commit 753476286140c5b80112d5e4f22fd48e45c2c5ff
author Steven Moreland <smoreland@google.com> Wed Apr 21 16:42:26 2021 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Apr 21 16:42:26 2021 +0000
tree 2f58a56c4b63bc3601325ebf6156fee1fc6ceeeb
parent c78b80667ca45f783f827716ceb892682f93db4b
parent a251b7ed65b52a632ccaaa158b5e16b03e168422

Merge "sepolicy: allow BINDER_ENABLE_ONEWAY_SPAM_DETECTION for all processes"

private/compat/30.0/30.0.ignore.cil

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index a2ee3c1..befcabe 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -26,6 +26,7 @@
     debugfs_kprobes
     debugfs_mm_events_tracing
     debugfs_bootreceiver_tracing
+    debugfs_restriction_prop
     device_config_profcollect_native_boot_prop
     device_config_connectivity_prop
     device_config_swcodec_native_prop

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 7cb7f1c..e2bfb3e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -404,8 +404,6 @@
 
 /(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
 
-/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
 #############################
 # OEM and ODM files
 #

private/keystore.te

diff --git a/private/keystore.te b/private/keystore.te
index aa902d5..3fccf59 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,10 @@
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 
+# Allow keystore to register callbacks with statsd.
+allow keystore stats_service:service_manager find;
+binder_call(keystore, statsd);
+
 # Keystore need access to the keystore_key context files to load the keystore key backend.
 allow keystore keystore2_key_contexts_file:file r_file_perms;
 

private/property.te

diff --git a/private/property.te b/private/property.te
index d6533e8..267ff85 100644
--- a/private/property.te
+++ b/private/property.te
@@ -298,7 +298,8 @@
 
   neverallow {
     domain
-    -init
+    -coredomain
+    -vendor_init
   } {
     suspend_prop
   }:property_service set;

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 9094ebb..7356a34 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -808,6 +808,9 @@
 ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
 ro.old_dlkm.build.version.sdk                 u:object_r:build_vendor_prop:s0 exact int
 
+# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
+ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
+
 # All vendor build props are set by /vendor/build.prop
 ro.vendor.build.date                        u:object_r:build_vendor_prop:s0 exact string
 ro.vendor.build.date.utc                    u:object_r:build_vendor_prop:s0 exact int

private/stats.te

diff --git a/private/stats.te b/private/stats.te
index 9b9d4ba..db29072 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -43,6 +43,7 @@
   -gmscore_app
   -gpuservice
   -incidentd
+  -keystore
   -mediametrics
   -platform_app
   -priv_app

public/property.te

diff --git a/public/property.te b/public/property.te
index caa705a..88da840 100644
--- a/public/property.te
+++ b/public/property.te
@@ -87,7 +87,6 @@
 system_restricted_prop(userspace_reboot_exported_prop)
 system_restricted_prop(vold_status_prop)
 system_restricted_prop(vts_status_prop)
-system_restricted_prop(suspend_prop)
 
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE
@@ -127,6 +126,7 @@
 system_vendor_config_prop(codec2_config_prop)
 system_vendor_config_prop(cpu_variant_prop)
 system_vendor_config_prop(dalvik_config_prop)
+system_vendor_config_prop(debugfs_restriction_prop)
 system_vendor_config_prop(drm_service_config_prop)
 system_vendor_config_prop(exported_camera_prop)
 system_vendor_config_prop(exported_config_prop)
@@ -151,6 +151,7 @@
 system_vendor_config_prop(storage_config_prop)
 system_vendor_config_prop(storagemanager_config_prop)
 system_vendor_config_prop(surfaceflinger_prop)
+system_vendor_config_prop(suspend_prop)
 system_vendor_config_prop(systemsound_config_prop)
 system_vendor_config_prop(telephony_config_prop)
 system_vendor_config_prop(tombstone_config_prop)

public/statsd.te

diff --git a/public/statsd.te b/public/statsd.te
index baf05d4..670f4c7 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -33,6 +33,10 @@
 allow statsd gpu_service:service_manager find;
 binder_call(statsd, gpuservice)
 
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
 # Allow statsd to interact with mediametrics
 allow statsd mediametrics_service:service_manager find;
 binder_call(statsd, mediametrics)

vendor/file_contexts

diff --git a/vendor/file_contexts b/vendor/file_contexts
index 785f4cb..12e5d9f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -85,6 +85,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy      u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/install-recovery\.sh                              u:object_r:vendor_install_recovery_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
 
 #############################