Merge "priv_app: remove more logspam"
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 0f86e25..c1f5e94 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -3,6 +3,7 @@
(type reboot_data_file)
(type rild)
(type webview_zygote_socket)
+(type vold_socket)
(expandtypeattribute (accessibility_service_27_0) true)
(expandtypeattribute (account_service_27_0) true)
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5428d83..efc0166 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -35,12 +35,14 @@
exported_system_prop
exported_system_radio_prop
exported_vold_prop
+ fingerprint_vendor_data_file
fs_bpf
hal_authsecret_hwservice
hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
hal_usb_gadget_hwservice
+ hal_wifi_hostapd_hwservice
incident_helper
incident_helper_exec
last_boot_reason_prop
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index abc989e..90621a0 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -43,6 +43,8 @@
android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f56e8d8..ea58814 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -33,3 +33,9 @@
-coredomain
-appdomain
}, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
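Review bot: The new neverallow at the end of private/netutils_wrapper.te only constrains the classes in `global_capability_class_set`. If that macro expands to `capability` and `cap_userns`, as I believe it does in the AOSP global macros (not visible here), capability2 permissions stay outside the assertion. Assuming the tree also defines `global_capability2_class_set`, adding `neverallow netutils_wrapper self:global_capability2_class_set *;` would make the "may only use the following capabilities" comment hold for both class sets. The `dontaudit` for `sys_resource` above it should also get a comment naming what triggers the denial, since the rule permanently hides that audit record. The statement ending in `netutils_wrapper_exec, netutils_wrapper)` begins outside the hunk.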
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401d..0a1a7c6 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -114,6 +114,9 @@
get_prop(zygote, overlay_prop)
get_prop(zygote, exported_overlay_prop)
+# ingore spurious denials
+dontaudit zygote self:capability sys_resource;
+
###
### neverallow rules
###
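Review bot: The comment added before the zygote rule is misspelled ("ingore") and gives no reason for the suppression. Something like `# Ignore spurious sys_resource denials (<what triggers them, bug reference>)` would let a later reader judge whether the rule is still needed. A dontaudit on zygote removes the audit record for every future sys_resource attempt in that domain, so the justification matters more here than for an ordinary allow rule. The rule also names `self:capability`, while the netutils_wrapper hunk in the same change uses `self:global_capability_class_set`. If user-namespace denials are meant to be covered as well, the class should match.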
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 6b6b986..f778d28 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -59,10 +59,8 @@
# Crash dump is not intended to access the following data types. Since these
# are WAI, suppress the denials to clean up the logs.
dontaudit crash_dump {
- app_data_file
- bluetooth_data_file
- resourcecache_data_file
- vendor_overlay_file
+ core_data_file_type
+ vendor_file_type
}:dir search;
dontaudit crash_dump system_data_file:file read;
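Review bot: Replacing the four named types with the attributes `core_data_file_type` and `vendor_file_type` silences `dir search` denials for every type that carries those attributes now or later, a much wider set than the comment's "the following data types" suggests. The rule only suppresses logging and grants nothing, so access is not widened, but audit visibility of crash_dump probing data and vendor directories is lost across the board. I would update the comment to say the suppression is attribute-wide, e.g. `# Suppress dir search denials for all core data and vendor file types.` It is also worth confirming that neither attribute contains a type where a crash_dump search denial should still be logged.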
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 8b240b1..181de4a 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,3 +4,5 @@
add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+
+dontaudit hal_bootctl self:capability sys_rawio;
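Review bot: The added `dontaudit hal_bootctl self:capability sys_rawio;` has no comment explaining why the denial is safe to hide. `hal_bootctl` also looks like an attribute (the lines above use `hal_bootctl_server` and `hal_bootctl_client`), so the suppression would apply to every domain tagged with it rather than one known process. sys_rawio is a sensitive capability, and a line such as `# Suppress spurious sys_rawio denials triggered by <operation>; the capability is not needed.` would record the reasoning. The update_engine.te hunk adds the same sys_rawio suppression under "# Ignore these denials.", also without a reason.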
diff --git a/public/update_engine.te b/public/update_engine.te
index 00f70bc..2075985 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -19,6 +19,7 @@
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:capability sys_rawio;
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir create_dir_perms;