Merge "Allow ota_preopt to read runtime properties."
diff --git a/private/apexd.te b/private/apexd.te
index 80e115a..5b27101 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -45,11 +45,6 @@
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
-# allow apexd to relabel apk_tmp_file to apex_data_file.
-# TODO(b/112669193) remove this when APEXes are staged via file descriptor
-allow apexd apk_tmp_file:file relabelfrom;
-allow apexd apex_data_file:file relabelto;
-
# allow apexd to read files from /data/pkg_staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
diff --git a/private/bug_map b/private/bug_map
index 8e31eca..7d932db 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -22,7 +22,6 @@
netd untrusted_app_25 unix_stream_socket 77870037
netd untrusted_app_27 unix_stream_socket 77870037
platform_app nfc_data_file dir 74331887
-priv_app mnt_user_file dir 118185801
system_server crash_dump process 73128755
system_server sdcardfs file 77856826
system_server storage_stub_file dir 112609936
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 1879468..f7f3a54 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -123,8 +123,10 @@
timezonedetector_service
uri_grants_service
use_memfd_prop
+ vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/domain.te b/private/domain.te
index a48a186..bc05875 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -32,6 +32,7 @@
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
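Review bot: The added `allow domain vendor_task_profiles_file:file r_file_perms;` has no comment, and because it is granted to `domain` it makes /vendor/etc/task_profiles.json readable by every process on the device, app domains included. That mirrors the system `task_profiles_file` rule on the line above, so it is probably intended, but it means the vendor file must never carry anything sensitive. I would add a line such as `# Vendor task profiles are readable by all domains by design; the file must hold no secrets.` above the rule.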
diff --git a/private/file_contexts b/private/file_contexts
index 988ee25..39244c1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -336,6 +336,8 @@
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
+/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
@@ -432,6 +434,8 @@
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/apex(/.*)? u:object_r:apex_data_file:s0
+/data/apex/active/(.*)? u:object_r:staging_data_file:s0
+/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
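Review bot: The two new entries use `/(.*)?` rather than the `(/.*)?` form of every neighbouring line, so they match what is under `/data/apex/active/` and `/data/apex/backup/` but not the directories themselves, which keep `apex_data_file` from the `/data/apex(/.*)?` entry. If that split is intended (the apexd.te context says files are hardlinked from staging, and a hardlink shares its source's label), state it in a comment, e.g. `# Files here are hardlinks of staged APEXes and keep staging_data_file; the directories stay apex_data_file.` It also means active APEX files share a type with the staging area, so any domain allowed to write or unlink `staging_data_file:file` is kept away from them only by the directory permissions on `apex_data_file`. It is worth checking which domains hold those permissions.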
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 11edf66..8700dc0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -218,6 +218,7 @@
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
@@ -258,6 +259,7 @@
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
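Review bot: The last context line of this hunk, `genfscon debugfs /events/kmem/rss_stat/ ...`, lacks the `/tracing` prefix that every other debugfs entry here carries, including the new `dma_fence` one. As written it likely does not label the debugfs rss_stat event directory as `debugfs_tracing`. The line predates this commit, but it would be worth correcting to `genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0` while the block is being touched.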
diff --git a/public/domain.te b/public/domain.te
index 21b9851..0d47401 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1037,6 +1037,7 @@
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_lib_file
+ -vendor_task_profiles_file
-vndk_sp_file
}:file *;
')
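Review bot: `vendor_task_profiles_file` is added to this exclusion list but `vendor_cgroup_desc_file`, introduced in the same commit and granted to init in public/init.te, is not. The rule's opening lines are outside the hunk, so I cannot see whether init is already removed from its source set. If it is, a short comment saying the vendor cgroup description file is read only by init would explain the asymmetry. Note also that the exclusion covers `:file *`, so it is only the separate `r_file_perms` grant in private/domain.te that keeps access read-only.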
diff --git a/public/file.te b/public/file.te
index 42491dc..bdcaae7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -158,8 +158,12 @@
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
# Default type for directories search for
# HAL implementations
diff --git a/public/init.te b/public/init.te
index 7f5b3fc..88e8dba 100644
--- a/public/init.te
+++ b/public/init.te
@@ -109,6 +109,7 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
# /config
allow init configfs:dir mounton;
diff --git a/public/installd.te b/public/installd.te
index e767b25..04922f5 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -35,6 +35,8 @@
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
+# Scan through JARs in /vendor/framework
+r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
# Get file context
diff --git a/public/statsd.te b/public/statsd.te
index 85523ef..8ba7f63 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -31,6 +31,9 @@
binder_call(statsd, perfprofd)
')
binder_call(statsd, system_server)
+
+# Allow statsd to interact with gpuservice
+allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)
# Allow logd access.