Merge "priv_app: suppress denials to proc_net"
diff --git a/prebuilts/api/28.0/private/atrace.te b/prebuilts/api/28.0/private/atrace.te
index 1b86d3e..630935d 100644
--- a/prebuilts/api/28.0/private/atrace.te
+++ b/prebuilts/api/28.0/private/atrace.te
@@ -22,8 +22,6 @@
binder_use(atrace)
allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-
get_prop(atrace, hwservicemanager_prop)
allow atrace {
diff --git a/public/clatd.te b/public/clatd.te
index 7d3d40e..35d6190 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -32,6 +32,5 @@
allow clatd self:global_capability_class_set ipc_lock;
allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
-allowxperm clatd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
\ No newline at end of file
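Review bot: Dropping the `allowxperm clatd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };` line widens ioctl access instead of narrowing it, because the retained `allow clatd tun_device:chr_file rw_file_perms;` still grants `ioctl` as part of `rw_file_perms`. Once no allowxperm rule exists for this source/target/class, command filtering no longer applies, so clatd may issue any ioctl on the tun device rather than only the two listed ones. Unless a rule outside this hunk restricts it, either keep the allowxperm line, or, if clatd no longer opens the tun device itself, reduce the allow rule to the permissions it still needs. The new side also ends without a trailing newline, which should be restored.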
diff --git a/public/mtp.te b/public/mtp.te
index c744343..add63c0 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -5,7 +5,7 @@
net_domain(mtp)
# pptp policy
-allow mtp self:socket create_socket_perms_no_ioctl;
+allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
allow mtp self:global_capability_class_set net_raw;
allow mtp ppp:process signal;
allow mtp vpn_data_file:dir search;
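Review bot: The rule now grants `create_socket_perms_no_ioctl` on both `socket` and `pppox_socket`, with no comment explaining why the generic class is kept. If `pppox_socket` was added because PPPoX sockets get their own class on kernels with extended socket classes, say so above the rule, e.g. `# PPTP uses PPPoX sockets: pppox_socket with extended socket classes, generic socket on older kernels.` If the generic `socket` grant is not needed for such a fallback, least privilege suggests dropping it so that mtp cannot create other unclassified socket families.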
diff --git a/public/property_contexts b/public/property_contexts
index b0ba329..d79c615 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -209,6 +209,8 @@
ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
+ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
+ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
ro.bootloader u:object_r:exported2_default_prop:s0 exact string
ro.build.date u:object_r:exported2_default_prop:s0 exact string
ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
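Review bot: The two added `ro.boot.dynamic_partitions*` entries are labeled `exported_default_prop`, while every neighbouring `ro.boot.*` and `ro.build.*` entry visible in this hunk uses `exported2_default_prop`. If the different label is deliberate (a different set of readers or writers), a one-line comment would keep it from being "fixed" later; otherwise align it with the neighbours. Both are also typed `string`; if they only ever hold true/false, which I cannot confirm from this hunk, `exact bool` would let the property type check reject malformed values.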
diff --git a/public/su.te b/public/su.te
index 346b1fe..a2f435e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -51,6 +51,7 @@
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
dontaudit su domain:bpf *;
+ dontaudit su unlabeled:vsock_socket *;
# VTS tests run in the permissive su domain on debug builds, but the HALs
# being tested run in enforcing mode. Because hal_foo_server is enforcing