commit e58fa548038f563158ea4352d3942f487a9bbff2
author Treehugger Robot <treehugger-gerrit@google.com> Tue Jan 23 02:37:24 2018 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Jan 23 02:37:24 2018 +0000
tree b9c0ab76ca8cf594458b79118b42f635e7695bcd
parent 35c363897dee6ab1057f071bed816ca4bff09961
parent 623d9f06832ca167c6317ac93949e9f1014ec18e

Merge "Clarify sysfs_leds neverallow."

private/adbd.te

diff --git a/private/adbd.te b/private/adbd.te
index 9dcfc81..77c0d73 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@
 allow adbd shell_data_file:dir create_dir_perms;
 allow adbd shell_data_file:file create_file_perms;
 
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
 # adb pull /data/misc/profman.
 allow adbd profman_dump_data_file:dir r_dir_perms;
 allow adbd profman_dump_data_file:file r_file_perms;

private/blank_screen.te

diff --git a/private/blank_screen.te b/private/blank_screen.te
new file mode 100644
index 0000000..43d273b
--- /dev/null
+++ b/private/blank_screen.te
@@ -0,0 +1,6 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type;
+
+init_daemon_domain(blank_screen)
+
+hal_client_domain(blank_screen, hal_light)

private/compat/26.0/26.0.ignore.cil

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 95e617b..7bab012 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,9 @@
 (typeattributeset new_objects
   ( adbd_exec
     bootloader_boot_reason_prop
+    blank_screen
+    blank_screen_exec
+    blank_screen_tmpfs
     bpfloader
     bpfloader_exec
     broadcastradio_service
@@ -76,6 +79,7 @@
     timezone_service
     tombstoned_java_trace_socket
     tombstone_wifi_data_file
+    trace_data_file
     traceur_app
     traceur_app_tmpfs
     traced

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 8dfec78..2113945 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -179,6 +179,7 @@
 #
 /system(/.*)?		u:object_r:system_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
+/system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
@@ -349,6 +350,7 @@
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/traces(/.*)?	u:object_r:trace_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
 /data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0

private/traceur_app.te

diff --git a/private/traceur_app.te b/private/traceur_app.te
index 194a28f..83c77b4 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -2,6 +2,9 @@
 
 userdebug_or_eng(`
   app_domain(traceur_app);
-  allow traceur_app debugfs_tracing:file r_file_perms;
+  allow traceur_app debugfs_tracing:file rw_file_perms;
+  allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+  allow traceur_app trace_data_file:file create_file_perms;
+  allow traceur_app trace_data_file:dir { add_name search write };
   allow traceur_app atrace_exec:file rx_file_perms;
 ')

public/file.te

diff --git a/public/file.te b/public/file.te
index d668746..91796c0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -108,8 +108,8 @@
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing_instances, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type;
 
@@ -244,6 +244,7 @@
 type shared_relro_file, file_type, data_file_type, core_data_file_type;
 type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
 type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;

public/shell.te

diff --git a/public/shell.te b/public/shell.te
index 719036c..32ad770 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -25,6 +25,10 @@
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
 # Access /data/misc/profman.
 allow shell profman_dump_data_file:dir { search getattr write remove_name };
 allow shell profman_dump_data_file:file { getattr unlink };

public/traceur_app.te

diff --git a/public/traceur_app.te b/public/traceur_app.te
index ab08c62..46826d4 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -17,5 +17,7 @@
     -vr_hwc_service
   }:service_manager find;
 
+  dontaudit traceur_app service_manager_type:service_manager find;
+  dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
   dontaudit traceur_app domain:binder call;
 ')