system_server: replace sys_resource with sys_ptrace am: 3d8dde0e2e
am: dddbd2f3ba
Change-Id: I517d7bbd415e28d2ba7719f17c1ddcc7c28f20a0
diff --git a/dumpstate.te b/dumpstate.te
index dda8a58..115bb09 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -5,6 +5,7 @@
init_daemon_domain(dumpstate)
net_domain(dumpstate)
binder_use(dumpstate)
+wakelock_use(dumpstate)
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
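Review bot: The added `wakelock_use(dumpstate)` has no comment saying why dumpstate needs to hold a wakelock, while the grants around it are each introduced by one. Presumably it keeps the device awake while a bugreport is collected; if so, a line such as `# Hold a wakelock while the bugreport is being collected.` above the macro call would make the grant reviewable later. The commit title mentions only system_server capabilities, so nothing on the page explains this line.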
@@ -136,6 +137,9 @@
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
+# List sockets via ss.
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };
+
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
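Review bot: The new `netlink_tcpdiag_socket` rule grants the full `create_socket_perms` set, which in AOSP policy expands to include `ioctl` as well as bind, connect and setopt, and that is likely more than a sock_diag dump needs. If this tree defines `create_socket_perms_no_ioctl`, then `allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };` would be tighter; confirm against the calls ss actually makes. Separately, `nlmsg_read` on this class lets dumpstate enumerate sockets belonging to every UID, and that output ends up in bugreports, so the comment is worth widening to something like `# List sockets of all processes via ss (sock_diag); output is included in bugreports.`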
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
index fcba7b1..1c5f2ee 100644
--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -10,6 +10,8 @@
# This is required to mount /vendor.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem mount;
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
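Review bot: The `dontaudit otapreopt_chroot kernel:process setsched;` rule suppresses every setsched denial from this domain against kernel threads, not only the one seen while mounting /vendor, so an unexpected attempt would no longer show up in the audit log. The comment "can have this side-effect" does not say why the denial is harmless or where it was observed. Consider recording that, e.g. `# Mounting /vendor triggers a setsched on a kernel thread from this context; the mount succeeds without it. See b/<BUG_ID>.`, with the mechanism confirmed before it is written down.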
diff --git a/platform_app.te b/platform_app.te
index 0d3bdba..d4a27ad 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -45,6 +45,7 @@
allow platform_app mediaserver_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
allow platform_app mediacodec_service:service_manager find;
+allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
diff --git a/service.te b/service.te
index 6b5838c..e7a30f9 100644
--- a/service.te
+++ b/service.te
@@ -39,6 +39,7 @@
type IProxyService_service, app_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, system_server_service, service_manager_type;
+type connmetrics_service, app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, system_server_service, service_manager_type;
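Review bot: `connmetrics_service` is declared with the `app_api_service` attribute, which in AOSP policy is what allows ordinary app domains to `find` a service, so SELinux will not restrict who can obtain this binder. If the service exposes connectivity event data, access control then rests entirely on permission checks inside the service itself; confirm that those checks exist. If only system components need it, `type connmetrics_service, system_server_service, service_manager_type;` would be the narrower declaration. The matching `connmetrics` entry in service_contexts is consistent with this type.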
diff --git a/service_contexts b/service_contexts
index 0ddbdc1..dd7e49f 100644
--- a/service_contexts
+++ b/service_contexts
@@ -19,9 +19,10 @@
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
commontime_management u:object_r:commontime_management_service:s0
-common_time.clock u:object_r:mediaserver_service:s0
-common_time.config u:object_r:mediaserver_service:s0
+common_time.clock u:object_r:mediaserver_service:s0
+common_time.config u:object_r:mediaserver_service:s0
connectivity u:object_r:connectivity_service:s0
+connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
contexthub_service u:object_r:contexthub_service:s0