Merge "SELinux policy for on-device signing binary."
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index e07bbf0..5d32e11 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -26,11 +26,6 @@
 	"android/soong/sysprop"
 )
 
-const (
-	coreMode     = "core"
-	recoveryMode = "recovery"
-)
-
 type selinuxContextsProperties struct {
 	// Filenames under sepolicy directories, which will be used to generate contexts file.
 	Srcs []string `android:"path"`
@@ -56,8 +51,6 @@
 
 	// Make this module available when building for recovery
 	Recovery_available *bool
-
-	InRecovery bool `blueprint:"mutated"`
 }
 
 type fileContextsProperties struct {
@@ -93,32 +86,32 @@
 	android.RegisterModuleType("property_contexts", propertyFactory)
 	android.RegisterModuleType("service_contexts", serviceFactory)
 	android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
-
-	android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
-		ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
-	})
-}
-
-func (m *selinuxContextsModule) inRecovery() bool {
-	return m.properties.InRecovery || m.ModuleBase.InstallInRecovery()
-}
-
-func (m *selinuxContextsModule) onlyInRecovery() bool {
-	return m.ModuleBase.InstallInRecovery()
-}
-
-func (m *selinuxContextsModule) InstallInRecovery() bool {
-	return m.inRecovery()
 }
 
 func (m *selinuxContextsModule) InstallInRoot() bool {
-	return m.inRecovery()
+	return m.InRecovery()
+}
+
+func (m *selinuxContextsModule) InstallInRecovery() bool {
+	// ModuleBase.InRecovery() checks the image variant
+	return m.InRecovery()
+}
+
+func (m *selinuxContextsModule) onlyInRecovery() bool {
+	// ModuleBase.InstallInRecovery() checks commonProperties.Recovery property
+	return m.ModuleBase.InstallInRecovery()
 }
 
 func (m *selinuxContextsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
 	if m.deps != nil {
 		m.deps(ctx)
 	}
+
+	if m.InRecovery() && !m.onlyInRecovery() {
+		ctx.AddFarVariationDependencies([]blueprint.Variation{
+			{Mutator: "image", Variation: android.CoreVariation},
+		}, reuseContextsDepTag, ctx.ModuleName())
+	}
 }
 
 func (m *selinuxContextsModule) propertyContextsDeps(ctx android.BottomUpMutatorContext) {
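Review bot: The predicate `m.InRecovery() && !m.onlyInRecovery()` that guards the far-variation dependency in DepsMutator is the same condition GenerateAndroidBuildActions and the AndroidMk callback use in the next two hunks of this file, so "recovery variant that reuses the core variant's contexts" is now spelled out in three places; a one-line helper `func (m *selinuxContextsModule) reusesCoreContexts() bool { return m.InRecovery() && !m.onlyInRecovery() }` would keep them from drifting. The comment on the InstallInRecovery override says what ModuleBase.InRecovery checks but not why the override exists; I would extend it to `// Overrides ModuleBase: install location follows the image variant, not the "recovery" property; use onlyInRecovery() for the property.` The new DepsMutator body also deserves a comment stating that this dependency on the core variation of the same module is what reuseContextsDepTag is resolved against in GenerateAndroidBuildActions.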
@@ -128,14 +121,14 @@
 }
 
 func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
-	if m.inRecovery() {
+	if m.InRecovery() {
 		// Installing context files at the root of the recovery partition
 		m.installPath = android.PathForModuleInstall(ctx)
 	} else {
 		m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
 	}
 
-	if m.inRecovery() && !m.onlyInRecovery() {
+	if m.InRecovery() && !m.onlyInRecovery() {
 		dep := ctx.GetDirectDepWithTag(m.Name(), reuseContextsDepTag)
 
 		if reuseDeps, ok := dep.(*selinuxContextsModule); ok {
@@ -225,7 +218,7 @@
 	return android.AndroidMkData{
 		Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
 			nameSuffix := ""
-			if m.inRecovery() && !m.onlyInRecovery() {
+			if m.InRecovery() && !m.onlyInRecovery() {
 				nameSuffix = ".recovery"
 			}
 			fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
@@ -245,44 +238,38 @@
 	}
 }
 
-func selinuxContextsMutator(ctx android.BottomUpMutatorContext) {
-	m, ok := ctx.Module().(*selinuxContextsModule)
-	if !ok {
-		return
-	}
-
-	var coreVariantNeeded bool = true
-	var recoveryVariantNeeded bool = false
-	if proptools.Bool(m.properties.Recovery_available) {
-		recoveryVariantNeeded = true
-	}
-
-	if m.ModuleBase.InstallInRecovery() {
-		recoveryVariantNeeded = true
-		coreVariantNeeded = false
-	}
-
-	var variants []string
-	if coreVariantNeeded {
-		variants = append(variants, coreMode)
-	}
-	if recoveryVariantNeeded {
-		variants = append(variants, recoveryMode)
-	}
-	mod := ctx.CreateVariations(variants...)
-
-	for i, v := range variants {
-		if v == recoveryMode {
-			m := mod[i].(*selinuxContextsModule)
-			m.properties.InRecovery = true
-
-			if coreVariantNeeded {
-				ctx.AddInterVariantDependency(reuseContextsDepTag, m, mod[i-1])
-			}
-		}
+func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
+	if proptools.Bool(m.properties.Recovery_available) && m.InstallInRecovery() {
+		ctx.PropertyErrorf("recovery_available",
+			"doesn't make sense at the same time as `recovery: true`")
 	}
 }
 
+func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
+	return !m.InstallInRecovery()
+}
+
+func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+	return false
+}
+
+func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+	return false
+}
+
+func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
+	return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
+}
+
+func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
+	return nil
+}
+
+func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, variation string, module android.Module) {
+}
+
+var _ android.ImageInterface = (*selinuxContextsModule)(nil)
+
 func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
 	ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
 
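Review bot: CoreVariantNeeded, RecoveryVariantNeeded and ImageMutatorBegin call `m.InstallInRecovery()`, which this file now overrides to return `m.InRecovery()`, i.e. the image variant; these ImageInterface hooks run before the image mutator has assigned a variant, so the check presumably always reads false, a `recovery: true` module would get a core variant, and the property error could never fire (the call order lives in android.ImageInterface outside this diff, so please confirm). The property check the removed mutator used was `m.ModuleBase.InstallInRecovery()`, which this file still exposes as onlyInRecovery(); the three lines would become `if proptools.Bool(m.properties.Recovery_available) && m.onlyInRecovery() {`, `return !m.onlyInRecovery()` and `return m.onlyInRecovery() || proptools.Bool(m.properties.Recovery_available)`. Each of the exported ImageInterface methods also needs a doc comment starting with its name, e.g. `// CoreVariantNeeded reports whether a non-recovery variant is built; modules with recovery: true get none.`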
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index aff3a0a..cf0fa67 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,7 +228,6 @@
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
-neverallow all_untrusted_apps cgroup_v2:file *;
 
 # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
 # must not use it.
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index edc9aac..6648338 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -85,6 +85,7 @@
     soc_prop
     speech_recognition_service
     sysfs_devices_cs_etm
+    sysfs_dmabuf_stats
     sysfs_uhid
     system_server_dumper_service
     system_suspend_control_internal_service
@@ -95,5 +96,6 @@
     userspace_reboot_metadata_file
     vcn_management_service
     vibrator_manager_service
+    vpnmanager_service
     watchdog_metadata_file
     zygote_config_prop))
diff --git a/private/domain.te b/private/domain.te
index 94bd059..57e93e4 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,10 +54,6 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
-allow domain cgroup_v2:dir search;
-allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
-
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 2b7b228..16f4add 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -51,6 +51,7 @@
 allow dumpstate debugfs_wakeup_sources:file r_file_perms;
 allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
+allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
 dontaudit dumpstate update_engine:binder call;
 
 # Read files in /proc
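Review bot: The added rule grants dumpstate only `sysfs_dmabuf_stats:file r_file_perms`, while the genfs_contexts hunk in this change labels the directory /sys/kernel/dmabuf/buffers with the same type, so listing the per-buffer entries also needs `:dir r_dir_perms` unless dumpstate already holds directory read on sysfs_type somewhere outside this diff. If it does not, `r_dir_file(dumpstate, sysfs_dmabuf_stats)` covers both classes in one line and matches the r_dir_file style used throughout these files. A short comment such as `# Read dmabuf per-buffer stats under /sys/kernel/dmabuf/buffers` would also explain the grant, since the neighbouring lines in this hunk are unrelated.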
diff --git a/private/genfs_contexts b/private/genfs_contexts
index c5baf79..960110f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -154,6 +154,7 @@
 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
 genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
 genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
 genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
diff --git a/private/logpersist.te b/private/logpersist.te
index ab2c9c6..ac324df 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,7 +4,6 @@
 userdebug_or_eng(`
 
   r_dir_file(logpersist, cgroup)
-  r_dir_file(logpersist, cgroup_v2)
 
   allow logpersist misc_logd_file:file create_file_perms;
   allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 4c1d782..4b0218e 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -170,6 +170,9 @@
 # on the Incremental File System.
 allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
 
+# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
+get_prop(priv_app, incremental_prop)
+
 # Required for Phonesky to be able to read APEX files under /data/apex/active/.
 allow priv_app apex_data_file:dir search;
 allow priv_app staging_data_file:file r_file_perms;
@@ -232,7 +235,6 @@
 
 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
-neverallow priv_app cgroup_v2:file *;
 
 # Do not allow loading executable code from non-privileged
 # application home directories. Code loading across a security boundary
diff --git a/private/service_contexts b/private/service_contexts
index 5369b54..3eee0d5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -276,6 +276,7 @@
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
 vold                                      u:object_r:vold_service:s0
+vpnmanager                                u:object_r:vpnmanager_service:s0
 vr_hwc                                    u:object_r:vr_hwc_service:s0
 vrflinger_vsync                           u:object_r:vrflinger_vsync_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8549bd5..37601b9 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,7 +100,6 @@
 allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, cgroup_v2)
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index 8938931..4284835 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -149,7 +149,6 @@
 
 # Settings app writes to /dev/stune/foreground/tasks.
 allow system_app cgroup:file w_file_perms;
-allow system_app cgroup_v2:file w_file_perms;
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index 4eb2d38..abfafa9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -872,7 +872,6 @@
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir { remove_name rmdir };
 
 # /oem access
 r_dir_file(system_server, oemfs)
@@ -951,8 +950,9 @@
 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
-r_dir_file(system_server, cgroup_v2)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
 
 # Access to /dev/dma_heap/system
 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
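Review bot: The new `allow system_server cgroup_v2:dir rw_dir_perms;` does not include `rmdir`, and the earlier hunk in this file (under "Clean up old cgroups") drops the only rule that granted `cgroup_v2:dir { remove_name rmdir }` while keeping the cgroup v1 counterpart; if system_server still removes stale v2 cgroups, that removal is now denied. If dropping it is intended, a comment next to the new rules saying so would stop the next reader from re-adding it; if not, keeping `allow system_server cgroup_v2:dir { remove_name rmdir };` beside the v1 line is the smaller fix. The rw_* grant is also broader than the read-only `r_dir_file` it replaces, so a comment naming which cgroup v2 files system_server writes would document the widening.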
diff --git a/private/zygote.te b/private/zygote.te
index 1a3bcc6..23fed52 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,8 +108,6 @@
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote cgroup_v2:dir create_dir_perms;
-allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
 
 # Allow zygote to stat the files that it opens. The zygote must
@@ -192,10 +190,7 @@
 get_prop(zygote, device_config_window_manager_native_boot_prop)
 
 # ingore spurious denials
-# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
-# done to determine if the file should inherit setgid. In this case, setgid on the file is
-# undesirable, so suppress the denial.
-dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
+dontaudit zygote self:global_capability_class_set sys_resource;
 
 # Ignore spurious denials calling access() on fuse
 # TODO(b/151316657): avoid the denials
diff --git a/public/charger.te b/public/charger.te
index 37359e3..f57853a 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,7 +7,6 @@
 # Read access to pseudo filesystems.
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
 
 # Allow to read /sys/class/power_supply directory
 allow charger sysfs_type:dir r_dir_perms;
diff --git a/public/credstore.te b/public/credstore.te
index a2376d2..db16a8d 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,4 +14,3 @@
 allow credstore dropbox_service:service_manager find;
 
 r_dir_file(credstore, cgroup)
-r_dir_file(credstore, cgroup_v2)
diff --git a/public/dhcp.te b/public/dhcp.te
index 1d875ab..67fd038 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,7 +4,6 @@
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
-allow dhcp cgroup_v2:dir { create write add_name };
 allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
diff --git a/public/domain.te b/public/domain.te
index 7c2e3fe..29b0258 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1320,12 +1320,10 @@
 
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
 dontaudit domain cgroup:file create;
-dontaudit domain cgroup_v2:file create;
 
 # These are only needed in permissive mode - in enforcing mode the
 # directory write check fails and so these are never attempted.
diff --git a/public/drmserver.te b/public/drmserver.te
index eede0fc..a24ad41 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -61,5 +61,4 @@
 selinux_check_access(drmserver)
 
 r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, cgroup_v2)
 r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 45540b3..2c5086f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,7 +134,6 @@
 
 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
-r_dir_file(dumpstate, cgroup_v2)
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
diff --git a/public/file.te b/public/file.te
index 39581c4..0cf465c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -88,6 +88,7 @@
 type sysfs_devices_block, fs_type, sysfs_type;
 type sysfs_dm, fs_type, sysfs_type;
 type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
 type sysfs_dt_firmware_android, fs_type, sysfs_type;
 type sysfs_extcon, fs_type, sysfs_type;
 type sysfs_ion, fs_type, sysfs_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index d48c5f8..7295c24 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -39,4 +39,3 @@
 allow gatekeeperd hardware_properties_service:service_manager find;
 
 r_dir_file(gatekeeperd, cgroup)
-r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index e699a6b..7de6a13 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,10 +16,6 @@
 allow hal_cas cgroup:dir { search write };
 allow hal_cas cgroup:file w_file_perms;
 
-r_dir_file(hal_cas, cgroup_v2)
-allow hal_cas cgroup_v2:dir { search write };
-allow hal_cas cgroup_v2:file w_file_perms;
-
 # Allow access to ion memory allocation device
 allow hal_cas ion_device:chr_file rw_file_perms;
 allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bb1bd91..5987491 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,10 +20,6 @@
 allow hal_drm cgroup:dir { search write };
 allow hal_drm cgroup:file w_file_perms;
 
-r_dir_file(hal_drm, cgroup_v2)
-allow hal_drm cgroup_v2:dir { search write };
-allow hal_drm cgroup_v2:file w_file_perms;
-
 # Allow access to ion memory allocation device
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 444cfda..99b6065 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,7 +14,6 @@
 allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
 
 r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, cgroup_v2)
 r_dir_file(hal_fingerprint, sysfs)
 
 
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index f0cf075..4cb0c5a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,8 +11,6 @@
 allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow hal_telephony_server cgroup:dir create_dir_perms;
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
-allow hal_telephony_server cgroup_v2:dir create_dir_perms;
-allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
 allow hal_telephony_server radio_device:chr_file rw_file_perms;
 allow hal_telephony_server radio_device:blk_file r_file_perms;
 allow hal_telephony_server efs_file:dir create_dir_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 36bcc65..79a0667 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,7 +13,6 @@
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
 allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
 allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index 05acb84..8673846 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,7 +11,6 @@
 allow healthd sysfs:dir r_dir_perms;
 r_dir_file(healthd, rootfs)
 r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
 
 allow healthd self:global_capability_class_set { sys_tty_config };
 allow healthd self:global_capability_class_set sys_boot;
diff --git a/public/init.te b/public/init.te
index e546ece..59e6b4e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,6 +103,7 @@
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
+allow init cgroup_v2:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
@@ -131,8 +132,6 @@
 allow init cgroup_desc_file:file r_file_perms;
 allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
 
 # /config
 allow init configfs:dir mounton;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index b62c06d..c3f4da8 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,4 +13,3 @@
 allow inputflinger input_device:chr_file rw_file_perms;
 
 r_dir_file(inputflinger, cgroup)
-r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index 61c8bce..b9c7b3e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,7 +26,6 @@
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd cgroup_v2:dir create_dir_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/public/keystore.te b/public/keystore.te
index c6e0daa..8c64090 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -23,7 +23,6 @@
 selinux_check_access(keystore)
 
 r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
 
 ###
 ### Neverallow rules
diff --git a/public/lmkd.te b/public/lmkd.te
index de6052d..c9f2e64 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,11 +26,9 @@
 
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
-allow lmkd cgroup_v2:dir { remove_name rmdir };
 
 # Allow to read memcg stats
 allow lmkd cgroup:file r_file_perms;
-allow lmkd cgroup_v2:file r_file_perms;
 
 # Set self to SCHED_FIFO
 allow lmkd self:global_capability_class_set sys_nice;
diff --git a/public/logd.te b/public/logd.te
index 8187179..b0acb14 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,7 +4,6 @@
 
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 06f7928..1f34030 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,7 +20,6 @@
 hal_client_domain(mediaextractor, hal_allocator)
 
 r_dir_file(mediaextractor, cgroup)
-r_dir_file(mediaextractor, cgroup_v2)
 allow mediaextractor proc_meminfo:file r_file_perms;
 
 crash_dump_fallback(mediaextractor)
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 468c0d0..0e56b07 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,7 +12,6 @@
 allow mediametrics system_server:fd use;
 
 r_dir_file(mediametrics, cgroup)
-r_dir_file(mediametrics, cgroup_v2)
 allow mediametrics proc_meminfo:file r_file_perms;
 
 # allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 388001d..d32b9d9 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,7 +9,6 @@
 
 r_dir_file(mediaserver, sdcard_type)
 r_dir_file(mediaserver, cgroup)
-r_dir_file(mediaserver, cgroup_v2)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;
diff --git a/public/performanced.te b/public/performanced.te
index d694fda..7dcb5ea 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,4 +28,3 @@
 
 # Access /dev/cpuset/cpuset.cpus
 r_dir_file(performanced, cgroup)
-r_dir_file(performanced, cgroup_v2)
diff --git a/public/racoon.te b/public/racoon.te
index e4b299e..6888740 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,7 +12,6 @@
 allow racoon tun_device:chr_file r_file_perms;
 allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
 allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
 allow racoon kernel:system module_request;
 
 allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index bb1c919..1ae3770 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,7 +2,6 @@
 type sdcardd_exec, system_file_type, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd cgroup_v2:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
 allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/service.te b/public/service.te
index 34c161f..cf223da 100644
--- a/public/service.te
+++ b/public/service.te
@@ -215,6 +215,7 @@
 type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vpnmanager_service, app_api_service, system_server_service, service_manager_type;
 type vr_manager_service, system_server_service, service_manager_type;
 type wallpaper_service, app_api_service, system_server_service, service_manager_type;
 type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 39ed2f6..1e73e49 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -125,7 +125,6 @@
 allow shell cgroup_desc_file:file r_file_perms;
 allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
-r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 16dca64..685317b 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,8 +16,6 @@
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
 allow vendor_init cgroup:file w_file_perms;
-allow vendor_init cgroup_v2:dir create_dir_perms;
-allow vendor_init cgroup_v2:file w_file_perms;
 
 # /config
 allow vendor_init configfs:dir mounton;
@@ -214,6 +212,9 @@
 # Get file context
 allow vendor_init file_contexts_file:file r_file_perms;
 
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
 set_prop(vendor_init, apk_verity_prop)
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
 set_prop(vendor_init, bluetooth_audio_hal_prop)
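Review bot: `allow vendor_init self:capability sys_nice;` uses the bare `capability` class, whereas every other capability grant visible in this change (zygote, dhcp, hal_telephony_server, hal_wifi_supplicant, healthd, lmkd) goes through `self:global_capability_class_set`, which also covers the cap_userns class; writing `allow vendor_init self:global_capability_class_set sys_nice;` keeps the policy consistent with the rest of the tree. The comment "(re)set nice" does not say what vendor_init renices; I cannot tell from the diff which service path needs it, so please expand it to name the case, e.g. `# vendor_init adjusts the nice value of <service it starts> (sys_nice)`.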