Merge "sepolicy: Allow lmkd access to psi procfs nodes"
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
new file mode 100644
index 0000000..14feee6
--- /dev/null
+++ b/private/art_apex_boot_integrity.te
@@ -0,0 +1,34 @@
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type art_apex_boot_integrity, domain, coredomain;
+type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# art_apex_boot_integrity to occur.
+init_daemon_domain(art_apex_boot_integrity)
+
+# Read dalvik cache directories, remove entries.
+allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
+# Read and possibly delete dalvik cache files.
+allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
+
+# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
+allow art_apex_boot_integrity shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
+# permissions.
+allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_boot_integrity system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_boot_integrity ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_boot_integrity kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+ allow art_apex_boot_integrity su:key search;
+')
diff --git a/private/domain.te b/private/domain.te
index 3b340c5..d6b233f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -221,6 +221,7 @@
-dex2oat
-otapreopt_slot
-art_apex_postinstall
+ -art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -232,6 +233,7 @@
-dex2oat
-zygote
-otapreopt_slot
+ -art_apex_boot_integrity
-art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
diff --git a/private/file_contexts b/private/file_contexts
index 9625acc..f81f399 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,6 +238,7 @@
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
+/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
index c81a17c..53dbfce 100644
--- a/private/mini_keyctl.te
+++ b/private/mini_keyctl.te
@@ -8,7 +8,7 @@
# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
dontaudit mini-keyctl init:key view;
dontaudit mini-keyctl vold:key view;
-allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl kernel:key { view search write setattr };
allow mini-keyctl mini-keyctl:key { view search write };
# When kernel requests an algorithm, the crypto API first looks for an
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 8aa475e..689ff5c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -66,8 +66,9 @@
proc_stat
}:file r_file_perms;
-# Allow access to the IHealth HAL service for tracing battery counters.
+# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
+hal_client_domain(traced_probes, hal_power_stats)
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
diff --git a/public/vold.te b/public/vold.te
index ace733f..cb21b83 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -9,11 +9,14 @@
r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
# XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
-allow vold sysfs_loop:file w_file_perms; # writing to /sys/block/loop*/uevent during coldboot.
-allow vold sysfs_dm:file w_file_perms;
-allow vold sysfs_usb:file w_file_perms;
-allow vold sysfs_zram_uevent:file w_file_perms;
+allow vold {
+ sysfs # writing to /sys/*/uevent during coldboot.
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
+ sysfs_usb
+ sysfs_zram_uevent
+}:file w_file_perms;
r_dir_file(vold, rootfs)
r_dir_file(vold, metadata_file)