Merge "Add PLATFORM_SEPOLICY_VERSION." into oc-dev
diff --git a/private/adbd.te b/private/adbd.te
index 5fa83e2..b402335 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -63,6 +63,15 @@
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
 # Needed for various screenshots
 hal_client_domain(adbd, hal_graphics_allocator)
 
diff --git a/private/app.te b/private/app.te
index f7c060b..c3f44dd 100644
--- a/private/app.te
+++ b/private/app.te
@@ -93,6 +93,16 @@
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+    allow appdomain vendor_file_type:dir r_dir_perms;
+    allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+    # For looking up Renderscript vendor drivers
+    allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
 
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
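Review bot: The two branches grant different subjects: the `not_full_treble` block gives all of `appdomain`, including `isolated_app`, read on every `vendor_file_type` directory and symlink, while the `full_treble_only` block deliberately excludes `isolated_app` and touches only `vendor_file`. If isolated processes have no business in /vendor on treble devices, the same presumably holds on the legacy layout, so I would write `allow { appdomain -isolated_app } vendor_file_type:dir r_dir_perms;` and the matching `lnk_file` line, or add a comment saying why isolated_app needs it there. The treble branch also grants `{ open read }` but not `search` on `vendor_file:dir`, which only works because domain.te grants `vendor_file:dir { getattr search }` to every domain elsewhere in this commit; a one-line comment noting that dependency would stop a later cleanup of domain.te from silently breaking Renderscript driver lookup.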
diff --git a/private/audioserver.te b/private/audioserver.te
index 61ccefc..b5bfe39 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -13,6 +13,9 @@
 binder_service(audioserver)
 
 hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
 hal_client_domain(audioserver, hal_audio)
 
 userdebug_or_eng(`
diff --git a/private/init.te b/private/init.te
index fb4335a..f84d87e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
 domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
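Review bot: `domain_trans(init, toolbox_exec, modprobe)` makes the multi-call toolbox binary an entry point for the modprobe domain without a comment, unlike the surrounding transitions whose purpose is obvious from the exec type. Using `domain_trans` rather than `domain_auto_trans` is the right choice — init has to request the transition explicitly, so other toolbox applets exec'd by init stay in init's domain — but nothing on the line tells a reader that, and modprobe is the domain that gets `module_load` in this same commit. I would add `# modprobe is a toolbox applet; init must request the transition explicitly, so other toolbox applets are unaffected` above the new line.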
diff --git a/private/zygote.te b/private/zygote.te
index 52250f8..daabbc0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,9 +51,8 @@
 allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 
-# /vendor/overlay existence is checked before
-# passing it on as an argument to idmap in AssetManager
-allow zygote vendor_overlay_file:dir { getattr open read search };
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
 
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
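Review bot: The replacement comment `# Allow apps access to /vendor/overlay` is wrong for this rule: the subject is `zygote`, not appdomain, and `r_dir_file(zygote, vendor_overlay_file)` also adds file read, which the old dir-only rule (`getattr open read search`) did not grant. The removed comment carried the rationale — the existence check before the path is handed to idmap from AssetManager — and that is the part worth keeping. I would write `# zygote checks /vendor/overlay and reads overlay files before passing the path to idmap via AssetManager — TODO confirm file read is needed beyond the dir check`.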
diff --git a/public/domain.te b/public/domain.te
index 24c8696..66029f8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -129,8 +129,12 @@
 allow domain vendor_configs_file:file { read open getattr };
 
 full_treble_only(`
-    # This is required "most likely" for LD_LIBRARY_PATH
-    # (b/36681074)
+    # Allow all domains to be able to follow /system/vendor symlink
+    allow domain vendor_file:lnk_file { getattr open read };
+
+    # This is required to be able to search & read /vendor/lib64
+    # in order to lookup vendor libraries. The execute permission
+    # for coredomains is granted *only* for same process HALs
     allow domain vendor_file:dir { getattr search };
 
     # Allow reading and executing out of /vendor to all vendor domains
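Review bot: The new comment block says `The execute permission for coredomains is granted *only* for same process HALs`, but it sits directly above a rule that grants no execute at all — `allow domain vendor_file:dir { getattr search };` — so a reader looking for where that restriction is enforced is sent nowhere. I would split the comment: keep `# Search /vendor/lib64 so any domain can resolve vendor library paths` on the dir rule, and move the execute remark to a hedged pointer such as `# NOTE: coredomain execute on vendor_file is limited to same-process HALs; see the vendor-domain and neverallow rules below` so the claim is tied to the rules that actually carry it. The `vendor_file:lnk_file { getattr open read }` grant to every domain is fine as written, since following the /system/vendor symlink leaks nothing the dir search does not already allow.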
@@ -994,7 +998,7 @@
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.
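Review bot: The neverallow is tightened from `vendor_file_type` to `vendor_file`, but the comment above it still reads `except from system, vendor, and boot partitions`, which now overstates what is allowed: other vendor_file_type members (overlay, config, app types) are no longer valid module origins. Since a neverallow is the contract that keeps vendor policy honest, the comment should state the exact set, e.g. `# Do not allow kernel module loading except from system_file, vendor_file (not every vendor_file_type) and rootfs.` The rule agrees with the `{ system_file vendor_file }:system module_load` grant added to modprobe.te in this commit, so no further change is needed here.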
diff --git a/public/modprobe.te b/public/modprobe.te
index 0fc173d..24a6b3b 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,5 @@
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
 ')
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })
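Review bot: The two new rules are unconditional and uncommented, while the rootfs rule directly above them sits inside a macro block whose opening line is outside this hunk, so the file now reads as "rootfs under some condition, system and vendor always" without saying why. `r_dir_file(modprobe, { system_file vendor_file })` also lets modprobe read every file labeled vendor_file rather than only a modules directory; if modules are installed under a fixed path, a dedicated file type for it would keep the read and `module_load` grants to that path, though SOURCE does not show where the modules live. At minimum I would add `# Load kernel modules shipped in /system and /vendor; these are the only origins the module_load neverallow in domain.te permits` above the new `allow` line.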
diff --git a/public/recovery.te b/public/recovery.te
index d6aef1c..784596d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,6 +92,10 @@
   allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
   allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
+  # Read /sys/class/thermal/*/temp for thermal info.
+  allow recovery sysfs_thermal:dir search;
+  allow recovery sysfs_thermal:file r_file_perms;
+
   # Read files on /oem.
   r_dir_file(recovery, oemfs);