Merge "sepolicy: add sepolicy rules for vold to write sysfs gc_urgent"
diff --git a/private/atrace.te b/private/atrace.te
index 7979fa1..0cdd35a 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -45,6 +45,7 @@
-dumpstate_service
-installd_service
-vold_service
+ -lpdump_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 40a001f..f4e2cd4 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -84,6 +84,10 @@
llkd_prop
llkd_tmpfs
looper_stats_service
+ lpdumpd
+ lpdumpd_exec
+ lpdumpd_prop
+ lpdump_service
iorapd
iorapd_exec
iorapd_data_file
@@ -109,6 +113,7 @@
runas_app
runas_app_tmpfs
runtime_service
+ sdcard_block_device
sensor_privacy_service
server_configurable_flags_data_file
simpleperf_app_runner
diff --git a/private/coredomain.te b/private/coredomain.te
index ebad8e7..169f6b2 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -58,6 +58,7 @@
-idmap
-init
-installd
+ -postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-app_zygote
@@ -74,6 +75,7 @@
-idmap
-init
-installd
+ -postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-app_zygote
diff --git a/private/domain.te b/private/domain.te
index 137d5f2..037a7d5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -76,7 +76,7 @@
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain mini-keyctl:key search;
+allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
@@ -297,3 +297,18 @@
-vold
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain')
+ -kernel
+ -gsid
+ -init
+ -recovery
+ -ueventd
+ -healthd
+ -uncrypt
+ -tee
+ -hal_bootctl_server
+} self:global_capability_class_set sys_rawio;
diff --git a/private/file_contexts b/private/file_contexts
index a3723e2..b913e94 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,7 +191,9 @@
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/init u:object_r:init_exec:s0
-/system/bin/mini-keyctl -- u:object_r:mini-keyctl_exec:s0
+# TODO(/123600489): merge mini-keyctl into toybox
+/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
+/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
@@ -262,6 +264,7 @@
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
new file mode 100644
index 0000000..c6a5edd
--- /dev/null
+++ b/private/fsverity_init.te
@@ -0,0 +1,25 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow this shell script to run and execute toybox
+allow fsverity_init shell_exec:file rx_file_perms;
+allow fsverity_init toolbox_exec:file rx_file_perms;
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit fsverity_init init:key view;
+dontaudit fsverity_init vold:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow fsverity_init proc_fs_verity:file w_file_perms;
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index def17aa..656c2e3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -245,7 +245,7 @@
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
@@ -261,19 +261,19 @@
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/gsid.te b/private/gsid.te
index 62ac06b..5dcf746 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -22,17 +22,39 @@
# file names.
allow gsid sysfs_dm:dir r_dir_perms;
+# Needed to read fstab, which is used to validate that system verity does not
+# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
+# to get the A/B slot suffix).
+allow gsid proc_cmdline:file r_file_perms;
+allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
+allow gsid sysfs_dt_firmware_android:file r_file_perms;
+
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;
# liblp queries these block alignment properties.
-allowxperm gsid userdata_block_device:blk_file ioctl {
+allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
BLKIOMIN
BLKALIGNOFF
};
+# When installing images to an sdcard, gsid needs to be able to stat() the
+# block device. gsid also calls realpath() to remove symlinks.
+allow gsid mnt_media_rw_file:dir r_dir_perms;
+
+# When installing images to an sdcard, gsid must bypass sdcardfs and install
+# directly to vfat, which supports the FIBMAP ioctl.
+allow gsid vfat:dir rw_dir_perms;
+allow gsid vfat:file create_file_perms;
+allow gsid sdcard_block_device:blk_file r_file_perms;
+# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
+# requirement, but the kernel does not implement FIEMAP support for VFAT.
+allow gsid self:global_capability_class_set sys_rawio;
+
# gsi_tool passes the system image over the adb connection, via stdin.
allow gsid adbd:fd use;
+# Needed when running gsi_tool through "su root" rather than adb root.
+allow gsid adbd:unix_stream_socket rw_socket_perms;
neverallow { domain -gsid -init } gsid_prop:property_service set;
diff --git a/private/incidentd.te b/private/incidentd.te
index ad6fbf3..6f10955 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -151,6 +151,7 @@
-dumpstate
-incident
-incidentd
+ -priv_app
-statsd
-system_app
-system_server
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
new file mode 100644
index 0000000..9acd22b
--- /dev/null
+++ b/private/lpdumpd.te
@@ -0,0 +1,45 @@
+type lpdumpd, domain, coredomain;
+type lpdumpd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(lpdumpd)
+
+# Allow lpdumpd to register itself as a service.
+binder_use(lpdumpd)
+add_service(lpdumpd, lpdump_service)
+
+# Allow lpdumpd to find the super partition block device.
+allow lpdumpd block_device:dir r_dir_perms;
+
+# Allow lpdumpd to read super partition metadata. This may live on
+# super_block_device, or system_block_device (on retrofit devices).
+allow lpdumpd {
+ super_block_device
+ system_block_device
+}:blk_file r_file_perms;
+
+# Allow lpdumpd to read fstab.
+allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
+allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
+
+# Triggered when lpdumpd tries to read default fstab.
+dontaudit lpdumpd metadata_file:dir r_dir_perms;
+dontaudit lpdumpd metadata_file:file r_file_perms;
+dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
+dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
+
+### Neverallow rules
+
+# Disallow other domains to get lpdump_service and call lpdumpd.
+neverallow {
+ domain
+ -dumpstate
+ -lpdumpd
+ -shell
+} lpdump_service:service_manager find;
+
+neverallow {
+ domain
+ -dumpstate
+ -lpdumpd
+ -shell
+} lpdumpd:binder call;
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
deleted file mode 100644
index 53dbfce..0000000
--- a/private/mini_keyctl.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type mini-keyctl, domain, coredomain;
-type mini-keyctl_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(mini-keyctl)
-
-allow mini-keyctl proc_keys:file r_file_perms;
-
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit mini-keyctl init:key view;
-dontaudit mini-keyctl vold:key view;
-allow mini-keyctl kernel:key { view search write setattr };
-allow mini-keyctl mini-keyctl:key { view search write };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit mini-keyctl kernel:system module_request;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index efde869..e2bc33e 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -11,6 +11,9 @@
# APEX packages in /postinstall/apex.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# This is required for dynamic partitions.
+allow otapreopt_chroot dm_device:chr_file rw_file_perms;
+
# This is required to unmount flattened APEX packages under
# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
allow otapreopt_chroot postinstall_file:filesystem unmount;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index a463cb6..fd370c2 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -32,6 +32,8 @@
r_dir_file(postinstall_dexopt, apk_data_file)
# Read vendor app data (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_app_file)
+# Read vendor overlay files (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_overlay_file)
# Access to app oat directory.
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
diff --git a/private/priv_app.te b/private/priv_app.te
index 004908c..c5251a9 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -152,6 +152,12 @@
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)
+# Allow priv_apps to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow priv_app incident_service:service_manager find;
+binder_call(priv_app, incidentd)
+allow priv_app incidentd:fifo_file { read write };
+
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
can_profile_heap(priv_app)
diff --git a/private/property_contexts b/private/property_contexts
index 3261014..3622d12 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -23,6 +23,7 @@
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
+sys.lpdumpd u:object_r:lpdumpd_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
sys.usb.ffs. u:object_r:ffs_prop:s0
service. u:object_r:system_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 7ee4827..de56972 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -103,6 +103,7 @@
location u:object_r:location_service:s0
lock_settings u:object_r:lock_settings_service:s0
looper_stats u:object_r:looper_stats_service:s0
+lpdump_service u:object_r:lpdump_service:s0
media.aaudio u:object_r:audioserver_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
diff --git a/private/shell.te b/private/shell.te
index 0d1cf03..02b01f5 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -70,3 +70,7 @@
# Renderscript host side tests depend on being able to execute
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;
+
+# Allow shell to start and comminicate with lpdumpd.
+set_prop(shell, lpdumpd_prop);
+binder_call(shell, lpdumpd)
diff --git a/private/system_app.te b/private/system_app.te
index 9a5e455..05831a3 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -80,6 +80,7 @@
-installd_service
-iorapd_service
-ipmemorystore_service
+ -lpdump_service
-netd_service
-system_suspend_control_service
-virtual_touchpad_service
diff --git a/private/system_server.te b/private/system_server.te
index ab4a07c..8fff848 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -412,6 +412,10 @@
allow system_server su:fifo_file append;
')
+# Allow system_server to read pipes from incidentd (used to deliver incident reports
+# to dropbox)
+allow system_server incidentd:fifo_file read;
+
# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
diff --git a/private/system_suspend.te b/private/system_suspend.te
index e93a73d..961cd67 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,6 +10,11 @@
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
+# TODO(b/128923994): remove once all debugging info moves to SystemSuspend.
+# Access to /sys/power/{ wake_lock, wake_unlock } suspend blocker interface.
+allow system_suspend self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/zygote.te b/private/zygote.te
index bfb45f5..759fc34 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -103,6 +103,9 @@
allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
+# Allow zygote to expand app files while preloading libraries
+allow zygote mnt_expand_file:dir getattr;
+
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
diff --git a/public/attributes b/public/attributes
index 4cae0ff..dbb9356 100644
--- a/public/attributes
+++ b/public/attributes
@@ -308,3 +308,6 @@
attribute mediaswcodec_server;
attribute system_suspend_server;
attribute camera_service_server;
+
+# All types used for super partition block devices.
+attribute super_block_device_type;
diff --git a/public/device.te b/public/device.te
index 57b0503..e20a68b 100644
--- a/public/device.te
+++ b/public/device.te
@@ -104,4 +104,9 @@
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, dev_type;
+type super_block_device, super_block_device_type, dev_type;
+
+# sdcard devices; normally vold uses the vold_block_device label and creates a
+# separate device node. gsid, however, accesses the original devide node
+# created through uevents, so we use a separate label.
+type sdcard_block_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 8331d2d..5a964c9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -349,20 +349,6 @@
-vold
} self:global_capability_class_set mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
-neverallow {
- domain
- userdebug_or_eng(`-domain')
- -kernel
- -init
- -recovery
- -ueventd
- -healthd
- -uncrypt
- -tee
- -hal_bootctl_server
-} self:global_capability_class_set sys_rawio;
-
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;
@@ -643,6 +629,11 @@
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
')
+
+# libcutils can probe for /dev/binder permissions with access(). Ignore
+# generated denials. See b/129073672 for details.
+dontaudit domain binder_device:chr_file audit_access;
+
full_treble_only(`
neverallow {
domain
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 7b71c2c..d63af83 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -16,7 +16,7 @@
allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
# Log to serial
- allow fastbootd kmsg_device:chr_file { open write };
+ allow fastbootd kmsg_device:chr_file { open getattr write };
# battery info
allow fastbootd sysfs_batteryinfo:file r_file_perms;
diff --git a/public/hal_health.te b/public/hal_health.te
index 019b523..dc7d083 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -21,7 +21,7 @@
wakelock_use(hal_health_server)
# Write to /dev/kmsg
-allow hal_health_server kmsg_device:chr_file w_file_perms;
+allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
# Allow to use timerfd to wake itself up periodically to send health info.
allow hal_health_server self:capability2 wake_alarm;
diff --git a/public/init.te b/public/init.te
index f5f42e7..6cbb164 100644
--- a/public/init.te
+++ b/public/init.te
@@ -11,7 +11,7 @@
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { write relabelto };
+allow init kmsg_device:chr_file { getattr write relabelto };
# /dev/kmsg_debug
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { write relabelto };
@@ -529,9 +529,6 @@
# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow init proc_fs_verity:file w_file_perms;
-
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
diff --git a/public/logd.te b/public/logd.te
index 6aac302..0cbefb4 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -11,7 +11,7 @@
allow logd self:global_capability2_class_set syslog;
allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file w_file_perms;
+allow logd kmsg_device:chr_file { getattr w_file_perms };
allow logd system_data_file:{ file lnk_file } r_file_perms;
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index ee2d2ec..77aefe1 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -127,6 +127,9 @@
allow mediaserver system_server:fd use;
+# b/120491318 allow mediaserver to access void:fd
+allow mediaserver vold:fd use;
+
hal_client_domain(mediaserver, hal_allocator)
###
diff --git a/public/property.te b/public/property.te
index 044e5eb..473baa2 100644
--- a/public/property.te
+++ b/public/property.te
@@ -58,6 +58,7 @@
type log_prop, property_type, log_property_type;
type log_tag_prop, property_type, log_property_type;
type lowpan_prop, property_type;
+type lpdumpd_prop, property_type;
type mmc_prop, property_type;
type net_dns_prop, property_type;
type net_radio_prop, property_type, core_property_type;
@@ -430,6 +431,7 @@
-logd_prop
-logpersistd_logging_prop
-lowpan_prop
+ -lpdumpd_prop
-mmc_prop
-net_dns_prop
-net_radio_prop
diff --git a/public/service.te b/public/service.te
index 852e3df..a6385b8 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,6 +16,7 @@
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type keystore_service, service_manager_type;
+type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
@@ -130,7 +131,7 @@
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type package_native_service, system_server_service, service_manager_type;
+type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 7ded147..4dea890 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -14,6 +14,7 @@
-installd_service
-ipmemorystore_service
-iorapd_service
+ -lpdump_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/update_engine.te b/public/update_engine.te
index 6521726..7bcaca6 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -13,7 +13,7 @@
# denial.
dontaudit update_engine self:global_capability_class_set fsetid;
-allow update_engine kmsg_device:chr_file w_file_perms;
+allow update_engine kmsg_device:chr_file { getattr w_file_perms };
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 0a9090c..8d40cdd 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -22,7 +22,7 @@
allow update_verifier dm_device:blk_file r_file_perms;
# Write to kernel message.
-allow update_verifier kmsg_device:chr_file w_file_perms;
+allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
# Allow update_verifier to reboot the device.
set_prop(update_verifier, powerctl_prop)
diff --git a/public/vdc.te b/public/vdc.te
index b59dcf6..e638e50 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -12,7 +12,7 @@
allow vdc devpts:chr_file rw_file_perms;
# vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file w_file_perms;
+allow vdc kmsg_device:chr_file { getattr w_file_perms };
# vdc talks to vold over Binder
binder_use(vdc)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6ed7b02..5a3e918 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -5,7 +5,7 @@
allow vendor_init init:unix_stream_socket { read write };
# Logging to kmsg
-allow vendor_init kmsg_device:chr_file { open write };
+allow vendor_init kmsg_device:chr_file { open getattr write };
# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;