Merge "Allow TunerService to find and call native Package Manager Service"
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 3793195..835f901 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -22,6 +22,7 @@
ctl_snapuserd_prop
debugfs_kprobes
debugfs_mm_events_tracing
+ debugfs_bootreceiver_tracing
device_config_profcollect_native_boot_prop
device_config_connectivity_prop
device_config_swcodec_native_prop
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 21a1ae9..79b0313 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -177,6 +177,8 @@
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
diff --git a/private/init.te b/private/init.te
index 348673b..4e8289a 100644
--- a/private/init.te
+++ b/private/init.te
@@ -83,3 +83,6 @@
# Only init can set keystore.boot_level
neverallow { -init } keystore_listen_prop:property_service set;
+
+# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
+allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 5f4a943..372bde6 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -36,6 +36,9 @@
allow mediatranscoding app_data_file:file { getattr read write };
allow mediatranscoding shell_data_file:file { getattr read write };
+# allow mediatranscoding service write permission to statsd socket
+unix_socket_send(mediatranscoding, statsdw, statsd)
+
# mediatranscoding should never execute any executable without a
# domain transition
neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 097098b..9c615fa 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -5,7 +5,7 @@
# Allow odrefresh to create files and directories for on device signing.
allow odrefresh apex_module_data_file:dir { getattr search };
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+allow odrefresh apex_art_data_file:file create_file_perms;
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
# sets up files here and passes file descriptors for dex2oat to write to.
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 44f6434..875ef5b 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -18,6 +18,9 @@
# Allow profcollectd to read executable binaries.
allow profcollectd system_file_type:file r_file_perms;
allow profcollectd vendor_file_type:file r_file_perms;
+
+ # Allow profcollectd to read system bootstrap libs.
+ allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
# Allow profcollectd to access tracefs.
diff --git a/private/system_server.te b/private/system_server.te
index c0c7c16..8bee1bf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1021,6 +1021,10 @@
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
+# Allow BootReceiver to watch trace error_report events.
+allow system_server debugfs_bootreceiver_tracing:dir search;
+allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
+
# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 4e17f12..243148f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -557,6 +557,9 @@
# vndservice_contexts file
type vndservice_contexts_file, file_type;
+# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 0f3f825..98ec3b4 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -12,3 +12,4 @@
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
+dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;