Merge "hal_tetheroffload: move hwservice mapping to core policy"
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index cfda748..3e22734 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -112,6 +112,7 @@
     untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop
+    vendor_security_patch_level_prop
     usbd
     usbd_exec
     usbd_tmpfs
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 0f86e25..c1f5e94 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -3,6 +3,7 @@
 (type reboot_data_file)
 (type rild)
 (type webview_zygote_socket)
+(type vold_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a3f7bb5..efc0166 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -35,12 +35,14 @@
     exported_system_prop
     exported_system_radio_prop
     exported_vold_prop
+    fingerprint_vendor_data_file
     fs_bpf
     hal_authsecret_hwservice
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_secure_element_hwservice
     hal_usb_gadget_hwservice
+    hal_wifi_hostapd_hwservice
     incident_helper
     incident_helper_exec
     last_boot_reason_prop
@@ -91,6 +93,7 @@
     usbd_tmpfs
     vendor_default_prop
     vendor_init
+    vendor_security_patch_level_prop
     vendor_shell
     vold_metadata_file
     vold_prepare_subdirs
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3d2528d..f2b9699 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -146,12 +146,17 @@
 genfscon debugfs /tracing/events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/irq/                                u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/ipi/                                u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_iget/                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/              u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/f2fs/f2fs_write_end/                u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ext4/ext4_da_write_end/             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_load_inode/               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
@@ -163,12 +168,17 @@
 genfscon tracefs /events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/irq/                                u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/ipi/                                u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_get_data_block/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_iget/                     u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/f2fs/f2fs_sync_file_enter/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/f2fs/f2fs_sync_file_exit/           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/f2fs/f2fs_write_begin/              u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/f2fs/f2fs_write_end/                u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ext4/ext4_da_write_begin/           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ext4/ext4_da_write_end/             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/   u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/    u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_load_inode/               u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ext4/ext4_sync_file_enter/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ext4/ext4_sync_file_exit/           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f56e8d8..ea58814 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -33,3 +33,9 @@
     -coredomain
     -appdomain
 }, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
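Review bot: The comment above the new `dontaudit netutils_wrapper self:global_capability_class_set sys_resource;` says only "spurious" and does not record which operation trips sys_resource, so a later reader cannot judge whether the suppression still matches reality; suggest `# suppress spurious denials: sys_resource is never needed by the wrapper and is forbidden by the neverallow below`. The `neverallow ... ~{ net_admin net_raw }` on the last line is the useful part of this hunk, since it pins the wrapper's capability set at build time rather than relying on the absence of allow rules. Note that the zygote hunk in this same change expresses the equivalent suppression as `self:capability`; if both are meant to cover the same thing, pick one class expression for consistency.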
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401d..0a1a7c6 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -114,6 +114,9 @@
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 
+# ingore spurious denials
+dontaudit zygote self:capability sys_resource;
+
 ###
 ### neverallow rules
 ###
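Review bot: The added comment `# ingore spurious denials` has a typo; it should read `# ignore spurious denials`. It would also help to say what produces the sys_resource denial, since "spurious" alone gives a future maintainer no way to re-verify it. The netutils_wrapper hunk in this change writes the same suppression against `self:global_capability_class_set` rather than `self:capability`; aligning the two would make the intent easier to audit.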
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 6b6b986..f778d28 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -59,10 +59,8 @@
 # Crash dump is not intended to access the following data types. Since these
 # are WAI, suppress the denials to clean up the logs.
 dontaudit crash_dump {
-  app_data_file
-  bluetooth_data_file
-  resourcecache_data_file
-  vendor_overlay_file
+  core_data_file_type
+  vendor_file_type
 }:dir search;
 dontaudit crash_dump system_data_file:file read;
 
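Review bot: Replacing the four explicit types with the `core_data_file_type` and `vendor_file_type` attributes widens the `dontaudit` from a handful of directories to every type carrying those attributes, so a crash_dump search of a directory that is not WAI will now be silenced along with the expected ones. That is probably acceptable for log cleanup, but the comment should state that this is a deliberate blanket suppression so nobody later reads the missing denials as proof of absence; suggest extending it with `# Suppressed for every core data / vendor file type on purpose; add an explicit allow if crash_dump ever legitimately needs one of these.` If a narrower set was intended, listing types is safer than attributes here.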
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 8b240b1..181de4a 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,3 +4,5 @@
 
 add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
 allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+
+dontaudit hal_bootctl self:capability sys_rawio;
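Review bot: The new `dontaudit hal_bootctl self:capability sys_rawio;` has no comment, unlike the other suppressions in this change, and it targets the umbrella `hal_bootctl` attribute while the line above scopes rules to `hal_bootctl_server`; if only the server process trips sys_rawio, `dontaudit hal_bootctl_server self:capability sys_rawio;` with a `# ignore spurious denials` comment would be the narrower form. The update_engine.te hunk in this same change adds an identical suppression; if update_engine is a hal_bootctl client, that rule may be redundant with this one and one of the two could be dropped.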
diff --git a/public/hal_health.te b/public/hal_health.te
index 068f23b..c0a0f80 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -25,3 +25,6 @@
 
 # Allow to wake up to send periodic events
 wakelock_use(hal_health_server)
+
+# Write to /dev/kmsg
+allow hal_health_server kmsg_device:chr_file w_file_perms;
diff --git a/public/property.te b/public/property.te
index 64f309d..6fa85dc 100644
--- a/public/property.te
+++ b/public/property.te
@@ -53,6 +53,7 @@
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
 type wifi_prop, property_type;
+type vendor_security_patch_level_prop, property_type;
 
 # Properties for whitelisting
 type exported_config_prop, property_type;
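Review bot: The new `type vendor_security_patch_level_prop, property_type;` is inserted after `wifi_prop`, while the surrounding declarations (`vold_prop`, `wifi_log_prop`, `wifi_prop`) are in alphabetical order, so it belongs before `vold_prop`. A short comment would also help, since this is the only property type in the hunk set by vendor_init and read by shell; suggest `# ro.vendor.build.security_patch, set by vendor_init and read by shell for CTS`. Declaring it as a plain `property_type` rather than `core_property_type` looks intentional for a vendor-set property, but confirming that in the comment avoids a later "fix".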
diff --git a/public/property_contexts b/public/property_contexts
index 20f6348..48e91a7 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -102,6 +102,7 @@
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
diff --git a/public/shell.te b/public/shell.te
index c5033ec..6641597 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -81,6 +81,9 @@
 # Read device's serial number from system properties
 get_prop(shell, serialno_prop)
 
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
 # Read state of logging-related properties
 get_prop(shell, device_logging_prop)
 
diff --git a/public/update_engine.te b/public/update_engine.te
index 00f70bc..2075985 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -19,6 +19,7 @@
 
 # Ignore these denials.
 dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:capability sys_rawio;
 
 # Allow using persistent storage in /data/misc/update_engine.
 allow update_engine update_engine_data_file:dir create_dir_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6a13f69..dee2006 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -178,6 +178,7 @@
 set_prop(vendor_init, log_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
 set_prop(vendor_init, wifi_log_prop)
 
 get_prop(vendor_init, exported2_radio_prop)