Merge "Allow untrusted apps to read apks" into oc-mr1-dev
diff --git a/prebuilts/api/26.0/26.0.ignore.cil b/prebuilts/api/26.0/26.0.ignore.cil
index 6c2da16..e713bc1 100644
--- a/prebuilts/api/26.0/26.0.ignore.cil
+++ b/prebuilts/api/26.0/26.0.ignore.cil
@@ -9,8 +9,11 @@
hal_cas_hwservice
hal_neuralnetworks_hwservice
hal_tetheroffload_hwservice
+ hal_wifi_offload_hwservice
kmsg_debug_device
+ mediaprovider_tmpfs
netd_stable_secret_prop
sysfs_fs_ext4_features
+ system_net_netd_hwservice
timezone_service
tombstoned_java_trace_socket))
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 3f3454f..40c33d9 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -51,5 +51,6 @@
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
* u:object_r:default_android_hwservice:s0
diff --git a/private/nfc.te b/private/nfc.te
index 1a4f789..b41558c 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -26,6 +26,8 @@
allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find;
+set_prop(nfc, nfc_prop);
+
# already open bugreport file descriptors may be shared with
# the nfc process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
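Review bot: The added `set_prop(nfc, nfc_prop);` carries no comment saying why the nfc domain needs write access to these properties, unlike the bugreport rule right below it, and it ends in a semicolon while the macro calls added to public/netd.te in this same change (`add_hwservice(...)`, `hwbinder_use(netd)`) do not. I would write it as `# Allow nfc to set properties labelled nfc_prop.` followed by `set_prop(nfc, nfc_prop)`, with the reason for the write filled in by the author. Which property names are labelled nfc_prop is not visible in this diff, so it is worth confirming that the matching property_contexts prefix is narrow before granting set access.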
diff --git a/public/hwservice.te b/public/hwservice.te
index ce27f21..4daac31 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -46,4 +46,5 @@
type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/netd.te b/public/netd.te
index 11e0e5c..aa99da2 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -91,6 +91,11 @@
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+get_prop(netd, hwservicemanager_prop)
+
###
### Neverallow rules
###
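Review bot: The comment above `add_hwservice(netd, system_net_netd_hwservice)` says only that netd registers as a HAL server; it does not name the client domains expected to look the service up, and no `find` rule for `system_net_netd_hwservice` appears anywhere in this diff. netd already holds the netlink xfrm permissions shown in the context line above, so the set of callers that can reach it over hwbinder should be stated explicitly, for example `# Clients: <intended client domains>; no other domain should find this service.` Since the hunk sits directly above the neverallow section, a rule of the form `neverallow { domain -<intended_clients> } system_net_netd_hwservice:hwservice_manager find;` (placeholder set, to be filled in by the author) would let the compiler enforce that. The rest of netd.te lies outside this hunk, so an existing restriction there cannot be ruled out.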
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 770ff97..b358a14 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -92,7 +92,7 @@
global alldomains
global coredomains
for d in alldomains:
- # TestCoredomainViolators will verify if coredomain was incorrectly
+ # TestCoredomainViolations will verify if coredomain was incorrectly
# applied.
if "coredomain" in alldomains[d].attributes:
alldomains[d].coredomain = True
@@ -205,7 +205,7 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = ["CoredomainViolators"]
+Tests = ["CoredomainViolations"]
if __name__ == '__main__':
usage = "treble_sepolicy_tests.py -f nonplat_file_contexts -f "
@@ -215,7 +215,7 @@
metavar="FILE", action="extend", type="string")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
- parser.add_option("-t", "--test", dest="test", action="extend",
+ parser.add_option("-t", "--test", dest="tests", action="extend",
help="Test options include "+str(Tests))
(options, args) = parser.parse_args()
@@ -247,8 +247,11 @@
results = ""
# If an individual test is not specified, run all tests.
- if options.test is None or "CoredomainViolations" in options.tests:
+ if ( options.tests is None
+ or ("CoredomainViolations" in options.tests and len(options.tests) == 1)):
results += TestCoredomainViolations()
+ else:
+ sys.exit("Error: unknown test(s): " + str(options.tests))
if len(results) > 0:
sys.exit(results)
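Review bot: The new condition with `len(options.tests) == 1` accepts exactly one `-t CoredomainViolations` and sends every other input, including the same valid name given twice, to the `unknown test(s)` exit, and it hardcodes the test name instead of checking against the `Tests` list defined earlier in the file. The branch will have to be rewritten as soon as a second test is added, and the error message prints the whole list rather than only the names that are not recognised. I would validate the requested names against `Tests` first and then dispatch per test, as below. The enclosing `if __name__ == '__main__':` block starts outside this hunk.

```python
    # … unchanged: results = "" …
    # Reject unknown names up front so a typo cannot silently skip a test.
    unknown = [t for t in (options.tests or []) if t not in Tests]
    if unknown:
        sys.exit("Error: unknown test(s): " + str(unknown))

    # If an individual test is not specified, run all tests.
    if options.tests is None or "CoredomainViolations" in options.tests:
        results += TestCoredomainViolations()
    # … unchanged: exit with results if any …
```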