Merge "Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy""
diff --git a/METADATA b/METADATA
index 313792c..cdcfa70 100644
--- a/METADATA
+++ b/METADATA
@@ -1,3 +1,6 @@
third_party {
- license_type: UNENCUMBERED
+ # would be UNENCUMBERED save for
+ # tests/combine_maps.py
+ # build/soong/
+ license_type: NOTICE
}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index e07bbf0..5d32e11 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -26,11 +26,6 @@
"android/soong/sysprop"
)
-const (
- coreMode = "core"
- recoveryMode = "recovery"
-)
-
type selinuxContextsProperties struct {
// Filenames under sepolicy directories, which will be used to generate contexts file.
Srcs []string `android:"path"`
@@ -56,8 +51,6 @@
// Make this module available when building for recovery
Recovery_available *bool
-
- InRecovery bool `blueprint:"mutated"`
}
type fileContextsProperties struct {
@@ -93,32 +86,32 @@
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
-
- android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
- ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
- })
-}
-
-func (m *selinuxContextsModule) inRecovery() bool {
- return m.properties.InRecovery || m.ModuleBase.InstallInRecovery()
-}
-
-func (m *selinuxContextsModule) onlyInRecovery() bool {
- return m.ModuleBase.InstallInRecovery()
-}
-
-func (m *selinuxContextsModule) InstallInRecovery() bool {
- return m.inRecovery()
}
func (m *selinuxContextsModule) InstallInRoot() bool {
- return m.inRecovery()
+ return m.InRecovery()
+}
+
+func (m *selinuxContextsModule) InstallInRecovery() bool {
+ // ModuleBase.InRecovery() checks the image variant
+ return m.InRecovery()
+}
+
+func (m *selinuxContextsModule) onlyInRecovery() bool {
+ // ModuleBase.InstallInRecovery() checks commonProperties.Recovery property
+ return m.ModuleBase.InstallInRecovery()
}
func (m *selinuxContextsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
if m.deps != nil {
m.deps(ctx)
}
+
+ if m.InRecovery() && !m.onlyInRecovery() {
+ ctx.AddFarVariationDependencies([]blueprint.Variation{
+ {Mutator: "image", Variation: android.CoreVariation},
+ }, reuseContextsDepTag, ctx.ModuleName())
+ }
}
func (m *selinuxContextsModule) propertyContextsDeps(ctx android.BottomUpMutatorContext) {
@@ -128,14 +121,14 @@
}
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if m.inRecovery() {
+ if m.InRecovery() {
// Installing context files at the root of the recovery partition
m.installPath = android.PathForModuleInstall(ctx)
} else {
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
}
- if m.inRecovery() && !m.onlyInRecovery() {
+ if m.InRecovery() && !m.onlyInRecovery() {
dep := ctx.GetDirectDepWithTag(m.Name(), reuseContextsDepTag)
if reuseDeps, ok := dep.(*selinuxContextsModule); ok {
@@ -225,7 +218,7 @@
return android.AndroidMkData{
Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
nameSuffix := ""
- if m.inRecovery() && !m.onlyInRecovery() {
+ if m.InRecovery() && !m.onlyInRecovery() {
nameSuffix = ".recovery"
}
fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
@@ -245,44 +238,38 @@
}
}
-func selinuxContextsMutator(ctx android.BottomUpMutatorContext) {
- m, ok := ctx.Module().(*selinuxContextsModule)
- if !ok {
- return
- }
-
- var coreVariantNeeded bool = true
- var recoveryVariantNeeded bool = false
- if proptools.Bool(m.properties.Recovery_available) {
- recoveryVariantNeeded = true
- }
-
- if m.ModuleBase.InstallInRecovery() {
- recoveryVariantNeeded = true
- coreVariantNeeded = false
- }
-
- var variants []string
- if coreVariantNeeded {
- variants = append(variants, coreMode)
- }
- if recoveryVariantNeeded {
- variants = append(variants, recoveryMode)
- }
- mod := ctx.CreateVariations(variants...)
-
- for i, v := range variants {
- if v == recoveryMode {
- m := mod[i].(*selinuxContextsModule)
- m.properties.InRecovery = true
-
- if coreVariantNeeded {
- ctx.AddInterVariantDependency(reuseContextsDepTag, m, mod[i-1])
- }
- }
+func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+ if proptools.Bool(m.properties.Recovery_available) && m.InstallInRecovery() {
+ ctx.PropertyErrorf("recovery_available",
+ "doesn't make sense at the same time as `recovery: true`")
}
}
+func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+ return !m.InstallInRecovery()
+}
+
+func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
+func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+ return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
+}
+
+func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+ return nil
+}
+
+func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, variation string, module android.Module) {
+}
+
+var _ android.ImageInterface = (*selinuxContextsModule)(nil)
+
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 8340c76..fb0fa44 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1914,7 +1914,9 @@
(typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file))
(typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file))
(typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_29_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_29_0
+ ( vendor_public_framework_file
+ vendor_public_lib_file))
(typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop))
(typeattributeset vendor_shell_29_0 (vendor_shell))
(typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index a2ae272..3830fc0 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2185,7 +2185,9 @@
(typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer))
(typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec))
(typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_30_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_30_0
+ ( vendor_public_framework_file
+ vendor_public_lib_file))
(typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop))
(typeattributeset vendor_shell_30_0 (vendor_shell))
(typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 9db6e48..f572667 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -12,6 +12,7 @@
apex_art_staging_data_file
apex_info_file
app_hibernation_service
+ appcompat_data_file
arm64_memtag_prop
authorization_service
cgroup_desc_api_file
@@ -78,8 +79,10 @@
snapuserd
snapuserd_exec
snapuserd_socket
+ soc_prop
speech_recognition_service
sysfs_devices_cs_etm
+ sysfs_dmabuf_stats
sysfs_uhid
system_server_dumper_service
system_suspend_control_internal_service
@@ -90,5 +93,6 @@
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
+ vpnmanager_service
watchdog_metadata_file
zygote_config_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index 4209ac7..de9b953 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -164,6 +164,7 @@
-dumpstate
-gpuservice
-init
+ -traced_perf
-traced_probes
-shell
-system_server
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 27e4b0c..b71ede7 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -47,6 +47,10 @@
allow dex2oat apex_art_data_file:dir r_dir_perms;
allow dex2oat apex_art_data_file:file r_file_perms;
+# Allow dex2oat to read runtime native flag properties.
+get_prop(dex2oat, device_config_runtime_native_prop)
+get_prop(dex2oat, device_config_runtime_native_boot_prop)
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/domain.te b/private/domain.te
index 062a51e..982031a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -467,6 +467,7 @@
-vendor_keychars_file
-vendor_keylayout_file
-vendor_overlay_file
+ -vendor_public_framework_file
-vendor_public_lib_file
-vendor_task_profiles_file
-vndk_sp_file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 2b7b228..16f4add 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -51,6 +51,7 @@
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
+allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
dontaudit dumpstate update_engine:binder call;
# Read files in /proc
diff --git a/private/file_contexts b/private/file_contexts
index 89c67fc..1e16169 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -561,6 +561,7 @@
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
+/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index c5baf79..960110f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -154,6 +154,7 @@
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
diff --git a/private/gsid.te b/private/gsid.te
index fe1d08e..a0b74b6 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -64,10 +64,11 @@
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
+allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
-allow gsid vfat:dir rw_dir_perms;
+allow gsid vfat:dir create_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
diff --git a/private/kernel.te b/private/kernel.te
index 70ca912..5341163 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -30,3 +30,4 @@
allow kernel snapuserd_exec:file relabelto;
allow kernel kmsg_device:chr_file write;
+allow kernel gsid:fd use;
diff --git a/private/netd.te b/private/netd.te
index 27663d3..670a4bf 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -20,6 +20,7 @@
set_prop(netd, ctl_mdnsd_prop)
set_prop(netd, netd_stable_secret_prop)
+get_prop(netd, adbd_config_prop)
get_prop(netd, bpf_progs_loaded_prop)
get_prop(netd, hwservicemanager_prop)
get_prop(netd, device_config_netd_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 6b2b883..5b832dc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1067,6 +1067,11 @@
partition.product.verified u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
@@ -1097,3 +1102,7 @@
db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
+
+# SOC related props
+ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
+ro.soc.model u:object_r:soc_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index 5369b54..3eee0d5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -276,6 +276,7 @@
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
+vpnmanager u:object_r:vpnmanager_service:s0
vr_hwc u:object_r:vr_hwc_service:s0
vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
diff --git a/private/shell.te b/private/shell.te
index e6038b1..0cdf43d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -174,3 +174,6 @@
# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
+
+# Allow shell to read the dm-verity props on user builds.
+get_prop(shell, verity_status_prop)
diff --git a/private/system_server.te b/private/system_server.te
index 6767cd1..abfafa9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -500,6 +500,10 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
+# Manage /data/misc/appcompat.
+allow system_server appcompat_data_file:dir rw_dir_perms;
+allow system_server appcompat_data_file:file create_file_perms;
+
# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index e5760f0..96a7263 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -38,6 +38,14 @@
userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
allow traced_perf proc_kallsyms:file r_file_perms;
+# Allow reading tracefs files to get the format and numeric ids of tracepoints.
+allow traced_perf debugfs_tracing:dir r_dir_perms;
+allow traced_perf debugfs_tracing:file r_file_perms;
+userdebug_or_eng(`
+ allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
+ allow traced_perf debugfs_tracing_debug:file r_file_perms;
+')
+
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
@@ -51,7 +59,7 @@
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
# Never allow profiling highly privileged processes.
-never_profile_heap(`{
+never_profile_perf(`{
bpfloader
init
kernel
diff --git a/public/app.te b/public/app.te
index 5eb20d8..39d67af 100644
--- a/public/app.te
+++ b/public/app.te
@@ -120,8 +120,8 @@
r_dir_file(appdomain, vendor_framework_file)
# Allow apps read / execute access to vendor public libraries.
-allow appdomain vendor_public_lib_file:dir r_dir_perms;
-allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 2bb104a..c512b45 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -21,6 +21,9 @@
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 3f33b5b..29b0258 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -118,6 +118,7 @@
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
@@ -986,6 +987,7 @@
-same_process_hal_file
-vndk_sp_file
-vendor_app_file
+ -vendor_public_framework_file
-vendor_public_lib_file
}:file execute;
')
@@ -1346,7 +1348,7 @@
neverallow {
coredomain
-appdomain
- } vendor_public_lib_file:file { execute execute_no_trans };
+ } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')
# Vendor domian must not have access to /mnt/product.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 10c0302..2c5086f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -342,6 +342,26 @@
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;
+binder_call(dumpstate, hal_authsecret_server)
+allow hal_authsecret_server dumpstate:fifo_file write;
+allow hal_authsecret_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_keymint_server)
+allow hal_keymint_server dumpstate:fifo_file write;
+allow hal_keymint_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_memtrack_server)
+allow hal_memtrack_server dumpstate:fifo_file write;
+allow hal_memtrack_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_oemlock_server)
+allow hal_oemlock_server dumpstate:fifo_file write;
+allow hal_oemlock_server dumpstate:fd use;
+
+binder_call(dumpstate, hal_weaver_server)
+allow hal_weaver_server dumpstate:fifo_file write;
+allow hal_weaver_server dumpstate:fd use;
+
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index dceb96e..0cf465c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -88,6 +88,7 @@
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
@@ -224,6 +225,9 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
+# Type for all vendor public libraries for system. These libs should only be exposed to
+# system. ABI stability of these libs is vendor's responsibility.
+type vendor_public_framework_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -377,6 +381,7 @@
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
+type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/public/property.te b/public/property.te
index 151983f..37884f0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -141,6 +141,7 @@
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
system_vendor_config_prop(sendbug_config_prop)
+system_vendor_config_prop(soc_prop)
system_vendor_config_prop(storage_config_prop)
system_vendor_config_prop(storagemanager_config_prop)
system_vendor_config_prop(surfaceflinger_prop)
diff --git a/public/service.te b/public/service.te
index 87d9bcd..cf223da 100644
--- a/public/service.te
+++ b/public/service.te
@@ -90,7 +90,7 @@
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, system_api_service, system_server_service, service_manager_type;
+type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -215,6 +215,7 @@
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vpnmanager_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0bdf632..685317b 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -212,6 +212,9 @@
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
@@ -233,6 +236,7 @@
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, soc_prop)
set_prop(vendor_init, surfaceflinger_color_prop)
set_prop(vendor_init, usb_control_prop)
set_prop(vendor_init, userspace_reboot_config_prop)