Merge "access_vectors: re-organize common file perms"
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 96eb1dd..d26ef89 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -57,6 +57,7 @@
art_apex_dir
service_manager_service
soundtrigger_middleware_service
+ sysfs_dm_verity
system_group_file
system_jvmti_agent_prop
system_passwd_file
diff --git a/private/domain.te b/private/domain.te
index 907d1b8..08d963c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -77,6 +77,7 @@
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 07c44ca..92ef6a8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -145,6 +145,7 @@
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
diff --git a/private/zygote.te b/private/zygote.te
index f1ccce6..6ad6db4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -60,6 +60,9 @@
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
+# Bind mount subdirectories on /data/misc/profiles/cur
+allow zygote { user_profile_data_file }:dir { mounton search };
+
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f08885a..3ab489b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -53,12 +53,13 @@
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };
- # For disabling/wiping GSI.
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir search;
- allow fastbootd gsi_metadata_file:dir r_dir_perms;
- allow fastbootd gsi_metadata_file:file rw_file_perms;
+ allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
diff --git a/public/file.te b/public/file.te
index 9573ad0..3348fd4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -84,6 +84,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
diff --git a/public/init.te b/public/init.te
index 56ed703..cc60b5a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -381,6 +381,7 @@
# init access to /sys files.
allow init {
sysfs_android_usb
+ sysfs_dm_verity
sysfs_leds
sysfs_power
sysfs_fs_f2fs