Merge "ueventd: allow reading kernel cmdline"
diff --git a/prebuilts/api/26.0/private/service_contexts b/prebuilts/api/26.0/private/service_contexts
index dc77cb9..ff97d66 100644
--- a/prebuilts/api/26.0/private/service_contexts
+++ b/prebuilts/api/26.0/private/service_contexts
@@ -142,6 +142,7 @@
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:task_service:s0
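Review bot: The added `storaged_pri` entry reuses `storaged_service`, so service_manager `add`/`find` rules cannot tell the two registrations apart: every domain allowed to find `storaged` can also find `storaged_pri`. If the `_pri` name denotes a narrower, private interface (inferred from the name only), it would need its own service type with its own `find` rules; otherwise the interface has to enforce its own caller checks. The same line is added in the `private/service_contexts` hunk, and the point applies there too.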
diff --git a/private/property_contexts b/private/property_contexts
index de09d4a..1b27432 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -95,6 +95,7 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
+ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
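Review bot: Labelling `ctl.android.hardware.dumpstate` with the existing `ctl_dumpstate_prop` widens that type in both directions. Every domain that already has `set_prop` on it (those rules are not in this diff) can now ask init to control the vendor dumpstate HAL service, and the `set_prop(dumpstate, ctl_dumpstate_prop)` added in `public/dumpstate.te` also covers `ctl.dumpstate`, not only the HAL. property_contexts entries match by prefix, so the new line additionally covers any control name that merely starts with `ctl.android.hardware.dumpstate`. If only dumpstate is meant to control the HAL service, a separate property type for this entry would keep the grant narrow; at minimum a comment such as `# vendor dumpstate HAL service, controlled by dumpstate` above the line would record the intent.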
diff --git a/private/service_contexts b/private/service_contexts
index 8656b4e..8b9b862 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -153,6 +153,7 @@
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
system_update u:object_r:system_update_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index aab37fc..de6ad7b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -105,6 +105,7 @@
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server mediacodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
@@ -113,6 +114,7 @@
# Allow system_server to write to /proc/<pid>/timerslack_ns
allow system_server appdomain:file w_file_perms;
allow system_server audioserver:file w_file_perms;
+allow system_server mediacodec:file w_file_perms;
allow system_server cameraserver:file w_file_perms;
allow system_server hal_audio_server:file w_file_perms;
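Review bot: The comment above this list names only `/proc/<pid>/timerslack_ns`, but `mediacodec:file w_file_perms` lets system_server write any `/proc/<pid>` file that carries the `mediacodec` label, limited only by DAC. The neighbouring lines have the same breadth, so the new line is consistent with them. It would still help to state this in the comment, e.g. `# The type covers all /proc/<pid> files of the domain; DAC restricts the rest`. The matching `getsched setsched` grant for mediacodec is in the previous hunk.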
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index c41f9cb..55b268a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -6,6 +6,8 @@
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
tmpfs_domain(webview_zygote);
# Allow reading/executing installed binaries to enable preloading the
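Review bot: The added comment does not name the macro it refers to and describes `tmpfs_domain()` only as access to temporary files. Naming the macro (presumably `app_domain()`, which webview_zygote does not appear to use) and saying that the call gives the domain its own `webview_zygote_tmpfs` type would make clear why the line is needed, e.g. `# webview_zygote is not an app_domain(), so give it its own tmpfs type here.` The macro definitions are outside this diff, so confirm the wording against them.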
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 62762d3..8379cf8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -73,6 +73,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_drm_server
hal_graphics_composer_server
hal_sensors_server
hal_vr_server
@@ -267,6 +268,9 @@
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
###
### neverallow rules
###
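Review bot: The comment says "kill", but `set_prop(dumpstate, ctl_dumpstate_prop)` is not limited to stopping a service. As far as the policy is concerned, a domain that can set a `ctl.*` property of this type can ask init to start, stop or restart the services it names. Per the property_contexts hunk, the type also labels `ctl.dumpstate` itself. Wording such as `# Allow dumpstate to ask init to start/stop the vendor dumpstate HAL service` would match what is actually granted.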