHIP_IM_GLOBAL_STATUS(AccessRestricted);
         }
     }
 
@@ -701,9 +702,12 @@ CHIP_ERROR WriteSingleClusterData(const SubjectDescriptor & aSubjectDescriptor,
         }
         if (err != CHIP_NO_ERROR)
         {
-            ReturnErrorCodeIf(err != CHIP_ERROR_ACCESS_DENIED, err);
+            ReturnErrorCodeIf((err != CHIP_ERROR_ACCESS_DENIED) && (err != CHIP_ERROR_ACCESS_RESTRICTED_BY_ARL), err);
             // TODO: when wildcard/group writes are supported, handle them to discard rather than fail with status
-            return apWriteHandler->AddStatus(aPath, Protocols::InteractionModel::Status::UnsupportedAccess);
+            return apWriteHandler->AddStatus(aPath,
+                                             err == CHIP_ERROR_ACCESS_DENIED
+                                                 ? Protocols::InteractionModel::Status::UnsupportedAccess
+                                                 : Protocols::InteractionModel::Status::AccessRestricted);
         }
         apWriteHandler->CacheACLCheckResult({ aPath, requestPrivilege });
     }