Merge "untrusted_app_30: add new targetSdk domain"
diff --git a/private/crosvm.te b/private/crosvm.te
index f7729fd..b139286 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,3 +14,10 @@
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+
+# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
+# as they must be passed via virtualizationservice.
+allow crosvm apk_data_file:file { getattr read };
+allow crosvm app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow crosvm shell_data_file:file { getattr read write };
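Review bot: The "but not open them directly" rule stated in the new comment is enforced only by leaving `open` out of the three allow lines, so a later change could grant it without anything failing at build time. A neverallow next to the existing kvm_device ones would pin the invariant: `neverallow crosvm { apk_data_file app_data_file shell_data_file }:file open;`. The same applies to the matching allow rules added in private/virtualizationservice.te. The shell_data_file grant is described as being for tests and debugging; if user builds do not need it, wrapping it in `userdebug_or_eng(...)` would narrow it, though that depends on where the tests run.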
diff --git a/private/odsign.te b/private/odsign.te
index 0ff3b7b..57ca048 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -41,7 +41,7 @@
# For ART apex data dir access
allow odsign apex_module_data_file:dir { getattr search };
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };
# Run odrefresh to refresh ART artifacts
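Review bot: The added `rename` on apex_art_data_file:dir has no comment saying which odsign operation needs it, and the existing "For ART apex data dir access" header does not cover it. A one-line comment above the rule would let the next reviewer judge whether the permission is still required, for example `# rename: odsign moves a directory of ART artifacts into place (confirm the exact operation)`. The permission applies to directories of this type only; the file rule on the following line is unchanged.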
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 382795d..ea9d4ee 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -96,8 +96,3 @@
# allow otapreopt_chroot to run the linkerconfig from the new image.
allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
-
-# allow otapreopt_chroot to talk with otadexopt binder service
-allow otapreopt_chroot otadexopt_service:service_manager find;
-binder_use(otapreopt_chroot)
-binder_call(otapreopt_chroot, system_server)
diff --git a/private/property_contexts b/private/property_contexts
index 326232d..593274f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -52,6 +52,7 @@
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.nfc. u:object_r:nfc_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
logd. u:object_r:logd_prop:s0
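Review bot: The new `persist.nfc.` prefix entry labels every property under that prefix as nfc_prop with no type constraint, and the `set_prop(system_app, nfc_prop)` added in public/app.te then lets system_app write all of them, along with the existing `persist.nfc_cfg.` properties that share the label. Only `persist.nfc.debug_enabled` gets an `exact bool` entry, in the second hunk of this file. If the debug flag is the only property system_app needs to set, a dedicated type for it would keep the write grant to that one property, e.g. `persist.nfc.debug_enabled u:object_r:nfc_debug_prop:s0 exact bool`, where nfc_debug_prop is a placeholder name for a new type.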
@@ -439,6 +440,8 @@
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
+persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
+
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f99ce96..9900600 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -61,7 +61,7 @@
# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
-get_prop(network_stack, device_config_surface_flinger_native_boot_prop)
+get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4c6f1f9..9b82e01 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -23,3 +23,21 @@
# Let virtualizationservice access its data directory.
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+
+# virtualizationservice_use(client)
+define(`virtualizationservice_use', `
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let the client pass file descriptors to virtualizationservice.
+allow virtualizationservice $1:fd use;
+')
+
+# Let the shell user call virtualizationservice for debugging.
+virtualizationservice_use(shell)
+
+# Let virtualizationservice read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationservice apk_data_file:file { getattr read };
+allow virtualizationservice app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationservice shell_data_file:file { getattr read write };
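Review bot: `virtualizationservice_use` is defined with `define()` inside this .te file, so as far as I can tell it exists only for policy text that m4 processes after this point; a client domain whose file is processed earlier could not call it, which is presumably why `virtualizationservice_use(shell)` sits here rather than in shell.te. Moving the definition to the shared macro file (te_macros) would make it usable from each client's own policy file. The macro's header comment could also state what it grants in both directions, e.g. `# virtualizationservice_use(client): client may binder_call virtualizationservice; virtualizationservice may use fds passed by client`.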
diff --git a/public/app.te b/public/app.te
index e8178d1..7de9c00 100644
--- a/public/app.te
+++ b/public/app.te
@@ -569,6 +569,9 @@
-system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+# allow system_app to access Nfc-related system properties.
+set_prop(system_app, nfc_prop)
+
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
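Review bot: The `set_prop(system_app, nfc_prop)` rule is placed in public/app.te between two neverallow blocks that constrain all app domains, which makes a grant to a single domain easy to miss; it would read more naturally in system_app's own policy file. The comment says "access" while `set_prop` grants write, so `# Allow system_app to set Nfc-related system properties.` would be more precise. The neverallow statement above the added lines begins outside this hunk.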