Merge commit '8810311a31827f1e4d5d2fadbc212828ad23cc04' into HEAD

commit: 134e665df2407ccc5443dd4c53623b4a236e2817 [log] [tgz]
author: Bill Yi <byi@google.com> Tue Nov 03 14:29:50 2015 -0800
committer: Bill Yi <byi@google.com> Tue Nov 03 14:29:50 2015 -0800
tree: 8ad319c7ab7ae9a59d3ece048a8bb52aef8389fb
parent: e25588fba8a92da40c69a87658284874f3ea0b5b [diff]
parent: 8810311a31827f1e4d5d2fadbc212828ad23cc04 [diff]
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 0bfd33a..36993eb 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te

@@ -13,6 +13,9 @@
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
 
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 
 use_keystore(binderservicedomain)

diff --git a/kernel.te b/kernel.te
index ffefdf3..31da2af 100644
--- a/kernel.te
+++ b/kernel.te

@@ -43,6 +43,9 @@
 # MTP sync (b/15835289)
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
 allow kernel { priv_app untrusted_app }:fd use;
+# privileged apps have moved to the priv_app domain. Determine
+# if this permission is still needed. b/25331459
+auditallow kernel untrusted_app:fd use;
 allow kernel sdcard_type:file { read write };
 
 # Allow the kernel to read OBB files from app directories. (b/17428116)
commit	134e665df2407ccc5443dd4c53623b4a236e2817	[log] [tgz]
author	Bill Yi <byi@google.com>	Tue Nov 03 14:29:50 2015 -0800
committer	Bill Yi <byi@google.com>	Tue Nov 03 14:29:50 2015 -0800
tree	8ad319c7ab7ae9a59d3ece048a8bb52aef8389fb
parent	e25588fba8a92da40c69a87658284874f3ea0b5b [diff]
parent	8810311a31827f1e4d5d2fadbc212828ad23cc04 [diff]