Merge "Allow reading hypervisor capabilities"
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 1db1c2a..6539e2c 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -14,6 +14,11 @@
 # microdroid_manager verifies DM-verity mounted APK payload
 allow microdroid_manager dm_device:blk_file r_file_perms;
 
+# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
+# requires sys_admin cap as well.
+allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
+allow microdroid_manager self:global_capability_class_set sys_admin;
+
 # Allow microdroid_manager to start payload tasks
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
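Review bot: The allowxperm line only narrows which ioctl commands are permitted on vd_device:blk_file; it does not grant the base `ioctl` permission itself, so unless an `allow microdroid_manager vd_device:blk_file ioctl` (or a macro that includes ioctl) exists outside this hunk, BLKFLSBUF will still be denied at the access-vector stage. The sys_admin grant is a broad capability for this domain, and the comment should pin its purpose so it is not later treated as general-purpose, e.g. `# sys_admin is granted only because BLKFLSBUF checks CAP_SYS_ADMIN; do not rely on it for anything else.` If the ioctl base permission is already present elsewhere in the file, a one-word reference to it in the comment would save the next reader the search.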
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 650117e..02337a0 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,6 +3,9 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 typeattribute bpfloader coredomain;
 
+# allow bpfloader to write to the kernel log (starts early)
+allow bpfloader kmsg_device:chr_file w_file_perms;
+
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
 allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
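Review bot: The new comment starts in lower case while the surrounding comments in this file ("These permissions are required …") are written as sentences; for consistency `# Allow bpfloader to write to the kernel log (it starts before logd is available).` would match, with the parenthetical adjusted to whatever "starts early" actually refers to, since the hunk does not say. The grant itself is write-only via w_file_perms, which is the minimal shape for a kmsg sink.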
diff --git a/private/priv_app.te b/private/priv_app.te
index 2535222..c7d6ab1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -269,3 +269,6 @@
 
 # Do not follow untrusted app provided symlinks
 neverallow priv_app app_data_file:lnk_file { open read getattr };
+
+# Allow reporting off body events to keystore.
+allow priv_app keystore:keystore2 report_off_body;
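Review bot: The new rule grants report_off_body to every process in the priv_app domain, but the comment does not record which privileged component needs it, so there is no way to later narrow the grant to a dedicated domain or to judge whether the whole domain should be able to influence keystore's off-body state. Recording the consumer in the comment would fix that, e.g. `# Allow reporting off body events to keystore (needed by <component — fill in>).`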
diff --git a/private/service_contexts b/private/service_contexts
index a22f272..1ada543 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -342,7 +342,7 @@
 translation                               u:object_r:translation_service:s0
 transparency                              u:object_r:transparency_service:s0
 trust                                     u:object_r:trust_service:s0
-tv_iapp                                   u:object_r:tv_iapp_service:s0
+tv_interactive_app                        u:object_r:tv_iapp_service:s0
 tv_input                                  u:object_r:tv_input_service:s0
 tv_tuner_resource_mgr                     u:object_r:tv_tuner_resource_mgr_service:s0
 uce                                       u:object_r:uce_service:s0