Merge "platform/system/sepolicy - SEPolicy Prebuilts for S" into sc-dev
diff --git a/private/adbd.te b/private/adbd.te
index 3fc77a2..52070cb 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -84,6 +84,10 @@
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
+# adb pull /vendor/framework/*
+allow adbd vendor_framework_file:dir r_dir_perms;
+allow adbd vendor_framework_file:file r_file_perms;
+
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
diff --git a/private/apexd.te b/private/apexd.te
index 48fbcb8..b6fff92 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -18,6 +18,8 @@
allow apexd apex_ota_reserved_file:file create_file_perms;
# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
allow apexd apex_art_data_file:file { create_file_perms relabelto };
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
diff --git a/private/audioserver.te b/private/audioserver.te
index 5047e2c..2d0b46d 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -36,6 +36,7 @@
allow audioserver external_vibrator_service:service_manager find;
allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
+allow audioserver permission_checker_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index dd626ad..313acc7 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,7 @@
ab_update_gki_prop
adbd_config_prop
apc_service
+ apex_appsearch_data_file
apex_art_data_file
apex_art_staging_data_file
apex_info_file
diff --git a/private/file_contexts b/private/file_contexts
index 4a4867b..351cd7c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -565,12 +565,12 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
-/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
+/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
@@ -671,6 +671,7 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_appsearch_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index c9f3f8e..7239a30 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -44,11 +44,28 @@
INCFS_IOCTL_FILL_BLOCKS
INCFS_IOCTL_GET_FILLED_BLOCKS
INCFS_IOCTL_GET_BLOCK_COUNT
+ F2FS_IOC_GET_FEATURES
+ F2FS_IOC_GET_COMPRESS_BLOCKS
+ F2FS_IOC_COMPRESS_FILE
+ F2FS_IOC_DECOMPRESS_FILE
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ F2FS_IOC_RESERVE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+ FS_IOC_GETFLAGS
+};
+
+allowxperm system_server apk_tmp_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_GETFLAGS
};
# For Incremental Service to check incfs metrics
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
+# For f2fs-compression support
+allow system_server sysfs_fs_f2fs:dir r_dir_perms;
+allow system_server sysfs_fs_f2fs:file r_file_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
@@ -1259,6 +1276,8 @@
# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_appsearch_data_file:dir create_dir_perms;
+allow system_server apex_appsearch_data_file:file create_file_perms;
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
allow system_server apex_scheduling_data_file:dir create_dir_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 1414f6c..956e94e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,6 +16,7 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_appsearch_data_file
apex_art_data_file
apex_module_data_file
apex_permission_data_file
@@ -32,6 +33,7 @@
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_appsearch_data_file
apex_art_data_file
apex_art_staging_data_file
apex_module_data_file
diff --git a/public/file.te b/public/file.te
index 2250482..20348b5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -385,6 +385,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 388001d..ad460e1 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -76,6 +76,7 @@
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
+allow mediaserver permission_checker_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;