Merge "Allow system_server to call IKeystoreMaintenance.deleteAllKeys()" into main
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 2f7f1d5..60559fc 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -34,10 +34,6 @@
 # allow aconfigd to log to the kernel.
 allow aconfigd kmsg_device:chr_file w_file_perms;
 
-# allow aconfigd to read system/system_ext/product partition storage files
-allow aconfigd system_aconfig_storage_file:file r_file_perms;
-allow aconfigd system_aconfig_storage_file:dir r_dir_perms;
-
 # allow aconfigd to read vendor partition storage files
 allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
 allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
diff --git a/private/domain.te b/private/domain.te
index aa0a5bb..2a26cf3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -208,12 +208,12 @@
   -hal_omx_server
 } {shell_exec toolbox_exec}:file rx_file_perms;
 
-# Allow everyone to read from flag value boot snapshot files and general pb files
+# Allow all (except vendor) to read from flag value boot snapshot files and general pb files
 # The boot copy of the flag value files serves flag read traffic for all processes, thus
 # needs to be readable by everybody. Also, the metadata directory will contain pb file
 # that records where flag storage files are, so also needs to be readable by everbody.
-allow domain aconfig_storage_metadata_file:file r_file_perms;
-allow domain aconfig_storage_metadata_file:dir r_dir_perms;
+r_dir_file({ coredomain appdomain }, aconfig_storage_metadata_file);
+r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
 
 # processes needs to access storage file stored at /metadata/aconfig/boot, require search
 # permission on /metadata dir
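Review bot: The comment kept above the two `r_dir_file` rules still says the boot copy "serves flag read traffic for all processes" and must be "readable by everybody", which no longer matches a grant limited to `{ coredomain appdomain }`, and nothing documents the new `system_aconfig_storage_file` rule. That second rule widens read access on the type from aconfigd alone (the rule dropped in private/aconfigd.te) to every core and app domain, presumably including untrusted apps, so the rationale belongs next to it, e.g. `# system/system_ext/product flag storage files are read directly by core and app domains; vendor domains are excluded on purpose`. Also, `r_dir_file` grants `lnk_file` read in addition to the `file`/`dir` permissions of the removed `allow` lines; if no symlinks of these types are expected, explicit `:file r_file_perms` and `:dir r_dir_perms` rules keep the grant as narrow as before. Whether non-core, non-app domains that read flags are granted access elsewhere is not visible in this diff.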
diff --git a/private/property_contexts b/private/property_contexts
index b4458ee..83b6b8a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -765,6 +765,7 @@
 ro.lmk.thrashing_limit          u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.thrashing_limit_decay    u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.direct_reclaim_threshold_ms u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.use_minfree_levels       u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.use_new_strategy         u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.use_psi                  u:object_r:lmkd_config_prop:s0 exact bool