Merge "Add bluetooth classic sysprops"
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index 2be7f88..ada65ae 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -12,3 +12,10 @@
neverallow { domain -bpfdomain } *:bpf *;
allow bpfdomain fs_bpf:dir search;
+
+# genfscon doesn't seem to trigger during symlink creation,
+# and thus any created symlinks end up as 'fs_bpf:lnk_type',
+# however this feels like a kernel bug / missing feature,
+# so let's allow all bpffs_type's instead,
+# this will keep things working even if this is fixed.
+allow bpfdomain bpffs_type:lnk_file read;
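Review bot: The new comment names the label as `fs_bpf:lnk_type`, which is not an object class; it presumably means `fs_bpf:lnk_file`, matching the class used in the rule below it. The rule itself grants `read` on symlinks of every `bpffs_type` to every `bpfdomain`, so any per-type separation applied to bpffs files elsewhere in the policy does not extend to symlinks. Since the comment calls this a workaround for a suspected kernel limitation, a tracking reference would let the rule be narrowed later, e.g. `# TODO(b/<BUG_ID>): restrict to the specific bpffs types once genfscon labels symlinks`.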
diff --git a/private/bpfloader.te b/private/bpfloader.te
index ffb80c5..7c009ec 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,6 +8,7 @@
# These permissions are required to pin ebpf maps & programs.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
+allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
@@ -42,6 +43,9 @@
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
+neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
+
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow {
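Review bot: Nothing in the added neverallows bounds bpfloader itself on `bpffs_type:lnk_file`. The `bpffs_type:file` rule just above applies to all of `domain`, but the new `~read` rule exempts bpfloader, so a later allow could give it `unlink`, `setattr`, `rename` or `relabelfrom` on bpffs symlinks without a build failure. Adding `neverallow domain bpffs_type:lnk_file ~{ create getattr read };` would pin the set to what the first hunk of this file grants. The second added rule also assumes bpfloader carries the `bpfdomain` attribute, which is not visible in this diff. The trailing `neverallow {` statement continues outside the hunk.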
diff --git a/public/domain.te b/public/domain.te
index 8fba442..c0c6699 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -670,6 +670,8 @@
-vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+ -hal_service_type # see app_neverallows.te
+
-apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
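Review bot: The added `-hal_service_type` exempts a whole attribute from this rule's target set, and its comment names only a file, not the rule that replaces the restriction. The enclosing statement starts and ends outside the hunk, so the affected source domains cannot be confirmed from here. If the intent is that app access to HAL services is now constrained solely by app_neverallows.te, the comment should say so, e.g. `-hal_service_type # app access is restricted by the hal_service_type neverallow in app_neverallows.te`. That way a later edit to the other file does not silently remove the only guard.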
diff --git a/tests/searchpolicy.py b/tests/searchpolicy.py
index 9d2c636..79efecf 100644
--- a/tests/searchpolicy.py
+++ b/tests/searchpolicy.py
@@ -78,10 +78,10 @@
for r in TERules:
if len(r.perms) > 1:
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
- " ".join(r.perms) + " };")
+ " ".join(sorted(r.perms)) + " };")
else:
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
- " ".join(r.perms) + ";")
+ " ".join(sorted(r.perms)) + ";")
for r in sorted(rules):
print(r)
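Review bot: Style: `" ".join(sorted(r.perms))` is now written out in both branches, so the sort runs in two places that must stay in step. Computing it once before the `if`, as `perms = " ".join(sorted(r.perms))`, and using `perms` in both `rules.append(...)` calls keeps the deterministic ordering in one spot. The enclosing function starts outside the hunk.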
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 79c55de..e940681 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -18,7 +18,8 @@
import policy
import re
import sys
-import distutils.ccompiler
+
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
#############################################################
# Tests
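Review bot: `SHARED_LIB_EXTENSION` is defined here and again, identically, in tests/treble_sepolicy_tests.py, so the two copies can drift. A single definition in a module both scripts already import would avoid that, possibly `policy`, if it is the right home. The `else` branch also maps every non-darwin host to `.so`. On any other platform the later existence check would exit with "Is this binary corrupted?", which would point at the wrong cause. A comment such as `# libsepolwrap is only built for Linux (.so) and macOS (.dylib) hosts` would record the assumption, if that is indeed the supported set.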
@@ -158,7 +159,7 @@
(options, args) = parser.parse_args()
libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ "libsepolwrap" + SHARED_LIB_EXTENSION)
if not os.path.exists(libpath):
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index a3bf661..64a9e95 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,9 +20,9 @@
from policy import MatchPathPrefix
import re
import sys
-import distutils.ccompiler
DEBUG=False
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
'''
Use file_contexts and policy to verify Treble requirements
@@ -375,7 +375,7 @@
parser.usage)
libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
+ "libsepolwrap" + SHARED_LIB_EXTENSION)
if not os.path.exists(libpath):
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
diff --git a/tools/seamendc.c b/tools/seamendc.c
index 1328afb..2e49c1b 100644
--- a/tools/seamendc.c
+++ b/tools/seamendc.c
@@ -123,6 +123,7 @@
goto parse_err;
}
free(buff);
+ buff = NULL;
}
return SEPOL_OK;