Merge "Add bug_map entry for unrelated SELinux denial to unblock IC."
diff --git a/OWNERS b/OWNERS
index 55f7f00..0ad1d05 100644
--- a/OWNERS
+++ b/OWNERS
@@ -9,5 +9,4 @@
nnk@google.com
smoreland@google.com
sspatil@google.com
-tomcherry@google.com
trong@google.com
diff --git a/private/bug_map b/private/bug_map
index 8d642c3..a404de3 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -33,3 +33,4 @@
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
+zygote labeledfs filesystem b/170748799
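Review bot: The new `zygote labeledfs filesystem b/170748799` entry maps every permission of the `filesystem` class on `labeledfs` for zygote to that bug, because bug_map lines (compare the three above it) carry no permission field. That keeps the denial from failing test runs but does not stop it being logged, and nothing else in this merge adds an allow or dontaudit for the underlying access, so the entry is a suppression that needs a follow-up removal once the referenced bug lands a real policy change. Recording the specific denied permission alongside the bug would let that eventual fix be scoped to it rather than to the whole class.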
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 18644de..2f154cd 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -10,6 +10,7 @@
apc_service
apex_info_file
arm64_memtag_prop
+ authorization_service
cgroup_desc_api_file
cgroup_v2
ctl_snapuserd_prop
diff --git a/private/service_contexts b/private/service_contexts
index f22e2fd..0b027ed 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -25,6 +25,7 @@
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
android.security.apc u:object_r:apc_service:s0
+android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 69e04d9..893ea11 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -762,6 +762,7 @@
add_service(system_server, system_server_service);
allow system_server audioserver_service:service_manager find;
+allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 5188d19..4c6d96c 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -56,7 +56,7 @@
core_data_file_type
vendor_file_type
}:dir search;
-dontaudit crash_dump system_data_file:file read;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
###
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 154b9c9..10c0302 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -41,8 +41,8 @@
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
-# Allow dumpstate to append into privileged apps private files.
-allow dumpstate privapp_data_file:file append;
+# Allow dumpstate to append into apps' private files.
+allow dumpstate { privapp_data_file app_data_file }:file append;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
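Review bot: The widened rule `allow dumpstate { privapp_data_file app_data_file }:file append;` grants dumpstate append on the private data files of every app, not only privileged ones, and the rewritten comment above it no longer says why the access is needed. The comment should carry the use case and tracking bug, e.g. `# Allow dumpstate to append into apps' private files (<reason>, b/<bug>).` Granting only `append` (no `open`, `write` or `create`) suggests the file descriptor is opened by the app and handed to dumpstate; if that is the intent, stating it documents why the broader target set is still bounded, and if dumpstate is meant to open the files itself the rule as written is insufficient.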
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 6ab9727..7295c24 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -24,6 +24,8 @@
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
+allow gatekeeperd authorization_service:service_manager find;
+
# For permissions checking
allow gatekeeperd system_server:binder call;
diff --git a/public/keystore.te b/public/keystore.te
index 564e9f3..8c64090 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -17,6 +17,7 @@
allow keystore dropbox_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/service.te b/public/service.te
index 28638c8..ef7fff5 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,6 +2,7 @@
type apc_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
+type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
@@ -106,7 +107,7 @@
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
-type bugreport_service, system_api_service, system_server_service, service_manager_type;
+type bugreport_service, app_api_service, system_server_service, service_manager_type;
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
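Review bot: Moving `bugreport_service` from `system_api_service` to `app_api_service` at the `type bugreport_service, ...` line makes the service findable from every app domain that carries the `app_api_service` attribute instead of only system-API callers, and this is the one hunk in the merge that broadens exposure without any accompanying comment. If the intent is that ordinary apps can bind but a runtime permission check inside system_server rejects them, say so on the type line, e.g. `# findable by all apps; callers are gated by <permission check> in the service implementation`, so the next reviewer knows the SELinux layer is no longer the control. If no such check exists, this should stay `system_api_service`.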