Merge "Use PRODUCT_SEPOLICY_SPLIT for full Treble."
diff --git a/private/bug_map b/private/bug_map
index 8f28a66..26d25e7 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1 +1,5 @@
 priv_app firstboot_prop file 63801215
+update_engine update_engine capability 69197466
+vold system_data_file file 62140539
+system_server proc file 69175449
+system_server vendor_framework_file dir 68826235
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1d8351d..fdc672a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -34,6 +34,7 @@
     thermalserviced_tmpfs
     timezone_service
     tombstoned_java_trace_socket
+    update_engine_log_data_file
     vendor_init
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
diff --git a/private/domain.te b/private/domain.te
index 9515074..4015cf9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -45,7 +45,6 @@
     -storaged
     -system_app
     -ueventd
-    -update_verifier
     -vold
     -vendor_init
   } sysfs:file no_rw_file_perms;
diff --git a/private/file_contexts b/private/file_contexts
index ca0a696..05c36c3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -387,6 +387,7 @@
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
+/data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
 # TODO(calin) label profile reference differently so that only
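Review bot: The new `/data/misc/update_engine_log(/.*)?` entry breaks the column alignment that the neighbouring lines keep for the `u:object_r:` field; it is padded with two spaces where the surrounding entries line the context up at a fixed column, so the label column should be padded to match. The pattern is a prefix extension of the `/data/misc/update_engine(/.*)?` line above it, and since the optional group only matches a `/`-led suffix the two should not overlap, but a one-line comment saying so would save the next reader from having to work that out.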
diff --git a/public/file.te b/public/file.te
index 0798bd1..5353a3d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -240,6 +240,7 @@
 type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 413a057..d0824c3 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -5,10 +5,6 @@
 add_hwservice(hal_camera_server, hal_camera_hwservice)
 allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
 
-# access /data/misc/camera
-allow hal_camera camera_data_file:dir create_dir_perms;
-allow hal_camera camera_data_file:file create_file_perms;
-
 allow hal_camera video_device:dir r_dir_perms;
 allow hal_camera video_device:chr_file rw_file_perms;
 allow hal_camera camera_device:chr_file rw_file_perms;
diff --git a/public/netd.te b/public/netd.te
index 17f60b5..a8a32be 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -33,6 +33,11 @@
 # Acquire advisory lock on /system/etc/xtables.lock
 allow netd system_file:file lock;
 
+# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
+#       complete
+allow netd qtaguid_proc:file rw_file_perms;
+
 r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
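Review bot: The new `allow netd qtaguid_proc:file rw_file_perms;` is justified only by the claim that it matches what normal apps already have, but the comment does not say which rule or macro grants apps that access, so the claim cannot be checked from here, and the TODO above it carries no tracking bug or owner, which makes the promised follow-up restriction easy to lose. I would cite the app-side rule in the comment and attach a bug to the TODO, e.g. `# TODO(b/<bug id>): once the migration is complete, restrict qtaguid_proc to netd and drop the app-side rule` (bug id is a placeholder), and fix the wording `prevent other process to access` to `prevent other processes from accessing`. The comment also says netd needs to *write* the ctrl file while the rule grants the full `rw_file_perms` set; stating which operations netd actually performs would make it possible to tell whether the narrower `w_file_perms` would do.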
diff --git a/public/update_engine.te b/public/update_engine.te
index 289d216..9f9b557 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -20,8 +20,12 @@
 dontaudit update_engine kernel:process setsched;
 
 # Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir { create_dir_perms };
-allow update_engine update_engine_data_file:file { create_file_perms };
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
 
 # Don't allow kernel module loading, just silence the logs.
 dontaudit update_engine kernel:system module_request;
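Review bot: The two new rules for update_engine_log_data_file duplicate the update_engine_data_file rules just above them line for line, differing only in the type; writing the pair once as `allow update_engine { update_engine_data_file update_engine_log_data_file }:dir create_dir_perms;` and likewise for `:file` would keep the two directories' permission sets from drifting apart. The comment `# Allow using persistent storage in /data/misc/update_engine_log.` repeats the preceding comment almost verbatim; saying that this directory holds update_engine's logs (which the type name suggests, though the hunk does not show it) would explain why a second type exists instead of reusing update_engine_data_file.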