Merge "Clean up bug_map."
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 1caf952..fe3e648 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -13,8 +13,7 @@
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
-# TODO: unknown fd pass denials, need further investigation.
-dontaudit bpfloader netd:fd use;
+allow bpfloader netd:fd use;
# Use pinned bpf map files from netd.
allow bpfloader netd:bpf { map_read map_write };
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3a493e0..859e45d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -3,7 +3,8 @@
;; previous ones. Add here to pass checkapi tests.
(typeattribute new_objects)
(typeattributeset new_objects
- ( adbd_exec
+ ( adb_service
+ adbd_exec
bootloader_boot_reason_prop
blank_screen
blank_screen_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 99db662..998ac5f 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -3,7 +3,8 @@
;; previous ones. Add here to pass checkapi tests.
(typeattribute new_objects)
(typeattributeset new_objects
- ( blank_screen
+ ( adb_service
+ blank_screen
blank_screen_exec
blank_screen_tmpfs
bootloader_boot_reason_prop
diff --git a/private/incidentd.te b/private/incidentd.te
index a887a61..824dece 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -31,6 +31,9 @@
# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+# section id 2005, allow reading ps dump in full
+allow incidentd domain:process getattr;
+
# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file r_file_perms;
@@ -42,6 +45,11 @@
# Get process attributes
# TODO allow incidentd domain:process getattr;
+# Read files in /proc
+allow incidentd {
+ proc_stat
+}:file r_file_perms;
+
# Signal java processes to dump their stack and get the results
# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
# TODO allow incidentd anr_data_file:dir create_dir_perms;
diff --git a/private/service_contexts b/private/service_contexts
index 71d4845..985444f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,6 +1,7 @@
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
+adb u:object_r:adb_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index a512e5d..d1571d6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -746,8 +746,8 @@
# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
# the map after snapshot is recorded
-allow system_server fs_bpf:file write;
-allow system_server netd:bpf { map_read map_write };
+allow system_server fs_bpf:file read;
+allow system_server netd:bpf map_read;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
diff --git a/public/service.te b/public/service.te
index e13b6d5..ae45987 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type adb_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;