Merge "Add ro.vndk.lite to property_contexts"
diff --git a/prebuilts/api/26.0/private/service_contexts b/prebuilts/api/26.0/private/service_contexts
index dc77cb9..ff97d66 100644
--- a/prebuilts/api/26.0/private/service_contexts
+++ b/prebuilts/api/26.0/private/service_contexts
@@ -142,6 +142,7 @@
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:task_service:s0
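Review bot: The added `storaged_pri` line reuses `storaged_service`, so any domain allowed to `find` the existing `storaged` service can also obtain the new name, and policy cannot tell the two apart. If `storaged_pri` is meant to expose a different or more restricted interface (nothing visible here confirms that), it should get its own type, for example a proposed `storaged_pri u:object_r:storaged_pri_service:s0` with a matching type declaration and find rules. The same line is added in `private/service_contexts` further down, and the point applies there as well.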
diff --git a/private/audioserver.te b/private/audioserver.te
index 1d4223f..3c20268 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -86,3 +86,6 @@
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow using wake locks
+wakelock_use(audioserver)
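Review bot: The added `wakelock_use(audioserver)` is appended after the file's closing `neverallow`, and its comment only restates the macro name without saying which audioserver path needs to block suspend. Consider moving the rule up with the other allow rules and wording the comment as `# audioserver holds a wake lock while <reason>`. The macro's expansion is not part of this diff, so the exact permissions it grants to a domain that handles audio from apps should be checked against its definition.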
diff --git a/private/file_contexts b/private/file_contexts
index 4381f91..1ce0a80 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -395,6 +395,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
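Review bot: The new `/data/misc/apns(/.*)?` entry reuses `radio_data_file`, so the directory becomes accessible to every domain that already holds permissions on that type, not only to the component that manages APN data. The allow rules for `radio_data_file` are not visible in this diff. If more than the telephony stack can write that type, a dedicated type would stop unrelated holders from modifying APN configuration. A one-line comment above the entry naming the directory's owner would also help.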
diff --git a/private/genfs_contexts b/private/genfs_contexts
index c076918..265e646 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -143,7 +143,6 @@
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/workqueue/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/regulator/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
@@ -165,7 +164,6 @@
genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sync/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/regulator/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
@@ -212,6 +210,8 @@
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
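Review bot: Relabelling `events/sync/` from `debugfs_tracing_debug` to `debugfs_tracing`, and adding `events/fence/` under the same label, probably widens who can toggle these tracepoints. The `_debug` suffix suggests the old label was limited to debug builds, while `debugfs_tracing` is shared with the binder and lowmemorykiller events around the added lines. The allow rules for both types are outside this diff, so confirm that exposing sync/fence events to every `debugfs_tracing` writer on production builds is intended. The hunk at `@@ -238,6 +238,8 @@` makes the same change for the debugfs mount. A comment such as `# sync/fence events are needed by <consumer> on user builds` above the added lines would record the reason.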
@@ -238,6 +238,8 @@
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
diff --git a/private/property_contexts b/private/property_contexts
index de09d4a..1b27432 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -95,6 +95,7 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
+ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
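Review bot: The added `ctl.android.hardware.dumpstate` entry is matched as a prefix, so it covers every init service whose name begins with `android.hardware.dumpstate`, and it shares `ctl_dumpstate_prop` with `ctl.dumpstate`. Any domain granted `set_prop` on that type can therefore control both the framework dumpstate service and all matching vendor HAL services. Keep the prefix as long as the real service name allows. A comment such as `# vendor dumpstate HAL service, controlled by dumpstate` would also make the shared label an explicit decision.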
diff --git a/private/service_contexts b/private/service_contexts
index 8656b4e..8b9b862 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -153,6 +153,7 @@
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
system_update u:object_r:system_update_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index aab37fc..de6ad7b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -105,6 +105,7 @@
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server mediacodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
@@ -113,6 +114,7 @@
# Allow system_server to write to /proc/<pid>/timerslack_ns
allow system_server appdomain:file w_file_perms;
allow system_server audioserver:file w_file_perms;
+allow system_server mediacodec:file w_file_perms;
allow system_server cameraserver:file w_file_perms;
allow system_server hal_audio_server:file w_file_perms;
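Review bot: The added `allow system_server mediacodec:file w_file_perms;` grants more than the comment above it describes. The comment names `/proc/<pid>/timerslack_ns`, but the rule covers write access to every file labelled with the `mediacodec` domain type, which would be the process's other `/proc/<pid>` entries too. This matches the neighbouring rules, so the point is documentation: extend the block comment to something like `# (grants write to all /proc/<pid> files of these domains; only timerslack_ns is used)`. The block starts and continues outside the hunk.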
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index c41f9cb..55b268a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -6,6 +6,8 @@
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
tmpfs_domain(webview_zygote);
# Allow reading/executing installed binaries to enable preloading the
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 62762d3..8379cf8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -73,6 +73,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_drm_server
hal_graphics_composer_server
hal_sensors_server
hal_vr_server
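Review bot: The added `hal_drm_server` joins a type set whose enclosing rule starts outside the hunk, so the permission being granted is not visible here. If this is the set of domains dumpstate may signal to collect native stack dumps, then DRM HAL stack and register contents would end up in bug reports, and that process presumably handles key material. Confirm that this is acceptable, and record it in a comment next to the entry, e.g. `# hal_drm_server: stack dumps may include DRM state, reviewed in <bug id>`.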
@@ -267,6 +268,9 @@
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
###
### neverallow rules
###
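Review bot: The comment on the added `set_prop(dumpstate, ctl_dumpstate_prop)` says "kill vendor dumpstate service", but the grant is not limited to stopping or to the vendor service. Write access to `ctl_dumpstate_prop` should let dumpstate issue any init control action (start, stop, restart) for every service labelled with that type, which per `property_contexts` includes `ctl.dumpstate` itself. Reword the comment to state the real scope, e.g. `# Allow dumpstate to start/stop services labelled ctl_dumpstate_prop (framework and vendor dumpstate) via init`. If only the vendor HAL should be controllable, give it a separate property type.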
diff --git a/public/ueventd.te b/public/ueventd.te
index c41adb3..9b9eacb 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -36,6 +36,9 @@
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+allow ueventd proc_cmdline:file r_file_perms;
+
#####
##### neverallow rules
#####