Merge "Update perfprofd rules to allow wake_unlock inspection."
diff --git a/attributes b/attributes
index a9b211f..e42edd6 100644
--- a/attributes
+++ b/attributes
@@ -73,6 +73,3 @@
# All domains used for binder service domains.
attribute binderservicedomain;
-
-# All domains that are excluded from the domain.te auditallow.
-attribute service_manager_local_audit;
diff --git a/dumpstate.te b/dumpstate.te
index 43daac4..584b140 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -109,6 +109,5 @@
allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
-service_manager_local_audit_domain(dumpstate)
allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/isolated_app.te b/isolated_app.te
index 1cede96..ef68986 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,8 +18,6 @@
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
-service_manager_local_audit_domain(isolated_app)
-
#####
##### Neverallow
#####
diff --git a/recovery.te b/recovery.te
index 29f1a50..1441db1 100644
--- a/recovery.te
+++ b/recovery.te
@@ -77,6 +77,9 @@
allow recovery cache_file:dir create_dir_perms;
allow recovery cache_file:file create_file_perms;
+ # Read files on /oem.
+ r_dir_file(recovery, oemfs);
+
# Reboot the device
set_prop(recovery, powerctl_prop)
diff --git a/shell.te b/shell.te
index ac55346..1be9eec 100644
--- a/shell.te
+++ b/shell.te
@@ -63,7 +63,6 @@
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
allow shell { service_manager_type -gatekeeper_service }:service_manager find;
-service_manager_local_audit_domain(shell)
# allow shell to look through /proc/ for ps, top
allow shell domain:dir { search open read getattr };
diff --git a/su.te b/su.te
index 9c01fc5..d4a488b 100644
--- a/su.te
+++ b/su.te
@@ -50,5 +50,4 @@
dontaudit su domain:debuggerd *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
- service_manager_local_audit_domain(su)
')
diff --git a/system_server.te b/system_server.te
index a2093ff..4cb0e82 100644
--- a/system_server.te
+++ b/system_server.te
@@ -302,6 +302,7 @@
# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };
+allow system_server cache_file:fifo_file create_file_perms;
# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;
diff --git a/te_macros b/te_macros
index 5248f18..a76bb5d 100644
--- a/te_macros
+++ b/te_macros
@@ -365,14 +365,6 @@
')
###########################################
-# service_manager_local_audit_domain(domain)
-# Has its own auditallow rule on service_manager
-# and should be excluded from the domain.te auditallow.
-define(`service_manager_local_audit_domain', `
- typeattribute $1 service_manager_local_audit;
-')
-
-###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
diff --git a/tools/Android.mk b/tools/Android.mk
index b9e3533..2a2e83d 100644
--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -4,7 +4,7 @@
LOCAL_MODULE := checkseapp
LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include/
+LOCAL_C_INCLUDES := external/selinux/libsepol/include/
LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
LOCAL_SRC_FILES := check_seapp.c
LOCAL_STATIC_LIBRARIES := libsepol
@@ -17,7 +17,7 @@
LOCAL_MODULE := checkfc
LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include \
+LOCAL_C_INCLUDES := external/selinux/libsepol/include \
external/libselinux/include
LOCAL_CFLAGS := -Wall -Werror
LOCAL_SRC_FILES := checkfc.c
@@ -41,7 +41,7 @@
LOCAL_MODULE := sepolicy-check
LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include
+LOCAL_C_INCLUDES := external/selinux/libsepol/include
LOCAL_CFLAGS := -Wall -Werror
LOCAL_SRC_FILES := sepolicy-check.c
LOCAL_STATIC_LIBRARIES := libsepol
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index b9ce0f4..7568351 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -5,7 +5,7 @@
LOCAL_MODULE := sepolicy-analyze
LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include
+LOCAL_C_INCLUDES := external/selinux/libsepol/include
LOCAL_CFLAGS := -Wall -Werror
LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
LOCAL_STATIC_LIBRARIES := libsepol
diff --git a/uncrypt.te b/uncrypt.te
index f701084..752124d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -14,11 +14,12 @@
r_dir_file(uncrypt, shell_data_file)
')
-# Create tmp file /cache/recovery/command.tmp
# Read /cache/recovery/command
-# Rename /cache/recovery/command.tmp to /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+# Write to pipe file /cache/recovery/uncrypt_status
allow uncrypt cache_file:dir rw_dir_perms;
allow uncrypt cache_file:file create_file_perms;
+allow uncrypt cache_file:fifo_file w_file_perms;
# Set a property to reboot the device.
set_prop(uncrypt, powerctl_prop)