Merge "Use with_dexpreopt macro for zygote execute permissions."
diff --git a/private/file_contexts b/private/file_contexts
index a341d7e..f1d736d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -227,7 +227,7 @@
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_exec:s0
/system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_exec:s0
-/system/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_exec:s0
+/system/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/system/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_exec:s0
/system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_exec:s0
/system/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_exec:s0
diff --git a/private/hal_light.te b/private/hal_light.te
deleted file mode 100644
index 8c5f108..0000000
--- a/private/hal_light.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# may be started by init
-init_daemon_domain(hal_light)
diff --git a/private/hal_light_default.te b/private/hal_light_default.te
new file mode 100644
index 0000000..8ac8037
--- /dev/null
+++ b/private/hal_light_default.te
@@ -0,0 +1,5 @@
+type hal_light_default, hal_light, domain;
+type hal_light_default_exec, exec_type, file_type;
+
+# may be started by init
+init_daemon_domain(hal_light_default)
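Review bot: The new private/hal_light_default.te declares `hal_light_default` and `hal_light_default_exec` without a header comment saying how they relate to the `hal_light` attribute, which a reader needs in order to know where a new rule belongs. I would add at the top `# Default implementation of the light HAL. Rules shared by every implementation go on the hal_light attribute in public/hal_light.te; only implementation-specific rules belong here.` Separately, the old `hal_light_exec` type is removed from public policy in this change with no alias, so any file_contexts entry outside this tree that still names it would presumably stop compiling; it is worth confirming none exist.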
diff --git a/public/app.te b/public/app.te
index 6cb3382..7f51574 100644
--- a/public/app.te
+++ b/public/app.te
@@ -425,10 +425,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app }
- kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shell }
- kernel:system syslog_read;
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
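Review bot: The single neverallow on the added line drops the `-system_app` and `-shell` exclusions, so policy compilation now fails if any appdomain type still holds an allow rule for `kernel:system` syslog permissions. Only the shell grant is visibly removed in this change (public/shell.te); no system_app hunk appears here, so confirm system_app has no remaining `syslog_read`, `syslog_mod` or `syslog_console` grant. The comment above the rule should also state the intent, for example `# Access to syslog(2) or /proc/kmsg. No exceptions: kernel log access is not granted to any app domain.` The hunk opens mid-rule at `proc:dir_file_class_set write;`, so the preceding neverallow is only partly visible.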
diff --git a/public/attributes b/public/attributes
index a846c34..5b68eea 100644
--- a/public/attributes
+++ b/public/attributes
@@ -113,3 +113,6 @@
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
+
+# HALs
+attribute hal_light;
diff --git a/public/hal_light.te b/public/hal_light.te
index cdb36bb..af238dd 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,7 +1,3 @@
-# light subsystem
-type hal_light, domain;
-type hal_light_exec, exec_type, file_type;
-
# hwbinder access
hwbinder_use(hal_light)
diff --git a/public/shell.te b/public/shell.te
index 0e747b7..b00c9ef 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -85,9 +85,6 @@
set_prop(shell, persist_debug_prop)
')
-# allow shell to run dmesg
-allow shell kernel:system syslog_read;
-
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
diff --git a/public/vold.te b/public/vold.te
index afe55c0..3ebb1d2 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -47,7 +47,6 @@
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-allow vold sdcard_type:filesystem { mount unmount remount };
# Manage per-user primary symlinks
allow vold mnt_user_file:dir create_dir_perms;