Merge "Whitelist exported platform properties"
diff --git a/OWNERS b/OWNERS
index 4bd7e34..c15fa63 100644
--- a/OWNERS
+++ b/OWNERS
@@ -4,3 +4,4 @@
 dcashman@google.com
 jbires@google.com
 sspatil@google.com
+jgalenson@google.com
diff --git a/private/bug_map b/private/bug_map
index d493c55..8b31001 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -4,3 +4,4 @@
 crash_dump app_data_file dir 68319037
 crash_dump bluetooth_data_file dir 68319037
 crash_dump vendor_overlay_file dir 68319037
+statsd statsd capability 71537285
diff --git a/private/statsd.te b/private/statsd.te
index 6b7f8cd..fee1881 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -13,10 +13,15 @@
 #   /system/bin/toolbox
 #   /system/bin/logcat
 #   /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
 allow statsd shell_exec:file rx_file_perms;
 allow statsd system_file:file execute_no_trans;
 allow statsd toolbox_exec:file rx_file_perms;
 
+userdebug_or_eng(`
+  allow statsd su:fifo_file read;
+')
+
 # Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
 allow statsd stats_data_file:dir create_dir_perms;
 allow statsd stats_data_file:file create_file_perms;
@@ -25,6 +30,7 @@
 binder_call(statsd, appdomain)
 binder_call(statsd, incidentd)
 binder_call(statsd, statscompanion_service)
+binder_call(statsd, system_server)
 
 # Allow logd access.
 read_logd(statsd)
@@ -50,6 +56,10 @@
 # Allow statsd to call back to stats with status updates.
 binder_call(statsd, stats)
 
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_power)
+
 ###
 ### neverallow rules
 ###
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 7bdcd84..58e510e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set dac_override;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };