Merge "Allow gatekeeper to find hardwareproperties service." into nyc-dev
diff --git a/dex2oat.te b/dex2oat.te
index 4252b88..df3cc42 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -27,9 +27,9 @@
allow dex2oat ota_data_file:dir ra_dir_perms;
allow dex2oat ota_data_file:file r_file_perms;
-# Read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file read;
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
# It would be nice to tie this down, but currently, because of how images are written, we can't
# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
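Review bot: The new `create` permission on `ota_data_file:lnk_file` lets dex2oat pick the symlink target, which type enforcement cannot constrain; the comment only states the intent that the link points at the original file in /system. The zygote.te hunk in this change also allows those links to be relabelled to `dalvikcache_data_file`, so whatever resolves links under that label presumably trusts what dex2oat wrote. I would extend the comment with something like `# The link target is chosen by dex2oat and is not restricted by policy; readers should check it resolves under /system.` The comment block that follows the rule continues past the end of the hunk.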
diff --git a/file_contexts b/file_contexts
index 56ed390..9222324 100644
--- a/file_contexts
+++ b/file_contexts
@@ -313,6 +313,8 @@
/cores(/.*)? u:object_r:coredump_file:s0
# Wallpaper files
+/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
#############################
diff --git a/mediaserver.te b/mediaserver.te
index 31c7a67..a305060 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -90,6 +90,7 @@
allow mediaserver appops_service:service_manager find;
allow mediaserver audioserver_service:service_manager find;
allow mediaserver cameraproxy_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
diff --git a/netd.te b/netd.te
index 0f4e891..2c0fb15 100644
--- a/netd.te
+++ b/netd.te
@@ -18,6 +18,7 @@
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms;
allow netd self:netlink_socket create_socket_perms;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
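Review bot: The added `netlink_tcpdiag_socket` rule has no comment, and `nlmsg_write` is the broader half of the grant. On this socket class it covers requests that change state rather than only dumping it; as far as I know that includes destroying sockets on kernels that support it. If netd needs that to close connections, say so above the rule, e.g. `# Dump and destroy sockets via sock_diag.` If it only needs to dump sockets, narrow the rule to `{ create_socket_perms nlmsg_read }`.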
diff --git a/zygote.te b/zygote.te
index 2255804..013d8c6 100644
--- a/zygote.te
+++ b/zygote.te
@@ -96,11 +96,14 @@
allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
-allow zygote ota_data_file:{ dir file } relabelfrom;
-allow zygote dalvikcache_data_file:{ dir file } relabelto;
+allow zygote ota_data_file:{ dir file lnk_file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file lnk_file } relabelto;
# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+# In case something goes wrong in relabelling, we also need to be able to delete the files that
+# have already been moved.
allow zygote ota_data_file:dir rmdir;
+allow zygote ota_data_file:{ file lnk_file } unlink;
###
### neverallow rules
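Review bot: The added comment about deleting already-moved files sits above `allow zygote ota_data_file:dir rmdir;`, while the rule it explains, the new `unlink` on `{ file lnk_file }`, comes one line later. Moving those two comment lines directly above the `unlink` rule keeps each rule next to its own rationale. The relabel comment could also mention that symlinks are now covered, e.g. `# And needs to relabel the entries (including symlinks), so as to have the dalvikcache_data_file label.`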