Merge "adbd should be able to shutdown shell:unix_stream_socket"
diff --git a/apex/Android.bp b/apex/Android.bp
index 4a860e1..d3acfdb 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -180,3 +180,10 @@
"com.android.tethering-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.extservices-file_contexts",
+ srcs: [
+ "com.android.extservices-file_contexts",
+ ],
+}
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 9e17d06..b8a365a 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -35,6 +35,10 @@
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
+# Needed for stats callback registration to statsd.
+allow gpuservice stats_service:service_manager find;
+binder_call(gpuservice, statsd);
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 5127803..f8399fe 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -36,5 +36,7 @@
hal_client_domain(snapshotctl, hal_bootctl)
# Logging
-allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
-allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+userdebug_or_eng(`
+ allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
+ allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/private/stats.te b/private/stats.te
index 26508f1..3e8a3d5 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,6 +41,7 @@
domain
-dumpstate
-gmscore_app
+ -gpuservice
-incidentd
-platform_app
-priv_app
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5d78a18..78853bb 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -27,6 +27,7 @@
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, system_server);
binder_service(surfaceflinger)
# Binder IPC to bu, presently runs in adbd domain.
@@ -116,6 +117,8 @@
# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
+allow surfaceflinger statsmanager_service:service_manager find;
+# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
###
diff --git a/public/init.te b/public/init.te
index cc60b5a..19c7e4b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -546,7 +546,7 @@
allow init unencrypted_data_file:dir create_dir_perms;
# Set encryption policy on dirs in /data
-allowxperm init data_file_type:dir ioctl {
+allowxperm init { data_file_type unlabeled }:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
};