Merge "Allow vendor-init-settable to persist.radio.multisim.config"
diff --git a/Android.mk b/Android.mk
index 5179fef..ba1f8ae 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1568,7 +1568,7 @@
base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
@@ -1639,6 +1639,7 @@
built_sepolicy_neverallows :=
built_plat_svc :=
built_vendor_svc :=
+built_plat_sepolicy :=
mapping_policy :=
my_target_arch :=
plat_pub_policy.cil :=
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 9c249fd..4da5410 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -2,3 +2,7 @@
typeattribute perfprofd coredomain;
init_daemon_domain(perfprofd)
')
+
+# Only servicemanager, statsd, su and systemserver can communicate.
+neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call;
+neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server') }:binder call;
diff --git a/private/statsd.te b/private/statsd.te
index c63cba9..dfec7a4 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -30,6 +30,9 @@
binder_call(statsd, appdomain)
binder_call(statsd, healthd)
binder_call(statsd, incidentd)
+userdebug_or_eng(`
+ binder_call(statsd, perfprofd)
+')
binder_call(statsd, statscompanion_service)
binder_call(statsd, system_server)
diff --git a/public/healthd.te b/public/healthd.te
index 50952d5..87217d5 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -7,6 +7,8 @@
# Read access to pseudo filesystems.
allow healthd sysfs_type:dir search;
+# Allow to read /sys/class/power_supply directory.
+allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index d4062aa..494e75b 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -113,9 +113,5 @@
# Allow perfprofd to submit to dropbox.
allow perfprofd dropbox_service:service_manager find;
- allow perfprofd system_server:binder call;
-
- # Only servicemanager, su and systemserver can communicate.
- neverallow domain perfprofd:binder call;
- neverallow perfprofd { domain -servicemanager -su -system_server }:binder call;
+ binder_call(perfprofd, system_server)
')
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index ac8c808..5f419d1 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -19,7 +19,7 @@
$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)