Merge "[MTE] ignore mtectrl selinux error for device tree."
diff --git a/private/app.te b/private/app.te
index 69ec868..005a078 100644
--- a/private/app.te
+++ b/private/app.te
@@ -348,7 +348,7 @@
# Write profiles /data/misc/profiles
allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:dir w_dir_perms;
allow appdomain user_profile_data_file:file create_file_perms;
# Send heap dumps to system_server via an already open file descriptor
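Review bot: The replacement line `+allow appdomain user_profile_data_file:dir w_dir_perms;` widens the rule rather than merely restating it with a macro: the old set was `{ search write add_name }`, while `w_dir_perms` as defined in Android's global_macros also carries `open` and `remove_name`, so every app domain gains the ability to unlink entries under its profile directory. If this is only a tidy-up, the explicit `{ search write add_name }` should stay; if `remove_name` is genuinely needed now, the comment above the rule should say so, e.g. `# Apps replace stale profile files, so remove_name is required`. This hunk also has nothing to do with the merge subject, so it is worth confirming it was intended to land with it.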
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index 1f60e34..f46c614 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -10,3 +10,11 @@
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
set_prop(derive_sdk, module_sdkextensions_prop)
neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
+
+# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
+# The shell_data_file permissions are needed when a bugreport is taken:
+# dumpstate will redirect its stdout to a temporary shell_data_file:file, and
+# this makes derive_sdk append to that file.
+allow derive_sdk dumpstate:fd use;
+allow derive_sdk dumpstate:unix_stream_socket { read write };
+allow derive_sdk shell_data_file:file { getattr append read write };
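Review bot: The last added rule, `allow derive_sdk shell_data_file:file { getattr append read write };`, grants more than the comment above it justifies: the comment says derive_sdk only appends to the bugreport temp file whose descriptor dumpstate passes in, yet `read` lets derive_sdk read any shell_data_file it is handed and `write` is the non-append write. If dumpstate opens that file in append mode, `{ getattr append }` should suffice; otherwise the comment should state why `read` and `write` are required. It would also help to record in the comment that no `open` is granted on purpose, so the only intended path to shell_data_file is the inherited fd covered by `allow derive_sdk dumpstate:fd use;`.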
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 149d389..ee59cb7 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -123,3 +123,6 @@
# system_dlkm_file for /system_dlkm partition
allow dumpstate system_dlkm_file:dir getattr;
+
+# Allow dumpstate to execute derive_sdk in its own domain
+domain_auto_trans(dumpstate, derive_sdk_exec, derive_sdk)
diff --git a/tools/fuzzer_bindings_check.py b/tools/fuzzer_bindings_check.py
index 1791f30..55859ac 100644
--- a/tools/fuzzer_bindings_check.py
+++ b/tools/fuzzer_bindings_check.py
@@ -51,7 +51,8 @@
sys.exit("\nerror: Service '{0}' is being added, but we have no fuzzer on file for it. "
"Fuzzers are listed at $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
"NOTE: automatic service fuzzers are currently not supported in Java (b/232439254) "
- "and Rust (b/164122727). In this case, please ignore this for now. \n\n"
+ "and Rust (b/164122727). In this case, please ignore this for now and add an entry for your"
+ "new service in service_fuzzer_bindings.go \n\n"
"If you are writing a new service, it may be subject to attack from other "
"potentially malicious processes. A fuzzer can be written automatically "
"by adding these things: \n"
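Review bot: The two added fragments `"...add an entry for your"` and `"new service in service_fuzzer_bindings.go \n\n"` are concatenated with no separating space, so the message prints "yournew service"; give the first fragment a trailing space: `"and Rust (b/164122727). In this case, please ignore this for now and add an entry for your "`. The sentence also reads as contradictory ("ignore this ... and add an entry"), so state the one action expected, e.g. `"In this case, add an entry for your new service in service_fuzzer_bindings.go to record that it has no fuzzer yet. \n\n"`. The function enclosing this sys.exit() call starts outside the hunk.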
@@ -65,6 +66,8 @@
"automatically filed on you. You will find out about issues without needing "
"to backport changes years later, and the system will automatically find ways "
"to reproduce difficult to solve issues for you. \n\n"
+ "This error can be bypassed by adding entry "
+ "for new service in $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
"- Android Fuzzing and Security teams".format(service_name))
return
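Review bot: The added sentence `"This error can be bypassed by adding entry "` repeats the instruction already given earlier in this same message (the Java/Rust note in the previous hunk now points at service_fuzzer_bindings.go) and frames the check as something to get around, which undercuts the security rationale the preceding lines argue. Either drop the two added lines or reword them as an exception to be recorded rather than a bypass, e.g. `"If a fuzzer genuinely cannot be added yet, record the exception by adding an entry for the new service in $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"`. If the line is kept as is, `adding entry` should at least read `adding an entry`.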