Merge "Allow vold to get the DSU status"
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
index 5601f64..e55ff17 100644
--- a/private/compos_verify_key.te
+++ b/private/compos_verify_key.te
@@ -15,9 +15,6 @@
allow compos_verify_key odsign:fd use;
allow compos_verify_key odsign_devpts:chr_file { read write };
-# TODO: Remove this!
-allow compos_verify_key self:vsock_socket create_socket_perms_no_ioctl;
-
# Only odsign can enter the domain via exec
neverallow { domain -odsign } compos_verify_key:process transition;
neverallow * compos_verify_key:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index 725e79e..4f85125 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,3 +13,6 @@
allow composd apex_module_data_file:dir search;
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(composd, odrefresh_exec, odrefresh)
diff --git a/private/file.te b/private/file.te
index e185b85..124309c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -68,6 +68,3 @@
# /dev/kvm
type kvm_device, dev_type;
-
-# /dev/userspace_panic
-type userspace_panic_device, dev_type;
diff --git a/private/file_contexts b/private/file_contexts
index 8849602..0c8bf78 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,7 +191,6 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
-/dev/userspace_panic u:object_r:userspace_panic_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
diff --git a/private/init.te b/private/init.te
index 400e47c..f569e0c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -112,6 +112,3 @@
-kvm_device
-port_device
}:chr_file setattr;
-
-# Allow use userpanic to request panic.
-allow init userspace_panic_device:chr_file w_file_perms;
diff --git a/private/llkd.te b/private/llkd.te
index 0d19f62..9c96dfb 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -44,9 +44,6 @@
allow llkd proc_sysrq:file rw_file_perms;
allow llkd kmsg_device:chr_file w_file_perms;
-# Allow use userpanic to request panic.
-allow llkd userspace_panic_device:chr_file w_file_perms;
-
### neverallow rules
neverallow { domain -init } llkd:process { dyntransition transition };
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3db1ae8..811b7cf 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -34,16 +34,30 @@
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Use inherited stdin/stdout/stderr from composd which exec()'s
+# odrefesh.
+allow odrefresh composd:fd use;
+
+# Run system binaries, e.g. pvm_exec, in the same domain
+allow odrefresh system_file:file execute_no_trans;
+
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
dontaudit odrefresh devpts:chr_file rw_file_perms;
dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
# No other processes should be creating files in the staging area.
neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
@@ -51,10 +65,3 @@
# odrefresh_data_files.
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/property.te b/private/property.te
index 3ee6650..659d1d4 100644
--- a/private/property.te
+++ b/private/property.te
@@ -40,6 +40,7 @@
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
+system_internal_prop(virtualizationservice_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index ba0d557..cd10fe6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1233,3 +1233,6 @@
# dck properties
ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+# virtualization service properties
+virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
diff --git a/private/system_server.te b/private/system_server.te
index 622fd41..ee4cfe2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1156,9 +1156,6 @@
# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
-# Allow use userpanic to request panic.
-allow system_server userspace_panic_device:chr_file w_file_perms;
-
###
### Neverallow rules
###
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0c09509..3b23449 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -54,3 +54,11 @@
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
+set_prop(virtualizationservice, virtualizationservice_prop)
+neverallow {
+ domain
+ -init
+ -virtualizationservice
+} virtualizationservice_prop:property_service set;