commit ad82d6d5db9567554862a437938b9d89af9b5248
author Inseob Kim <inseob@google.com> Tue Apr 06 00:38:10 2021 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Apr 06 00:38:10 2021 +0000
tree 6f9ce53c22472e8935b621252390ed9821ef56dc
parent d6d8a0fa5e57b1feaab343daa7cdce525e2b0681
parent 39fbcf7c967d78207183a886ca53080283f603ea

Merge "Add plat_vendor tag to se_build_files for microdroid"

private/compat/30.0/30.0.ignore.cil

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 99533b4..f89c2be 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -72,6 +72,7 @@
     mediatuner_service
     mediatuner
     mediatranscoding_tmpfs
+    memtrackproxy_service
     music_recognition_service
     nfc_logs_data_file
     odrefresh

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 306b40a..714737f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -591,7 +591,8 @@
 # default contexts only accessible by coredomain
 init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
 
-# vendor-init-readable init service props
+# Globally-readable init service props
+init.svc.adbd           u:object_r:init_service_status_prop:s0 exact string
 init.svc.bugreport      u:object_r:init_service_status_prop:s0 exact string
 init.svc.bugreportd     u:object_r:init_service_status_prop:s0 exact string
 init.svc.console        u:object_r:init_service_status_prop:s0 exact string

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index c86edd5..7b66e35 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -177,6 +177,7 @@
 media_router                              u:object_r:media_router_service:s0
 media_session                             u:object_r:media_session_service:s0
 meminfo                                   u:object_r:meminfo_service:s0
+memtrack.proxy                            u:object_r:memtrackproxy_service:s0
 midi                                      u:object_r:midi_service:s0
 mount                                     u:object_r:mount_service:s0
 music_recognition                         u:object_r:music_recognition_service:s0

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index e0940c9..0c37ee4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1075,6 +1075,9 @@
 neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
 neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
 
+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
 # Android does not support System V IPCs.
 #
 # The reason for this is due to the fact that, by design, they lead to global

public/service.te

diff --git a/public/service.te b/public/service.te
index a69118e..760aa9d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -144,6 +144,7 @@
 type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;