Merge "Place compat tests in intermediates dir, not on /system"
diff --git a/private/atrace.te b/private/atrace.te
index 8de1826..75be787 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -24,17 +24,7 @@
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
allow atrace {
service_manager_type
-apex_service
@@ -50,6 +40,33 @@
}:service_manager { find };
allow atrace servicemanager:service_manager list;
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+ # List HAL interfaces.
+ allow atrace hwservicemanager:hwservice_manager list;
+ # Notify the camera HAL.
+ hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/public/init.te b/public/init.te
index 61b8ffb..86e0d32 100644
--- a/public/init.te
+++ b/public/init.te
@@ -46,6 +46,8 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init super_block_device:lnk_file relabelto;
+
# Create /mnt/sdcard -> /storage/self/primary symlink.
allow init mnt_sdcard_file:lnk_file create;
diff --git a/tools/sepolicy-analyze/sepolicy-analyze.c b/tools/sepolicy-analyze/sepolicy-analyze.c
index b4571a6..1b7bcdb 100644
--- a/tools/sepolicy-analyze/sepolicy-analyze.c
+++ b/tools/sepolicy-analyze/sepolicy-analyze.c
@@ -50,7 +50,7 @@
if (argc < 3)
usage(argv[0]);
policy = argv[1];
- if(load_policy(policy, &policydb, &pf))
+ if(!load_policy(policy, &policydb, &pf))
exit(1);
for(i = 0; i < NUM_COMPONENTS; i++) {
if (!strcmp(analyze_components[i].key, argv[2])) {
diff --git a/tools/sepolicy-analyze/utils.c b/tools/sepolicy-analyze/utils.c
index 5e52f59..af93f71 100644
--- a/tools/sepolicy-analyze/utils.c
+++ b/tools/sepolicy-analyze/utils.c
@@ -22,28 +22,26 @@
(policydb, key->target_class, perms));
}
-int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf)
+bool load_policy(char *filename, policydb_t * policydb, struct policy_file *pf)
{
- int fd;
+ int fd = -1;
struct stat sb;
- void *map;
- int ret;
+ void *map = MAP_FAILED;
+ bool ret = false;
fd = open(filename, O_RDONLY);
if (fd < 0) {
fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno));
- return 1;
+ goto cleanup;
}
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno));
- close(fd);
- return 1;
+ goto cleanup;
}
map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno));
- close(fd);
- return 1;
+ goto cleanup;
}
policy_file_init(pf);
@@ -52,17 +50,21 @@
pf->len = sb.st_size;
if (policydb_init(policydb)) {
fprintf(stderr, "Could not initialize policydb!\n");
- close(fd);
- munmap(map, sb.st_size);
- return 1;
+ goto cleanup;
}
- ret = policydb_read(policydb, pf, 0);
- if (ret) {
+ if (policydb_read(policydb, pf, 0)) {
fprintf(stderr, "error(s) encountered while parsing configuration\n");
- close(fd);
- munmap(map, sb.st_size);
- return 1;
+ goto cleanup;
}
- return 0;
+ ret = true;
+
+cleanup:
+ if (map != MAP_FAILED) {
+ munmap(map, sb.st_size);
+ }
+ if (fd >= 0) {
+ close(fd);
+ }
+ return ret;
}
diff --git a/tools/sepolicy-analyze/utils.h b/tools/sepolicy-analyze/utils.h
index 83f5a78..cef6ca3 100644
--- a/tools/sepolicy-analyze/utils.h
+++ b/tools/sepolicy-analyze/utils.h
@@ -11,6 +11,6 @@
void display_allow(policydb_t *policydb, avtab_key_t *key, int idx, uint32_t perms);
-int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf);
+bool load_policy(char *filename, policydb_t * policydb, struct policy_file *pf);
#endif /* UTILS_H */