Merge "sepolicy: Allow prefetch to open/read rootfs" into main
diff --git a/prebuilts/api/202504/202504_general_sepolicy.conf b/prebuilts/api/202504/202504_general_sepolicy.conf
index 33ca1ac..bdea6b3 100644
--- a/prebuilts/api/202504/202504_general_sepolicy.conf
+++ b/prebuilts/api/202504/202504_general_sepolicy.conf
@@ -88152,6 +88152,7 @@
-keystore
-servicemanager
-system_server
+ -tee
}:binder call;
diff --git a/private/artd.te b/private/artd.te
index 15d7969..b3f1e5a 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -37,11 +37,12 @@
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
# Also allow creating the "oat" directory before restorecon.
+# Also allow deleting .sdm files.
allow artd mnt_expand_file:dir { getattr search };
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
-allow artd apk_data_file:file r_file_perms;
+allow artd apk_data_file:file { r_file_perms unlink };
allow artd apk_tmp_file:dir { rw_dir_perms create setattr relabelfrom };
-allow artd apk_tmp_file:file r_file_perms;
+allow artd apk_tmp_file:file { r_file_perms unlink };
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
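Review bot: The comment added at the top of the hunk, "Also allow deleting .sdm files.", is narrower than the rules it describes: `allow artd apk_data_file:file { r_file_perms unlink };` and the matching apk_tmp_file line grant unlink on every file carrying those types, because SELinux cannot scope a permission by file name. Someone auditing what artd may delete would read the comment and assume the grant stops at .sdm files, when it covers the APKs themselves. I would make the comment state the real scope, e.g. `# Also allow deleting .sdm files (SELinux cannot restrict unlink by name, so this covers any apk_data_file / apk_tmp_file; artd itself must limit deletion to .sdm).` The hunk header also says one old line is not shown here, so the surrounding comment block may start before the first visible line.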
diff --git a/private/dumpstate.te b/private/dumpstate.te
index d960ff6..b92ca6f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -67,6 +67,9 @@
# Allow dumpstate to talk to ot_daemon service over binder
binder_call(dumpstate, ot_daemon)
+# Allow dumpstate to talk to mmd service over binder
+binder_call(dumpstate, mmd)
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
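Review bot: `binder_call(dumpstate, mmd)` only lets dumpstate reach mmd over binder; the rules that let the dumped service write into the pipe dumpstate hands it (`allow mmd dumpstate:fd use;` and `allow mmd dumpstate:fifo_file write;`) are not in this diff, while the wifi_mainline_supplicant.te hunk in the same merge adds exactly that pair for its own domain. If they are not already present in mmd.te, the dump call will be permitted but the output write will be denied and the section will come out empty. Worth confirming before merge; the comment itself mirrors the ot_daemon line above it, which is fine.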
diff --git a/private/wifi_mainline_supplicant.te b/private/wifi_mainline_supplicant.te
index c18cef6..dce5a07 100644
--- a/private/wifi_mainline_supplicant.te
+++ b/private/wifi_mainline_supplicant.te
@@ -2,6 +2,7 @@
type wifi_mainline_supplicant_exec, system_file_type, exec_type, file_type;
binder_use(wifi_mainline_supplicant)
+binder_call(wifi_mainline_supplicant, system_server)
init_daemon_domain(wifi_mainline_supplicant)
add_service(wifi_mainline_supplicant, wifi_mainline_supplicant_service)
@@ -29,3 +30,7 @@
allow wifi_mainline_supplicant self:netlink_route_socket { bind create read write nlmsg_readpriv nlmsg_write };
allow wifi_mainline_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow wifi_mainline_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Dumpstate support
+allow wifi_mainline_supplicant dumpstate:fd use;
+allow wifi_mainline_supplicant dumpstate:fifo_file write;
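Review bot: The two rules under `# Dumpstate support` let the service write into the fd dumpstate passes in, but the counterpart `binder_call(dumpstate, wifi_mainline_supplicant)` that lets dumpstate invoke the dump over binder is not visible in this diff (the dumpstate.te hunk in this merge only adds mmd). If it is not already present in dumpstate.te, dumpstate cannot trigger the dump these rules serve, so this is worth confirming. The comment would also be more useful if it said what the rules are for, e.g. `# Dumpstate support: write dump output to the pipe fd dumpstate passes in.`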