Merge "Remove 'vendor_service' neverallows."
diff --git a/private/access_vectors b/private/access_vectors
index 0f8dd5f..6cd8c4e 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -729,7 +729,6 @@
get_state
list
lock
- migrate_any_key
pull_metrics
report_off_body
reset
diff --git a/private/property_contexts b/private/property_contexts
index fa794fd..cd880d3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -527,6 +527,15 @@
bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.acl.link_supervision_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_type u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_type u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -1187,6 +1196,7 @@
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_adpf_cpu_hint u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/system_server.te b/private/system_server.te
index aac29f6..9ccd22d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -959,9 +959,7 @@
clear_ns
clear_uid
get_state
- list
lock
- migrate_any_key
pull_metrics
reset
unlock
diff --git a/public/domain.te b/public/domain.te
index c084fa7..d0310d3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -654,6 +654,8 @@
-vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+ -hal_service_type # see app_neverallows.te
+
-apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
diff --git a/public/kernel.te b/public/kernel.te
index 09d2480..b01c07a 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -95,10 +95,10 @@
staging_data_file
vendor_apex_file
}:file read;
-# Also allow the kernel to read /data/local/tmp files via loop device
-# for ApexTestCases
+# Also allow the kernel to read/write /data/local/tmp files via loop device
+# for ApexTestCases and fiemap_image_test.
userdebug_or_eng(`
- allow kernel shell_data_file:file read;
+ allow kernel shell_data_file:file { read write };
')
# Allow the first-stage init (which is running in the kernel domain) to execute the
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e8fd29e..12961e7 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -72,6 +72,7 @@
# read /dev/dm-user, so that we can inotify wait for control devices to be
# asynchronously created by ueventd.
allow update_engine dm_user_device:dir r_dir_perms;
+allow update_engine dm_user_device:chr_file r_file_perms;
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
diff --git a/tests/searchpolicy.py b/tests/searchpolicy.py
index 9d2c636..79efecf 100644
--- a/tests/searchpolicy.py
+++ b/tests/searchpolicy.py
@@ -78,10 +78,10 @@
for r in TERules:
if len(r.perms) > 1:
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
- " ".join(r.perms) + " };")
+ " ".join(sorted(r.perms)) + " };")
else:
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
- " ".join(r.perms) + ";")
+ " ".join(sorted(r.perms)) + ";")
for r in sorted(rules):
print(r)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 79c55de..e940681 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -18,7 +18,8 @@
import policy
import re
import sys
-import distutils.ccompiler
+
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
#############################################################
# Tests
@@ -158,7 +159,7 @@
(options, args) = parser.parse_args()
libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ "libsepolwrap" + SHARED_LIB_EXTENSION)
if not os.path.exists(libpath):
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index a3bf661..64a9e95 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,9 +20,9 @@
from policy import MatchPathPrefix
import re
import sys
-import distutils.ccompiler
DEBUG=False
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
'''
Use file_contexts and policy to verify Treble requirements
@@ -375,7 +375,7 @@
parser.usage)
libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ "libsepolwrap" + SHARED_LIB_EXTENSION)
if not os.path.exists(libpath):
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
diff --git a/tools/seamendc.c b/tools/seamendc.c
index 1328afb..2e49c1b 100644
--- a/tools/seamendc.c
+++ b/tools/seamendc.c
@@ -123,6 +123,7 @@
goto parse_err;
}
free(buff);
+ buff = NULL;
}
return SEPOL_OK;