Merge "Improve CIL parsing" into main
diff --git a/private/crosvm.te b/private/crosvm.te
index 25157a0..cddab36 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -97,6 +97,10 @@
allow crosvm servicemanager:binder { call transfer };
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
+
+ # Allow crosvm to play sound.
+ binder_call(crosvm, audioserver)
+ allow crosvm audioserver_service:service_manager find;
')
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
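Review bot: The comment on the added rules says crosvm is allowed to play sound, but `binder_call(crosvm, audioserver)` together with `allow crosvm audioserver_service:service_manager find;` opens audioserver's whole binder interface to the VMM. SELinux cannot separate playback from capture at this level, so microphone access rests entirely on audioserver's own permission checks. Since crosvm acts on requests from guest code, the comment should say so, e.g. `# Allow crosvm to reach audioserver for guest audio; playback vs. capture is enforced by audioserver, not by this policy.` The conditional block that closes at `')` opens before this hunk, so which builds or flags receive the rule is not visible here. It is worth confirming that the rule is limited to configurations that actually expose an audio device to the guest.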
diff --git a/private/lmkd.te b/private/lmkd.te
index 8d22552..5369c79 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -86,6 +86,9 @@
# Allow lmkd to write to statsd.
unix_socket_send(lmkd, statsdw, statsd)
+# Allow lmkd to create io_uring
+allow lmkd self:anon_inode { create map read write };
+
### neverallow rules
# never honor LD_PRELOAD
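Review bot: `allow lmkd self:anon_inode { create map read write };` applies to every anonymous inode that carries lmkd's own domain label, not only the io_uring one the comment names. A narrower form gives the io_uring inode its own type through a named type transition on `[io_uring]` and grants the four permissions on that type only. If this tree's te_macros provides `io_uring_use`, then `io_uring_use(lmkd)` would be the one-line replacement. The comment should also say what lmkd uses the ring for, so that a later reviewer can judge whether `map` is still required.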
diff --git a/private/system_server.te b/private/system_server.te
index 8326628..e7ae9fc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1652,6 +1652,20 @@
# /proc/self/fd/<fd> with a classloader.
allow system_server system_server_tmpfs:file open;
+# Allow system_server to read from postinstall scripts through STDIN, to check if the
+# otapreopt_script is still alive.
+allow system_server postinstall:fifo_file read;
+
+# Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing
+# files in chroot when we teardown chroot.
+allow system_server {
+ artd
+ derive_classpath
+ dex2oat
+ odrefresh
+ profman
+}:process sigkill;
+
# Do not allow any domain other than init or system server to get or set the property
neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
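Review bot: The `sigkill` rule covers every process running in the artd, derive_classpath, dex2oat, odrefresh and profman domains, while its comment describes only the processes that touch files in the chroot at teardown. Policy cannot tell those instances apart by type, so the restriction has to live in the system_server code that selects the PIDs. The comment should record that, e.g. `# Scope is domain-wide; the caller must only signal the artd process tree it started for the chroot.` If the chroot instances can run under their own types (not visible from this hunk), narrowing the target set to those types would put the limit in policy as well.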