Merge "vibrator: Allow Server-to-Client Callbacks"
diff --git a/Android.mk b/Android.mk
index dfc25a1..b516fa1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -383,12 +383,9 @@
endif
-ifneq ($(TARGET_BUILD_VARIANT), user)
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
-endif
-
# Builds an addtional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \
userdebug_plat_sepolicy.cil \
@@ -1438,7 +1435,6 @@
file_contexts.local.tmp :=
##################################
-ifneq ($(TARGET_BUILD_VARIANT), user)
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
@@ -1454,7 +1450,6 @@
cat $^ > $@
bug_files :=
-endif
##################################
include $(LOCAL_PATH)/seapp_contexts.mk
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4e478a4..a35c312 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -276,6 +276,10 @@
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
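Review bot: The three added `proc_pressure_*` rules have no comment of their own and sit directly under `# Allow dumpstate to run top`, which describes only the `proc_stat` rule. A line before them such as `# Allow dumpstate to read pressure stall information (PSI)` would record why the bug-report collector needs these files, assuming the types label the kernel's pressure files as their names suggest. The grants are limited to `r_file_perms` on the `file` class, so they stay read-only.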
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 48fed86..15cf7d5 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -801,6 +801,7 @@
define(`FS_IOC32_GETVERSION', `0x80047601')
define(`FS_IOC32_SETFLAGS', `0x40046602')
define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
define(`FS_IOC_ENABLE_VERITY', `0x6685')
define(`FS_IOC_FIEMAP', `0xc020660b')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
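Review bot: Only the add and remove key ioctls gain defines, here and in the next hunk at `FS_IOC_REMOVE_ENCRYPTION_KEY`. As far as I know, the kernel fscrypt interface that introduced them also provides `FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS` and `FS_IOC_GET_ENCRYPTION_KEY_STATUS`. Without defines for those, policy cannot name them in `allowxperm` or `neverallowxperm` rules, so the "only vold" assertion added in public/vold.te cannot be extended to the all-users removal variant. If the omission is deliberate, say so in the commit description; otherwise add the remaining defines with values taken from the kernel header.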
@@ -809,6 +810,7 @@
define(`FS_IOC_GETFLAGS', `0x80086601')
define(`FS_IOC_GETVERSION', `0x80087601')
define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
define(`FS_IOC_SETFLAGS', `0x40086602')
define(`FS_IOC_SETVERSION', `0x40087602')
diff --git a/public/property_contexts b/public/property_contexts
index 4418bbf..04d64e2 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -116,6 +116,7 @@
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.flags u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -287,6 +288,7 @@
ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
diff --git a/public/vold.te b/public/vold.te
index 9568c48..9e68d65 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -43,12 +43,29 @@
# allowxperm still requires the ioctl permission for the individual type
allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
-# Get encryption policy for dirs in /data
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
allowxperm vold data_file_type:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
+ FS_IOC_ADD_ENCRYPTION_KEY
+ FS_IOC_REMOVE_ENCRYPTION_KEY
};
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+ domain
+ -vold
+ -init
+ -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+ domain
+ -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+
# Find the location on the raw block device where the
# crypto key is stored so it can be destroyed
allowxperm vold vold_data_file:file ioctl {
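Review bot: The second `neverallowxperm` (for `FS_IOC_ADD_ENCRYPTION_KEY` and `FS_IOC_REMOVE_ENCRYPTION_KEY`) is written against `data_file_type:dir` only, so it does not cover the same ioctls issued on a regular file. The kernel's fscrypt documentation describes these key-management ioctls as usable on any file or directory of the target filesystem. Whether any other domain can actually reach that path depends on ioctl rules outside this diff. Consider widening the class, e.g. `} data_file_type:{ dir file } ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };`, or add a comment explaining why `dir` is sufficient. The trailing `allowxperm vold vold_data_file:file ioctl {` rule continues outside the hunk.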