Merge "Allow MediaProvider to binder call into statsd"
diff --git a/Android.mk b/Android.mk
index 37dee73..b667fd2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -346,6 +346,7 @@
     vendor_property_contexts \
     vendor_property_contexts_test \
     vendor_seapp_contexts \
+    vendor_service_contexts \
     vendor_hwservice_contexts \
     vendor_hwservice_contexts_test \
     vndservice_contexts \
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index f69037c..8dc585a 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -121,6 +121,7 @@
     vendor_boringssl_self_test
     vendor_install_recovery
     vendor_install_recovery_exec
+    vendor_service_contexts_file
     vendor_socket_hook_prop
     vendor_socket_hook_prop
     virtual_ab_prop))
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index b86d9a2..4b0cab7 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -378,7 +378,9 @@
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
-/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
 
 /(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
 
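Review bot: Splitting the pattern moves `vendor_service_contexts` from the `nonplat_service_contexts_file` label to the new `vendor_service_contexts_file` label, so any domain whose read access came through the old type loses it unless it is granted the new one. In the visible diff only servicemanager receives that grant, so it is worth confirming that no other reader of this file relied on the old label. The two entries also carry no comment; a line such as `# vendor_service_contexts: all devices; nonplat_service_contexts: legacy name, non full-treble only` above them would record why they are labeled differently. The same change appears in the private/file_contexts hunk.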
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index ed4aded..8cb4950 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -1005,6 +1005,7 @@
     -vendor_app_file
     -vendor_apex_file
     -vendor_configs_file
+    -vendor_service_contexts_file
     -vendor_framework_file
     -vendor_idc_file
     -vendor_keychars_file
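Review bot: `-vendor_service_contexts_file` is subtracted from a type set whose rule starts and ends outside this hunk, so the scope of the exemption cannot be read from here. If, as the neighbouring `-vendor_*_file` entries suggest, the rule is a neverallow limiting access to vendor files, the exemption applies to every source domain that rule covers, not only servicemanager. The visible policy only grants servicemanager read access, so a trailing comment such as `-vendor_service_contexts_file # read by servicemanager` would keep the intended scope reviewable. The same line is added in public/domain.te.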
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index dffa5a3..e7b3050 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -507,6 +507,9 @@
 # service_contexts file
 type service_contexts_file, system_file_type, file_type;
 
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
 # nonplat service_contexts file (only accessible on non full-treble devices)
 type nonplat_service_contexts_file, vendor_file_type, file_type;
 
diff --git a/prebuilts/api/30.0/public/servicemanager.te b/prebuilts/api/30.0/public/servicemanager.te
index 85777f5..63fc227 100644
--- a/prebuilts/api/30.0/public/servicemanager.te
+++ b/prebuilts/api/30.0/public/servicemanager.te
@@ -18,6 +18,9 @@
 }:binder transfer;
 
 allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
 # nonplat_service_contexts only accessible on non full-treble devices
 not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
 
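Review bot: The new `allow servicemanager vendor_service_contexts_file:file r_file_perms;` is unconditional, whereas the `nonplat_service_contexts_file` rule directly below it is wrapped in `not_full_treble(...)` and explained by a comment. Because this lets the framework servicemanager read a vendor-partition file on full-treble devices as well, the rule should state that this is intended, for example `# vendor_service_contexts is read on all devices, including full-treble` above it. The hunk in public/servicemanager.te is identical.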
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index a3b05ad..7d5a04f 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -122,6 +122,7 @@
     vendor_boringssl_self_test
     vendor_install_recovery
     vendor_install_recovery_exec
+    vendor_service_contexts_file
     vendor_socket_hook_prop
     vendor_socket_hook_prop
     virtual_ab_prop))
diff --git a/private/file_contexts b/private/file_contexts
index ca3220c..75bca42 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -380,7 +380,9 @@
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
-/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
 
 /(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
 
diff --git a/private/seapp_contexts b/private/seapp_contexts
index e944063..ebbbf08 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -161,7 +161,7 @@
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
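Review bot: Only the `com.android.permissioncontroller` entry gains a signer constraint (`seinfo=platform`); the neighbouring `com.google.android.permissioncontroller` and `com.google.android.providers.media.module` entries still select their domains on package name and `isPrivApp=true` alone. If those packages are deliberately signed with a non-platform key, a comment saying so (e.g. `# signed with a non-platform key, so no seinfo= match is possible here`) would show the gap is intentional. Otherwise they should receive the matching `seinfo=` selector so all entries for these two domains are pinned the same way.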
diff --git a/public/domain.te b/public/domain.te
index 3baf482..4d5a394 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1026,6 +1026,7 @@
     -vendor_app_file
     -vendor_apex_file
     -vendor_configs_file
+    -vendor_service_contexts_file
     -vendor_framework_file
     -vendor_idc_file
     -vendor_keychars_file
diff --git a/public/file.te b/public/file.te
index 523390c..4c5b541 100644
--- a/public/file.te
+++ b/public/file.te
@@ -511,6 +511,9 @@
 # service_contexts file
 type service_contexts_file, system_file_type, file_type;
 
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
 # nonplat service_contexts file (only accessible on non full-treble devices)
 type nonplat_service_contexts_file, vendor_file_type, file_type;
 
diff --git a/public/init.te b/public/init.te
index 1390e9e..7dc522a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -376,6 +376,7 @@
   proc_cmdline
   proc_kmsg
   proc_net
+  proc_pagetypeinfo
   proc_qtaguid_stat
   proc_slabinfo
   proc_sysrq
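Review bot: `proc_pagetypeinfo` is added to an init rule whose opening `allow` and permission set are outside this hunk, so what access init gains to that proc file cannot be judged from these lines. Unlike the other public/ changes in this diff, no matching edit to prebuilts/api/30.0/public/init.te is visible; if the prebuilt copy is meant to track the current policy, it needs the same line. A trailing comment in the style `proc_pagetypeinfo # <reason init needs this>` would document the grant.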
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 85777f5..63fc227 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -18,6 +18,9 @@
 }:binder transfer;
 
 allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
 # nonplat_service_contexts only accessible on non full-treble devices
 not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')