Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 06a5f9ad215e40d5152d4f28676f779c196b2b85^2..06a5f9ad215e40d5152d4f28676f779c196b2b85 / .
commit06a5f9ad215e40d5152d4f28676f779c196b2b85[log] [tgz]
authorThiƩbaud Weksteen <tweek@google.com>Tue Oct 17 08:25:45 2023 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Tue Oct 17 08:25:45 2023 +0000
treed692e53e0226b02bdf229a69a1c6e7cc317721e4
parentd05c1e4943abb1a23e3d71e9bfd32ba84e03d8b2 [diff]
parent9a924ba87554af1e541896e571b13cde259e6fd6 [diff]
Merge "Add checkfc mode to validate file_contexts against test data" into main
diff --git a/apex/com.android.nfc-file_contexts b/apex/com.android.nfcservices-file_contexts
similarity index 100%
rename from apex/com.android.nfc-file_contexts
rename to apex/com.android.nfcservices-file_contexts

diff --git a/private/artd.te b/private/artd.te
index 3b234bf..acab397 100644
--- a/private/artd.te
+++ b/private/artd.te

@@ -137,3 +137,8 @@
 # This is needed for getting CPU time and wall time spent on subprocesses.
 r_dir_file(artd, profman);
 r_dir_file(artd, dex2oat);
+
+# Allow artd to reopen its own memfd.
+# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
+# that don't have write permissions on memfds.
+allow artd artd_tmpfs:file open;

diff --git a/private/priv_app.te b/private/priv_app.te
index b911bc0..cadefe1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -150,7 +150,7 @@
 dontaudit priv_app sysfs:file read;
 dontaudit priv_app sysfs_android_usb:file read;
 dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect

diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 0bdb7fd..9ed7a8a 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te

@@ -32,3 +32,7 @@
 
 # allow to access graphics related properties
 get_prop(hal_evs_default, graphics_config_prop);
+get_prop(hal_evs_default, graphics_config_writable_prop)
+
+# allow to use binder IPC.
+binder_use(hal_evs_default)