Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 8751aa64d76310b3cee15d5672f68523934132f5^2..8751aa64d76310b3cee15d5672f68523934132f5 / .
commit8751aa64d76310b3cee15d5672f68523934132f5[log] [tgz]
authorEric Laurent <elaurent@google.com>Thu Nov 07 18:20:19 2019 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Thu Nov 07 18:20:19 2019 +0000
tree0d1016a91c5ad7329dca5e290092badb56ca5115
parent426f2e77c0d90599d60b2db53712f82fce3fa4b1 [diff]
parent685eab6ca22e4b49d936cc748b23d792adab0cc1 [diff]
Merge "audioserver: allow audioserver to generate audio HAL tombstones"
diff --git a/apex/com.android.adbd-file_contexts b/apex/com.android.adbd-file_contexts
new file mode 100644
index 0000000..3488de2
--- /dev/null
+++ b/apex/com.android.adbd-file_contexts

@@ -0,0 +1,2 @@
+(/.*)?                   u:object_r:system_file:s0
+/bin/adbd                u:object_r:adbd_exec:s0

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 06380de..83c76cb 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil

@@ -6,6 +6,7 @@
 (typeattributeset new_objects
   ( new_objects
     ashmem_libcutils_device
+    blob_store_service
     boringssl_self_test
     charger_prop
     cold_boot_done_prop

diff --git a/private/keys.conf b/private/keys.conf
index 8c899b6..362e73d 100644
--- a/private/keys.conf
+++ b/private/keys.conf

@@ -17,9 +17,6 @@
 [@NETWORK_STACK]
 ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
 
-[@PERMISSION_CONTROLLER]
-ALL: $DEFAULT_SYSTEM_DEV_CERTIFICATE/com_google_android_permissioncontroller-container.x509.pem
-
 [@SHARED]
 ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
 

diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 5095a2a..7fc37c1 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml

@@ -59,10 +59,4 @@
     <signer signature="@NETWORK_STACK" >
       <seinfo value="network_stack" />
     </signer>
-
-    <signer signature="@PERMISSION_CONTROLLER" >
-        <package name="com.google.android.permissioncontroller">
-            <seinfo value="permission_controller" />
-        </package>
-    </signer>
 </policy>

diff --git a/private/seapp_contexts b/private/seapp_contexts
index 3651389..14b63e9 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -113,9 +113,10 @@
 neverallow user=((?!system).)* domain=system_app
 neverallow user=((?!system).)* type=system_app_data_file
 
-# anything with a non-known uid with a specified name should have a specified seinfo
-neverallow user=_app name=.* seinfo=""
-neverallow user=_app name=.* seinfo=default
+# any non priv-app with a non-known uid with a specified name should have a specified
+# seinfo
+neverallow user=_app isPrivApp=false name=.* seinfo=""
+neverallow user=_app isPrivApp=false name=.* seinfo=default
 
 # neverallow shared relro to any other domain
 # and neverallow any other uid into shared_relro
@@ -156,7 +157,7 @@
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
-user=_app seinfo=permission_controller isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user

diff --git a/private/service_contexts b/private/service_contexts
index 4041a60..b7cd10f 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -12,6 +12,7 @@
 app_binding                               u:object_r:app_binding_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 apexservice                               u:object_r:apex_service:s0
+blob_store                                u:object_r:blob_store_service:s0
 gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
@@ -191,6 +192,7 @@
 task                                      u:object_r:task_service:s0
 telecom                                   u:object_r:telecom_service:s0
 telephony.registry                        u:object_r:registry_service:s0
+telephony_ims                             u:object_r:radio_service:s0
 testharness                               u:object_r:testharness_service:s0
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0

diff --git a/public/kernel.te b/public/kernel.te
index 46864b8..42fe2c4 100644
--- a/public/kernel.te
+++ b/public/kernel.te

@@ -107,7 +107,7 @@
 ')
 
 # required by VTS lidbm unit test
-allow kernel appdomain_tmpfs:file read;
+allow kernel appdomain_tmpfs:file { read write };
 
 ###
 ### neverallow rules

diff --git a/public/service.te b/public/service.te
index 9d4aaeb..aace214 100644
--- a/public/service.te
+++ b/public/service.te

@@ -54,6 +54,7 @@
 type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
 type binder_calls_stats_service, system_server_service, service_manager_type;
+type blob_store_service, app_api_service, system_server_service, service_manager_type;
 type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type broadcastradio_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;