Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 7bf9669a6c9836cd6ff635d9f15c8c169ab7600c^2..7bf9669a6c9836cd6ff635d9f15c8c169ab7600c / .
commit7bf9669a6c9836cd6ff635d9f15c8c169ab7600c[log] [tgz]
authorJeffrey Vander Stoep <jeffv@google.com>Thu Apr 23 17:36:28 2020 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Thu Apr 23 17:36:28 2020 +0000
tree5b88f1d8349d855dcbeaf273ad8d5dfe778370bf
parent6866e41bc5d22c1fa7cf077746858fa13ec32f9b [diff]
parent3b9683ff5393b56822bc9e016beb315dc01379a6 [diff]
Merge "Revert "mediaprovider: fixed sharedUserId bug""
diff --git a/Android.bp b/Android.bp
index 4973c13..a2f202f 100644
--- a/Android.bp
+++ b/Android.bp

@@ -375,3 +375,12 @@
     reqd_mask: true,
     soc_specific: true,
 }
+
+// For vts_treble_sys_prop_test
+filegroup {
+    name: "private_property_contexts",
+    srcs: ["private/property_contexts"],
+    visibility: [
+        "//test/vts-testcase/security/system_property",
+    ],
+}

diff --git a/private/seapp_contexts b/private/seapp_contexts
index 87e8b83..1bad9c1 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -165,7 +165,7 @@
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.gfs domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all

diff --git a/public/hal_audio.te b/public/hal_audio.te
index d54b2b2..5958f2c 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te

@@ -30,10 +30,6 @@
 # Should never execute any executable without a domain transition
 neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
 
-# Should never need network access.
-# Disallow network sockets.
-neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
-
 # Only audio HAL may directly access the audio hardware
 neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
 

diff --git a/public/shell.te b/public/shell.te
index 712307f..822f4ca 100644
--- a/public/shell.te
+++ b/public/shell.te

@@ -91,7 +91,7 @@
 hwbinder_use(shell)
 allow shell hwservicemanager:hwservice_manager list;
 
-# allow shell to look through /proc/ for lsmod, ps, top, netstat.
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
 r_dir_file(shell, proc_net_type)
 
 allow shell {
@@ -107,6 +107,7 @@
   proc_timer
   proc_uptime
   proc_version
+  proc_vmstat
   proc_zoneinfo
 }:file r_file_perms;