Merge "Add type for /system/bin/tcpdump."
diff --git a/public/domain.te b/public/domain.te
index 0f17fab..b479227 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -277,15 +277,19 @@
-untrusted_app_all
-priv_app
} cgroup:file w_file_perms;
-auditallow appdomain cgroup:file w_file_perms;
+userdebug_or_eng(`
+ auditallow appdomain cgroup:file w_file_perms;
+')
# TODO(b/110043362): Clean up cgroup access from non-system domains.
allow { domain -coredomain } cgroup:file w_file_perms;
-auditallow {
- domain
- -coredomain
- -vendor_init
-} cgroup:file w_file_perms;
+userdebug_or_eng(`
+ auditallow {
+ domain
+ -coredomain
+ -vendor_init
+ } cgroup:file w_file_perms;
+')
# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
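Review bot: Nothing next to the two `userdebug_or_eng(` wrappers says why the auditallow rules are now debug-only while the matching `allow` rules stay in every build. On user builds, cgroup file writes by app domains and by non-core domains remain permitted but no longer produce audit records, so the cleanup tracked in the TODO would only see data from userdebug/eng devices. I would add a comment above each wrapper such as `# Audit only on userdebug/eng; user builds still allow this access but do not log it.`, and state the reason there (presumably log volume; confirm). The first rule's opening brace lies above the hunk.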
@@ -321,11 +325,17 @@
# named pipes, and named sockets)
allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };
+# Allow a process to make a determination whether a file descriptor
+# for a plain file is a tty. Note that granting this whitelist to domain
+# does not grant the ioctl permission to these files. That must be granted
+# separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+
# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
# TODO: consider only compiling these rules if we know the
# /data partition is F2FS
-allowxperm domain file_type:file ioctl {
+allowxperm domain { file_type sdcard_type }:file ioctl {
F2FS_IOC_ABORT_VOLATILE_WRITE
F2FS_IOC_COMMIT_ATOMIC_WRITE
F2FS_IOC_GET_FEATURES
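Review bot: The comment above the widened F2FS rule still speaks only of the /data partition, yet the target set is now `{ file_type sdcard_type }`. The F2FS commands therefore pass the xperm filter on sdcard-labelled files for any domain that already holds `ioctl` on them. The reason for the wider set is not visible in the hunk (possibly storage layered over an F2FS-backed /data; confirm), and the TODO about compiling these rules only when /data is F2FS no longer describes the whole rule. I would extend the comment with a line like `# sdcard_type is covered as well; ioctl permission on those types must still be granted separately.` plus the reason. The command list of this rule continues past the end of the hunk.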
diff --git a/public/fastbootd.te b/public/fastbootd.te
index a1c407b..b7e5fe1 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -14,6 +14,7 @@
allow fastbootd functionfs:dir search;
allow fastbootd functionfs:file rw_file_perms;
+ allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
# Log to serial
allow fastbootd kmsg_device:chr_file { open write };
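Review bot: The added `allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };` line carries no comment, unlike the `# Log to serial` rule below it. `rw_file_perms` on the line before already includes `ioctl`, so this rule is what limits fastbootd to specific commands on functionfs files. That least-privilege intent should be written down so a later edit does not widen the list casually. A line above it such as `# Only the endpoint-descriptor query is needed; commands not listed here or in a domain-wide allowxperm are denied.` would do.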