Merge "vendor_init can set config.disable_cameraservice"
diff --git a/private/bug_map b/private/bug_map
index c6c8278..60c2f15 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -27,6 +27,7 @@
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
+system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 93e4f46..77f0ce0 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -12,6 +12,9 @@
auth_service
ashmem_libcutils_device
blob_store_service
+ binderfs
+ binderfs_logs
+ binderfs_logs_proc
boringssl_self_test
charger_prop
cold_boot_done_prop
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5b956da..07c44ca 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -290,9 +290,15 @@
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index daca057..4ae8eff 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -3,14 +3,6 @@
###
typeattribute gmscore_app coredomain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `gmscore_app` and remove this line once we are confident about this having
-# the right set of permissions.
-userdebug_or_eng(`permissive gmscore_app;')
-
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 0fa2dea..8a6f6aa 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -3,14 +3,6 @@
###
type permissioncontroller_app, domain, coredomain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `permissioncontroller_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive permissioncontroller_app;')
-
app_domain(permissioncontroller_app)
# Allow interaction with gpuservice
diff --git a/public/app.te b/public/app.te
index b771b5f..e4eee82 100644
--- a/public/app.te
+++ b/public/app.te
@@ -50,6 +50,9 @@
# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };
+# Allow appdomain to access app_api_service
+allow { appdomain -isolated_app } app_api_service:service_manager find;
+
# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 4ae6c9a..88093f9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index 73ac226..9573ad0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -4,6 +4,9 @@
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;