Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 290d1876ffbec412e3e8536d85c684d5e6f9feff^2..290d1876ffbec412e3e8536d85c684d5e6f9feff / .
commit290d1876ffbec412e3e8536d85c684d5e6f9feff[log] [tgz]
authorCharles Chen <liangyuchen@google.com>Thu Apr 20 16:31:52 2023 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Thu Apr 20 16:31:52 2023 +0000
tree7f5e4441cb2c969985f5916505e81dbe2cdf7c37
parent66ef8f01ee74fc9ffba75bcab70f5e4ed6898dbc [diff]
parentc8ab3593d02f5bd473453b7eb955d7ea6c7229b4 [diff]
Merge "Move isolated_compute_app to be public"
diff --git a/private/file_contexts b/private/file_contexts
index 7432c2f..b1c7508 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -376,9 +376,11 @@
 /system/bin/simpleperf           u:object_r:simpleperf_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
 /system/bin/odsign               u:object_r:odsign_exec:s0
 /system/bin/vehicle_binding_util     u:object_r:vehicle_binding_util_exec:s0
+/system/bin/cardisplayproxyd     u:object_r:automotive_display_service_exec:s0
 /system/bin/evsmanagerd          u:object_r:evsmanagerd_exec:s0
 /system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
 
@@ -494,9 +496,7 @@
 /(system_ext|system/system_ext)/bin/hidl_lazy_test_server    u:object_r:hidl_lazy_test_server_exec:s0
 /(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
 
-/(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
-/(system_ext|system/system_ext)/bin/cardisplayproxyd           u:object_r:automotive_display_service_exec:s0
 
 /(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
 

diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index fc4fce3..4806e6d 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te

@@ -92,6 +92,7 @@
     -pan_result_prop
     -permissive_mte_prop
     -persist_debug_prop
+    -persist_sysui_builder_extras_prop
     -pm_prop
     -powerctl_prop
     -property_service_version_prop

diff --git a/private/system_server.te b/private/system_server.te
index 7fea6e7..df0dfa7 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -321,6 +321,7 @@
 hal_client_domain(system_server, hal_input_classifier)
 hal_client_domain(system_server, hal_input_processor)
 hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_keymint)
 hal_client_domain(system_server, hal_light)
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
@@ -1107,6 +1108,8 @@
 
 # Allow system process to measure fs-verity for apps, apps being installed and system files
 allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
+allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
+allow system_server system_file:file ioctl;
 
 # Postinstall
 #

diff --git a/private/zygote.te b/private/zygote.te
index 9c47468..d61a431 100644
--- a/private/zygote.te
+++ b/private/zygote.te

@@ -247,6 +247,10 @@
 # preloaded classes
 get_prop(zygote, persist_wm_debug_prop)
 
+# Allow zygote to read persist_sysui_builder_extras_prop to toggle experimental features in
+# core preloaded classes
+get_prop(zygote, persist_sysui_builder_extras_prop)
+
 # Allow zygote to read /apex/apex-info-list.xml
 allow zygote apex_info_file:file r_file_perms;