Merge "Track priv_app SELinux denial."
diff --git a/private/file_contexts b/private/file_contexts
index 3c24ce5..25d0d9d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -55,7 +55,9 @@
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/vendor_service_contexts u:object_r:service_contexts_file:s0
+# Use nonplat_service_contexts_file to allow servicemanager to read it
+# on non full-treble devices.
+/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
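Review bot: The new comment on `/vendor_service_contexts` names servicemanager as the reader, but relabelling to `nonplat_service_contexts_file` also gives the file to every other domain allowed to read that type, and those rules are not visible in this hunk. It would help to say the label is shared on purpose, for example `# Deliberately shares the label of /nonplat_service_contexts above; any domain allowed to read that type can read this file too.` If a `/vendor/etc/selinux/` entry for the same file exists elsewhere in file_contexts, it is worth checking that the two labels agree.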
diff --git a/private/incident.te b/private/incident.te
index 2038816..1844898 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -8,6 +8,9 @@
# allow incident access to stdout from its parent shell.
allow incident shell:fd use;
+# allow incident be able to output data for CTS to fetch.
+allow incident devpts:chr_file { read write };
+
# allow incident to communicate use, read and write over the adb
# connection.
allow incident adbd:fd use;
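Review bot: The added `allow incident devpts:chr_file { read write };` is justified only by a CTS need, yet it applies to every object labelled `devpts`, not just the terminal of the shell that launched incident. The rule omits `open`, which presumably restricts incident to descriptors it inherits, but the comment does not say that this is intended. I would reword it to record the constraint, for example `# Allow incident to read/write the pty inherited from its parent shell (no open) so CTS can collect its output.` That makes it harder for a later edit to add `open` without a fresh review.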
diff --git a/public/app.te b/public/app.te
index 3c29946..1fd8186 100644
--- a/public/app.te
+++ b/public/app.te
@@ -169,15 +169,7 @@
allow appdomain heapdump_data_file:file append;
')
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
@@ -550,3 +542,8 @@
# Apps cannot access proc_uid_cpupower
neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps cannot access proc/net/xt_qtaguid/ files anymore since P.
+neverallow { appdomain -shell } qtaguid_proc:file rw_file_perms;
+neverallow { appdomain -shell } proc_qtaguid_stat:{ file lnk_file } r_file_perms;
+neverallow { appdomain -shell } qtaguid_device:chr_file r_file_perms;
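Review bot: The three new neverallow rules forbid only the permission sets that were previously granted (`rw_file_perms` and `r_file_perms`), although the comment says apps cannot access these files at all. A later rule granting an app domain write on `qtaguid_device` or `proc_qtaguid_stat` would still pass the check. The `proc_uid_cpupower` assertion just above uses `*`; if the same intent applies here, `neverallow { appdomain -shell } qtaguid_device:chr_file *;` and the equivalent for the other two would state it directly, after confirming that no remaining app-domain rule on these types would break the build. The comment should also give the reason for the `-shell` exemption, which this diff does not show.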
diff --git a/public/property.te b/public/property.te
index f5ca4d8..5c34264 100644
--- a/public/property.te
+++ b/public/property.te
@@ -183,10 +183,19 @@
exported3_default_prop
exported3_system_prop
-debug_prop
- -fingerprint_prop
-logd_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_init
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
')
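Review bot: The added `radio_prop` neverallow has no comment explaining its exemption list, and `-rild` names one concrete domain where an attribute might be expected. A short header would make the intent reviewable, for example `# Only core domains, apps, rild and vendor_init may access radio_prop files.` If other vendor telephony services are expected to need this property, the comment should say whether they are excluded on purpose. The enclosing conditional block and the first neverallow statement begin outside this hunk, so the relation between the two rules could not be checked from here.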