Merge "In native coverage builds, allow all domains to access /data/misc/trace"
diff --git a/private/apexd.te b/private/apexd.te
index d0ec9f4..14778b2 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -80,6 +80,9 @@
# not covered by rollback manager.
set_prop(apexd, powerctl_prop)
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 293d97d..c005a14 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -34,6 +34,7 @@
color_display_service
content_capture_service
crossprofileapps_service
+ ctl_apexd_prop
ctl_interface_restart_prop
ctl_interface_start_prop
ctl_interface_stop_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fbc241a..7d2f8dd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -32,6 +32,7 @@
color_display_service
content_capture_service
crossprofileapps_service
+ ctl_apexd_prop
ctl_interface_restart_prop
ctl_interface_start_prop
ctl_interface_stop_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 4d32997..0994389 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -33,6 +33,7 @@
content_capture_service
content_suggestions_service
cpu_variant_prop
+ ctl_apexd_prop
ctl_gsid_prop
dev_cpu_variant
device_config_activity_manager_native_boot_prop
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 56457a6..8fc3155 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ ctl_apexd_prop
device_config_sys_traced_prop
runtime_apex_dir
system_ashmem_hwservice
diff --git a/private/property_contexts b/private/property_contexts
index dd08c32..2473cdb 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -135,6 +135,9 @@
ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+# Restrict access to stopping apexd.
+ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/public/property.te b/public/property.te
index 8cb19fb..43fba69 100644
--- a/public/property.te
+++ b/public/property.te
@@ -10,6 +10,7 @@
type cppreopt_prop, property_type, core_property_type;
type cpu_variant_prop, property_type;
type ctl_adbd_prop, property_type;
+type ctl_apexd_prop, property_type;
type ctl_bootanim_prop, property_type;
type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
@@ -364,6 +365,7 @@
-config_prop
-cppreopt_prop
-ctl_adbd_prop
+ -ctl_apexd_prop
-ctl_bootanim_prop
-ctl_bugreport_prop
-ctl_console_prop
diff --git a/public/te_macros b/public/te_macros
index 85783dc..1ab417b 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -708,3 +708,13 @@
neverallow heapprofd $1:file read;
neverallow heapprofd $1:process signal;
')
+
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+ hal_client_domain(dumpstate, $1);
+ allow $1_server dumpstate:fifo_file write;
+ allow $1_server dumpstate:fd use;
+')