Merge "Add rcs.publish.status to the whitelist"

commit: 5971d678e635c4e85b0715131abef4ee0005b77a [log] [tgz]
author: Jaekyun Seok <jaekyun@google.com> Fri Jan 19 03:22:34 2018 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Jan 19 03:22:34 2018 +0000
tree: eeb146fe26fb41d86f4dc49cd88f8b1d3fc9f9d2
parent: 1dafee26eecf73a27809e773ed08b80af946b6bc [diff]
parent: 34aad97ea9bdb70ce9ca9abdba69fe639a04c1bb [diff]
diff --git a/private/priv_app.te b/private/priv_app.te
index 9909e06..ec52d56 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -122,11 +122,14 @@
 allow priv_app traced_tmpfs:file { read write getattr map };
 unix_socket_connect(priv_app, traced_producer, traced)
 
-# suppress denials when safetynet scans /system
+# suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app net_dns_prop:file read;
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect

diff --git a/private/property_contexts b/private/property_contexts
index bf95b02..ecde9d3 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -122,9 +122,13 @@
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
 
-# Common vendor default properties.
+# Common default properties for vendor and odm.
+init.svc.odm.           u:object_r:vendor_default_prop:s0
 init.svc.vendor.        u:object_r:vendor_default_prop:s0
 ro.hardware.            u:object_r:vendor_default_prop:s0
+ro.odm.                 u:object_r:vendor_default_prop:s0
 ro.vendor.              u:object_r:vendor_default_prop:s0
+odm.                    u:object_r:vendor_default_prop:s0
+persist.odm.            u:object_r:vendor_default_prop:s0
 persist.vendor.         u:object_r:vendor_default_prop:s0
 vendor.                 u:object_r:vendor_default_prop:s0

diff --git a/private/system_server.te b/private/system_server.te
index 92988b4..62f3a86 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -280,7 +280,6 @@
 r_dir_file(system_server, sysfs_wakeup_reasons)
 
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
 allow system_server sysfs_mac_address:file r_file_perms;
 allow system_server sysfs_power:dir search;
 allow system_server sysfs_power:file rw_file_perms;

diff --git a/public/charger.te b/public/charger.te
index 33f3254..7145548 100644
--- a/public/charger.te
+++ b/public/charger.te

@@ -6,10 +6,12 @@
 allow charger kmsg_device:chr_file rw_file_perms;
 
 # Read access to pseudo filesystems.
-allow charger sysfs_type:dir search;
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
 
+# Allow to read /sys/class/power_supply directory
+allow charger sysfs_type:dir r_dir_perms;
+
 allow charger self:global_capability_class_set { sys_tty_config };
 allow charger self:global_capability_class_set sys_boot;
commit	5971d678e635c4e85b0715131abef4ee0005b77a	[log] [tgz]
author	Jaekyun Seok <jaekyun@google.com>	Fri Jan 19 03:22:34 2018 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Jan 19 03:22:34 2018 +0000
tree	eeb146fe26fb41d86f4dc49cd88f8b1d3fc9f9d2
parent	1dafee26eecf73a27809e773ed08b80af946b6bc [diff]
parent	34aad97ea9bdb70ce9ca9abdba69fe639a04c1bb [diff]