Merge "Add sepolicy for resolver service"
diff --git a/Android.bp b/Android.bp
index 545cc80..eeb6f6c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -33,6 +33,27 @@
],
}
+se_filegroup {
+ name: "26.0.board.ignore.map",
+ srcs: [
+ "compat/26.0/26.0.ignore.cil",
+ ],
+}
+
+se_filegroup {
+ name: "27.0.board.ignore.map",
+ srcs: [
+ "compat/27.0/27.0.ignore.cil",
+ ],
+}
+
+se_filegroup {
+ name: "28.0.board.ignore.map",
+ srcs: [
+ "compat/28.0/28.0.ignore.cil",
+ ],
+}
+
se_cil_compat_map {
name: "26.0.cil",
bottom_half: [":26.0.board.compat.map"],
@@ -53,18 +74,18 @@
se_cil_compat_map {
name: "26.0.ignore.cil",
- bottom_half: ["private/compat/26.0/26.0.ignore.cil"],
+ bottom_half: [":26.0.board.ignore.map"],
top_half: "27.0.ignore.cil",
}
se_cil_compat_map {
name: "27.0.ignore.cil",
- bottom_half: ["private/compat/27.0/27.0.ignore.cil"],
+ bottom_half: [":27.0.board.ignore.map"],
top_half: "28.0.ignore.cil",
}
se_cil_compat_map {
name: "28.0.ignore.cil",
- bottom_half: ["private/compat/28.0/28.0.ignore.cil"],
+ bottom_half: [":28.0.board.ignore.map"],
// top_half: "29.0.ignore.cil",
}
diff --git a/apex/com.android.media.swcodec-file_contexts b/apex/com.android.media.swcodec-file_contexts
index f6b21da..b718121 100644
--- a/apex/com.android.media.swcodec-file_contexts
+++ b/apex/com.android.media.swcodec-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index cc3502b..18604bc 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1538,6 +1538,7 @@
(typeattributeset swap_block_device_28_0 (swap_block_device))
(typeattributeset sysfs_28_0
( sysfs
+ sysfs_devices_block
sysfs_extcon
sysfs_loop))
(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
diff --git a/private/crash_dump.te b/private/crash_dump.te
index fd2e4b6..4c0aa18 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -18,7 +18,7 @@
-vold
}:process { ptrace signal sigchld sigstop sigkill };
userdebug_or_eng(`
- allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
')
###
@@ -29,6 +29,8 @@
# files, so we avoid adding redundant assertions here
neverallow crash_dump {
+ apexd
+ userdebug_or_eng(`-apexd')
bpfloader
init
kernel
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8700dc0..9eeb43a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -111,6 +111,7 @@
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
diff --git a/public/apexd.te b/public/apexd.te
index f990879..3957ed6 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -9,7 +9,7 @@
neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server } apexd:binder call;
-neverallow domain apexd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
# only apexd can set apexd sysprop
neverallow { domain -apexd -init } apexd_prop:property_service set;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3e18b5d..0bd6f83 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -92,6 +92,7 @@
allow dumpstate sysfs_type:dir r_dir_perms;
allow dumpstate {
+ sysfs_devices_block
sysfs_dm
sysfs_loop
sysfs_usb
@@ -102,6 +103,8 @@
allow dumpstate debugfs:file r_file_perms;
auditallow dumpstate debugfs:file r_file_perms;
+allow dumpstate debugfs_mmc:file r_file_perms;
+
# df for
allow dumpstate {
block_device
diff --git a/public/file.te b/public/file.te
index bdcaae7..514f23d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -73,6 +73,7 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index e1739c2..dc46d07 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -35,4 +35,7 @@
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
+
r_dir_file(gatekeeperd, cgroup)
diff --git a/public/hal_health.te b/public/hal_health.te
index 76efdef..019b523 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -22,3 +22,6 @@
# Write to /dev/kmsg
allow hal_health_server kmsg_device:chr_file w_file_perms;
+
+# Allow to use timerfd to wake itself up periodically to send health info.
+allow hal_health_server self:capability2 wake_alarm;
diff --git a/public/property_contexts b/public/property_contexts
index bea017a..701b98d 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -344,6 +344,7 @@
wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
wifi.interface u:object_r:exported_default_prop:s0 exact string
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
# public-readable
ro.boot.revision u:object_r:exported2_default_prop:s0 exact string