Merge "Allow tethering find netork stack service"
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 715b07b..cbe20fe 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -47,6 +47,7 @@
system_passwd_file
tethering_service
timezonedetector_service
+ usb_serial_device
userspace_reboot_prop
userspace_reboot_exported_prop
vehicle_hal_prop
diff --git a/private/file_contexts b/private/file_contexts
index 87ee5df..c8d9327 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -163,6 +163,8 @@
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/ttyUSB[0-9]* u:object_r:usb_serial_device:s0
+/dev/ttyACM[0-9]* u:object_r:usb_serial_device:s0
/dev/tun u:object_r:tun_device:s0
/dev/uhid u:object_r:uhid_device:s0
/dev/uinput u:object_r:uhid_device:s0
diff --git a/private/init.te b/private/init.te
index 3edd021..463f098 100644
--- a/private/init.te
+++ b/private/init.te
@@ -30,6 +30,12 @@
allow init su:process { siginh rlimitinh };
')
+# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
+# This is useful in case of remounting ext4 userdata into checkpointing mode,
+# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
+# that userdata is mounted onto.
+allow init sysfs_dm:file read;
+
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
diff --git a/private/storaged.te b/private/storaged.te
index 3ed24b2..b7d4ae9 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -30,6 +30,12 @@
# Needed for GMScore to call dumpsys storaged
allow storaged priv_app:fd use;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+# Remove after no logs are seen for this rule.
+userdebug_or_eng(`
+ auditallow storaged priv_app:fd use;
+')
+allow storaged gmscore_app:fd use;
allow storaged { privapp_data_file app_data_file }:file write;
allow storaged permission_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 86c5472..d28ef7a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -37,10 +37,12 @@
allow system_server zygote:process sigchld;
# May kill zygote on crashes.
-allow system_server zygote:process sigkill;
-allow system_server crash_dump:process sigkill;
-allow system_server webview_zygote:process sigkill;
-allow system_server app_zygote:process sigkill;
+allow system_server {
+ app_zygote
+ crash_dump
+ webview_zygote
+ zygote
+}:process { sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
diff --git a/public/hal_can.te b/public/hal_can.te
index c75495b..eb68e46 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,6 @@
binder_call(hal_can_bus_client, hal_can_bus_server)
add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+
+# USB serial type for SLCAN
+type usb_serial_device, dev_type;
diff --git a/public/property_contexts b/public/property_contexts
index 4445cd1..f30ae56 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -256,6 +256,7 @@
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.extensions. u:object_r:module_sdkext_prop:s0 prefix int
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 9ee37fd..afa1311 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -16,7 +16,7 @@
};
# Communicating with SocketCAN interfaces and bringing them up/down
-allow hal_can_socketcan self:can_socket { bind create read write ioctl };
+allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };
allowxperm hal_can_socketcan self:can_socket ioctl {
SIOCGIFFLAGS
SIOCSIFFLAGS
@@ -24,3 +24,13 @@
# Un-publishing ICanBus interfaces
allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
+
+allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
+allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
+ TCGETS
+ TCSETSW
+ TIOCGSERIAL
+ TIOCSSERIAL
+ TIOCSETD
+ SIOCGIFNAME
+};