crash_dump: suppress devpts denials am: 60bb29fcdf am: f9ef333f17
am: 28c611affa

Change-Id: Iafc49f4f9c30540c42412c175ae065c11a3dc63e
diff --git a/private/audioserver.te b/private/audioserver.te
index 1e8b90b..1eaddac 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -39,6 +39,7 @@
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 8bc2ca6..09a0185 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -4,10 +4,10 @@
 (type mediacodec_exec)
 (type qtaguid_proc)
 (type reboot_data_file)
-(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
+(type vold_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 29efc22..a238306 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -12,6 +12,8 @@
 (type mtd_device)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
 (type untrusted_v2_app)
 (type vcs_device)
 
@@ -738,8 +740,6 @@
 (expandtypeattribute (textservices_service_28_0) true)
 (expandtypeattribute (thermalcallback_hwservice_28_0) true)
 (expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
 (expandtypeattribute (timezone_service_28_0) true)
 (expandtypeattribute (tmpfs_28_0) true)
 (expandtypeattribute (tombstoned_28_0) true)
@@ -1613,8 +1613,6 @@
 (typeattributeset textservices_service_28_0 (textservices_service))
 (typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
 (typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
 (typeattributeset timezone_service_28_0 (timezone_service))
 (typeattributeset tmpfs_28_0 (tmpfs))
 (typeattributeset tombstoned_28_0 (tombstoned))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 7031977..fc86dc4 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -101,6 +101,7 @@
     postinstall_apex_mnt_dir
     recovery_socket
     role_service
+    rollback_service
     rs
     rs_exec
     rss_hwm_reset
diff --git a/private/file_contexts b/private/file_contexts
index a3723e2..873eeb2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,8 +155,8 @@
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
 /dev/socket/zygote	u:object_r:zygote_socket:s0
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
@@ -288,7 +288,6 @@
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
-/system/bin/thermalserviced      u:object_r:thermalserviced_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
diff --git a/private/service_contexts b/private/service_contexts
index 7ee4827..2ce4cb1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -36,8 +36,8 @@
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
 content                                   u:object_r:content_service:s0
-content_suggestions                       u:object_r:content_suggestions_service:s0
 content_capture                           u:object_r:content_capture_service:s0
+content_suggestions                       u:object_r:content_suggestions_service:s0
 contexthub                                u:object_r:contexthub_service:s0
 country_detector                          u:object_r:country_detector_service:s0
 coverage                                  u:object_r:coverage_service:s0
@@ -159,6 +159,7 @@
 recovery                                  u:object_r:recovery_service:s0
 restrictions                              u:object_r:restrictions_service:s0
 role                                      u:object_r:role_service:s0
+rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
 runtime                                   u:object_r:runtime_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index ab4a07c..a2b95d0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -145,10 +145,6 @@
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
@@ -682,7 +678,7 @@
 
 # /sys access
 allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
+allow system_server sysfs_zram:file rw_file_perms;
 
 add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
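Review bot: The rule `allow system_server sysfs_zram:file rw_file_perms;` widens system_server from read to write on every file labelled sysfs_zram, yet the only comment above it is still `# /sys access`. The ro.zram.* delay properties added in public/property_contexts suggest this is for marking pages idle and triggering writeback, but that is inferred rather than stated here. I would put the reason directly above the rule, for example `# Write to zram sysfs nodes to mark pages idle and trigger writeback.`, and confirm that no node under this label needs to stay read-only for system_server.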
@@ -710,7 +706,6 @@
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
-allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index bd7b2c0..ad9fb44 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,6 +7,13 @@
 allow system_server_startup self:process execmem;
 allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
 
+# Allow to pick up integrity-checked artifacts from the dalvik cache.
+allow system_server_startup dalvikcache_data_file:dir r_dir_perms;
+allow system_server_startup dalvikcache_data_file:file { r_file_perms execute };
+
+# While doing the above, will touch the apex mount dir.
+allow system_server_startup mnt_expand_file:dir getattr;
+
 # Allow system_server_startup to run setcon() and enter the
 # system_server domain
 allow system_server_startup self:process setcurrent;
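Review bot: `allow system_server_startup dalvikcache_data_file:file { r_file_perms execute };` lets this domain execute files of a data-partition type, and the "integrity-checked" in the comment is a property the policy itself cannot enforce. The comment should say where that check is performed and which domains are able to write dalvikcache_data_file, so the execute grant can be judged from this file alone. Separately, the second comment speaks of the apex mount dir while the rule names `mnt_expand_file`; if the type is the intended one the comment should explain why that directory is touched, and if the comment is right the type deserves a second look.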
diff --git a/private/thermalserviced.te b/private/thermalserviced.te
deleted file mode 100644
index 1a09e20..0000000
--- a/private/thermalserviced.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-
diff --git a/public/cameraserver.te b/public/cameraserver.te
index f4eed48..b2ee301 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -18,6 +18,7 @@
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
 
 allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
@@ -27,6 +28,7 @@
 allow cameraserver mediaserver_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
 allow cameraserver hidl_token_hwservice:hwservice_manager find;
diff --git a/public/init.te b/public/init.te
index f5f42e7..a565436 100644
--- a/public/init.te
+++ b/public/init.te
@@ -397,6 +397,7 @@
   sysfs_power
   sysfs_vibrator
   sysfs_wake_lock
+  sysfs_zram
 }:file setattr;
 
 # Set usermodehelpers.
diff --git a/public/property_contexts b/public/property_contexts
index 4216116..2369b6a 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -61,6 +61,7 @@
 dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -98,6 +99,7 @@
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
 ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
 ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
 ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -136,6 +138,9 @@
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
diff --git a/public/service.te b/public/service.te
index 852e3df..0aeee2d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -31,7 +31,6 @@
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
 type system_suspend_control_service, service_manager_type;
-type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
@@ -67,8 +66,8 @@
 type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -143,6 +142,7 @@
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
 type runtime_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
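Review bot: `rollback_service` is declared with `app_api_service`, and in the next hunk `thermal_service` gains both `app_api_service` and `ephemeral_app_api_service`, which by the attribute names makes the two services findable from app domains (the rules that grant this are outside the diff). Once that is so, SELinux no longer gates who can reach them and the permission checks inside the services carry the whole access decision. I would confirm that rollback has to be reachable from ordinary apps rather than only from privileged callers, and that thermal status is meant to be visible to ephemeral apps. If both are intended, a line above each declaration such as `# Callers are gated by permission checks in the service, not by this attribute.` would record it.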
@@ -164,6 +164,7 @@
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
deleted file mode 100644
index 4716826..0000000
--- a/public/thermalserviced.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, system_file_type, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
-
-binder_call(thermalserviced, platform_app)
-binder_call(thermalserviced, system_server)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 8890ca0..6de31a8 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -13,11 +13,14 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64  u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy     u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service            u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
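Review bot: The confirmationui context line in this hunk reads `/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service`, so the `/system/vendor` path of that binary does not match and would fall through to whatever broader pattern applies instead of `hal_confirmationui_default_exec`. The commit edits the neighbouring lines but leaves this one as it is; the alternation should read `(vendor|system/vendor)` like every other entry in the block. The added `-service-lazy` entries follow the existing pattern and need no change.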
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index a446721..b6b9e09 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -9,7 +9,7 @@
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
 
 # Allow wpa_supplicant to configure nl80211
-allow hal_wifi_supplicant_default proc_net:file write;
+allow hal_wifi_supplicant_default proc_net_type:file write;
 
 # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
 hwbinder_use(hal_wifi_supplicant_default)
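Review bot: Switching the target from the type `proc_net` to the attribute `proc_net_type` in `allow hal_wifi_supplicant_default proc_net_type:file write;` grants write on every type that carries the attribute, which is likely more than the nl80211 configuration named in the comment needs. The types behind the attribute are not visible in this diff, so which additional files become writable cannot be told from here. If the supplicant writes to only one or two specific proc/net types, name those in the rule; otherwise extend the comment to say why the whole attribute is required.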