Merge "apexd_prop is defined for PRODUCT_COMPATIBLE_PROPERTY = false case"
diff --git a/private/apexd.te b/private/apexd.te
index d7a3173..61e099b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -43,6 +43,10 @@
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
+# Configure read-ahead of dm-verity devices
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+
# Spawning a libbinder thread results in a dac_override deny,
# /dev/cpuset/tasks is owned by system.
#
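Review bot: `allow apexd sysfs_dm:file rw_file_perms;` grants write on every file carrying the sysfs_dm label, while the comment above it names a single purpose, configuring read-ahead. If sysfs_dm covers the whole per-device sysfs tree (as its name suggests; the genfs labeling is not visible here), apexd can presumably also change other block-device tunables, which is wider than the stated need. If a narrower label is not practical, the comment should at least record which attribute is written and that the extra write scope is known, e.g. `# Configure read-ahead of dm-verity devices (presumably queue/read_ahead_kb; rw on all sysfs_dm files is wider than strictly needed)`.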
@@ -50,5 +54,5 @@
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
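Review bot: Dropping `kernel` wholesale from `neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;` removes the compile-time guarantee that the kernel domain cannot write APEX data files, even though the matching kernel.te change only asks for `read`. Since no_rw_file_perms includes the read permission the kernel now needs, the exclusion is required for read, but the write half of the assertion can be kept with a companion rule: `neverallow kernel apex_data_file:file no_w_file_perms;`, the same macro this file already uses for apex_mnt_dir symlinks on the next line. That preserves the intent of the original neverallow while admitting the loopback read path.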
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 9d3ad2e..7e1993c 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,7 @@
apexd_tmpfs
biometric_service
device_config_boot_count_prop
+ face_service
fastbootd
flags_health_check
flags_health_check_exec
@@ -33,6 +34,7 @@
heapprofd_exec
heapprofd_socket
intelligence_service
+ iris_service
llkd
llkd_exec
llkd_prop
diff --git a/private/service_contexts b/private/service_contexts
index 71741e2..458c43a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -56,6 +56,7 @@
euicc_card_controller u:object_r:radio_service:s0
lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
+face u:object_r:face_service:s0
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
@@ -79,6 +80,7 @@
imms u:object_r:imms_service:s0
intelligence u:object_r:intelligence_service:s0
ipsec u:object_r:ipsec_service:s0
+iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
diff --git a/public/kernel.te b/public/kernel.te
index d20bc47..d3a6079 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,6 +81,12 @@
# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };
+# Allow the kernel to read APEX file descriptors and data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+allow kernel apex_data_file:file read;
+
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
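Review bot: The comment justifying `allow kernel apexd:fd use;` and `allow kernel apex_data_file:file read;` says the loop driver issues requests from a kernel thread "in earlier kernel version" but does not say which versions, so nobody can tell when these rules become dead weight, and they widen what the kernel domain (which per the context below also hosts first-stage init) may read. The neighbouring comment about the dynamic linker pins its workaround to "Until Linux 4.8"; this one should do the same, e.g. `# TODO: remove once the minimum supported kernel no longer services loop I/O from a kernel thread (kernel < X.Y; confirm)` with the real boundary filled in. The first line also reads "read APEX file descriptors" while the rule grants `use`, so `# Allow the kernel to use apexd's file descriptors and read APEX data files;` would match the rule.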
diff --git a/public/service.te b/public/service.te
index 997b709..0ea7638 100644
--- a/public/service.te
+++ b/public/service.te
@@ -87,6 +87,7 @@
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
+type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -98,6 +99,7 @@
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type intelligence_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;