Merge "dexoptanalyzer: Allow writing into installd's pipe"
diff --git a/private/domain.te b/private/domain.te
index 8431957..137d5f2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -279,6 +279,7 @@
neverallow ~{
dac_override_allowed
traced_probes
+ userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
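Review bot: The heapprofd entry added to this `dac_read_search` neverallow exemption set has no comment saying why the domain is exempt. Exemption lists like this one are read during policy audits, so the reason should sit next to the entry rather than only in heapprofd.te. A line above it such as `# heapprofd reads non-world-readable dex files on userdebug/eng only; see heapprofd.te` would also make clear that user builds remain covered by the neverallow.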
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 1339673..98645a2 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -46,8 +46,18 @@
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
+ # Some dex files are not world-readable.
+ # We are still constrained by the SELinux rules above.
+ allow heapprofd self:global_capability_class_set dac_read_search;
')
+# This is going to happen on user but is benign because central heapprofd
+# does not actually need these permission.
+# If the dac_read_search capability check is rejected, the kernel then tries
+# to perform a dac_override capability check, so we need to dontaudit that
+# as well.
+dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
+
never_profile_heap(`{
bpfloader
init
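Review bot: The added `dontaudit` sits outside the `userdebug_or_eng` block and names `dac_override` as well as `dac_read_search`, so on every build type any DAC-override denial for heapprofd is dropped from the audit log, not only the fallback check the comment describes. That removes the signal if the daemon ever attempts an access that needs `dac_override` for another reason, for instance a write. The comment should state that this loss of visibility is accepted, e.g. `# NOTE: this also hides dac_override denials unrelated to the read fallback.` The comment above the new `allow` could also name which of the `r_dir_file` types hold the non-world-readable dex files, since with DAC bypassed those SELinux rules are the only remaining bound on what heapprofd can read. The `never_profile_heap` block at the end of the hunk continues outside it.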
diff --git a/private/priv_app.te b/private/priv_app.te
index ad39eb1..004908c 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -30,7 +30,10 @@
allow priv_app privapp_data_file:lnk_file create_file_perms;
+# Priv apps can find services that expose both @SystemAPI and normal APIs.
allow priv_app app_api_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
+
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
@@ -46,11 +49,10 @@
allow priv_app radio_service:service_manager find;
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-allow priv_app gpu_service:service_manager find;
# Allow privileged apps to interact with gpuservice
binder_call(priv_app, gpuservice)
+allow priv_app gpu_service:service_manager find;
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0bd6f83..2d5e240 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -127,6 +127,7 @@
binder_call(dumpstate, { appdomain netd wificond })
hal_client_domain(dumpstate, hal_dumpstate)
+hal_client_domain(dumpstate, hal_wifi)
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
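Review bot: The added `hal_client_domain(dumpstate, hal_wifi)` line has no comment, unlike the vibrator line below it, and it makes dumpstate a client of the whole Wi-Fi HAL rather than granting only what a debug dump needs. A comment such as `# Collect debug dumps from the Wi-Fi HAL for the bugreport` would record the intent, which is inferred here from the hal_wifi.te change in the same diff. If only the dump path is needed, it is worth confirming that no narrower grant is available, since the surrounding lines show dumpstate already reaches many domains and HALs.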
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 805adaf..ecc1359 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -23,9 +23,9 @@
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
allow hal_wifi proc_modules:file { getattr open read };
+# Allow hal_wifi to send dump info to dumpstate
+allow hal_wifi dumpstate:fifo_file write;
# allow hal_wifi to write into /data/vendor/tombstones/wifi
-userdebug_or_eng(`
- allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
- allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
-')
+allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
+allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
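Review bot: Dropping the `userdebug_or_eng` guard lets `hal_wifi_server` create files under the Wi-Fi tombstone directory on user builds too, and nothing in the hunk says why production devices need that. Firmware or driver dumps may contain data derived from network traffic, so the comment above these rules should state what is written on user builds and which domains may read `tombstone_wifi_data_file` afterwards. Separately, the new fifo rule is granted to `hal_wifi` while the tombstone rules use `hal_wifi_server`. If only the HAL server writes into dumpstate's pipe, `allow hal_wifi_server dumpstate:fifo_file write;` would be the narrower form.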
diff --git a/public/lmkd.te b/public/lmkd.te
index 518fb8f..51d1aa2 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -23,6 +23,7 @@
# setsched and send kill signals
allow lmkd appdomain:process { setsched sigkill };
+allow lmkd kernel:process { setsched };
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
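Review bot: The added rule lets lmkd change scheduling parameters of processes in the `kernel` domain, which the existing comment `# setsched and send kill signals` (written for the `appdomain` rule) does not explain. Nothing in the hunk shows which kernel thread lmkd needs to reschedule or why, so a separate comment above the new line should name it. The braces around a single permission are unnecessary; `allow lmkd kernel:process setsched;` is equivalent and matches the usual style for single-permission rules.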