Merge "SEPolicy updates for DeviceConfig Service."
diff --git a/Android.mk b/Android.mk
index 9900bfb..bb69f06 100644
--- a/Android.mk
+++ b/Android.mk
@@ -247,11 +247,6 @@
LOCAL_REQUIRED_MODULES += \
precompiled_sepolicy \
precompiled_sepolicy.plat_and_mapping.sha256 \
- vendor_file_contexts \
- vendor_mac_permissions.xml \
- vendor_property_contexts \
- vendor_seapp_contexts \
- vendor_hwservice_contexts \
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d3019ec..323fb0a 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1,4 +1,5 @@
;; types removed from current policy
+(type alarm_device)
(type audio_seq_device)
(type audio_timer_device)
(type commontime_management_service)
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 5cba2cd..4f3dda6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -34,6 +34,9 @@
# Allow dumpstate to talk to gpuservice over binder
binder_call(dumpstate, gpuservice);
+# Allow dumpstate to talk to idmap over binder
+binder_call(dumpstate, idmap);
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
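Review bot: The added `binder_call(dumpstate, idmap);` covers only the call direction (dumpstate calling idmap and using fds that idmap hands back), and the comment does not say what dumpstate needs from idmap. If the intent is a service dump into a bugreport, idmap also has to write into a descriptor owned by dumpstate, which would need something like `allow idmap dumpstate:fd use;` plus write access on the pipe or file. No visible hunk grants that; it may come from an attribute rule outside this diff, so confirm it. I would extend the comment to `# Allow dumpstate to call idmap over binder to collect its dump for bugreports` if that is the purpose.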
diff --git a/private/file_contexts b/private/file_contexts
index 493d782..abef72b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -71,7 +71,6 @@
/dev/adf[0-9]* u:object_r:graphics_device:s0
/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/alarm u:object_r:alarm_device:s0
/dev/ashmem u:object_r:ashmem_device:s0
/dev/audio.* u:object_r:audio_device:s0
/dev/binder u:object_r:binder_device:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ca13998..5f7a042 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -150,11 +150,6 @@
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/events/workqueue/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/regulator/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
@@ -172,11 +167,6 @@
genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/regulator/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 30ad7f1..b7013d7 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -13,10 +13,10 @@
# Executables and libraries.
# These are needed to read the ELF binary data needed for unwinding.
- allow heapprofd system_file:file r_file_perms;
- allow heapprofd apk_data_file:file r_file_perms;
- allow heapprofd dalvikcache_data_file:file r_file_perms;
- allow heapprofd vendor_file_type:file r_file_perms;
+ r_dir_file(heapprofd, system_file_type)
+ r_dir_file(heapprofd, apk_data_file)
+ r_dir_file(heapprofd, dalvikcache_data_file)
+ r_dir_file(heapprofd, vendor_file_type)
')
# Write trace data to the Perfetto traced damon. This requires connecting to its
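Review bot: The four added `r_dir_file(heapprofd, ...)` lines widen heapprofd's access beyond what the comment above them explains. The macro grants directory listing and symlink reads in addition to file reads, and `system_file` becomes the whole `system_file_type` attribute, while the comment still only mentions reading ELF data for unwinding. If only path traversal is required, a narrower form such as `allow heapprofd system_file_type:dir search;` next to the original file rules would do. Otherwise add a comment like `# r_dir_file: dir and lnk_file access is needed to resolve mapped library paths`. The block is closed by `')` but its opening macro is outside the hunk, so whether these rules are limited to userdebug/eng builds cannot be confirmed from here.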
diff --git a/private/system_server.te b/private/system_server.te
index 5098760..3806d23 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -325,7 +325,6 @@
# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index b0b87d8..ad6611c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -18,6 +18,7 @@
# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the blacklist/whitelist.
userdebug_or_eng(`
+allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')
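Review bot: The added `allow traced_probes debugfs_tracing_debug:dir r_dir_perms;` has no comment, and the genfs_contexts hunks in this same diff remove the `genfscon` entries (workqueue, regulator, pagecache, irq, ipi under both debugfs and tracefs) that assigned `debugfs_tracing_debug`. Whatever still carries that label is outside the visible hunks, so confirm which directories traced_probes can now list. If the label has become a broader default for tracing nodes, this grant and the existing `rw_file_perms` rule below it reach further than the old per-event labelling did. A one-line comment would help, e.g. `# List event directories labelled debugfs_tracing_debug (userdebug/eng only)`.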
diff --git a/private/vold.te b/private/vold.te
index a6d1001..dea24a5 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -8,8 +8,8 @@
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, blkid_exec, blkid);
+domain_trans(vold, blkid_exec, blkid_untrusted);
domain_trans(vold, fsck_exec, fsck);
domain_trans(vold, fsck_exec, fsck_untrusted);
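Review bot: `blkid_exec` is used on both changed `domain_trans` lines, but no hunk in this diff declares the type or labels the blkid binary with it in file_contexts. That presumably lives elsewhere and is worth confirming, because if the binary keeps its previous label the exec into `blkid` / `blkid_untrusted` would be expected to fail on the entrypoint check rather than fall back. Since public/vold.te in this same change drops `allow vold shell_exec:file rx_file_perms;`, consider locking the tightening in with `neverallow vold shell_exec:file { execute execute_no_trans };`, provided no vold rule outside these hunks still needs the shell.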
diff --git a/public/device.te b/public/device.te
index e55c86d..57b0503 100644
--- a/public/device.te
+++ b/public/device.te
@@ -1,6 +1,5 @@
# Device types
type device, dev_type, fs_type;
-type alarm_device, dev_type, mlstrustedobject;
type ashmem_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index c536c12..d0e4e41 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -75,7 +75,6 @@
not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
allow domain proc_random:file r_file_perms;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 9d0f8c0..3e4b65d 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -9,7 +9,6 @@
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
-allow hal_telephony_server alarm_device:chr_file rw_file_perms;
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index f735be5..805adaf 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -10,9 +10,9 @@
set_prop(hal_wifi, exported_wifi_prop)
set_prop(hal_wifi, wifi_prop)
-# allow hal wifi set interfaces up and down
+# allow hal wifi set interfaces up and down and get the factory MAC
allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
allow hal_wifi self:global_capability_class_set { net_admin net_raw };
# allow hal_wifi to speak to nl80211 in the kernel
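Review bot: Adding `SIOCETHTOOL` to the `allowxperm` line grants more than the updated comment's "get the factory MAC". SIOCETHTOOL multiplexes every ethtool sub-command, and the ioctl allowlist cannot tell a read such as ETHTOOL_GPERMADDR (presumably the one intended) from the state-changing ones. With `net_admin` granted on the following line, the kernel's capability check is unlikely to narrow it either. I would record that in the comment, e.g. `# SIOCETHTOOL is for reading the factory MAC; it also admits all other ethtool commands, which xperms cannot filter`.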
diff --git a/public/init.te b/public/init.te
index 2a8036a..8b95e2b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -257,7 +257,6 @@
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
allow init {
- alarm_device
ashmem_device
binder_device
console_device
diff --git a/public/property_contexts b/public/property_contexts
index f2362d5..1533a0f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -6,6 +6,7 @@
audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool
audio.deep_buffer.media u:object_r:exported3_default_prop:s0 exact bool
audio.offload.video u:object_r:exported3_default_prop:s0 exact bool
+audio.offload.min.duration.secs u:object_r:exported3_default_prop:s0 exact int
camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
diff --git a/public/radio.te b/public/radio.te
index 05bfd8c..8a8bef3 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -12,7 +12,6 @@
allow radio radio_data_file:dir create_dir_perms;
allow radio radio_data_file:notdevfile_class_set create_file_perms;
-allow radio alarm_device:chr_file rw_file_perms;
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
diff --git a/public/vold.te b/public/vold.te
index 6994776..0f5fb0f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -31,9 +31,6 @@
# Allow us to jump into execution domains of above tools
allow vold self:process setexec;
-# For sgdisk launched through popen()
-allow vold shell_exec:file rx_file_perms;
-
# For formatting adoptable storage devices
allow vold e2fs_exec:file rx_file_perms;