Merge "Add SEPolicy for new Java-based Broadcast Radio service."
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index db81d0d..1c23f57 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -21,6 +21,10 @@
# package manager.
allow dexoptanalyzer app_data_file:dir { getattr search };
allow dexoptanalyzer app_data_file:file r_file_perms;
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer app_data_file:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index c2cfa2c..5c5dd89 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -40,6 +40,7 @@
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled.
diff --git a/private/system_server.te b/private/system_server.te
index 7b95600..6f1579b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -126,6 +126,9 @@
# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+# Read /proc/uid_time_in_state.
+allow system_server proc_uid_time_in_state:file r_file_perms;
+
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index aaf516c..6a51e61 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -14,19 +14,6 @@
} tmpfs:dir r_dir_perms;
')
-# Inherit or receive open files from others.
-allow domain_deprecated system_server:fd use;
-userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
-')
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:fd use;
-userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server -runas } adbd:fd use;
-')
-
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
@@ -171,25 +158,6 @@
} cache_file:lnk_file r_file_perms;
')
-# Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -keystore
- -surfaceflinger
- -system_server
- -tee
- -vold
- -zygote
-} ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
-')
-
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9b54329..ee27cbe 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -194,6 +194,9 @@
# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 7e11c64..437c361 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@
type proc_uid_cputime_removeuid, fs_type;
type proc_uid_io_stats, fs_type;
type proc_uid_procstat_set, fs_type;
+type proc_uid_time_in_state, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;