Merge "Allow dexopt to follow /odm/lib(64) symlinks."
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 4d36d8e..5f126fe 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -25,6 +25,7 @@
exported_overlay_prop
exported_pm_prop
exported_radio_prop
+ exported_secure_prop
exported_system_prop
exported_system_radio_prop
exported_vold_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index dcd9f88..f7f4292 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -28,6 +28,7 @@
exported_overlay_prop
exported_pm_prop
exported_radio_prop
+ exported_secure_prop
exported_system_prop
exported_system_radio_prop
exported_vold_prop
diff --git a/public/domain.te b/public/domain.te
index 2681b99..869d94e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -131,6 +131,7 @@
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_fingerprint_prop)
get_prop(domain, exported_radio_prop)
+get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
@@ -524,7 +525,8 @@
neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
- neverallow { domain -init -vendor_init } exported2_default_prop:property_service set;
+ neverallow { domain -init } exported_secure_prop:property_service set;
+ neverallow { domain -init } exported2_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
')
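Review bot: The replaced `exported2_default_prop` line also drops `-vendor_init`, so vendor_init loses the ability to set those properties; that is a separate tightening from introducing `exported_secure_prop` and is not mentioned in the commit title, so it deserves its own sentence in the description or its own change. The new `neverallow { domain -init } exported_secure_prop:property_service set;` correctly excludes only init, matching the read-only `ro.secure` / `ro.adb.secure` labelling in property_contexts, but nothing says why; a line such as `# ro.secure and ro.adb.secure may only ever be set by init; vendor_init is deliberately not excluded here` above it would keep a later cleanup from "harmonising" it with the neighbouring `-init -vendor_init` rules. The macro that the closing `')` belongs to starts outside the hunk, so I cannot tell from here which build variant these rules are conditioned on.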
diff --git a/public/netd.te b/public/netd.te
index 0e9e08c..c056ea9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -146,3 +146,12 @@
# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow netd proc_net:dir no_w_dir_perms;
+dontaudit netd proc_net:dir write;
+
+neverallow netd sysfs_net:dir no_w_dir_perms;
+dontaudit netd sysfs_net:dir write;
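Review bot: The comment on the first added line names a flag `O_CREATE` that does not exist; the open(2) flag is `O_CREAT`, so the line should read `# If an already existing file is opened with O_CREAT, the kernel might generate`. The pairing of `neverallow netd proc_net:dir no_w_dir_perms;` with `dontaudit netd proc_net:dir write;` is the right shape: the dontaudit hides the spurious denial while the neverallow guarantees a later `allow` cannot quietly grant the write. Stating that explicitly would help the next reader, e.g. `# The neverallow guarantees the dontaudit can never be paired with an allow.` as the final comment line.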
diff --git a/public/property.te b/public/property.te
index cb839c9..a099e87 100644
--- a/public/property.te
+++ b/public/property.te
@@ -20,6 +20,7 @@
type dhcp_prop, property_type, core_property_type;
type dumpstate_options_prop, property_type;
type dumpstate_prop, property_type, core_property_type;
+type exported_secure_prop, property_type;
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
type firstboot_prop, property_type;
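Review bot: The new `type exported_secure_prop, property_type;` is the only line in the hunk without a comment saying what it is for, and unlike its visible neighbours it is declared without `core_property_type`, which a reader cannot verify as intentional from this file alone. A comment such as `# Security-sensitive read-only properties (ro.secure, ro.adb.secure): readable by every domain, settable only by init.` above it would tie the type to the `get_prop(domain, exported_secure_prop)` and `neverallow { domain -init } exported_secure_prop:property_service set;` rules added to domain.te in this same change. If omitting `core_property_type` is deliberate because the properties are exposed to vendor domains, say so in that comment as well; I am inferring that reason from the `exported_` naming, so confirm it.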
diff --git a/public/property_contexts b/public/property_contexts
index a3702c3..d4d0ab9 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -74,7 +74,6 @@
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-ro.adb.secure u:object_r:exported3_default_prop:s0 exact int
ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
@@ -136,6 +135,7 @@
libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
ro.arch u:object_r:exported2_default_prop:s0 exact string
ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
ro.baseband u:object_r:exported2_default_prop:s0 exact string
@@ -188,6 +188,7 @@
ro.product.name u:object_r:exported2_default_prop:s0 exact string
ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
ro.revision u:object_r:exported2_default_prop:s0 exact string
+ro.secure u:object_r:exported_secure_prop:s0 exact int
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
vold.decrypt u:object_r:exported_vold_prop:s0 exact string
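Review bot: `ro.secure` is added with the `exported_secure_prop` label but, unlike `ro.adb.secure`, no earlier entry for it is removed anywhere in this diff, so either it was previously unlabelled in this file or an older entry survives in a part of the file not shown. Worth confirming which, since a surviving duplicate would leave the effective label dependent on lookup order. If it was previously unlabelled, this change also makes `ro.secure` readable by every domain through the new `get_prop(domain, exported_secure_prop)` rule in domain.te, which is reasonable for a read-only integer flag but should be stated in the description.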