Merge "Move split sepolicy to correct locations"
diff --git a/private/genfs_contexts b/private/genfs_contexts
index d1e1b91..e84b494 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -6,6 +6,7 @@
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
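Review bot: Labeling `/proc/misc` as `proc_misc` takes it out of the generic `proc` type, so any domain that read it through a `proc:file` rule loses that access unless it also gains a `proc_misc` rule. This commit adds such rules only for `untrusted_app_25` and `update_engine`; other readers, if there are any, would surface as new denials, so the denial log from a test build is worth checking before this lands. The entry could also carry a short comment, for example `# /proc/misc lists registered misc devices; labeled separately so access is granted per domain`.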
diff --git a/private/system_server.te b/private/system_server.te
index 0ad5d99..892d522 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -399,7 +399,6 @@
 set_prop(system_server, powerctl_prop)
 set_prop(system_server, fingerprint_prop)
 set_prop(system_server, device_logging_prop)
-set_prop(system_server, wifi_prop)
 set_prop(system_server, dumpstate_options_prop)
 set_prop(system_server, overlay_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index cba0161..cd3f32b 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -31,3 +31,7 @@
 # b/34115651 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
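Review bot: The new `allow untrusted_app_25 proc_misc:file r_file_perms;` lets third-party apps read the kernel's list of registered misc devices, and nothing in the hunk measures whether that access is still used. The comment says the rule will go away, so pairing it with `auditallow untrusted_app_25 proc_misc:file r_file_perms;` (possibly wrapped in `userdebug_or_eng`) would collect the usage data needed to remove it. It would also help if the comment said what would break without the grant, so the removal condition is clear to the next reader.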
diff --git a/public/domain.te b/public/domain.te
index 10e62b8..b8004ac 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -92,7 +92,7 @@
 # System file accesses.
 allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
-allow domain system_file:lnk_file read;
+allow domain system_file:lnk_file { getattr read };
 
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
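Review bot: The widened rule `allow domain system_file:lnk_file { getattr read };` applies to every domain, but no comment records why `getattr` is needed. A one-line comment above it, such as `# getattr lets callers lstat() symlinks under /system`, would make the intent auditable. The `sysfs:lnk_file` rule two lines below still grants only `read`, so it would help to say whether that difference is deliberate.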
diff --git a/public/file.te b/public/file.te
index 5cbc75a..6aecab4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -16,6 +16,7 @@
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_meminfo, fs_type;
+type proc_misc, fs_type;
 type proc_net, fs_type;
 type proc_stat, fs_type;
 type proc_sysrq, fs_type;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index edd30fb..e06d8f9 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -5,6 +5,8 @@
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
 
+set_prop(hal_wifi, wifi_prop)
+
 # allow hal wifi set interfaces up and down
 allow hal_wifi self:udp_socket create_socket_perms;
 allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
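Review bot: `set_prop(hal_wifi, wifi_prop)` is added without a comment, unlike the socket rules below it, and because it sits in public policy it applies to whichever domains carry `hal_wifi`. The same commit removes the grant from `system_server`, so a comment like `# wifi_prop is set by the wifi HAL (moved from system_server)` would record the change of ownership. Whether any other domain still has write access to `wifi_prop` cannot be seen from this hunk and is worth confirming.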
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 9409947..29d730c 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -33,7 +33,10 @@
 allow update_engine_common postinstall:process { signal sigstop };
 
 # access /proc/misc
-allow update_engine proc:file r_file_perms;
+# Access is also granted to proc:file, but it is likely unneeded
+# due to the more specific grant to proc_misc immediately below.
+allow update_engine proc:file r_file_perms; # delete candidate
+allow update_engine proc_misc:file r_file_perms;
 
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
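Review bot: The broad `allow update_engine proc:file r_file_perms;` is kept beside the new `proc_misc` rule, so update_engine can still read every file labeled `proc` and the narrower type does not yet reduce its access. The trailing `# delete candidate` names no tracking bug or removal condition; something like `# TODO(b/<bug-id>): remove once no proc:file accesses are observed` would make it actionable. A temporary `auditallow update_engine proc:file r_file_perms;` inside `userdebug_or_eng` would supply that evidence. The header `# access /proc/misc` now describes only the second rule and could be moved directly above it.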