Merge "Allow ActivityManagerService to start cacheDump service." into rvc-dev
diff --git a/prebuilts/api/30.0/private/app_neverallows.te b/prebuilts/api/30.0/private/app_neverallows.te
index 66e9f69..1157187 100644
--- a/prebuilts/api/30.0/private/app_neverallows.te
+++ b/prebuilts/api/30.0/private/app_neverallows.te
@@ -257,3 +257,6 @@
   -untrusted_app_25
   -untrusted_app_27
 } mnt_sdcard_file:lnk_file *;
+
+# Only privileged apps may find the incident service
+neverallow all_untrusted_apps incident_service:service_manager find;
diff --git a/prebuilts/api/30.0/private/incidentd.te b/prebuilts/api/30.0/private/incidentd.te
index 405684a..656f69f 100644
--- a/prebuilts/api/30.0/private/incidentd.te
+++ b/prebuilts/api/30.0/private/incidentd.te
@@ -179,21 +179,6 @@
 ###
 ### neverallow rules
 ###
-
-# only specific domains can find the incident service
-neverallow {
-  domain
-  -dumpstate
-  -incident
-  -incidentd
-  -perfetto
-  -permissioncontroller_app
-  -priv_app
-  -statsd
-  -system_app
-  -system_server
-} incident_service:service_manager find;
-
 # only incidentd and the other root services in limited circumstances
 # can get to the files in /data/misc/incidents
 #
diff --git a/prebuilts/api/30.0/public/servicemanager.te b/prebuilts/api/30.0/public/servicemanager.te
index 10347d9..85777f5 100644
--- a/prebuilts/api/30.0/public/servicemanager.te
+++ b/prebuilts/api/30.0/public/servicemanager.te
@@ -22,6 +22,8 @@
 not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
 
 add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/prebuilts/api/30.0/public/sgdisk.te b/prebuilts/api/30.0/public/sgdisk.te
index 9d71249..e5a9152 100644
--- a/prebuilts/api/30.0/public/sgdisk.te
+++ b/prebuilts/api/30.0/public/sgdisk.te
@@ -17,6 +17,8 @@
 allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
 # Force a re-read of the partition table.
 allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
+# Allow reading of the physical block size.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
 
 # Inherit and use pty created by android_fork_execvp()
 allow sgdisk devpts:chr_file { read write ioctl getattr };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 66e9f69..1157187 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -257,3 +257,6 @@
   -untrusted_app_25
   -untrusted_app_27
 } mnt_sdcard_file:lnk_file *;
+
+# Only privileged apps may find the incident service
+neverallow all_untrusted_apps incident_service:service_manager find;
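Review bot: The comment on the new rule overstates what it enforces: `neverallow all_untrusted_apps incident_service:service_manager find;` only forbids the untrusted-app attribute from finding the service, it does not establish that only privileged apps can. Read together with the deletion in private/incidentd.te of the domain-wide neverallow (which listed the permitted finders explicitly), any other domain that is later granted `find` now sits outside every neverallow, so this hunk is a relaxation of the policy rather than a tightening. Suggest wording the comment as the guarantee actually given, e.g. `# Untrusted apps must never find the incident service`. Whether all_untrusted_apps covers isolated_app and ephemeral_app is not visible here; since the removed rule reached them through `domain`, that is worth confirming. The same text appears in prebuilts/api/30.0/private/app_neverallows.te.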
diff --git a/private/incidentd.te b/private/incidentd.te
index 405684a..656f69f 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -179,21 +179,6 @@
 ###
 ### neverallow rules
 ###
-
-# only specific domains can find the incident service
-neverallow {
-  domain
-  -dumpstate
-  -incident
-  -incidentd
-  -perfetto
-  -permissioncontroller_app
-  -priv_app
-  -statsd
-  -system_app
-  -system_server
-} incident_service:service_manager find;
-
 # only incidentd and the other root services in limited circumstances
 # can get to the files in /data/misc/incidents
 #
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 10347d9..85777f5 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -22,6 +22,8 @@
 not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
 
 add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
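Review bot: The two added allow lines carry no comment saying why servicemanager needs `fd use` and `fifo_file write` on dumpstate, while the neighbouring rules in this file are annotated. Presumably this lets dumpstate collect servicemanager's dump output over its pipe during a bugreport; if so, say it, e.g. `# Allow dumpstate to collect servicemanager's dump output over its pipe`. It would also help to note that `fifo_file write` is the only write channel intended, so a reader later auditing what servicemanager may push into dumpstate does not have to reconstruct the purpose from the rule alone. The prebuilts/api/30.0/public/servicemanager.te copy carries the same two lines.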
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/public/sgdisk.te b/public/sgdisk.te
index 9d71249..e5a9152 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -17,6 +17,8 @@
 allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
 # Force a re-read of the partition table.
 allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
+# Allow reading of the physical block size.
+allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
 
 # Inherit and use pty created by android_fork_execvp()
 allow sgdisk devpts:chr_file { read write ioctl getattr };