Merge "Allow gmscore to write to /cache"
diff --git a/apex/Android.bp b/apex/Android.bp
index 6caeb0c..2ae2905 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -133,6 +133,13 @@
}
filegroup {
+ name: "com.android.telephony-file_contexts",
+ srcs: [
+ "com.android.telephony-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 461928d..38238c8 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -124,3 +124,8 @@
allow gmscore_app ota_package_file:dir rw_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
+
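Review bot: The two new `allow` rules give gmscore_app read access to every object labelled shell_data_file (subject to any MLS constraints defined elsewhere), not only the APK being verified, and the comment does not state that scope. I would extend the comment to record it together with the companion cleanup tracked in priv_app.te, e.g. `# Grants read on all shell_data_file; mirrors the priv_app rule being audited under b/142672293.` The hunk also adds a trailing blank line at the end of the file, which could be dropped.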
diff --git a/private/platform_app.te b/private/platform_app.te
index 45de3cb..9e26d7a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -76,7 +76,7 @@
binder_call(platform_app, gpuservice)
# Allow platform apps to log via statsd.
-binder_call(platform_app statsd)
+binder_call(platform_app, statsd)
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 8a0a94f..3263877 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -80,6 +80,11 @@
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app shell_data_file:file r_file_perms;
+ auditallow priv_app shell_data_file:dir r_dir_perms;
+')
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
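Review bot: The `auditallow` rules sit inside `userdebug_or_eng`, so priv_app reads of shell_data_file on user builds leave no audit record, while the `allow` rules above still apply on every build. The comment says no other priv-app should need the rule but not what evidence allows removing it; I would add something like `# TODO(b/142672293): remove the shell_data_file allow rules above once no auditallow hits are seen on userdebug/eng builds.` Since `r_file_perms` and `r_dir_perms` are audited in full, the log volume may be worth checking. The existing comment block starts before the hunk, so its first line is not visible here.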
diff --git a/private/service.te b/private/service.te
index 7ac7988..6c17521 100644
--- a/private/service.te
+++ b/private/service.te
@@ -4,4 +4,5 @@
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
+type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
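Review bot: `statsmanager_service` is declared with `system_api_service`, an attribute that neither `stats_service` nor `statscompanion_service` on the neighbouring lines carries, so it is presumably findable by a wider set of domains than they are (the rules attached to the attribute are defined outside this diff). A one-line comment above the type naming the intended clients would make that exposure reviewable, e.g. `# statsmanager: exposed as a system API; intended clients: <list domains>`. The matching service_contexts entry is added in the next file section and looks consistent with this type name.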
diff --git a/private/service_contexts b/private/service_contexts
index 908ff68..a3680d3 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -189,6 +189,7 @@
slice u:object_r:slice_service:s0
stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
+statsmanager u:object_r:statsmanager_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
soundtrigger_middleware u:object_r:soundtrigger_middleware_service:s0
statusbar u:object_r:statusbar_service:s0
diff --git a/private/statsd.te b/private/statsd.te
index 9d250bd..a55c42d 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -3,8 +3,6 @@
init_daemon_domain(statsd)
-binder_call(statsd, statscompanion_service)
-
# Allow to exec the perfetto cmdline client and pass it the trace config on
# stdint through a pipe. It allows statsd to capture traces and hand them
# to Android dropbox.