Merge "system_server: access to /proc/sys/fs/pipe-max-size"
diff --git a/private/bug_map b/private/bug_map
index 26d25e7..6bad8c2 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -3,3 +3,6 @@
 vold system_data_file file 62140539
 system_server proc file 69175449
 system_server vendor_framework_file dir 68826235
+crash_dump app_data_file dir 68319037
+crash_dump bluetooth_data_file 68319037
+crash_dump vendor_overlay_file 68319037
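Review bot: The two entries added for `bluetooth_data_file` and `vendor_overlay_file` have only three fields. Every other line in this hunk, including the `crash_dump app_data_file dir` entry added just above them, has four: source domain, target type, class, bug number. With the class column missing, the bug number sits where the class is expected, so these entries will presumably never match a denial, or may be rejected by whatever parses the map. Add the class the denials were actually logged against, in the form `crash_dump bluetooth_data_file <class> 68319037`, taking `<class>` from the audit record rather than guessing.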
diff --git a/private/domain.te b/private/domain.te
index 9515074..4015cf9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -45,7 +45,6 @@
     -storaged
     -system_app
     -ueventd
-    -update_verifier
     -vold
     -vendor_init
   } sysfs:file no_rw_file_perms;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index c99d96f..5d97f72 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,2 +1,6 @@
 typeattribute vendor_init coredomain;
 
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
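Review bot: `dontaudit vendor_init sysfs:dir write;` hides every write denial on directories with the generic `sysfs` label, not only the write-to-a-missing-file case the comment describes. A vendor init script that is wrong in some other way will therefore fail without leaving an audit record. The comment should state that scope, for example `# Grants no access; only suppresses the denial logged when init writes to a sysfs path that does not exist.` It is also worth noting that directories carrying a more specific sysfs label are not covered by this rule and are still audited.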
diff --git a/public/charger.te b/public/charger.te
index 5a5b653..9c48ddd 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -17,8 +17,8 @@
 
 allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
-# Write to /sys/power/state
-allow charger sysfs_power:file write;
+# Read/write to /sys/power/state
+allow charger sysfs_power:file rw_file_perms;
 
 allow charger sysfs_batteryinfo:file r_file_perms;
 
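Review bot: `rw_file_perms` on the `allow charger sysfs_power:file` line grants more than the read access the updated comment describes. In the AOSP macro set it expands to ioctl, lock and append in addition to getattr/open/read/write, and the rule applies to every file labelled `sysfs_power`, not only /sys/power/state. If charger only needs to read the state back, an explicit set such as `allow charger sysfs_power:file { getattr open read write };` keeps the grant minimal; otherwise the comment should say why the full macro is required. Since this file is under public/, the wider grant presumably also becomes part of the policy that vendor policy is built against.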
diff --git a/vendor/tee.te b/vendor/tee.te
index 348d715..7eb2430 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -14,4 +14,4 @@
 r_dir_file(tee, sysfs_type)
 
 allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
+allow tee system_data_file:lnk_file { getattr read };