Merge "Fix mediaserver meets the void fd use denied"
diff --git a/private/coredomain.te b/private/coredomain.te
index ebad8e7..169f6b2 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -58,6 +58,7 @@
-idmap
-init
-installd
+ -postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-app_zygote
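Review bot: The new `-postinstall_dexopt` exemption carries no rationale, unlike the `-rs` line directly below it, and the same undocumented line is added again in the hunk at -74,6. The rule these exclusion sets belong to starts and ends outside both hunks, so the target type and permissions being opened up are not visible here. Presumably it is the vendor overlay restriction, given the `r_dir_file(postinstall_dexopt, vendor_overlay_file)` grant added in private/postinstall_dexopt.te by this commit. A trailing comment such as `-postinstall_dexopt # reads vendor overlay APKs as dex2oat input` on both lines would keep the exception auditable.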
@@ -74,6 +75,7 @@
-idmap
-init
-installd
+ -postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-app_zygote
diff --git a/private/incidentd.te b/private/incidentd.te
index ad6fbf3..6f10955 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -151,6 +151,7 @@
-dumpstate
-incident
-incidentd
+ -priv_app
-statsd
-system_app
-system_server
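Review bot: Adding `-priv_app` exempts every privileged app from this restriction, and nothing at this line records what limits that access. The rule itself lies outside the hunk. The matching grant in private/priv_app.te says the access also requires the DUMP and PACKAGE_USAGE_STATS permissions, so the effective gate appears to be the framework permission check rather than SELinux; it is worth confirming that incidentd enforces it on each binder entry point. Suggest recording that here with `-priv_app # also gated by DUMP and PACKAGE_USAGE_STATS`.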
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index efde869..e2bc33e 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -11,6 +11,9 @@
# APEX packages in /postinstall/apex.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# This is required for dynamic partitions.
+allow otapreopt_chroot dm_device:chr_file rw_file_perms;
+
# This is required to unmount flattened APEX packages under
# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
allow otapreopt_chroot postinstall_file:filesystem unmount;
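Review bot: `rw_file_perms` on `dm_device:chr_file` is a broad grant for a one-line justification, because "required for dynamic partitions" does not say which operation on the device-mapper node otapreopt_chroot performs. If the domain only sets up mappings before mounting under /postinstall, the comment should say so, for example `# Needed to map dynamic partitions via device-mapper before mounting them under /postinstall.` That lets a later audit judge whether the full read/write set is still warranted.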
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index a463cb6..fd370c2 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -32,6 +32,8 @@
r_dir_file(postinstall_dexopt, apk_data_file)
# Read vendor app data (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_app_file)
+# Read vendor overlay files (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_overlay_file)
# Access to app oat directory.
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
diff --git a/private/priv_app.te b/private/priv_app.te
index 004908c..c5251a9 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -152,6 +152,12 @@
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)
+# Allow priv_apps to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow priv_app incident_service:service_manager find;
+binder_call(priv_app, incidentd)
+allow priv_app incidentd:fifo_file { read write };
+
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
can_profile_heap(priv_app)
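Review bot: `allow priv_app incidentd:fifo_file { read write };` grants write on pipes owned by incidentd, although the stated purpose is to request and collect reports. The parallel system_server rule added in this commit grants only `read`. If priv_app only consumes report data, `allow priv_app incidentd:fifo_file read;` is the least-privilege form. If write is needed, the comment above the rule should say what it is for.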
diff --git a/private/system_server.te b/private/system_server.te
index ab4a07c..8fff848 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -412,6 +412,10 @@
allow system_server su:fifo_file append;
')
+# Allow system_server to read pipes from incidentd (used to deliver incident reports
+# to dropbox)
+allow system_server incidentd:fifo_file read;
+
# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;