Merge "DO NOT MERGE. Remove isolated_app's ability to read sysfs." into nyc-dev
diff --git a/app.te b/app.te
index 56cecb5..f2adf37 100644
--- a/app.te
+++ b/app.te
@@ -127,6 +127,10 @@
 # Profiles for foreign dex files are just markers and only need create permissions.
 allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
 allow appdomain user_profile_foreign_dex_data_file:file create;
+# There is no way to create user_profile_foreign_dex_data_file without
+# generating open/read denials. These permissions should not be granted and the
+# denial is harmless. dontaudit to suppress the denial.
+dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };
 
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
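Review bot: The comment on the new dontaudit states that open/read "should not be granted", but nothing in this hunk makes the policy enforce that claim; a dontaudit only silences the log line, and a later `allow` of those same permissions would go unnoticed. If no existing neverallow already covers this pair, pairing the dontaudit with `neverallow appdomain user_profile_foreign_dex_data_file:file { open read };` turns the comment into a compile-time assertion. It would also be worth stating in the comment which operation triggers the spurious denial, since "no way to create ... without generating open/read denials" leaves the reader to guess whether this comes from the creating syscall itself or from the runtime touching the file afterwards.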
diff --git a/service.te b/service.te
index 8fea071..6b5838c 100644
--- a/service.te
+++ b/service.te
@@ -83,6 +83,7 @@
 type package_service, app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
 type power_service, app_api_service, system_server_service, service_manager_type;
 type print_service, app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 11c0736..0ddbdc1 100644
--- a/service_contexts
+++ b/service_contexts
@@ -99,6 +99,7 @@
 phone1                                    u:object_r:radio_service:s0
 phone2                                    u:object_r:radio_service:s0
 phone                                     u:object_r:radio_service:s0
+pinner                                    u:object_r:pinner_service:s0
 power                                     u:object_r:power_service:s0
 print                                     u:object_r:print_service:s0
 processinfo                               u:object_r:processinfo_service:s0
diff --git a/system_server.te b/system_server.te
index 67dc16a..92d8387 100644
--- a/system_server.te
+++ b/system_server.te
@@ -46,6 +46,7 @@
 # These are the capabilities assigned by the zygote to the
 # system server.
 allow system_server self:capability {
+    ipc_lock
     kill
     net_admin
     net_bind_service
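Review bot: `ipc_lock` is added to the system_server capability set with no comment, unlike the header above the block, which explains where the capabilities come from but not what each is for. CAP_IPC_LOCK lets the process mlock memory beyond RLIMIT_MEMLOCK, which is a resource-exhaustion lever if misused, so the consumer should be recorded; since the same commit introduces pinner_service, this presumably serves the pinner's locking of files into memory, but the hunk does not say so. A one-line comment such as `    ipc_lock          # presumably for pinner_service's mlock of pinned files — confirm` would document the reason for the grant. The enclosing `allow system_server self:capability { ... }` statement closes outside this hunk.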