Merge "FrameworksServicesTests: allow access to test.sys.boot.reason property" into pi-dev
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
index 2c7c6e6..9b28ab4 100644
--- a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
@@ -134,6 +134,9 @@
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
wpantund
wpantund_exec
wpantund_service
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
index 824bbc2..5a6509e 100644
--- a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
@@ -112,6 +112,9 @@
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
wm_trace_data_file
wpantund
wpantund_exec
diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
index 71bff73..3dfb8a6 100644
--- a/prebuilts/api/28.0/private/file_contexts
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -292,6 +292,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
#############################
# Vendor files
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index 7e2f266..b037fe4 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -775,6 +775,11 @@
allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
diff --git a/prebuilts/api/28.0/private/wait_for_keymaster.te b/prebuilts/api/28.0/private/wait_for_keymaster.te
new file mode 100644
index 0000000..8b8dd29
--- /dev/null
+++ b/prebuilts/api/28.0/private/wait_for_keymaster.te
@@ -0,0 +1,9 @@
+# wait_for_keymaster service
+type wait_for_keymaster, domain, coredomain;
+type wait_for_keymaster_exec, exec_type, file_type;
+
+init_daemon_domain(wait_for_keymaster)
+
+hal_client_domain(wait_for_keymaster, hal_keymaster)
+
+allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te
index 2c6ce44..307e103 100644
--- a/prebuilts/api/28.0/public/shell.te
+++ b/prebuilts/api/28.0/public/shell.te
@@ -30,8 +30,8 @@
allow shell trace_data_file:dir { r_dir_perms remove_name write };
# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
# Read/execute files in /data/nativetest
userdebug_or_eng(`
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 2c7c6e6..9b28ab4 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -134,6 +134,9 @@
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
wpantund
wpantund_exec
wpantund_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 824bbc2..5a6509e 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -112,6 +112,9 @@
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
wm_trace_data_file
wpantund
wpantund_exec
diff --git a/private/file_contexts b/private/file_contexts
index 71bff73..3dfb8a6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -292,6 +292,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
#############################
# Vendor files
diff --git a/private/system_server.te b/private/system_server.te
index 7e2f266..b037fe4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -775,6 +775,11 @@
allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
new file mode 100644
index 0000000..8b8dd29
--- /dev/null
+++ b/private/wait_for_keymaster.te
@@ -0,0 +1,9 @@
+# wait_for_keymaster service
+type wait_for_keymaster, domain, coredomain;
+type wait_for_keymaster_exec, exec_type, file_type;
+
+init_daemon_domain(wait_for_keymaster)
+
+hal_client_domain(wait_for_keymaster, hal_keymaster)
+
+allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
diff --git a/public/shell.te b/public/shell.te
index 2c6ce44..307e103 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@
allow shell trace_data_file:dir { r_dir_perms remove_name write };
# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
# Read/execute files in /data/nativetest
userdebug_or_eng(`