Merge "Add sepolicies to allow hal_health_default to load BPFs."
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 8c77cd5..bd91f5f 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -57,8 +57,8 @@
     remotelyprovisionedkeypool_service
     resources_manager_service
     rootdisk_sysdev
-    sdk_sandbox_service
     selection_toolbar_service
+    sdk_sandbox_service
     snapuserd_proxy_socket
     sysfs_fs_fuse_bpf
     system_dlkm_file
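Review bot: Moving `sdk_sandbox_service` below `selection_toolbar_service` breaks the alphabetical order that the surrounding entries follow (`sdk_` sorts before `sel`). The reorder has no policy effect, so it looks like a merge artifact. Keeping the original order would avoid needless conflicts on later edits to this list.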
diff --git a/private/gsid.te b/private/gsid.te
index fa76da0..e795cea 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -48,7 +48,7 @@
 # Needed to read fstab, which is used to validate that system verity does not
 # use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
 # to get the A/B slot suffix).
-allow gsid proc_cmdline:file r_file_perms;
+read_fstab(gsid)
 allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
 allow gsid sysfs_dt_firmware_android:file r_file_perms;
 
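Review bot: Replacing the single `proc_cmdline` rule with `read_fstab(gsid)` gives gsid everything the macro expands to, not only the kernel command line. Per the `read_fstab` definition in public/te_macros in this same change, that adds `dir search` on `metadata_file` and `gsi_metadata_file_type`, plus read access to `gsi_public_metadata_file` and `proc_bootconfig`. gsid may already hold some of these through rules outside this hunk, but it is worth confirming that each added grant is intended and not just a side effect of reusing the macro. The comment above the rule still justifies only `proc_cmdline`; if the wider access is intended, I would extend it with something like `# read_fstab also grants proc_bootconfig and GSI metadata access used when parsing fstab.`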
diff --git a/private/property_contexts b/private/property_contexts
index f92e558..80ceafc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -73,6 +73,7 @@
 persist.sys.tap_gesture u:object_r:gesture_prop:s0
 persist.sys.theme       u:object_r:theme_prop:s0
 persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
+dynamic_system.data_transfer.shared_memory.size       u:object_r:dynamic_system_prop:s0   exact   uint
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.sys.dalvik.jvmtiagent   u:object_r:system_jvmti_agent_prop:s0
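Review bot: The `uint` type on `dynamic_system.data_transfer.shared_memory.size` constrains only the value's format, not its range, so any domain allowed to set `dynamic_system_prop` can request an arbitrarily large size. The consumer is not visible in this diff; it should clamp the value to a fixed maximum before sizing the shared-memory region. Unlike its neighbours, the name has no `ro.` or `persist.` prefix, so it can be rewritten at runtime and is not kept across reboots. If that is intended, a comment above the entry such as `# Runtime tunable, not persisted; the reader must bound the value.` would record it.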
diff --git a/public/te_macros b/public/te_macros
index 06d292c..e70c5d3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1023,7 +1023,7 @@
 define(`read_fstab', `
   allow $1 { metadata_file gsi_metadata_file_type }:dir search;
   allow $1 gsi_public_metadata_file:file r_file_perms;
-  allow $1 proc_bootconfig:file r_file_perms;
+  allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
 ')
 
 ######################################
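Review bot: Adding `proc_cmdline` to `read_fstab` grants read access to the kernel command line to every domain that invokes the macro, not only gsid. The callers are outside this diff, so the set of domains gaining the permission cannot be checked here. It should be enumerated and checked against any `neverallow` rules covering `proc_cmdline`. The gsid.te comment in this change says the command line is needed for the A/B slot suffix; if that is also the reason here, a comment on the new line such as `# proc_cmdline: fstab parsing reads the A/B slot suffix from the kernel command line.` would make later least-privilege audits easier.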