Merge "Set context for partition.*.verified.root_digest properties."

commit: e4623f32198cb09b9cc94840ef60cf652c89e929 [log] [tgz]
author: Tianjie Xu <xunchang@google.com> Wed Sep 01 17:47:11 2021 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Sep 01 17:47:11 2021 +0000
tree: 7843ce8333e9597280aaa5d144ae6b2c51451010
parent: 4442c1f7eb94abfd1f20dec02eb731fee5242e80 [diff]
parent: ade005f8dd7f82a0a68d89cbed38ca795fe2b0c9 [diff]
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index f84f5f0..893469c 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te

@@ -7,9 +7,10 @@
 init_daemon_domain(microdroid_manager)
 
 # microdroid_manager accesses a virtual disk block device to read VM payload
+# It needs write access as it updates the instance image
 allow microdroid_manager block_device:dir r_dir_perms;
 allow microdroid_manager block_device:lnk_file r_file_perms;
-allow microdroid_manager vd_device:blk_file r_file_perms;
+allow microdroid_manager vd_device:blk_file rw_file_perms;
 # microdroid_manager verifies DM-verity mounted APK payload
 allow microdroid_manager dm_device:blk_file r_file_perms;
 

diff --git a/private/file_contexts b/private/file_contexts
index 5433726..0c8bf78 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -575,6 +575,7 @@
 /data/misc/apexdata/com\.android\.compos(/.*)?        u:object_r:apex_compos_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_system_server_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0

diff --git a/private/installd.te b/private/installd.te
index 726e5aa..251a14f 100644
--- a/private/installd.te
+++ b/private/installd.te

@@ -46,3 +46,5 @@
 # Allow installd to delete files in /data/staging
 allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read remove_name rmdir search write };
+
+allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };

diff --git a/public/installd.te b/public/installd.te
index 1134aaa..1ef4fc7 100644
--- a/public/installd.te
+++ b/public/installd.te

@@ -2,7 +2,7 @@
 type installd, domain;
 type installd_exec, system_file_type, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
 
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
commit	e4623f32198cb09b9cc94840ef60cf652c89e929	[log] [tgz]
author	Tianjie Xu <xunchang@google.com>	Wed Sep 01 17:47:11 2021 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Sep 01 17:47:11 2021 +0000
tree	7843ce8333e9597280aaa5d144ae6b2c51451010
parent	4442c1f7eb94abfd1f20dec02eb731fee5242e80 [diff]
parent	ade005f8dd7f82a0a68d89cbed38ca795fe2b0c9 [diff]