Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c7be91d58b704e93aa08780c120868969f185308^2..c7be91d58b704e93aa08780c120868969f185308 / .
commitc7be91d58b704e93aa08780c120868969f185308[log] [tgz]
authorNicolas Geoffray <ngeoffray@google.com>Tue Nov 20 16:38:52 2018 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Tue Nov 20 16:38:52 2018 +0000
tree74dda4a8ba05d88e65c8a7e9981e7cb431d71339
parentb78af6cdb40654ef6df88951b6b94cc421d4f98c [diff]
parentcf4d5265c2d6159b8547f556170d1ba35e947d67 [diff]
Merge "Allow webview_zygote to JIT."
diff --git a/private/perfetto.te b/private/perfetto.te
index c068dc5..4d8720a 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te

@@ -20,12 +20,11 @@
 binder_call(perfetto, system_server)
 allow perfetto dropbox_service:service_manager find;
 
-# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
-# print out on stdout/stderr.
-allow perfetto statsd:fd use;
-allow perfetto statsd:fifo_file { getattr read write };
-allow perfetto shell:fd use;
-allow perfetto shell:fifo_file { getattr read write };
+# Allow perfetto to read the trace config from statsd and shell
+# (both root and non-root) on stdin and also to write the resulting trace to
+# stdout.
+allow perfetto { statsd shell su }:fd use;
+allow perfetto { statsd shell su }:fifo_file { getattr read write };
 
 # Allow to communicate use, read and write over the adb connection.
 allow perfetto adbd:fd use;

diff --git a/private/system_server.te b/private/system_server.te
index 49bba86..7104135 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -941,6 +941,10 @@
 allow system_server system_server_startup_tmpfs:file { read write map };
 allow system_server system_server_startup:unix_dgram_socket write;
 
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;

diff --git a/public/apexd.te b/public/apexd.te
index 0f0f5ac..f990879 100644
--- a/public/apexd.te
+++ b/public/apexd.te

@@ -6,8 +6,8 @@
 add_service(apexd, apex_service)
 set_prop(apexd, apexd_prop)
 
-neverallow { domain -init -apexd } apex_service:service_manager find;
-neverallow { domain -init -apexd } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server } apexd:binder call;
 
 neverallow domain apexd:process ptrace;