Merge "Add MediaProjectionManagerService to service list DO NOT MERGE" into lmp-dev
diff --git a/dex2oat.te b/dex2oat.te
index 164e89c..2df9947 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -6,4 +6,7 @@
allow dex2oat installd:fd use;
# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
allow dex2oat asec_apk_file:file read;
+allow dex2oat unlabeled:file read;
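Review bot: The new `allow dex2oat unlabeled:file read;` rule applies to every file carrying the `unlabeled` type, not only forward-locked APKs, and the comment does not say what keeps that bounded. Only `read` is granted, with no `open`, so as far as this hunk shows dex2oat can reach such files only through descriptors passed in under `allow dex2oat installd:fd use;`. I would say so in the comment, e.g. `# Only read is granted (no open), so access is limited to fds passed by installd.` If relabeling of upgraded APKs is planned, a `# TODO: remove once forward-locked APKs are relabeled on upgrade.` line would mark the rule as temporary.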
diff --git a/init.te b/init.te
index abd0690..361fb87 100644
--- a/init.te
+++ b/init.te
@@ -71,9 +71,9 @@
# Certain domains need LD_PRELOAD passed from init.
# https://android-review.googlesource.com/94851
-# For now, allow it to all domains.
+# For now, allow it to most domains.
# TODO: scope this down.
-allow init domain:process noatsecure;
+allow init { domain -lmkd }:process noatsecure;
# Support "adb shell stop"
allow init domain:process sigkill;
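Review bot: The updated comment says "most domains", but the rule `allow init { domain -lmkd }:process noatsecure;` excludes exactly one domain, and init.te gives no reason for it. I would name it in the comment: `# For now, allow it to all domains except lmkd, which must never honor LD_PRELOAD (see the neverallow in lmkd.te).` Keeping the reason next to the set difference makes later additions to the exclusion list easier to audit as the TODO is worked down.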
diff --git a/lmkd.te b/lmkd.te
index 771c780..df8208f 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -30,3 +30,8 @@
# Set self to SCHED_FIFO
allow lmkd self:capability sys_nice;
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow domain lmkd:process noatsecure;
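Review bot: The comment `# never honor LD_PRELOAD` names the effect but not the mechanism, so the link to `noatsecure` is left for the reader to work out. Without `noatsecure`, AT_SECURE is set on the transition into lmkd and the dynamic linker then ignores LD_PRELOAD and similar environment variables. A two-line comment stating that would make the rule self-explanatory. It is also worth noting in the comment that the source set is `domain`, so the assertion covers any parent that might start lmkd, not only init. A neverallow is a build-time check on the policy, so it guards against a later allow rule rather than changing runtime behaviour.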
diff --git a/service_contexts b/service_contexts
index 5d0161b..82d2f8a 100644
--- a/service_contexts
+++ b/service_contexts
@@ -16,6 +16,7 @@
bluetooth u:object_r:bluetooth_service:s0
clipboard u:object_r:system_server_service:s0
com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0
+com.android.net.IProxyService u:object_r:system_server_service:s0
commontime_management u:object_r:system_server_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0