Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 91acf22c6228d617290b4f50d5988e138403dfe4^2..91acf22c6228d617290b4f50d5988e138403dfe4 / .
commit91acf22c6228d617290b4f50d5988e138403dfe4[log] [tgz]
authorSteven Moreland <smoreland@google.com>Wed Mar 25 17:34:50 2020 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Wed Mar 25 17:34:50 2020 +0000
tree842b3f0bdb9bf13719f397ed8c03df4c684af1c7
parentd8f270ef6e9a3d03ead8c839dbfa4d9d27a13481 [diff]
parente4f0ccf29cd1d5e3d929b05a01c3953ffeb07fdb [diff]
Merge "Add rules for hidl_lazy_test*"
diff --git a/private/adbd.te b/private/adbd.te
index f7504df..cd3d8f3 100644
--- a/private/adbd.te
+++ b/private/adbd.te

@@ -183,6 +183,11 @@
 
 allow adbd rootfs:dir r_dir_perms;
 
+# Allow killing child "perfetto" binary processes, which auto-transition to
+# their own domain. Allows propagating termination of "adb shell perfetto ..."
+# invocations.
+allow adbd perfetto:process signal;
+
 # Allow to pull Perfetto traces.
 allow adbd perfetto_traces_data_file:file r_file_perms;
 allow adbd perfetto_traces_data_file:dir r_dir_perms;

diff --git a/private/perfetto.te b/private/perfetto.te
index 2183b6d..58cfae8 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te

@@ -50,6 +50,14 @@
   binder_call(perfetto, incidentd)
 ');
 
+# perfetto log formatter calls isatty() on its stderr. Denial when running
+# under adbd is harmless. Avoid generating denial logs.
+dontaudit perfetto adbd:unix_stream_socket getattr;
+dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
+# As above, when adbd is running in "su" domain (only the ioctl is denied in
+# practice).
+dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
+
 ###
 ### Neverallow rules
 ###

diff --git a/vendor/file_contexts b/vendor/file_contexts
index 213ba05..4fdc737 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -25,7 +25,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service            u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy       u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example      u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service   u:object_r:hal_gnss_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0