am ee66ba8c: Merge "update isolated_app service_manager rules"
* commit 'ee66ba8c4062f6cd1ce481384d39d13e0281f8bc':
update isolated_app service_manager rules
diff --git a/adbd.te b/adbd.te
index c80dba4..babbdc5 100644
--- a/adbd.te
+++ b/adbd.te
@@ -73,6 +73,10 @@
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
+# b/18078338 - allow read access to executable types on /system
+# to assist with debugging OTA issues.
+allow adbd exec_type:file r_file_perms;
+
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
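Review bot: The added `allow adbd exec_type:file r_file_perms;` is broader than its comment suggests, because `exec_type` is an attribute rather than a /system-specific type, so the read grant follows every type carrying it, wherever those files are. The rule is also unconditional, so it applies on every build variant. If the OTA debugging in b/18078338 is only done on engineering builds, wrapping the rule in the `userdebug_or_eng` macro would leave user builds unchanged; otherwise the comment should state that the grant is intended for user builds too. The `zygote_exec` rule just below may become redundant if that type carries `exec_type`, which this hunk does not show.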
diff --git a/dex2oat.te b/dex2oat.te
index 5fded36..f7de25d 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -12,3 +12,4 @@
# locked APKs.
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
+allow dex2oat oemfs:file read;
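Review bot: The added `allow dex2oat oemfs:file read;` has no comment of its own, and the comment above it (which starts outside the hunk) ends with "locked APKs" and does not mention the OEM partition. The rule grants `read` without `open`, so dex2oat can presumably only use descriptors handed to it by another process. That restriction is worth writing down so a later change does not widen it to `r_file_perms`. Something like `# Read APKs on the OEM partition via an fd opened by the caller.` would do, if that matches the intent.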
diff --git a/recovery.te b/recovery.te
index b0616ae..8576356 100644
--- a/recovery.te
+++ b/recovery.te
@@ -48,6 +48,8 @@
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
+ access_kmsg(recovery)
+
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow recovery adb_device:chr_file rw_file_perms;
allow recovery functionfs:dir search;
diff --git a/service_contexts b/service_contexts
index 3eee034..afc8585 100644
--- a/service_contexts
+++ b/service_contexts
@@ -103,7 +103,7 @@
statusbar u:object_r:statusbar_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:task_service:s0
-telecom u:object_r:radio_service:s0
+telecom u:object_r:system_server_service:s0
telephony.registry u:object_r:registry_service:s0
textservices u:object_r:textservices_service:s0
trust u:object_r:trust_service:s0
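Review bot: Relabeling `telecom` from `radio_service` to `system_server_service` changes which domains may register and look up the service, and the rules granting `add` and `find` on either label are not part of this diff. It is worth confirming that the process publishing telecom holds `add` on `system_server_service` and that no client still relies on its access to `radio_service` to reach it. `system_server_service` looks like a shared label, so every domain allowed to find it gains telecom as well. A dedicated type (for example a new `telecom_service`, which would have to be declared) would let access be granted per client.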
diff --git a/system_server.te b/system_server.te
index 41036b6..0fa709e 100644
--- a/system_server.te
+++ b/system_server.te
@@ -75,6 +75,10 @@
# Kill apps.
allow system_server appdomain:process { sigkill signal };
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow system_server kernel:process setsched;
+
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
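Review bot: The comment above `allow system_server kernel:process setsched;` records that the rule looks wrong, but gives no reason it was added and no tracking reference. The other new rules in this commit cite a bug (b/18078338, b/18504118); this one leaves nothing for a later reader to follow up on. Adding a line such as `# TODO(b/<tracking-bug>): find the caller that needs this and remove the rule.` (placeholder id) would make the exception traceable. Stating which denial prompted it would also help whoever revisits it.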
diff --git a/tools/README b/tools/README
index 1ffe409..899b981 100644
--- a/tools/README
+++ b/tools/README
@@ -50,4 +50,4 @@
sepolicy-analyze
A tool for performing various kinds of analysis on a sepolicy
- file.
\ No newline at end of file
+ file.
diff --git a/untrusted_app.te b/untrusted_app.te
index 91cb46a..e84e3ef 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -47,6 +47,14 @@
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;
+# b/18504118: Allow reads from /data/anr/traces.txt
+# TODO: We shouldn't be allowing all untrusted_apps to read
+# this file. This is only needed for the GMS feedback agent.
+# See also b/18340553. GMS runs as untrusted_app, and
+# it's too late to change the domain it runs in.
+# This line needs to be deleted.
+allow untrusted_app anr_data_file:file r_file_perms;
+
#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
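Review bot: `allow untrusted_app anr_data_file:file r_file_perms;` gives every third-party app read access to the ANR traces, which can include stack dumps from processes other than the reader. The comment says the line must be deleted but sets no condition or target for doing so. Pairing it with `auditallow untrusted_app anr_data_file:file r_file_perms;` would log each use, making it possible to confirm that only the feedback agent depends on the grant before it is removed. A removal target in the TODO would keep the exception from becoming permanent.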
diff --git a/zygote.te b/zygote.te
index 67660b3..adbea06 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,9 +21,6 @@
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
-# Read system security data.
-allow zygote keychain_data_file:dir r_dir_perms;
-allow zygote keychain_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;