Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
index d210884..f24340d 100644
--- a/private/extra_free_kbytes.te
+++ b/private/extra_free_kbytes.te
@@ -4,3 +4,13 @@
# Only extra_free_kbytes script is allowed to store these properties
set_prop(extra_free_kbytes, init_storage_prop)
+
+# required permissions to run the script from init
+allow extra_free_kbytes shell_exec:file rx_file_perms;
+allow extra_free_kbytes system_file:file x_file_perms;
+allow extra_free_kbytes toolbox_exec:file rx_file_perms;
+
+# files used by the script
+allow extra_free_kbytes proc_extra_free_kbytes:file rw_file_perms;
+allow extra_free_kbytes proc_watermark_scale_factor:file rw_file_perms;
+allow extra_free_kbytes proc_zoneinfo:file r_file_perms;