Merge "rebootescrow: allow dumpstate to call via binder"
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 7300dfe..3838f54 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -65,6 +65,7 @@
module_sdkextensions_prop
ota_metadata_file
ota_prop
+ prereboot_data_file
art_apex_dir
rebootescrow_hal_prop
service_manager_service
diff --git a/private/file_contexts b/private/file_contexts
index 62fbed3..a35cfb4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -541,6 +541,7 @@
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
diff --git a/private/property_contexts b/private/property_contexts
index 1fef2e4..1197de3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -52,7 +52,6 @@
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
-persist.nfc. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 78853bb..97203ba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -121,6 +121,11 @@
# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
+# Allow pushing jank event atoms to statsd
+userdebug_or_eng(`
+ unix_socket_send(surfaceflinger, statsdw, statsd)
+')
+
###
### Neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index e5d7d18..1432017 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -69,6 +69,9 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+# Allow system_app (adb data loader) to write data to /data/incremental
+allow system_app apk_data_file:file write;
+
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
diff --git a/private/system_server.te b/private/system_server.te
index 56d91d6..9eea579 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -441,6 +441,10 @@
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
+# Manage /data/misc/prereboot.
+allow system_server prereboot_data_file:dir rw_dir_perms;
+allow system_server prereboot_data_file:file create_file_perms;
+
# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file read;
diff --git a/public/app.te b/public/app.te
index b771b5f..a156183 100644
--- a/public/app.te
+++ b/public/app.te
@@ -464,10 +464,10 @@
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
diff --git a/public/dumpstate.te b/public/dumpstate.te
index b923b42..a9c1990 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -218,6 +218,10 @@
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;
@@ -329,6 +333,10 @@
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 3c3d1bc..a0d4cdf 100644
--- a/public/file.te
+++ b/public/file.te
@@ -283,6 +283,8 @@
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/prereboot
+type prereboot_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
diff --git a/public/hal_power.te b/public/hal_power.te
index 2c80a51..c94771b 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -6,4 +6,5 @@
add_service(hal_power_server, hal_power_service)
binder_call(hal_power_server, servicemanager)
+binder_call(hal_power_client, servicemanager)
allow hal_power_client hal_power_service:service_manager find;
diff --git a/public/vold.te b/public/vold.te
index 58d1c48..1ddd19e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -126,6 +126,13 @@
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file rw_file_perms;
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;