Merge "Sepolicy: ART APEX boot integrity"
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
index 314fb7c..40b09d2 100644
--- a/private/art_apex_postinstall.te
+++ b/private/art_apex_postinstall.te
@@ -17,6 +17,7 @@
# Required for relabel.
allow art_apex_postinstall file_contexts_file:file r_file_perms;
+allow art_apex_postinstall self:global_capability_class_set sys_admin;
# Script helpers.
allow art_apex_postinstall shell_exec:file rx_file_perms;
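Review bot: The new `allow art_apex_postinstall self:global_capability_class_set sys_admin;` rule has no rationale of its own and sits under the existing `# Required for relabel.` comment, so a reader will assume relabeling is the reason for it. CAP_SYS_ADMIN is one of the broadest capabilities, so anyone auditing this domain needs to know which operation requires it. If it is for the boot-integrity work named in the merge title rather than for relabeling, give it its own comment, e.g. `# sys_admin: required for <operation that needs it>.`. The rest of the domain's rules are outside the hunk, so it cannot be checked from here whether anything else limits what the script can do with the capability.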
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
index c81a17c..53dbfce 100644
--- a/private/mini_keyctl.te
+++ b/private/mini_keyctl.te
@@ -8,7 +8,7 @@
# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
dontaudit mini-keyctl init:key view;
dontaudit mini-keyctl vold:key view;
-allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl kernel:key { view search write setattr };
allow mini-keyctl mini-keyctl:key { view search write };
# When kernel requests an algorithm, the crypto API first looks for an
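Review bot: Adding `setattr` in `allow mini-keyctl kernel:key { view search write setattr };` widens what mini-keyctl may do to kernel-owned keys, and nothing in the hunk says why. The comment above the rule only explains the `dontaudit ... view` lines. On the key class, `setattr` covers changing a key's attributes (ownership, permissions, timeout, keyring restriction), so a one-line comment naming the intended use would help later audits, e.g. `# setattr: required to <operation> on the kernel keyring.`. The `mini-keyctl:key` rule on the following line stays at `{ view search write }`, which looks deliberate but is worth confirming.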