Merge "Allow system server to add StatsHal"
diff --git a/apex/Android.bp b/apex/Android.bp
index 4a860e1..d3acfdb 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -180,3 +180,10 @@
"com.android.tethering-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.extservices-file_contexts",
+ srcs: [
+ "com.android.extservices-file_contexts",
+ ],
+}
diff --git a/private/adbd.te b/private/adbd.te
index ec5c57e..dee3c9b 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -180,7 +180,7 @@
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
-allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
###
diff --git a/private/domain.te b/private/domain.te
index 9f3ad0a..3725e13 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -360,3 +360,7 @@
-installd
-zygote
} mirror_data_file:dir *;
+
+# This property is being removed. Remove remaining access.
+neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
+neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
diff --git a/private/platform_app.te b/private/platform_app.te
index 76eaae6..3beec38 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,7 +68,6 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
-allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
diff --git a/private/property_contexts b/private/property_contexts
index 4359806..07fbe7a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -160,6 +160,7 @@
ro.dalvik. u:object_r:dalvik_prop:s0
# Shared between system server and wificond
+wifi. u:object_r:wifi_prop:s0
wlan. u:object_r:wifi_prop:s0
# Lowpan properties
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5d78a18..78853bb 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -27,6 +27,7 @@
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, system_server);
binder_service(surfaceflinger)
# Binder IPC to bu, presently runs in adbd domain.
@@ -116,6 +117,8 @@
# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
+allow surfaceflinger statsmanager_service:service_manager find;
+# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
###
diff --git a/private/system_server.te b/private/system_server.te
index f23eecf..4e74fee 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -659,6 +659,9 @@
# Read the property as feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)
+# Read wifi.interface
+get_prop(system_server, wifi_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c0e470..3f11b6a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -302,11 +302,13 @@
dontaudit dumpstate {
mnt_vendor_file
mirror_data_file
+ mnt_user_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
linkerconfig_file
mirror_data_file
+ mnt_user_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
diff --git a/public/init.te b/public/init.te
index cc60b5a..19c7e4b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -546,7 +546,7 @@
allow init unencrypted_data_file:dir create_dir_perms;
# Set encryption policy on dirs in /data
-allowxperm init data_file_type:dir ioctl {
+allowxperm init { data_file_type unlabeled }:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
};
diff --git a/public/property_contexts b/public/property_contexts
index 5e419ee..bdc862d 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -438,6 +438,7 @@
ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/service.te b/public/service.te
index 76e642d..79cce0e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,7 +101,7 @@
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
-type platform_compat_service, system_server_service, service_manager_type;
+type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 0ffa119..07630de 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -96,9 +96,12 @@
allow vold media_rw_data_file:dir mounton;
# Allow setting extended attributes (for project quota IDs) on files and dirs
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
allowxperm vold media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
};
# Allow mounting of storage devices