Merge "Allow dumpstate to call statsd. This is needed for bugreport."
diff --git a/private/adbd.te b/private/adbd.te
index 9dcfc81..77c0d73 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;
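Review bot: The two added `trace_data_file` rules for adbd are unconditional, while the only writer of that type visible in this change is traceur_app, whose rules in private/traceur_app.te sit inside `userdebug_or_eng`. If no user-build process writes /data/local/traces, the read path should carry the same guard by wrapping both rules in a `userdebug_or_eng` block. Otherwise extend the comment to name the producer, e.g. `# adb pull /data/local/traces/* (written by <producer> on user builds)`. The same applies to the shell read/unlink rules added in public/shell.te.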
diff --git a/private/audioserver.te b/private/audioserver.te
index 9119daa..b6deb28 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -29,6 +29,7 @@
')
add_service(audioserver, audioserver_service)
+allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
@@ -45,6 +46,17 @@
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
+# Allow shell commands from ADB for CTS testing/dumping
+allow audioserver adbd:fd use;
+allow audioserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow audioserver su:fd use;
+ allow audioserver su:fifo_file { read write };
+ allow audioserver su:unix_stream_socket { read write };
+')
+
###
### neverallow rules
###
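Review bot: The comment `# Allow shell commands from ADB for CTS testing/dumping` is repeated verbatim above the `userdebug_or_eng` block, where the rules concern `su` rather than adbd. The second comment should say what differs, for example `# Same for commands run from a su shell (userdebug/eng builds only)`. The first comment could also state that the adbd rules apply on user builds too, since they let audioserver use file descriptors and sockets handed over by adbd. public/cameraserver.te has the same duplicated comment, and there the new allow rules are appended below the neverallow line instead of sitting with the other allow rules.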
diff --git a/private/blank_screen.te b/private/blank_screen.te
new file mode 100644
index 0000000..43d273b
--- /dev/null
+++ b/private/blank_screen.te
@@ -0,0 +1,6 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type;
+
+init_daemon_domain(blank_screen)
+
+hal_client_domain(blank_screen, hal_light)
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 78e7b74..a587b4d 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -476,7 +476,8 @@
proc_uid_concurrent_policy_time
proc_uptime
proc_version
- proc_vmallocinfo))
+ proc_vmallocinfo
+ proc_vmstat))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 56b0cf5..7bab012 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,9 @@
(typeattributeset new_objects
( adbd_exec
bootloader_boot_reason_prop
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
bpfloader
bpfloader_exec
broadcastradio_service
@@ -37,6 +40,7 @@
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_tetheroffload_hwservice
+ hal_usb_gadget_hwservice
hal_wifi_offload_hwservice
kmsg_debug_device
last_boot_reason_prop
@@ -66,6 +70,7 @@
sysfs_fs_ext4_features
system_boot_reason_prop
system_net_netd_hwservice
+ system_update_service
thermal_service
thermalcallback_hwservice
thermalserviced
@@ -74,6 +79,7 @@
timezone_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
+ trace_data_file
traceur_app
traceur_app_tmpfs
traced
@@ -86,6 +92,9 @@
traced_tmpfs
update_engine_log_data_file
vendor_default_prop
+ usbd
+ usbd_exec
+ usbd_tmpfs
vendor_init
vendor_shell
vold_prepare_subdirs
diff --git a/private/coredomain.te b/private/coredomain.te
index 244c83c..84d7a8f 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,2 +1,16 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)
+
+full_treble_only(`
+neverallow {
+ coredomain
+
+ # for chowning
+ -init
+
+ # generic access to sysfs_type
+ -ueventd
+ -vendor_init
+ -vold
+} sysfs_leds:file *;
+')
diff --git a/private/domain.te b/private/domain.te
index 72c3855..8a41097 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,9 +25,6 @@
neverallow {
coredomain
-dumpstate
- -platform_app
- -priv_app
- -system_app
-vold
-vendor_init
} proc:file no_rw_file_perms;
@@ -37,9 +34,6 @@
coredomain
-dumpstate
-init
- -priv_app
- -storaged
- -system_app
-ueventd
-vold
-vendor_init
@@ -50,7 +44,6 @@
coredomain
-fsck
-init
- -shell
-ueventd
-vendor_init
} device:{ blk_file file } no_rw_file_perms;
diff --git a/private/e2fs.te b/private/e2fs.te
new file mode 100644
index 0000000..2c4c013
--- /dev/null
+++ b/private/e2fs.te
@@ -0,0 +1,3 @@
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
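Review bot: Neither rule in this new file says why e2fs needs it, and the `metadata_block_device` grant opens an exemption in a neverallow whose comment in public/domain.te still reads "should not be used by other domains". Add a comment above the allow, e.g. `# Create the filesystem on the metadata partition` (purpose presumed, please confirm), and one for the `devpts` rule. private/fsck.te adds the same undocumented grant. The domain.te comment should be updated to name e2fs and fsck alongside init, recovery and vold, so the exemption list and its rationale stay together.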
diff --git a/private/file_contexts b/private/file_contexts
index bebced6..2113945 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -179,6 +179,7 @@
#
/system(/.*)? u:object_r:system_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
@@ -240,6 +241,7 @@
/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
@@ -298,9 +300,9 @@
/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-# TODO: b/36790901 move this to /vendor/etc
/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
@@ -348,6 +350,7 @@
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329..f8e09b6 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,5 @@
typeattribute fsck coredomain;
init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index d05d386..1fddb6e 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -79,6 +79,7 @@
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled.
@@ -170,6 +171,7 @@
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index a98c68a..661e2ae 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -43,6 +43,7 @@
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 2596a8e..67a9c33 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,7 +41,9 @@
allow platform_app rootfs:dir getattr;
# com.android.captiveportallogin reads /proc/vmstat
-allow platform_app proc:file r_file_perms;
+allow platform_app {
+ proc_vmstat
+}:file r_file_perms;
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 9909e06..dcf7572 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -77,9 +77,17 @@
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
+# /proc access
+allow priv_app {
+ proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
r_dir_file(priv_app, rootfs)
# Allow GMS core to open kernel config for OTA matching through libvintf
@@ -96,6 +104,10 @@
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow priv_app system_update_service:service_manager find;
+
# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)
@@ -122,11 +134,15 @@
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)
-# suppress denials when safetynet scans /system
+# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
+dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app net_dns_prop:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
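Review bot: `dontaudit priv_app proc:file read;` silences denials for every /proc file that still carries the generic `proc` label, not for one known path. Since the first hunk of this file removes `r_dir_file(priv_app, proc)`, those reads are now both denied and invisible in the audit log. That makes it harder to see which /proc entries privileged apps still reach for, or to notice an unexpected probe. If the suppression is meant as a stopgap, say so next to the rule, e.g. `# TODO(b/<bug>): remove once the remaining generic /proc readers are identified`. Otherwise list the known callers in the comment the way the `proc_vmstat` allow does.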
diff --git a/private/property_contexts b/private/property_contexts
index bf95b02..ecde9d3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -122,9 +122,13 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
-# Common vendor default properties.
+# Common default properties for vendor and odm.
+init.svc.odm. u:object_r:vendor_default_prop:s0
init.svc.vendor. u:object_r:vendor_default_prop:s0
ro.hardware. u:object_r:vendor_default_prop:s0
+ro.odm. u:object_r:vendor_default_prop:s0
ro.vendor. u:object_r:vendor_default_prop:s0
+odm. u:object_r:vendor_default_prop:s0
+persist.odm. u:object_r:vendor_default_prop:s0
persist.vendor. u:object_r:vendor_default_prop:s0
vendor. u:object_r:vendor_default_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 6f33c89..c1ea51a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -151,6 +151,7 @@
storaged u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
telephony.registry u:object_r:registry_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index c8cc02d..a1e6802 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,7 +5,6 @@
init_daemon_domain(storaged)
# Read access to pseudo filesystems
-r_dir_file(storaged, sysfs_type)
r_dir_file(storaged, proc_net)
r_dir_file(storaged, domain)
diff --git a/private/system_app.te b/private/system_app.te
index c849aea..cd697a1 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -102,17 +102,14 @@
user_changed
};
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-# settings app reads /proc/version and /proc/pagetypeinfo
+# settings app reads /proc/version
allow system_app {
- proc
proc_version
}:file r_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
+get_prop(system_app, device_logging_prop)
# allow system apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/system_server.te b/private/system_server.te
index 92988b4..2054d99 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -198,6 +198,7 @@
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_usb_gadget)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
@@ -280,7 +281,6 @@
r_dir_file(system_server, sysfs_wakeup_reasons)
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
allow system_server sysfs_mac_address:file r_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 194a28f..83c77b4 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -2,6 +2,9 @@
userdebug_or_eng(`
app_domain(traceur_app);
- allow traceur_app debugfs_tracing:file r_file_perms;
+ allow traceur_app debugfs_tracing:file rw_file_perms;
+ allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+ allow traceur_app trace_data_file:file create_file_perms;
+ allow traceur_app trace_data_file:dir { add_name search write };
allow traceur_app atrace_exec:file rx_file_perms;
')
diff --git a/private/usbd.te b/private/usbd.te
new file mode 100644
index 0000000..13a0ad7
--- /dev/null
+++ b/private/usbd.te
@@ -0,0 +1,12 @@
+typeattribute usbd coredomain;
+
+init_daemon_domain(usbd)
+
+# Access usb gadget hal
+hal_client_domain(usbd, hal_usb_gadget)
+
+# Access persist.sys.usb.config
+get_prop(usbd, system_prop)
+
+# start adbd during boot if adb is enabled
+set_prop(usbd, ctl_default_prop)
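Review bot: `set_prop(usbd, ctl_default_prop)` grants more than its comment describes. `ctl_default_prop` is the catch-all label for control properties, so usbd would be able to start or stop any init service whose control property has no more specific label, not only adbd. Prefer a dedicated property type for the adbd control property, labelled in property_contexts, and grant only that. If that is out of scope for this change, record it in the comment, e.g. `# TODO: narrow to an adbd-specific ctl property type`.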
diff --git a/public/attributes b/public/attributes
index 2a8a40a..11ffd2e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -235,6 +235,7 @@
hal_attribute(tv_cec);
hal_attribute(tv_input);
hal_attribute(usb);
+hal_attribute(usb_gadget);
hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 0dd4a80..ebf0992 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -17,6 +17,8 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+
+allow cameraserver activity_service:service_manager find;
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
allow cameraserver batterystats_service:service_manager find;
@@ -47,3 +49,14 @@
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow cameraserver su:fd use;
+ allow cameraserver su:fifo_file { read write };
+ allow cameraserver su:unix_stream_socket { read write };
+')
diff --git a/public/charger.te b/public/charger.te
index 33f3254..7145548 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -6,10 +6,12 @@
allow charger kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
-allow charger sysfs_type:dir search;
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
+# Allow to read /sys/class/power_supply directory
+allow charger sysfs_type:dir r_dir_perms;
+
allow charger self:global_capability_class_set { sys_tty_config };
allow charger self:global_capability_class_set sys_boot;
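Review bot: `allow charger sysfs_type:dir r_dir_perms;` lets charger list every directory carrying any sysfs type, while the comment only asks for /sys/class/power_supply. Keeping the removed `allow charger sysfs_type:dir search;` for traversal and granting `r_dir_perms` only on the type that labels the power_supply directory would match the stated need. If that directory has no label of its own on the targeted devices, say so in the comment, e.g. `# power_supply dirs are not labelled consistently across devices, so this stays on sysfs_type`.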
diff --git a/public/domain.te b/public/domain.te
index d458510..cffe5cd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -556,8 +556,14 @@
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
- { append link rename write open read ioctl lock };
+neverallow {
+ domain
+ -init
+ -recovery
+ -vold
+ -e2fs
+ -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
@@ -892,6 +898,25 @@
-crash_dump_exec
-netutils_wrapper_exec
}:file { entrypoint execute execute_no_trans };
+
+ # Do not allow system components to execute files from vendor
+ # except for the ones whitelisted here.
+ neverallow {
+ coredomain
+ -init
+ -system_executes_vendor_violators
+ -vendor_init
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vndk_sp_file
+ -vendor_app_file
+ }:file execute;
+
+ neverallow {
+ coredomain
+ -system_executes_vendor_violators
+ } vendor_file_type:file execute_no_trans;
')
# Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/file.te b/public/file.te
index 56b6c2f..91796c0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -57,6 +57,7 @@
type proc_uptime, fs_type;
type proc_version, fs_type;
type proc_vmallocinfo, fs_type;
+type proc_vmstat, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
@@ -107,8 +108,8 @@
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
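Review bot: `mlstrustedobject` is added to `debugfs_tracing` and `debugfs_tracing_debug` without a comment, and the next hunk creates `trace_data_file` with it as well. The attribute exempts these objects from the MLS constraints, so the type-enforcement allow rules become the only barrier; private/traceur_app.te in this change grants `rw_file_perms` on both debugfs types. Add a comment above each line naming the domain that needs the exemption, e.g. `# mlstrustedobject: accessed by traceur_app, which runs with per-user categories` (reason presumed, please confirm).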
@@ -243,6 +244,7 @@
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/fsck.te b/public/fsck.te
index 7cc7e8b..c5219d8 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -44,7 +44,6 @@
neverallow fsck {
boot_block_device
frp_block_device
- metadata_block_device
recovery_block_device
root_block_device
swap_block_device
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
new file mode 100644
index 0000000..16f4f08
--- /dev/null
+++ b/public/hal_usb_gadget.te
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
+binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+
+add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
+allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
+
+# Configuring usb gadget functions
+allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
+allow hal_usb_gadget_server configfs:dir rw_dir_perms;
+allow hal_usb_gadget_server configfs:file rw_file_perms;
+allow hal_usb_gadget_server functionfs:dir { read search };
+allow hal_usb_gadget_server functionfs:file read;
+
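Review bot: The `configfs` rules under `# Configuring usb gadget functions` cover the whole configfs mount, because private/genfs_contexts labels `genfscon configfs /` with the single type `configfs`. Every domain with the `hal_usb_gadget_server` attribute can therefore create, unlink and write entries belonging to other configfs subsystems as well as the USB gadget tree. If a narrower label for the gadget directory is not feasible, record the limitation in the comment, e.g. `# configfs has one label for the whole mount; the gadget HAL only needs usb_gadget/`. Minor: `{ read create unlink}` is missing the space before the closing brace.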
diff --git a/public/hwservice.te b/public/hwservice.te
index 19a7205..09e3068 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -37,6 +37,7 @@
type hal_tv_cec_hwservice, hwservice_manager_type;
type hal_tv_input_hwservice, hwservice_manager_type;
type hal_usb_hwservice, hwservice_manager_type;
+type hal_usb_gadget_hwservice, hwservice_manager_type;
type hal_vibrator_hwservice, hwservice_manager_type;
type hal_vr_hwservice, hwservice_manager_type;
type hal_weaver_hwservice, hwservice_manager_type;
diff --git a/public/property_contexts b/public/property_contexts
index e5772e5..2596161 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -198,6 +198,7 @@
aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
diff --git a/public/service.te b/public/service.te
index 704e245..44c3ef6 100644
--- a/public/service.te
+++ b/public/service.te
@@ -131,6 +131,7 @@
type slice_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type system_update_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 719036c..32ad770 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -25,6 +25,10 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { search getattr write remove_name };
allow shell profman_dump_data_file:file { getattr unlink };
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ab08c62..46826d4 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -17,5 +17,7 @@
-vr_hwc_service
}:service_manager find;
+ dontaudit traceur_app service_manager_type:service_manager find;
+ dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
dontaudit traceur_app domain:binder call;
')
diff --git a/public/usbd.te b/public/usbd.te
new file mode 100644
index 0000000..98786e0
--- /dev/null
+++ b/public/usbd.te
@@ -0,0 +1,3 @@
+type usbd, domain;
+type usbd_exec, exec_type, file_type;
+
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 9f2526e..3c5c535 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -236,7 +236,7 @@
ret += "SELinux: The following types were found added to the policy "
ret += "without an entry into the compatibility mapping file(s) found "
ret += "in private/compat/" + compatMapping.apiLevel + "/"
- ret += compatMapping.apiLevel + "[.ignore].cil/n"
+ ret += compatMapping.apiLevel + "[.ignore].cil\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e2476c4..b4961d7 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -7,6 +7,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0