Merge "Adding permission for traceur to use content provider"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf9d0d3..bb9142d 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -183,6 +183,7 @@
hal_bluetooth_hwservice
hal_bootctl_hwservice
hal_camera_hwservice
+ hal_confirmationui_hwservice
hal_contexthub_hwservice
hal_drm_hwservice
hal_dumpstate_hwservice
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9d173be..9dd2ee7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -466,6 +466,7 @@
proc_kmsg
proc_loadavg
proc_max_map_count
+ proc_min_free_order_shift
proc_mounts
proc_page_cluster
proc_pagetypeinfo
@@ -478,6 +479,7 @@
proc_uid_time_in_state
proc_uid_concurrent_active_time
proc_uid_concurrent_policy_time
+ proc_uid_cpupower
proc_uptime
proc_version
proc_vmallocinfo
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3a906e9..ca26357 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -37,6 +37,7 @@
fs_bpf
hal_broadcastradio_hwservice
hal_cas_hwservice
+ hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_tetheroffload_hwservice
diff --git a/private/file_contexts b/private/file_contexts
index 9083b0c..b2a22a2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,6 +38,7 @@
/sdcard u:object_r:rootfs:s0
# SELinux policy files
+/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 76f5bdd..8f0d489 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -66,6 +66,7 @@
genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -77,6 +78,7 @@
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
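Review bot: The added `genfscon proc /uid_cpupower/` entry in this second hunk is the only one nearby written with a trailing slash, so it presumably labels only the entries beneath /proc/uid_cpupower/ and leaves the directory node with whatever label the broader proc rules give it. That would be consistent with the `:file`-only allow added in private/system_server.te and the `:file`-only neverallow added in public/app.te, but on its own it reads like a typo. A comment such as `# trailing slash is intentional: label the files under /proc/uid_cpupower/, not the directory` would record the intent. If the directory was meant to carry `proc_uid_cpupower` too, the slash should go and the allow and neverallow rules need a `:dir` counterpart.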
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 661e2ae..38a9af2 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index b885263..a887a61 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -99,7 +99,14 @@
###
# only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+neverallow {
+ domain
+ -incident
+ -incidentd
+ -statsd
+ -system_app
+ -system_server
+} incident_service:service_manager find;
# only incidentd and the other root services in limited circumstances
# can get to the files in /data/misc/incidents
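Review bot: The comment above the rewritten neverallow still says that only system_server, system_app and the incident command can find the incident service, but the new exclusion set also exempts `statsd` (and `incidentd`, which was already exempt). The comment should list the same domains as the assertion, e.g. `# only system_server, system_app, statsd, incident and incidentd can find the incident service`. Since the exemption widens who may look up `incident_service`, a few words on why statsd needs it would help later policy audits.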
diff --git a/private/keystore.te b/private/keystore.te
index a9647c6..90c4727 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -5,6 +5,12 @@
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
# Offer the Wifi Keystore HwBinder service
typeattribute keystore wifi_keystore_service_server;
add_hwservice(keystore, system_wifi_keystore_hwservice)
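Review bot: `allow keystore platform_app:binder call;` lets keystore make binder calls into every process running in the `platform_app` domain, while the comment only says it is used for the ConfirmationUI async callback. If the callback is delivered to one component or a narrower domain, the rule would be better scoped to that. At minimum the comment should name the receiver, e.g. `# ConfirmationUI async callback: keystore calls back into the platform app that requested the confirmation (<component>)`. The rest of keystore.te is outside this hunk, so whether a narrower target type exists cannot be judged from here.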
diff --git a/private/statsd.te b/private/statsd.te
index b04a7da..dad3c6c 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -41,8 +41,9 @@
# Grant statsd with permissions to register the services.
allow statsd {
- statscompanion_service
app_api_service
+ incident_service
+ statscompanion_service
system_api_service
}:service_manager find;
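Review bot: The comment over this block says the rule grants statsd permission to register services, but the permission granted is `find`, and the hunk now adds `incident_service` to the set without saying why. Reword the comment to something like `# Allow statsd to look up the services it talks to.` and add a short reason for the new `incident_service` entry next to it. This keeps the grant traceable to the matching `-statsd` exemption added to the neverallow in private/incidentd.te.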
diff --git a/private/system_server.te b/private/system_server.te
index 6ebcab5..642c8bd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -718,6 +718,7 @@
}:file r_file_perms;
allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
r_dir_file(system_server, rootfs)
diff --git a/public/app.te b/public/app.te
index 582995a..3c29946 100644
--- a/public/app.te
+++ b/public/app.te
@@ -547,3 +547,6 @@
# Apps cannot access proc_uid_concurrent_policy_time
neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
diff --git a/public/attributes b/public/attributes
index 11ffd2e..66ce7d0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -209,6 +209,7 @@
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(configstore);
+hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(drm);
hal_attribute(cas);
diff --git a/public/file.te b/public/file.te
index c6b2a79..02a4360 100644
--- a/public/file.te
+++ b/public/file.te
@@ -8,6 +8,7 @@
type proc_security, fs_type;
type proc_drop_caches, fs_type;
type proc_overcommit_memory, fs_type;
+type proc_min_free_order_shift, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -55,6 +56,7 @@
type proc_uid_time_in_state, fs_type;
type proc_uid_concurrent_active_time, fs_type;
type proc_uid_concurrent_policy_time, fs_type;
+type proc_uid_cpupower, fs_type;
type proc_uptime, fs_type;
type proc_version, fs_type;
type proc_vmallocinfo, fs_type;
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
new file mode 100644
index 0000000..228e864
--- /dev/null
+++ b/public/hal_confirmationui.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09e3068..f6ab621 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
type hal_contexthub_hwservice, hwservice_manager_type;
type hal_drm_hwservice, hwservice_manager_type;
type hal_cas_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index ddbe323..c3e36ea 100644
--- a/public/init.te
+++ b/public/init.te
@@ -287,6 +287,7 @@
proc_extra_free_kbytes
proc_net
proc_max_map_count
+ proc_min_free_order_shift
proc_overcommit_memory
proc_panic
proc_page_cluster
diff --git a/public/su.te b/public/su.te
index 88065f6..edc62c3 100644
--- a/public/su.te
+++ b/public/su.te
@@ -62,6 +62,7 @@
typeattribute su hal_bootctl_client;
typeattribute su hal_camera_client;
typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
typeattribute su hal_contexthub_client;
typeattribute su hal_drm_client;
typeattribute su hal_cas_client;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b1efe1d..c56b45c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -33,127 +33,47 @@
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
-}:dir { create search getattr open read setattr ioctl };
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -system_ndebug_socket
- -unlabeled
- -vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init {
- file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
-runtime_event_log_tags_file
- -exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
+ -core_data_file_type
+ -exec_type
-system_file
-vendor_file_type
- -exec_type
- -vold_data_file
- -keystore_data_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
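Review bot: Replacing the explicit exclusion lists with `-core_data_file_type` makes every rule in this hunk depend on attribute membership declared outside the diff. Any previously excluded type (for example `system_ndebug_socket`, `property_data_file`, `misc_logd_file` or `keystore_data_file`) that does not carry `core_data_file_type` would silently become creatable, writable and relabelable by vendor_init. Please confirm membership for each removed type. If no other rule in vendor_init.te conflicts, the intent could be pinned with an assertion along the lines of `neverallow vendor_init core_data_file_type:dir_file_class_set { create write relabelfrom relabelto };`. The file rule also keeps its separate `-runtime_event_log_tags_file` exclusion, which suggests that not every sensitive type is covered by the attribute.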
diff --git a/public/vold.te b/public/vold.te
index f754db7..a490e06 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -11,7 +11,7 @@
r_dir_file(vold, proc_net)
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
@@ -89,9 +89,6 @@
allow vold domain:process { signal sigkill };
allow vold self:global_capability_class_set { sys_ptrace kill };
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
allow vold kmsg_device:chr_file rw_file_perms;
# Run fsck in the fsck domain.
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b4961d7..e2d3ef7 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,6 +9,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
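Review bot: The added pattern spells the alternate prefix `sustem/vendor`, so the regex matches /vendor/bin/hw/... but never /system/vendor/bin/hw/..., unlike every neighbouring entry. On a device where the vendor tree lives under /system/vendor, the confirmationui service binary would not receive `hal_confirmationui_default_exec`. It would then presumably not transition into `hal_confirmationui_default` through the `init_daemon_domain` declared in vendor/hal_confirmationui_default.te. The line should read `/(vendor|system/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0`.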
diff --git a/vendor/hal_confirmationui_default.te b/vendor/hal_confirmationui_default.te
new file mode 100644
index 0000000..832c687
--- /dev/null
+++ b/vendor/hal_confirmationui_default.te
@@ -0,0 +1,5 @@
+type hal_confirmationui_default, domain;
+hal_server_domain(hal_confirmationui_default, hal_confirmationui)
+
+type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_confirmationui_default)