Merge "Game Driver: allow statsd to ask gpuservice for stats"
diff --git a/private/adbd.te b/private/adbd.te
index 5bbf2dd..2fa4af6 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
# Create and use network sockets.
net_domain(adbd)
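Review bot: The added `dontaudit` covers the generic `socket` class as well as `vsock_socket`, but the comment only mentions the vsock probe, so a reader cannot tell that `socket` is intentional. Presumably it is there because kernels without a dedicated vsock class label AF_VSOCK sockets as plain `socket`; if so, say it, e.g. `# Kernels without the vsock_socket class report the probe as a generic socket create.` The comment should also state that this silences audit records for every other address family that falls into the generic class when adbd tries to create one. That matters to anyone who reads denial logs to investigate adbd behaviour.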
diff --git a/private/bug_map b/private/bug_map
index 7606ce8..8e31eca 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,4 +1,3 @@
-cppreopts cppreopts capability 79414024
dnsmasq netd fifo_file 77868789
dnsmasq netd unix_stream_socket 77868789
init app_data_file file 77873135
diff --git a/private/domain.te b/private/domain.te
index 8b502f3..5ca2441 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -154,9 +154,9 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
-neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
+neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
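Review bot: Adding `-installd` to the `staging_data_file:dir *` and `staging_data_file:file *` exemptions removes the build-time guard for every permission, while the installd.te hunk in this same change grants only `unlink` on files and a few directory permissions. A companion rule such as `neverallow installd staging_data_file:file ~{ unlink };` would keep the "files do not change between staging and apexd processing" guarantee enforceable for installd. It would need adjusting for anything installd already receives through attributes, which is not visible here. The comment block above these rules still names only system_server and apexd and should mention installd's delete-only role. Minor style point: `-installd}` on the first and third rules is missing the space before the brace that the second rule has. The last `neverallow` in the hunk continues outside it.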
diff --git a/private/installd.te b/private/installd.te
index 77889a3..3693c59 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -34,3 +34,8 @@
# Allow installd to access the runtime feature flag properties.
get_prop(installd, device_config_runtime_native_prop)
+get_prop(installd, device_config_runtime_native_boot_prop)
+
+# Allow installd to delete files in /data/staging
+allow installd staging_data_file:file unlink;
+allow installd staging_data_file:dir { open read remove_name rmdir search write };
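Review bot: The comment on the two staging rules says what is allowed but not which flow needs it, and unlike the adbd and shell hunks in this change it cites no bug. Since these rules are the reason the `staging_data_file` neverallows are relaxed in domain.te, the comment should name the caller that asks installd to delete from /data/staging and carry a bug reference, so the exemption can be audited later. It would also help to state that the grant is deliberately delete-only, e.g. `# Delete-only: installd must never read or modify staged file contents.` The new `get_prop` line sits under a comment about runtime feature flags. If the native_boot properties serve a different purpose, they deserve their own line of explanation.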
diff --git a/private/shell.te b/private/shell.te
index 95e0d40..9bfac6c 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -62,3 +62,7 @@
# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file r_file_perms;
+
+# The dl.exec_linker* tests need to execute /system/bin/linker
+# b/124789393
+allow shell system_linker_exec:file rx_file_perms;
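Review bot: The new `allow shell system_linker_exec:file rx_file_perms;` is unconditional, but its comment justifies it only by a test suite, so it reads as a test-only grant while applying to every build where this file is compiled. If it has to exist on production builds because the tests run there, the comment should say so. It should also record that `rx_file_perms` lets the linker run inside the shell domain without a transition, so that the lack of a domain transition is a documented decision, e.g. `# Needed on all build types; the linker runs as shell (no domain transition).`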
diff --git a/public/fastbootd.te b/public/fastbootd.te
index e5ebafc..99ccd8c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -68,6 +68,7 @@
allowxperm fastbootd {
metadata_block_device
userdata_block_device
+ dm_device
}:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
allow fastbootd misc_block_device:blk_file rw_file_perms;
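Review bot: The added `dm_device` entry has no comment explaining why fastbootd needs discard ioctls on device-mapper nodes. `dm_device` presumably labels every mapped device rather than one partition, so this is a wider grant than the two named block devices beside it. A line such as `# dm_device: needed to discard <which mapped partitions> during <which operation>` above the block would record the intent. `allowxperm` only narrows an existing `ioctl` permission, so this entry has effect only if a base `allow fastbootd dm_device:blk_file ... ioctl` rule exists elsewhere. That rule is not visible in this hunk and is worth confirming, so that the addition is neither a no-op nor relying on a broader grant than intended.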
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 622e169..0e56b07 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -20,6 +20,9 @@
# allow access to package manager for uid->apk mapping
allow mediametrics package_native_service:service_manager find;
+# Allow metrics service to send information to statsd socket.
+unix_socket_send(mediametrics, statsdw, statsd)
+
###
### neverallow rules
###