Merge "microdroid: Add support for extra apk files"
diff --git a/build/Android.bp b/build/Android.bp
index 5298f71..a7d56f8 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -31,12 +31,4 @@
"secilc",
"version_policy",
],
- version: {
- py2: {
- enabled: true,
- },
- py3: {
- enabled: false,
- },
- },
}
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
old mode 100644
new mode 100755
index 285bfea..ce0548a
--- a/build/build_sepolicy.py
+++ b/build/build_sepolicy.py
@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+#
# Copyright 2018 - The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
diff --git a/build/file_utils.py b/build/file_utils.py
index 9f95f52..e3210ed 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -39,7 +39,7 @@
patterns.extend(open(f).readlines())
# Copy lines that are not in the pattern.
- tmp_output = tempfile.NamedTemporaryFile()
+ tmp_output = tempfile.NamedTemporaryFile(mode='w+')
with open(input_file, 'r') as in_file:
tmp_output.writelines(line for line in in_file.readlines()
if line not in patterns)
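Review bot: The temporary file on the changed line is now opened in text mode without an explicit encoding, and so is `input_file` on the next line. Under Python 3 both therefore depend on the build host's locale, so a non-ASCII byte in a policy file could raise a decode error or be handled differently between hosts. Pinning the encoding makes the filter deterministic: `tempfile.NamedTemporaryFile(mode='w+', encoding='utf-8')` and `open(input_file, 'r', encoding='utf-8')`. The pattern files read with `open(f).readlines()` just above would need the same encoding, and that handle is never closed explicitly. The enclosing function starts and ends outside the hunk.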
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 0e1b1a0..82dcdb2 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -62,6 +62,7 @@
allow mediaprovider_app gpu_device:dir search;
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
+dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
# bpfprog access for FUSE BPF
allow mediaprovider_app fs_bpf:dir search;
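Review bot: The added `dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;` has no comment saying why these write attempts are expected. A dontaudit rule removes the denials from the audit log, so an unexpected write from this domain to the vendor scheduler nodes would no longer be visible to anyone reading avc logs. I would put one line above the two dontaudit rules stating that access is intentionally denied and only the logging is silenced, for example `# Writes to vendor sched nodes are denied on purpose; silence the resulting avc noise (b/<bug-id>).`, with the real tracking bug in place of the placeholder. The reason for the writes is not visible in this hunk, so the wording should come from whoever observed the denials.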
diff --git a/public/fastbootd.te b/public/fastbootd.te
index e167a5e..0c43a89 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -10,6 +10,10 @@
# fastbootd can only use HALs in passthrough mode
passthrough_hal_client_domain(fastbootd, hal_bootctl)
+ # fastbootd can use AIDL HALs in binder mode
+ binder_use(fastbootd)
+ hal_client_domain(fastbootd, hal_health)
+
# Access /dev/usb-ffs/fastbootd/ep0
allow fastbootd functionfs:dir search;
allow fastbootd functionfs:file rw_file_perms;
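Review bot: The context comment `# fastbootd can only use HALs in passthrough mode` now contradicts the lines added right below it, which give fastbootd `binder_use` and make it a client of `hal_health` over binder. Since `binder_use` opens the binder device and servicemanager to this domain, the comments should state exactly which HALs use which transport, so a later reader does not assume binder is still off limits here. I would reword the first comment to `# fastbootd uses hal_bootctl in passthrough mode` and the new one to `# fastbootd uses the AIDL health HAL over binder`. The indentation suggests these rules sit inside a block that opens above the hunk.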
diff --git a/public/recovery.te b/public/recovery.te
index b4b4109..324320b 100755
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -13,6 +13,7 @@
passthrough_hal_client_domain(recovery, hal_bootctl)
# Recovery can use AIDL HALs in binder mode
+ binder_use(recovery)
hal_client_domain(recovery, hal_health)
allow recovery self:global_capability_class_set {
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 12004da..a812338 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -31,7 +31,10 @@
# Check SELinux permissions.
selinux_check_access(servicemanager)
-# In recovery, log to kmsg.
recovery_only(`
+ # In recovery, log to kmsg.
allow servicemanager kmsg_device:chr_file rw_file_perms;
+
+ # Read VINTF files.
+ r_dir_file(servicemanager, rootfs)
')
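Review bot: `r_dir_file(servicemanager, rootfs)` grants servicemanager read access to every directory and file labelled `rootfs`, which is wider than the `# Read VINTF files.` comment suggests. Presumably the VINTF manifests in the recovery ramdisk carry only the generic `rootfs` label, so no narrower type is available; if that is the reason, the comment should say so. I would write `# Read VINTF files, which are labelled rootfs in the recovery ramdisk.`, or scope the rule to a dedicated type if one exists for those manifests. The rule is confined to `recovery_only`, which limits the exposure to recovery builds.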