Merge "Temporarily hide denial to fix tests."
diff --git a/private/system_suspend.te b/private/system_suspend.te
index e93a73d..961cd67 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,6 +10,11 @@
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
+# TODO(b/128923994): remove once all debugging info moves to SystemSuspend.
+# Access to /sys/power/{ wake_lock, wake_unlock } suspend blocker interface.
+allow system_suspend self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+
neverallow {
domain
-atrace # tracing
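Review bot: The TODO on the first added line does not say which rules it covers, and the comment below it reads like a permanent description of the access. Both `allow system_suspend self:global_capability2_class_set block_suspend;` and the `sysfs_wake_lock` grant appear to serve only the wake_lock/wake_unlock interface, so the TODO should name them together, e.g. `# TODO(b/128923994): remove both rules below once all debugging info moves to SystemSuspend.` That keeps the capability from outliving the file access it supports. The neverallow that follows the added lines continues outside the hunk.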
diff --git a/public/attributes b/public/attributes
index 4cae0ff..dbb9356 100644
--- a/public/attributes
+++ b/public/attributes
@@ -308,3 +308,6 @@
attribute mediaswcodec_server;
attribute system_suspend_server;
attribute camera_service_server;
+
+# All types used for super partition block devices.
+attribute super_block_device_type;
diff --git a/public/device.te b/public/device.te
index 57b0503..41b4edb 100644
--- a/public/device.te
+++ b/public/device.te
@@ -104,4 +104,4 @@
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, dev_type;
+type super_block_device, super_block_device_type, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 8331d2d..978c9bf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -643,6 +643,11 @@
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
')
+
+# libcutils can probe for /dev/binder permissions with access(). Ignore
+# generated denials. See b/129073672 for details.
+dontaudit domain binder_device:chr_file audit_access;
+
full_treble_only(`
neverallow {
domain
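Review bot: The added `dontaudit domain binder_device:chr_file audit_access;` applies to every domain, including those that the surrounding neverallow blocks keep away from the binder device, and its comment gives no condition for removing it. Only the access() probe is silenced, so denied open, read and write are still logged. The comment should say so, so that nobody widens the rule later: `# Only audit_access is suppressed; other denials on binder_device are still audited.` If this is meant as a workaround, also add `# TODO(b/129073672): remove once libcutils no longer probes /dev/binder with access().` The full_treble_only block after the rule continues outside the hunk.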
diff --git a/public/service.te b/public/service.te
index 852e3df..bc4be2a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -130,7 +130,7 @@
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type package_native_service, system_server_service, service_manager_type;
+type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
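Review bot: Adding `app_api_service` and `ephemeral_app_api_service` to `package_native_service` is a grant rather than a hidden denial. As those attributes are normally used in this policy, it presumably makes the service findable by regular and ephemeral app domains. The line carries no comment or bug reference, although the merge title describes a temporary change; if the title refers to this line, mark it, e.g. `# TODO(b/<bug-id>): temporary for tests; drop app_api_service and ephemeral_app_api_service again.` It is also worth confirming that the service checks its callers itself, since the lookup would no longer be gated by SELinux for those domains.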