Merge ""Add shared library into i18n APEX and add the required sepolicy" Attempt 2"
diff --git a/private/property_contexts b/private/property_contexts
index f18a23d..99637d4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -437,6 +437,7 @@
ro.lmk.psi_partial_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.swap_util_max u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1bad9c1..12e46dc 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -153,12 +153,12 @@
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
-user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
+user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
diff --git a/private/update_engine.te b/private/update_engine.te
index a76ab49..539399e 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -11,3 +11,6 @@
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
+
+# Allow to get the DSU status
+get_prop(update_engine, gsid_prop)
diff --git a/public/domain.te b/public/domain.te
index 8e6e150..0ab5f22 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -948,6 +948,23 @@
')
full_treble_only(`
+ # Do not allow coredomain to access entrypoint for files other
+ # than system_file_type and postinstall_file
+ neverallow coredomain {
+ file_type
+ -system_file_type
+ -postinstall_file
+ }:file entrypoint;
+ # Do not allow domains other than coredomain to access entrypoint
+ # for anything but vendor_file_type and init_exec for vendor_init.
+ neverallow { domain -coredomain } {
+ file_type
+ -vendor_file_type
+ -init_exec
+ }:file entrypoint;
+')
+
+full_treble_only(`
# Do not allow system components to execute files from vendor
# except for the ones whitelisted here.
neverallow {
diff --git a/public/modprobe.te b/public/modprobe.te
index 1190409..2c7d64b 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -1,6 +1,7 @@
type modprobe, domain;
allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
recovery_only(`
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index 7689ca5..61df9e0 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -4,6 +4,7 @@
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
allow vendor_modprobe proc_modules:file r_file_perms;
+allow vendor_modprobe proc_cmdline:file r_file_perms;
allow vendor_modprobe self:global_capability_class_set sys_module;
allow vendor_modprobe kernel:key search;