Merge "Set sepolicy for vmnic in AVF" into main
diff --git a/Android.bp b/Android.bp
index ae9c4a7..496de06 100644
--- a/Android.bp
+++ b/Android.bp
@@ -390,39 +390,6 @@
product_specific: true,
}
-// HACK to support vendor blobs using 1000000.0
-// TODO(b/314010177): remove after new ToT (202404) fully propagates
-se_versioned_policy {
- name: "plat_mapping_file_1000000.0",
- base: ":plat_pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- relative_install_path: "mapping", // install to /system/etc/selinux/mapping
-}
-
-se_versioned_policy {
- name: "system_ext_mapping_file_1000000.0",
- base: ":system_ext_pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- filter_out: [":plat_mapping_file"],
- relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
- system_ext_specific: true,
-}
-
-se_versioned_policy {
- name: "product_mapping_file_1000000.0",
- base: ":pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- filter_out: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ],
- relative_install_path: "mapping", // install to /product/etc/selinux/mapping
- product_specific: true,
-}
-
//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index 09e253a..6b30fb2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -210,12 +210,6 @@
plat_sepolicy.cil \
secilc \
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += plat_mapping_file_1000000.0
-endif
-
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
endif
@@ -284,12 +278,6 @@
LOCAL_REQUIRED_MODULES += \
system_ext_mapping_file
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file_1000000.0
-endif
-
system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
@@ -338,12 +326,6 @@
LOCAL_REQUIRED_MODULES += \
product_mapping_file
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += product_mapping_file_1000000.0
-endif
-
product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
diff --git a/private/property.te b/private/property.te
index 4ce2d54..a5a1d07 100644
--- a/private/property.te
+++ b/private/property.te
@@ -229,9 +229,10 @@
neverallow {
domain
-init
+ -crash_dump
-dumpstate
-misctrl
- -crash_dump
+ -statsd
userdebug_or_eng(`-su')
} misctrl_prop:file no_rw_file_perms;
neverallow {
diff --git a/private/statsd.te b/private/statsd.te
index 1e43160..5820d23 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -29,6 +29,9 @@
get_prop(statsd, device_config_statsd_native_prop)
get_prop(statsd, device_config_statsd_native_boot_prop)
+# Allow statsd to read misctl properties (for 16 KB)
+get_prop(statsd, misctrl_prop)
+
# Allow statsd to write uprobestats configs.
allow statsd uprobestats_configs_data_file:dir rw_dir_perms;
allow statsd uprobestats_configs_data_file:file create_file_perms;