Merge "Allow zygote to relabel CE and DE dirs from tmpfs to system_data_file"
diff --git a/apex/Android.bp b/apex/Android.bp
index 1c27bc3..4a860e1 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -70,6 +70,13 @@
}
filegroup {
+ name: "com.android.cronet-file_contexts",
+ srcs: [
+ "com.android.cronet-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
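Review bot: The new filegroup's only srcs entry, `"com.android.cronet-file_contexts"`, names a file that does not appear anywhere in this diff, so if it is not added by a sibling change in the same merge the filegroup references a missing source and the build will fail. Presumably the file_contexts file lands elsewhere in the merge, but that is worth confirming before landing. The closing brace on the hunk's first context line belongs to a module that starts outside the hunk.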
diff --git a/private/priv_app.te b/private/priv_app.te
index f68586a..7e5f961 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -122,18 +122,6 @@
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(priv_app, storaged)
-allow priv_app storaged_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app storaged:binder { call transfer };
- auditallow storaged priv_app:binder transfer;
- auditallow priv_app storaged:fd use;
- auditallow priv_app storaged_service:service_manager find;
-')
-
-
# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow priv_app system_update_service:service_manager find;
@@ -154,13 +142,6 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
-allow priv_app keystore:keystore_key gen_unique_id;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app keystore:keystore_key gen_unique_id;
-')
-
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow priv_app selinuxfs:file r_file_perms;
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
diff --git a/public/iorapd.te b/public/iorapd.te
index abf7adb..4c08c72 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -36,6 +36,9 @@
# tracing sessions and read trace data.
unix_socket_connect(iorapd, traced_consumer, traced)
+# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
+allow iorapd system_file:file rx_file_perms;
+
###
### neverallow rules
###
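Review bot: The added rule `allow iorapd system_file:file rx_file_perms;` grants iorapd execute permission on every file labeled system_file, which is much wider than the single binary (iorap.cmd.compiler) the comment above it names, so the comment and the rule are not equally scoped. If that binary can carry its own label, a dedicated exec type (placeholder: `iorap_compiler_exec_type_PLACEHOLDER`) with `allow iorapd iorap_compiler_exec_type_PLACEHOLDER:file rx_file_perms;` would confine the grant to that one file. If the broad grant is intentional, widen the comment to say so, e.g. `# NOTE: this covers execution of any system_file binary, not only iorap.cmd.compiler.` The neverallow section that begins on the hunk's last lines continues outside the hunk and should be checked for a rule that now conflicts with this allow.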