Merge "Sepolicy for added SystemSuspend HAL to ANR list."

commit: 18898abf3fe513ce5162dd5fd57156282dbb7607 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Mon Jul 01 21:43:45 2019 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Jul 01 21:43:45 2019 +0000
tree: b88e61217648b54a3be1452f53618a76035c1969
parent: 56d34f78380c4bdddd97eebaf501bf21ccbaaf70 [diff]
parent: 113d10baaaf9997b497b68bf0cdb50b40af1e87c [diff]
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 037a7d5..d2d0209 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te

@@ -169,7 +169,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.

diff --git a/prebuilts/api/29.0/private/system_app.te b/prebuilts/api/29.0/private/system_app.te
index e8627151..9ed1d36 100644
--- a/prebuilts/api/29.0/private/system_app.te
+++ b/prebuilts/api/29.0/private/system_app.te

@@ -24,6 +24,12 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 

diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index f0da59c..f048814 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te

@@ -1018,7 +1018,7 @@
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can

diff --git a/private/domain.te b/private/domain.te
index 037a7d5..d2d0209 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -169,7 +169,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2a8f7ad..3ad0edb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -214,6 +214,7 @@
 genfscon tracefs /events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
@@ -255,6 +256,7 @@
 genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0

diff --git a/private/system_app.te b/private/system_app.te
index e8627151..9ed1d36 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -24,6 +24,12 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 

diff --git a/private/system_server.te b/private/system_server.te
index f1704b5..df87794 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1023,7 +1023,7 @@
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can

diff --git a/public/property_contexts b/public/property_contexts
index e969aaf..ecc2610 100644
--- a/public/property_contexts
+++ b/public/property_contexts

@@ -135,8 +135,6 @@
 ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
-ro.url.legal u:object_r:exported3_default_prop:s0 exact string
-ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
commit	18898abf3fe513ce5162dd5fd57156282dbb7607	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Mon Jul 01 21:43:45 2019 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Mon Jul 01 21:43:45 2019 +0000
tree	b88e61217648b54a3be1452f53618a76035c1969
parent	56d34f78380c4bdddd97eebaf501bf21ccbaaf70 [diff]
parent	113d10baaaf9997b497b68bf0cdb50b40af1e87c [diff]