Merge changes from topic "lpdumpd"
* changes:
Add rules for lpdump and lpdumpd
Allow to getattr kmsg_device
diff --git a/private/system_suspend.te b/private/system_suspend.te
index e93a73d..961cd67 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,6 +10,11 @@
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
+# TODO(b/128923994): remove once all debugging info moves to SystemSuspend.
+# Access to /sys/power/{ wake_lock, wake_unlock } suspend blocker interface.
+allow system_suspend self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+
neverallow {
domain
-atrace # tracing
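Review bot: The TODO on the first added line sits above a comment that describes only the /sys/power/{ wake_lock, wake_unlock } files, so it is unclear whether the `block_suspend` capability grant is also meant to be removed under b/128923994. Since both rules widen what system_suspend may do, I would make the scope explicit, e.g. `# TODO(b/128923994): remove both rules below once all debugging info moves to SystemSuspend.` The neverallow that follows continues outside the hunk, so whether it constrains `sysfs_wake_lock` cannot be checked from here.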
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e6df48d..e7b6c5f 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -32,3 +32,6 @@
system_data_file
vold_data_file
}:file { getattr unlink };
+
+# Temporarily block denials causing failing tests (b/129298168).
+dontaudit vold_prepare_subdirs domain:file read;
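Review bot: The added `dontaudit vold_prepare_subdirs domain:file read;` silences read denials against files labelled with any domain type (presumably the /proc/<pid> entries of every process), which is much wider than the failing tests are likely to need. A suppression this broad also hides the denials that would show vold_prepare_subdirs reading process state it should not touch. I would narrow the target to the specific types seen in the b/129298168 denials once they are known, and mark the rule for removal in the comment, e.g. `# TODO(b/129298168): remove once the source of these reads is fixed.`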
diff --git a/public/attributes b/public/attributes
index 4cae0ff..dbb9356 100644
--- a/public/attributes
+++ b/public/attributes
@@ -308,3 +308,6 @@
attribute mediaswcodec_server;
attribute system_suspend_server;
attribute camera_service_server;
+
+# All types used for super partition block devices.
+attribute super_block_device_type;
diff --git a/public/device.te b/public/device.te
index 57b0503..41b4edb 100644
--- a/public/device.te
+++ b/public/device.te
@@ -104,4 +104,4 @@
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, dev_type;
+type super_block_device, super_block_device_type, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 8331d2d..978c9bf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -643,6 +643,11 @@
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
')
+
+# libcutils can probe for /dev/binder permissions with access(). Ignore
+# generated denials. See b/129073672 for details.
+dontaudit domain binder_device:chr_file audit_access;
+
full_treble_only(`
neverallow {
domain
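Review bot: The comment above `dontaudit domain binder_device:chr_file audit_access;` does not say that only the access() probe is silenced, which matters because the rule covers every domain and sits outside the `full_treble_only` block. A later reader could take it for a blanket suppression on /dev/binder and widen it. I would add a line such as `# Only access() checks are silenced; denied open/read/write/ioctl on binder_device are still audited.` so the detection value of the remaining denials is clear.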