Merge "Sepolicy: Give apexd permission for mounton"
diff --git a/private/runas_app.te b/private/runas_app.te
index 525aea1..e6fd953 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -15,3 +15,4 @@
 
 # Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
 allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:unix_stream_socket connectto;
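Review bot: The new `connectto` rule is the only line in this block without an explanatory comment, while the ptrace rule directly above documents which tools need it and why. Please add a comment such as `# Allow run-as tooling to connect to unix stream sockets owned by debuggable apps (b/PLACEHOLDER).` so the next reviewer can tell whether the permission is still required. Note also that none of the four hunks shown touch apexd or mounton, so either the merge carries more files than this page shows or the merge title does not describe this change; worth confirming before it lands.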
diff --git a/private/zygote.te b/private/zygote.te
index 1146f15..c8bd87e 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -100,7 +100,7 @@
 # TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
 # (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
 # sdcardfs simply wraps files stored under /data/media.)
-allow zygote { sdcardfs media_rw_data_file vfat }:dir { search mounton getattr };
+allow zygote { sdcardfs media_rw_data_file vfat }:dir { create_dir_perms mounton };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
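Review bot: Replacing `{ search mounton getattr }` with `{ create_dir_perms mounton }` moves zygote from read-only directory access on sdcardfs, media_rw_data_file and vfat to creating, removing and renaming directories there (if I read the platform macro correctly, create_dir_perms expands to create/rmdir/rename on top of read-write dir perms), and nothing in the hunk says why; the TODO above only discusses narrowing the type list, not widening the permission set. If only one or two extra operations are needed, spell them out instead, e.g. `allow zygote { sdcardfs media_rw_data_file vfat }:dir { search getattr mounton create };`. Otherwise add a comment above the rule naming the use case and tracking bug, e.g. `# Zygote creates per-user directories on external storage at fork time; b/PLACEHOLDER.`, so the broadened grant is auditable alongside the existing TODO.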
diff --git a/public/e2fs.te b/public/e2fs.te
index 1a2024e..dd5bd69 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -8,7 +8,7 @@
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
 allow e2fs dm_device:blk_file rw_file_perms;
-allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
+allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
   BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
 };
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 303f001..8890ca0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -18,8 +18,8 @@
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service            u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service-lazy       u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service            u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service   u:object_r:hal_gnss_default_exec:s0
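Review bot: The two new cas entries keep the old padding even though `[01]` is three characters longer than `0`, so their label column no longer lines up with the neighbouring lines; trim the runs of spaces so both read `/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service         u:object_r:hal_cas_default_exec:s0` and `/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy    u:object_r:hal_cas_default_exec:s0` with the `u:` column matching the drm line above. Unrelated to this change but visible in the context: the confirmationui entry at the top of the hunk reads `sustem/vendor`, so that regex never matches the /system/vendor path and the binary would be left with the default vendor label there; it deserves a separate follow-up fix.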