Merge "Selinux: Fix perfprofd policy" into pi-dev
diff --git a/Android.mk b/Android.mk
index bb04286..c32b328 100644
--- a/Android.mk
+++ b/Android.mk
@@ -261,6 +261,12 @@
     odm_mac_permissions.xml
 endif
 
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+LOCAL_REQUIRED_MODULES += \
+    sepolicy_freeze_test \
+
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+
 include $(BUILD_PHONY_PACKAGE)
 
 #################################
@@ -1612,7 +1618,44 @@
 plat_sepolicy :=
 
 endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
+
 #################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+base_plat_public := $(LOCAL_PATH)/public
+base_plat_private := $(LOCAL_PATH)/private
+base_plat_public_prebuilt := \
+  $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
+base_plat_private_prebuilt := \
+  $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
+
+all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
+$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
+$(LOCAL_BUILT_MODULE): $(all_frozen_files)
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+	@diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
+	@diff -rq $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+	$(hide) touch $@
+
+base_plat_public :=
+base_plat_private :=
+base_plat_public_prebuilt :=
+base_plat_private_prebuilt :=
+all_frozen_files :=
+
+#################################
+
 
 add_nl :=
 build_vendor_policy :=
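Review bot: The freeze-test rule's prerequisites and its check cover different sets of files: `$(LOCAL_BUILT_MODULE)` depends on `$(all_frozen_files)`, which is whatever `build_policy` finds for `sepolicy_build_files`, while the recipe runs `diff -rq` over the whole public and private trees. The definition of `sepolicy_build_files` is outside the hunk, but if it omits any file in those directories, an incremental build keeps the old stamp after that file drifts from the frozen prebuilt and the check does not re-run. Either make every file under the four directories a prerequisite, or state the limitation above the rule, e.g. `# NOTE: prerequisites only cover sepolicy_build_files; diff -rq compares the whole tree`. The `@` prefix on both `diff` lines also hides the failing command, so a mismatch prints only diff's own "differ" line with no hint that the frozen `prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)` policy was modified.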
diff --git a/private/statsd.te b/private/statsd.te
index dfec7a4..fec10a4 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -101,7 +101,7 @@
 # Only statsd and the other root services in limited circumstances.
 # can get to the files in /data/misc/stats-data, /data/misc/stats-service.
 # Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
 
 # Limited access to the directory itself.
-neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
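Review bot: Subtracting `system_server` from both `*` neverallows removes the compile-time guard for every permission on `stats_data_file`, while the matching allow rules added in private/system_server.te grant only `dir { open read remove_name search write }` and `file unlink`. Consider keeping a ceiling with a narrower pair, `neverallow system_server stats_data_file:file ~unlink;` and `neverallow system_server stats_data_file:dir ~{ open read remove_name search write };`. A later rule that lets system_server read or write the stats files would then fail the build instead of passing unnoticed. The comment above those allow rules says they delete the directories, but no `rmdir` is granted, so `# Delete files under /data/misc/stats-data/ and /data/misc/stats-service/.` describes them more accurately if removing the directories themselves is not intended.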
diff --git a/private/system_server.te b/private/system_server.te
index 152ea6b..365c00a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -139,6 +139,10 @@
 allow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
diff --git a/public/property_contexts b/public/property_contexts
index bc2395e..5f7ebfa 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -69,6 +69,7 @@
 persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
 persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact bool
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string