Merge "Revert^4 "Build userdebug_plat_sepolicy.cil with Android.bp""
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 98ef3ed..7f2236c 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -53,6 +53,11 @@
 r_dir_file(app_zygote, dalvikcache_data_file);
 allow app_zygote dalvikcache_data_file:file execute;
 
+# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
+allow app_zygote apex_module_data_file:dir search;
+# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
+r_dir_file(app_zygote, apex_art_data_file)
+
 # Allow reading/executing installed binaries to enable preloading
 # application data
 allow app_zygote apk_data_file:dir r_dir_perms;
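Review bot: The comment on the first added rule has misplaced parentheses and says "Read", while the rule grants only `search` on `apex_module_data_file:dir`. It could read `# Search /data/misc/apexdata/ to reach com.android.art/dalvik-cache.` The context lines above pair `r_dir_file(app_zygote, dalvikcache_data_file);` with a separate `file execute` allow, whereas the new `apex_art_data_file` rule grants read access only. If that is deliberate, a short comment saying so would stop a later reader from "fixing" it by adding execute. The new `r_dir_file(...)` line also omits the trailing semicolon that the neighbouring macro call uses.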
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 616f00c..9233a4d 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -17,8 +17,16 @@
   -vendor_init
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };
+
+# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
 userdebug_or_eng(`
-  allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
+  allow crash_dump {
+    apexd
+    keystore
+    llkd
+    logd
+    vold
+  }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
 ###
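Review bot: The TODO above the `userdebug_or_eng` block gives a bug number and a tentative date, but not why crash_dump needs to ptrace keystore or what that access exposes. ptrace gives the tracer access to the memory of the process that handles key operations, so this entry is more sensitive than `apexd`, `llkd`, `logd` and `vold` beside it. Suggest expanding the comment to something like `# Temporary, userdebug/eng only: crash_dump may ptrace keystore for debugging; this exposes keystore process memory, remove with b/186868271.` The stated purpose is inferred from the domain names and should be checked against the bug. The date "maybe by May 14, 2021?" is not enforced by anything, so the bug reference is the only durable handle for the cleanup.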
@@ -35,6 +43,7 @@
   init
   kernel
   keystore
+  userdebug_or_eng(`-keystore')
   llkd
   userdebug_or_eng(`-llkd')
   logd
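Review bot: The added `-keystore` entry under `userdebug_or_eng` carries no reference to b/186868271, unlike the other two places this commit introduces the exception. A cleanup that greps for the TODO can therefore leave this carve-out behind. A comment above the enclosing statement, such as `# TODO(b/186868271): drop the userdebug_or_eng -keystore entry with the keystore ptrace exception`, would tie it to the same removal. The enclosing statement starts and ends outside the hunk, so its exact form is inferred from the existing `llkd` / `-llkd` pattern.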
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 697ec1f..28d8b9a 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -58,6 +58,9 @@
 get_prop(dex2oat, device_config_runtime_native_prop)
 get_prop(dex2oat, device_config_runtime_native_boot_prop)
 
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
+
 ##################
 # A/B OTA Dexopt #
 ##################
diff --git a/private/system_server.te b/private/system_server.te
index 79666fb..caf5208 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -34,6 +34,7 @@
   INCFS_IOCTL_PERMIT_FILL
   INCFS_IOCTL_GET_READ_TIMEOUTS
   INCFS_IOCTL_SET_READ_TIMEOUTS
+  INCFS_IOCTL_GET_LAST_READ_ERROR
 };
 
 # To get signature of an APK installed on Incremental File System, and fill in data
diff --git a/public/ioctl_defines b/public/ioctl_defines
index d1c20b2..afb0b2d 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1072,6 +1072,7 @@
 define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
 define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
 define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
+define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/keystore.te b/public/keystore.te
index 7a6074b..155322c 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -40,4 +40,5 @@
 neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
 
-neverallow * keystore:process ptrace;
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
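Review bot: The new comment does not say that this rule was an unconditional `neverallow *` and that the carve-out applies only on userdebug/eng builds, which is the property a reader auditing keystore isolation needs first. Because the `-crash_dump` subtraction sits inside `userdebug_or_eng`, the user-build form should still cover every domain, and stating that explicitly protects it from being widened by accident. Suggest adding `# User builds keep this absolute; only userdebug/eng exempt crash_dump, which can then read keystore memory via ptrace.` above the rule. The TODO's "soon-ish (maybe by May 14, 2021?)" is vague enough that the exception could outlive its purpose; the bug number should be treated as the removal trigger.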