Merge "Allow recovery to read /proc/cmdline"
diff --git a/Android.mk b/Android.mk
index cb67f72..4ae0dab 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1188,7 +1188,7 @@
$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests \
$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) python $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
@@ -1304,7 +1304,7 @@
$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy) $(built_plat_sepolicy) \
$(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) python $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
$(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
diff --git a/private/service_contexts b/private/service_contexts
index 7dc8341..86a6032 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -126,6 +126,7 @@
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
rttmanager u:object_r:rttmanager_service:s0
+rttmanager2 u:object_r:rttmanager_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
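Review bot: `rttmanager2` is registered under the existing `rttmanager_service` type, so every domain already allowed to `find` or `add` that type gets the same access to the new name, and nothing in the file says the sharing is deliberate. If both names are meant to have the same owner and client set, a preceding comment such as `# rttmanager2 shares the rttmanager_service label: same owner and clients` would record that. If they are not, the new name needs its own type so access can be granted separately.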
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index b33035e..ed67597 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -84,7 +84,6 @@
allow surfaceflinger self:capability sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, sysfs_type)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
diff --git a/public/domain.te b/public/domain.te
index c471a50..9bc9e4e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -39,7 +39,6 @@
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
allow { domain -init } su:binder { call transfer };
- allow { domain -init } su:fd use;
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
diff --git a/public/lmkd.te b/public/lmkd.te
index 208720c..0ff9518 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -18,7 +18,7 @@
allow lmkd system_server:file write;
## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_type)
+r_dir_file(lmkd, sysfs_lowmemorykiller)
allow lmkd sysfs_lowmemorykiller:file w_file_perms;
# Send kill signals
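Review bot: `r_dir_file(lmkd, sysfs_lowmemorykiller)` covers only objects carrying that label, so reaching /sys/module/lowmemorykiller/parameters still depends on lmkd being able to search the parent sysfs directories. Whether another rule grants that is not visible in this hunk. The narrowing itself is sound least-privilege, but it should be confirmed with a boot test showing no lmkd avc denials. The `##` comment also mentions only writes although it heads the read rule too; `## Reads and writes /sys/module/lowmemorykiller/parameters/minfree` would match both lines.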
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 67189ae..4437ab7 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -39,7 +39,7 @@
r_dir_file(uncrypt, rootfs)
# uncrypt reads /proc/cmdline
-allow uncrypt proc:file r_file_perms;
+allow uncrypt proc_cmdline:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs)
diff --git a/public/update_engine.te b/public/update_engine.te
index b8f0035..f67afc2 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -39,3 +39,13 @@
# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc and /proc/sys/kernel/random/boot_id
+allow update_engine proc:file r_file_perms;
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
+
+# Read files in /sys
+r_dir_file(update_engine, sysfs)
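Review bot: `allow update_engine proc:file r_file_perms;` grants read on every file that still carries the generic `proc` label, which is wider than the two paths the comment names; /proc/misc is already covered by the `proc_misc` rule on the next line. The same commit narrows uncrypt from `proc` to `proc_cmdline` in public/uncrypt.te, so the boot_id read would be better served by a dedicated type for that path if the policy has or can add one. Until then a comment such as `# TODO: replace proc with a specific type for /proc/sys/kernel/random/boot_id` would record the intent. Separately, the last line grants sysfs read to update_engine, whereas the line removed from update_engine_common.te named uncrypt, so this is a new grant rather than a pure move and is worth confirming as intended.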
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 7680e07..61d393a 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -37,13 +37,3 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/misc and /proc/sys/kernel/random/boot_id
-allow update_engine proc:file r_file_perms;
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
-
-# Read files in /sys
-r_dir_file(uncrypt, sysfs)
diff --git a/tests/Android.bp b/tests/Android.bp
index 8fe89e5..8dc3330 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -19,6 +19,7 @@
name: "py2_only",
version: {
py2: {
+ embedded_launcher: true,
enabled: true,
},
py3: {
diff --git a/tests/policy.py b/tests/policy.py
index a0ddb90..4bc9c91 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -2,6 +2,7 @@
import re
import os
import sys
+import platform
###
# Check whether the regex will match a file path starting with the provided
@@ -252,12 +253,13 @@
# load ctypes-ified libsepol wrapper
def __InitLibsepolwrap(self, LibPath):
- if "linux" in sys.platform:
+ if "linux" in platform.system().lower():
lib = CDLL(LibPath + "/libsepolwrap.so")
- elif "darwin" in sys.platform:
+ elif "darwin" in platform.system().lower():
lib = CDLL(LibPath + "/libsepolwrap.dylib")
else:
- sys.exit("only Linux and Mac currrently supported")
+ sys.exit("policy.py: " + platform.system() + " not supported." +
+ " Only Linux and Darwin platforms are currently supported.")
# int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp);
lib.get_allow_rule.restype = c_int
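Review bot: The platform test is a substring match on `platform.system().lower()` and the library path is built by concatenation, so a missing or unloadable libsepolwrap still surfaces as a raw OSError traceback from `CDLL` rather than the clear message the else-branch now gives. Comparing exactly (`platform.system() == "Linux"`, `== "Darwin"`) and loading with `CDLL(os.path.join(LibPath, "libsepolwrap.so"))` would be tighter. Because LibPath is caller-supplied and the loaded library runs native code inside the build, it is also worth checking that the file exists and exiting with a message naming the path when it does not. `__InitLibsepolwrap` continues past the end of this hunk.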