commit 2bf5c3d29f252ee5d399b19cd700fdf230f809f1
author Treehugger Robot <treehugger-gerrit@google.com> Thu Dec 06 21:06:19 2018 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Dec 06 21:06:19 2018 +0000
tree 2da048423e79b53e804f5f882a4156be055d0717
parent 69dc26411ad93de616b1c1327726691075db6d8c
parent 22cf8f7c1e27aa9a4ef3ebe1d687bea897354a0e

Merge "sepolicy: add rule for offload minimum duration property"

private/compat/28.0/28.0.cil

diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d3019ec..323fb0a 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1,4 +1,5 @@
 ;; types removed from current policy
+(type alarm_device)
 (type audio_seq_device)
 (type audio_timer_device)
 (type commontime_management_service)

private/dumpstate.te

diff --git a/private/dumpstate.te b/private/dumpstate.te
index 5cba2cd..4f3dda6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -34,6 +34,9 @@
 # Allow dumpstate to talk to gpuservice over binder
 binder_call(dumpstate, gpuservice);
 
+# Allow dumpstate to talk to idmap over binder
+binder_call(dumpstate, idmap);
+
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
 

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 493d782..abef72b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -71,7 +71,6 @@
 /dev/adf[0-9]*		u:object_r:graphics_device:s0
 /dev/adf-interface[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
 /dev/adf-overlay-engine[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
-/dev/alarm		u:object_r:alarm_device:s0
 /dev/ashmem		u:object_r:ashmem_device:s0
 /dev/audio.*		u:object_r:audio_device:s0
 /dev/binder		u:object_r:binder_device:s0

private/heapprofd.te

diff --git a/private/heapprofd.te b/private/heapprofd.te
index 30ad7f1..b7013d7 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -13,10 +13,10 @@
 
   # Executables and libraries.
   # These are needed to read the ELF binary data needed for unwinding.
-  allow heapprofd system_file:file r_file_perms;
-  allow heapprofd apk_data_file:file r_file_perms;
-  allow heapprofd dalvikcache_data_file:file r_file_perms;
-  allow heapprofd vendor_file_type:file r_file_perms;
+  r_dir_file(heapprofd, system_file_type)
+  r_dir_file(heapprofd, apk_data_file)
+  r_dir_file(heapprofd, dalvikcache_data_file)
+  r_dir_file(heapprofd, vendor_file_type)
 ')
 
 # Write trace data to the Perfetto traced damon. This requires connecting to its

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 5098760..3806d23 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -325,7 +325,6 @@
 # Access devices.
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server alarm_device:chr_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;

private/vold.te

diff --git a/private/vold.te b/private/vold.te
index a6d1001..dea24a5 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -8,8 +8,8 @@
 
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, blkid_exec, blkid);
+domain_trans(vold, blkid_exec, blkid_untrusted);
 domain_trans(vold, fsck_exec, fsck);
 domain_trans(vold, fsck_exec, fsck_untrusted);
 

public/device.te

diff --git a/public/device.te b/public/device.te
index e55c86d..57b0503 100644
--- a/public/device.te
+++ b/public/device.te
@@ -1,6 +1,5 @@
 # Device types
 type device, dev_type, fs_type;
-type alarm_device, dev_type, mlstrustedobject;
 type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index c536c12..d0e4e41 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -75,7 +75,6 @@
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain proc_random:dir r_dir_perms;
 allow domain proc_random:file r_file_perms;

public/hal_telephony.te

diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 9d0f8c0..3e4b65d 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -9,7 +9,6 @@
 allow hal_telephony_server self:netlink_route_socket nlmsg_write;
 allow hal_telephony_server kernel:system module_request;
 allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
-allow hal_telephony_server alarm_device:chr_file rw_file_perms;
 allow hal_telephony_server cgroup:dir create_dir_perms;
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
 allow hal_telephony_server radio_device:chr_file rw_file_perms;

public/hal_wifi.te

diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index f735be5..805adaf 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -10,9 +10,9 @@
 set_prop(hal_wifi, exported_wifi_prop)
 set_prop(hal_wifi, wifi_prop)
 
-# allow hal wifi set interfaces up and down
+# allow hal wifi set interfaces up and down and get the factory MAC
 allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
 
 allow hal_wifi self:global_capability_class_set { net_admin net_raw };
 # allow hal_wifi to speak to nl80211 in the kernel

public/init.te

diff --git a/public/init.te b/public/init.te
index 2a8036a..8b95e2b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -257,7 +257,6 @@
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
 allow init {
-  alarm_device
   ashmem_device
   binder_device
   console_device

public/radio.te

diff --git a/public/radio.te b/public/radio.te
index 05bfd8c..8a8bef3 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -12,7 +12,6 @@
 allow radio radio_data_file:dir create_dir_perms;
 allow radio radio_data_file:notdevfile_class_set create_file_perms;
 
-allow radio alarm_device:chr_file rw_file_perms;
 
 allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;

public/vold.te

diff --git a/public/vold.te b/public/vold.te
index 6994776..0f5fb0f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -31,9 +31,6 @@
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
 
-# For sgdisk launched through popen()
-allow vold shell_exec:file rx_file_perms;
-
 # For formatting adoptable storage devices
 allow vold e2fs_exec:file rx_file_perms;