Merge "Add dex2oat permissions to open and read the tmp apk." into oc-dev
diff --git a/private/app.te b/private/app.te
index c0fdff2..2ee3bee 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,8 +87,9 @@
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
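Review bot: The added `vendor_file:file x_file_perms` rule lets every app domain except ephemeral_app and untrusted_v2_app execute any file carrying the coarse vendor_file label, and nothing in the hunk says why or which binaries are meant. The comment above still reads "Execute the shell or other system executables", so I would add a line such as `# Non-Treble devices only: vendor executables have no dedicated exec types yet; narrow this once they do.` That rationale is my inference and should be confirmed by the author. The same uncommented `not_full_treble(...)` grant recurs in public/dhcp.te, public/netd.te, public/ppp.te, public/racoon.te and public/vold.te, and each needs the same one-line justification.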
diff --git a/public/dhcp.te b/public/dhcp.te
index c18b08d..22351ed 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -9,6 +9,7 @@
allow dhcp self:netlink_route_socket nlmsg_write;
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
allow dhcp toolbox_exec:file rx_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index bfbb43b..3322e14 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -26,6 +26,7 @@
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;
# Create and write into /data/anr/
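Review bot: `execute_no_trans` on vendor_file means any vendor binary dumpstate launches on a non-Treble device runs inside the dumpstate domain with all of that domain's access, yet the comment block above names only /system/bin tools. I would list the vendor programs this rule is meant to cover, e.g. `# Non-Treble only: also runs <vendor helper binaries> without a domain transition`, so the grant can later be replaced by per-binary exec types. The surrounding rule block starts and ends outside the hunk.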
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 06794ee..9a2a9ee 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -10,6 +10,7 @@
# Execute /system/bin/applypatch
allow install_recovery system_file:file rx_file_perms;
+not_full_treble(allow install_recovery vendor_file:file rx_file_perms;')
allow install_recovery toolbox_exec:file rx_file_perms;
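Review bot: The added line `not_full_treble(allow install_recovery vendor_file:file rx_file_perms;')` has a closing m4 quote but no opening backtick, unlike every other `not_full_treble(` call in this commit. With default m4 quoting the argument is then passed unquoted and the stray `'` stays in the expanded text, which would most likely break policy compilation on non-Treble targets. It should read ``not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')``. This may be an artifact of how the page was rendered, so check it against the actual file.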
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index eccefc6..cef8121 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -16,6 +16,7 @@
allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
add_service(mediadrmserver, mediacasserver_service)
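Review bot: `allow mediadrmserver system_file:dir r_dir_perms;` is the only addition here that is not a `not_full_treble` vendor_file rule, and it has no comment saying which directory under /system mediadrmserver needs to list. Because it is unconditional, it applies on Treble devices as well. I would add a line above it such as `# Needed to enumerate <directory> under /system when loading <component>` with the real path filled in. If the need exists only on some targets, gate the rule the same way as the other additions in this commit.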
diff --git a/public/netd.te b/public/netd.te
index 3a48cd3..1694aec 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -27,6 +27,7 @@
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;
# Acquire advisory lock on /system/etc/xtables.lock
diff --git a/public/ppp.te b/public/ppp.te
index 7a5eada..918ef5e 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -17,6 +17,7 @@
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:capability net_admin;
allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
allow ppp vpn_data_file:dir w_dir_perms;
allow ppp vpn_data_file:file create_file_perms;
allow ppp mtp:fd use;
diff --git a/public/racoon.te b/public/racoon.te
index d5d5a4e..00744d8 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -19,6 +19,7 @@
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index 89e2c24..20181d1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -31,6 +31,7 @@
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;