Merge "cgroup: allow associate to tmpfs"
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index ccb7e85..a440bfe 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -1,28 +1,11 @@
# rules removed from the domain attribute
# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
userdebug_or_eng(`
auditallow {
domain_deprecated
- -fsck
- -fsck_untrusted
- -sdcardd
- -system_server
- -update_engine
- -vold
-} proc:file r_file_perms;
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -system_server
- -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow {
- domain_deprecated
-fingerprintd
-healthd
-netd
diff --git a/private/platform_app.te b/private/platform_app.te
index 047cca4..a8bb1c2 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,6 +41,9 @@
# com.android.systemui
allow platform_app rootfs:dir getattr;
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app proc:file r_file_perms;
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
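Review bot: The added `allow platform_app proc:file r_file_perms;` grants read on every file that carries the generic `proc` label, while its comment names only /proc/vmstat. It also applies to every app that runs in the platform_app domain, not only com.android.captiveportallogin. A tighter form would give /proc/vmstat its own type in genfs_contexts and allow only that type, the way update_engine_common.te already separates `proc_misc` from `proc`. The same applies to the `proc:file` rules added in system_app.te, uncrypt.te and update_engine_common.te. If the broad grant is a stopgap while domain_deprecated is unwound, a comment such as `# TODO: replace with a per-file proc type` next to each rule would record that.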
diff --git a/private/system_app.te b/private/system_app.te
index 80afcb9..803ee44 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -84,5 +84,8 @@
# /sys access
r_dir_file(system_app, sysfs_type)
+# settings app reads /proc/version and /proc/pagetypeinfo
+allow system_app proc:file r_file_perms;
+
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index d10eb39..59f7da3 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -37,3 +37,6 @@
allow uncrypt userdata_block_device:blk_file w_file_perms;
r_dir_file(uncrypt, rootfs)
+
+# uncrypt reads /proc/cmdline
+allow uncrypt proc:file r_file_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e9bf24f..2a0266e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -38,10 +38,8 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
-# access /proc/misc
-# Access is also granted to proc:file, but it is likely unneeded
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
+# access /proc/misc and /proc/sys/kernel/random/boot_id
+allow update_engine proc:file r_file_perms;
allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor
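Review bot: The rewritten comment lists /proc/misc above the `proc:file` rule, but /proc/misc is already covered by the `proc_misc:file` rule on the following line, so the generic grant is presumably kept only for /proc/sys/kernel/random/boot_id. Splitting the comment would make that visible: `# /proc/sys/kernel/random/boot_id (generic proc label)` above the `proc:file` rule and `# /proc/misc` above the `proc_misc:file` rule. The removed text marked this rule as a delete candidate, so the comment should also say what showed that boot_id access is needed. Both rules name `update_engine` while the neighbouring rules in this file use `update_engine_common`; that predates this hunk but is worth confirming while the line is being touched.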