Merge "Allow system_server_startup to load system server odex files"
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
index 32b2594..b923cdb 100644
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@@ -209,4 +209,5 @@
 allow apexd otapreopt_chroot:fd use;
 allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
 allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
 allow apexd proc_filesystems:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/atrace.te b/prebuilts/api/31.0/private/atrace.te
index d4aed40..d9e351c 100644
--- a/prebuilts/api/31.0/private/atrace.te
+++ b/prebuilts/api/31.0/private/atrace.te
@@ -27,15 +27,16 @@
 allow atrace {
   service_manager_type
   -apex_service
-  -incident_service
-  -iorapd_service
-  -netd_service
   -dnsresolver_service
-  -stats_service
   -dumpstate_service
+  -incident_service
   -installd_service
-  -vold_service
+  -iorapd_service
   -lpdump_service
+  -netd_service
+  -stats_service
+  -tracingproxy_service
+  -vold_service
   -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te
@@ -161,6 +161,7 @@
   system_server_service
   app_api_service
   system_api_service
+  -tracingproxy_service
 }:service_manager find;
 
 # Only incidentd can publish the binder service
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 10b8177..239686e 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -90,6 +90,7 @@
   -netd_service
   -system_suspend_control_internal_service
   -system_suspend_control_service
+  -tracingproxy_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
diff --git a/prebuilts/api/31.0/private/traced.te b/prebuilts/api/31.0/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/prebuilts/api/31.0/private/traced.te
+++ b/prebuilts/api/31.0/private/traced.te
@@ -116,3 +116,6 @@
 # Only init is allowed to enter the traced domain via exec()
 neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/private/apexd.te b/private/apexd.te
index 32b2594..b923cdb 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -209,4 +209,5 @@
 allow apexd otapreopt_chroot:fd use;
 allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
 allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
 allow apexd proc_filesystems:file r_file_perms;
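Review bot: The new `allow apexd postinstall_apex_mnt_dir:lnk_file create;` carries no comment saying which postinstall step needs apexd to create symlinks under the postinstall mount point, so a later reader cannot tell whether the grant is still needed or safe to drop. Only `create` is granted; if the same code path later has to read, relabel or remove those links (the sibling `file` rule above grants `relabelfrom`, which hints at relabeling), it will fail with a denial, so the narrow scope should either be confirmed against the apexd postinstall code or documented as intentional. A one-line comment like `# apexd creates symlinks in the postinstall mount dir during APEX postinstall (create only; links are not read back by apexd)` would make the intent checkable; the second half is my inference from the grant and should be verified.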
diff --git a/private/atrace.te b/private/atrace.te
index d4aed40..d9e351c 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -27,15 +27,16 @@
 allow atrace {
   service_manager_type
   -apex_service
-  -incident_service
-  -iorapd_service
-  -netd_service
   -dnsresolver_service
-  -stats_service
   -dumpstate_service
+  -incident_service
   -installd_service
-  -vold_service
+  -iorapd_service
   -lpdump_service
+  -netd_service
+  -stats_service
+  -tracingproxy_service
+  -vold_service
   -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -161,6 +161,7 @@
   system_server_service
   app_api_service
   system_api_service
+  -tracingproxy_service
 }:service_manager find;
 
 # Only incidentd can publish the binder service
diff --git a/private/recovery.te b/private/recovery.te
index 00d7132..bba2a0d 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -43,4 +43,7 @@
   set_prop(recovery, fastbootd_protocol_prop)
 
   get_prop(recovery, recovery_config_prop)
+
+  # Needed to read bootconfig parameters through libfs_mgr
+  allow recovery proc_bootconfig:file r_file_perms;
 ')
diff --git a/private/system_app.te b/private/system_app.te
index 10b8177..239686e 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -90,6 +90,7 @@
   -netd_service
   -system_suspend_control_internal_service
   -system_suspend_control_service
+  -tracingproxy_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
diff --git a/private/traced.te b/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -116,3 +116,6 @@
 # Only init is allowed to enter the traced domain via exec()
 neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
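Review bot: The new neverallow admits `shell` alongside the tracing and dump domains, and `shell` is the adb-reachable debugging domain, so anything driven from `adb shell` can locate `tracingproxy_service`; if the proxy is only meant for Traceur, dumpstate and traced, that exception should be justified in the comment, and if it exists for the perfetto CLI (an inference on my part) say so. The rule only restricts `find`, while the file it sits next to in this change (incidentd.te, "Only incidentd can publish the binder service") also pins who may `add` the service; if system_server is the sole publisher of the proxy, a matching `neverallow { domain -system_server } tracingproxy_service:service_manager add;` would close that side too, but confirm the publishing domain before adding it. I would also expand the comment to name the callers, e.g. `# tracingproxy_service is only for tracing/dump tooling (traced, dumpstate, Traceur) plus shell for debugging; everything else must not even find it.`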
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index e56ab99..9c65e22 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -3,3 +3,6 @@
 hal_attribute_service(hal_keymint, hal_keymint_service)
 hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
 binder_call(hal_keymint_server, servicemanager)
+
+allow hal_keymint tee_device:chr_file rw_file_perms;
+allow hal_keymint ion_device:chr_file r_file_perms;
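Review bot: Both new rules are attached to the `hal_keymint` attribute rather than `hal_keymint_server`, yet only the server implementation has any reason to open the TEE driver read-write; in this policy scheme client domains can also be folded into the `hal_*` attribute (via the HAL client macros, not visible here), in which case every KeyMint client would inherit `tee_device:chr_file rw_file_perms`. Unless passthrough-style client inclusion is required here, scope the grants to the server: `allow hal_keymint_server tee_device:chr_file rw_file_perms;` and `allow hal_keymint_server ion_device:chr_file r_file_perms;`. Either way the rules deserve a why-comment, since a TEE character device is a sensitive target, e.g. `# KeyMint HAL implementations talk to the TEE through tee_device and (read-only) ion_device` — if this mirrors an existing keymaster rule, naming that precedent in the comment helps the next reviewer.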
diff --git a/public/recovery.te b/public/recovery.te
old mode 100644
new mode 100755
index 3649888..33658e8
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -133,6 +133,10 @@
 
   # Allow mounting /metadata for writing update states
   allow recovery metadata_file:dir { getattr mounton };
+
+  # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
+  allow recovery devpts:chr_file rw_file_perms;
+  allow recovery kmsg_device:chr_file { getattr w_file_perms };
 ')
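Review bot: The patch flips public/recovery.te from mode 100644 to 100755 (the `old mode`/`new mode` lines above the index line); a policy source file has no reason to be executable, so this looks like an accidental chmod that should be reverted before merge. The new `allow recovery devpts:chr_file rw_file_perms;` grants read/write on every devpts node, which is wider than the single pty liblogwrap allocates for the fsck child; if the policy cannot narrow by label that is acceptable, but the comment should say so, e.g. `# liblogwrap runs fsck on a pty (openpty), so recovery needs rw on devpts; no finer label is available`. The enclosing m4 block that these rules live in starts outside the hunk, so I could not confirm which build variant it is gated on.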
 
 ###