commit 61cbd0a362bd7eff74747110c4cdcf8e98717927
author TreeHugger Robot <treehugger-gerrit@google.com> Tue Apr 09 22:54:04 2019 +0000
committer Android (Google) Code Review <android-gerrit@google.com> Tue Apr 09 22:54:04 2019 +0000
tree 4acbd3195f5eb0b03b979b122add6052cddee637
parent e65658c04473b44a5e6490ce199d13b908e23248
parent b3ecb4e5b9eba74321f066b0fe2b961e52b03af7

Merge "Allow signals to hal_power_stats_server from dumpstate" into qt-dev

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 17f4111..fcdd653 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -339,6 +339,7 @@
 # They must use ASharedMemory NDK API instead.
 neverallow {
   all_untrusted_apps
+  -ephemeral_app
   -untrusted_app_25
   -untrusted_app_27
 } ashmem_device:chr_file open;

private/ephemeral_app.te

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index a94c637..1283e21 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -65,7 +65,7 @@
 allow ephemeral_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+allow ephemeral_app ashmem_device:chr_file rw_file_perms;
 
 ###
 ### neverallow rules

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index f3f367b..f4aefe3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -451,6 +451,8 @@
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
 /data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
 /data/nativetest64(/.*)?	u:object_r:nativetest_data_file:s0
+# This directory was removed after Q Beta 2, but we need to preserve labels for upgrading devices.
+/data/pkg_staging(/.*)?		u:object_r:staging_data_file:s0
 /data/property(/.*)?	u:object_r:property_data_file:s0
 /data/preloads(/.*)?	u:object_r:preloads_data_file:s0
 /data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0

private/perfetto.te

diff --git a/private/perfetto.te b/private/perfetto.te
index 128205b..28ea868 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -11,6 +11,13 @@
 # Allow to access traced's privileged consumer socket.
 unix_socket_connect(perfetto, traced_consumer, traced)
 
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow perfetto traced:fd use;
+allow perfetto traced_tmpfs:file { read write getattr map };
+unix_socket_connect(perfetto, traced_producer, traced)
+
+
 # Allow to write and unlink traces into /data/misc/perfetto-traces.
 allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
 allow perfetto perfetto_traces_data_file:file create_file_perms;