Merge "Add ro.vendor.build.dont_use_vabc to property_contexts"
diff --git a/private/adbd.te b/private/adbd.te
index 52070cb..c2c6164 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -217,6 +217,9 @@
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file r_file_perms;
+# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
+allow adbd apex_info_file:file r_file_perms;
+
###
### Neverallow rules
###
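Review bot: The added `allow adbd apex_info_file:file r_file_perms;` is unconditional, so it applies on every build type, while the comment justifies it only by CTS. If that is intended because CTS has to pass on user builds, the comment should say so, for example `# Allow adbd to pull /apex/apex-info-list.xml (read-only; needed on all build types for CTS).` The grant is limited to file read permissions, which matches the stated need.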
diff --git a/private/platform_app.te b/private/platform_app.te
index a112081..f746f1c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -99,6 +99,9 @@
# suppress denials caused by debugfs_tracing
dontaudit platform_app debugfs_tracing:file rw_file_perms;
+# Allow platform apps to act as Perfetto producers.
+perfetto_producer(platform_app)
+
###
### Neverallow rules
###
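Review bot: The comment above `perfetto_producer(platform_app)` only restates the macro name, and what the macro grants is not visible in this hunk because it is defined elsewhere. The rule opens the tracing producer path to every app in the platform_app domain, so the comment should name the consumer and point at the macro, for example `# Platform apps may emit trace data as Perfetto producers; the exact grants are in the perfetto_producer macro definition.` The same applies to `perfetto_producer(system_app)` in private/system_app.te.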
diff --git a/private/shell.te b/private/shell.te
index 26f6d95..40b19fd 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,8 +114,10 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
-# Allow shell to read /apex/apex-info-list.xml
+# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
+allow shell vendor_apex_file:file r_file_perms;
+allow shell vendor_apex_file:dir r_dir_perms;
# Set properties.
set_prop(shell, shell_prop)
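Review bot: `allow shell vendor_apex_file:file r_file_perms;` lets the shell domain open and read the vendor APEX files themselves, not only enumerate them, and the shell domain is available to anyone with adb access to the device. If the use case is only to list which vendor APEXes are present, `allow shell vendor_apex_file:file getattr;` together with the directory rule would be the narrower grant. If full read is required, the comment should name what needs it, since "and the vendor apexes" does not say.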
@@ -200,3 +202,6 @@
# Allow ReadDefaultFstab() for CTS.
read_fstab(shell)
+
+# Allow shell read access to /apex/apex-info-list.xml for CTS.
+allow shell apex_info_file:file r_file_perms;
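Review bot: The `allow shell apex_info_file:file r_file_perms;` added at the end of private/shell.te duplicates the rule that already exists earlier in the same file, visible as context in the previous hunk. The duplicate does not change the compiled policy, but it leaves two places to audit and to remove if the access is ever revoked, and it looks like a merge artifact. Drop the three added lines, or, if the CTS rationale is worth keeping, fold it into the existing comment: `# Allow shell to read /apex/apex-info-list.xml (also needed for CTS) and the vendor apexes`.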
diff --git a/private/system_app.te b/private/system_app.te
index 48d5f9d..10b8177 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -169,6 +169,9 @@
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
+# Allow system apps to act as Perfetto producers.
+perfetto_producer(system_app)
+
###
### Neverallow rules
###
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d7451df..b7e555f 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -28,6 +28,7 @@
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver package_native_service:service_manager find;
+allow cameraserver permission_checker_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
diff --git a/public/installd.te b/public/installd.te
index eb13cfa..08060e3 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -160,6 +160,10 @@
#add for move app to sd card
get_prop(installd, storage_config_prop)
+# Allow installd to access apps installed on the Incremental File System
+# Accessing files on the Incremental File System uses fds opened in the context of vold.
+allow installd vold:fd use;
+
###
### Neverallow rules
###
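Review bot: `allow installd vold:fd use;` covers every file descriptor opened by vold, not only those backing Incremental File System files, and the comment does not say how installd comes to hold them. The rule only permits using a descriptor that vold created; access to the file behind it is still checked against installd's permissions on that file's type. Saying so in the comment would stop readers from taking this as a broader grant: `# fd use only; access is still checked against the label of the file behind the fd.`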