Merge "Allow heapprofd to read system_file_type."
diff --git a/private/apexd.te b/private/apexd.te
index 61e099b..7a1e4e2 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -40,6 +40,11 @@
 # allow apexd to create symlinks in /apex
 allow apexd apex_mnt_dir:lnk_file create_file_perms;
 
+# allow apexd to relabel apk_tmp_file to apex_data_file.
+# TODO(b/112669193) remove this when APEXes are staged via file descriptor
+allow apexd apk_tmp_file:file relabelfrom;
+allow apexd apex_data_file:file relabelto;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
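Review bot: The new `relabelfrom`/`relabelto` pair lets apexd move any file labelled `apk_tmp_file` into `apex_data_file`, but the comment does not say what apexd must have checked first. The writer of the staged file is not visible in this hunk; if it is a less privileged installer path, relabeling would carry unverified content into apexd's own data type. I would extend the comment with something like `# relabeling does not imply trust: apexd must verify the staged APEX before using it`. The rule covers every file of the source type rather than only staged APEXes, so the TODO for b/112669193 is worth keeping visible until the descriptor-based staging lands.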
diff --git a/private/bug_map b/private/bug_map
index becbd97..9747704 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -12,6 +12,7 @@
 init shell_data_file sock_file 77873135
 init system_data_file chr_file 77873135
 isolated_app privapp_data_file dir 119596573
+isolated_app app_data_file dir 120394782
 mediaextractor app_data_file file 77923736
 mediaextractor radio_data_file file 77923736
 mediaprovider cache_file blk_file 77925342
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 5ba2adf..d3a6982 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -133,6 +133,7 @@
     property_info
     recovery_socket
     role_service
+    runtime_service
     secure_element
     secure_element_device
     secure_element_tmpfs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 38d7d03..764a9ea 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -120,6 +120,7 @@
     property_info
     recovery_socket
     role_service
+    runtime_service
     secure_element
     secure_element_device
     secure_element_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index fa7cd58..f9f4ebf 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -60,6 +60,7 @@
     overlayfs_file
     recovery_socket
     role_service
+    runtime_service
     super_block_device
     system_lmk_prop
     system_suspend_hwservice
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 293998d..5cba2cd 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -22,6 +22,9 @@
   allow dumpstate wm_trace_data_file:file r_file_perms;
 ')
 
+# Allow dumpstate to make binder calls to incidentd
+binder_call(dumpstate, incidentd)
+
 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)
 
diff --git a/private/incident_helper.te b/private/incident_helper.te
index 078aa24..b453855 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -6,8 +6,8 @@
 domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
 
 # use pipe to transmit data from/to incidentd/incident_helper for parsing
-allow incident_helper { shell incident incidentd }:fd use;
-allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper { shell incident incidentd dumpstate }:fd use;
+allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
 allow incident_helper incidentd:unix_stream_socket { read write };
 
 # only allow incidentd and shell to call incident_helper
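Review bot: The comment above the two widened rules still describes the pipes as running between incidentd and incident_helper, although the source set now also includes `dumpstate`. I would update it to something like `# use pipes to transmit data from/to incidentd/incident_helper for parsing; the fds may be inherited from shell, incident, incidentd or dumpstate`. The rule grants `read` and `write` on dumpstate's `fifo_file` alike; if incident_helper only ever writes toward a dumpstate-owned pipe (not determinable from this hunk), a separate write-only rule for dumpstate would be the tighter grant. The block introduced by the trailing "only allow incidentd and shell" comment lies outside the hunk.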
diff --git a/private/incidentd.te b/private/incidentd.te
index 4e80bdd..ad6fbf3 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -134,9 +134,9 @@
 # Only incidentd can publish the binder service
 add_service(incidentd, incident_service)
 
-# Allow pipes from (and only from) incident
-allow incidentd incident:fd use;
-allow incidentd incident:fifo_file write;
+# Allow pipes only from dumpstate and incident
+allow incidentd { dumpstate incident }:fd use;
+allow incidentd { dumpstate incident }:fifo_file write;
 
 # Allow incident to call back to incident with status updates.
 binder_call(incidentd, incident)
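Review bot: The rewritten comment says pipes are allowed "only from dumpstate and incident", but an `allow` rule cannot enforce exclusivity; it only adds these two sources to whatever else the policy grants. If the restriction is intended, it needs a matching `neverallow` on `incidentd ... :fifo_file write` (none is visible in this hunk, it may exist elsewhere). Otherwise the comment should describe just the grant, e.g. `# Allow incidentd to use fds and write to pipes passed in by dumpstate and incident`.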
@@ -145,9 +145,10 @@
 ### neverallow rules
 ###
 
-# only system_server, system_app and incident command can find the incident service
+# only dumpstate, system_server, system_app and incident command can find the incident service
 neverallow {
   domain
+  -dumpstate
   -incident
   -incidentd
   -statsd
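Review bot: The updated comment names dumpstate, system_server, system_app and the incident command, but the visible exemption list also carries `-incidentd` and `-statsd`, so the comment understates who is excluded from this `neverallow`. Since this comment is what an auditor reads to learn who may find the incident service, it should mirror the list, e.g. `# only dumpstate, incident, incidentd, statsd, system_app and system_server can find the incident service` (assuming the remaining exemptions outside the hunk are system_app and system_server). The neverallow body continues past the end of the hunk.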
diff --git a/private/service_contexts b/private/service_contexts
index 0089f6f..7f1b38f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -145,6 +145,7 @@
 restrictions                              u:object_r:restrictions_service:s0
 role                                      u:object_r:role_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
+runtime                                   u:object_r:runtime_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
 scheduling_policy                         u:object_r:scheduling_policy_service:s0
 search                                    u:object_r:search_service:s0
diff --git a/private/traced_probes.te b/private/traced_probes.te
index f84d698..b0b87d8 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -65,6 +65,10 @@
   proc_stat
 }:file r_file_perms;
 
+
+# Allow access to the IHealth HAL service for tracing battery counters.
+hal_client_domain(traced_probes, hal_health)
+
 ###
 ### Neverallow rules
 ###
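Review bot: `hal_client_domain(traced_probes, hal_health)` associates traced_probes with the health HAL client attribute, so it inherits every rule granted to health HAL clients, not just what reading battery counters needs. SELinux cannot scope access to individual HAL methods, so the comment should say that the grant is the whole client interface, e.g. `# Grants full hal_health client access; only battery counters are read for tracing`. The hunk also adds a second consecutive blank line before the comment, which can be dropped.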
diff --git a/public/dumpstate.te b/public/dumpstate.te
index af6956e..cd3310a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -209,7 +209,6 @@
   -apex_service
   -dumpstate_service
   -gatekeeper_service
-  -incident_service
   -iorapd_service
   -virtual_touchpad_service
   -vold_service
@@ -220,7 +219,6 @@
   apex_service
   dumpstate_service
   gatekeeper_service
-  incident_service
   iorapd_service
   virtual_touchpad_service
   vold_service
diff --git a/public/hal_usb.te b/public/hal_usb.te
index b8034b8..38bc49a 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -6,6 +6,7 @@
 
 allow hal_usb self:netlink_kobject_uevent_socket create;
 allow hal_usb self:netlink_kobject_uevent_socket setopt;
+allow hal_usb self:netlink_kobject_uevent_socket getopt;
 allow hal_usb self:netlink_kobject_uevent_socket bind;
 allow hal_usb self:netlink_kobject_uevent_socket read;
 allow hal_usb sysfs:dir open;
diff --git a/public/service.te b/public/service.te
index 55f8d75..ce87ba9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -133,6 +133,7 @@
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
+type runtime_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, system_server_service, service_manager_type;
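Review bot: `runtime_service` is inserted before `rttmanager_service`, which breaks the alphabetical order the surrounding declarations follow (registry, restrictions, role, rttmanager, samplingprofiler). The service_contexts hunk of the same commit places `runtime` after `rttmanager`, so the line here should move one position down to match. The type is declared without `app_api_service`, so app domains presumably get no find access through that attribute. A short comment naming the intended clients would make that restriction deliberate rather than incidental.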