Merge "Add sepolicy for radio sap 1.2"
diff --git a/private/bug_map b/private/bug_map
index 127a7e6..5e94594 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,8 +1,43 @@
+dexoptanalyzer apk_data_file file 77853712
+dexoptanalyzer app_data_file file 77853712
+dexoptanalyzer app_data_file lnk_file 77853712
+dexoptanalyzer system_data_file lnk_file 77853712
+dnsmasq netd fifo_file 77868789
+dnsmasq netd unix_stream_socket 77868789
+init app_data_file file 77873135
+init cache_file blk_file 77873135
+init logpersist file 77873135
+init nativetest_data_file dir 77873135
+init pstorefs dir 77873135
+init shell_data_file dir 77873135
+init shell_data_file file 77873135
+init shell_data_file lnk_file 77873135
+init shell_data_file sock_file 77873135
+init system_data_file chr_file 77873135
+mediaextractor app_data_file file 77923736
+mediaextractor radio_data_file file 77923736
+mediaprovider cache_file blk_file 77925342
+mediaprovider mnt_media_rw_file dir 77925342
+mediaprovider shell_data_file dir 77925342
+netd priv_app unix_stream_socket 77870037
+netd untrusted_app unix_stream_socket 77870037
+netd untrusted_app_25 unix_stream_socket 77870037
+netd untrusted_app_27 unix_stream_socket 77870037
platform_app nfc_data_file dir 74331887
+postinstall postinstall capability 77958490
+postinstall_dexopt postinstall_dexopt capability 77958490
+postinstall_dexopt user_profile_data_file file 77958490
priv_app system_data_file dir 72811052
+profman apk_data_file dir 77922323
+statsd hal_health_default binder 77919007
storaged storaged capability 77634061
+surfaceflinger mediacodec binder 77924251
system_server crash_dump process 73128755
+system_server logd_socket sock_file 64734187
+system_server sdcardfs file 77856826
+system_server zygote process 77856826
untrusted_app_25 system_data_file dir 72550646
untrusted_app_27 system_data_file dir 72550646
usbd usbd capability 72472544
system_server sysfs file 77816522
+zygote untrusted_app_25 process 77925912
diff --git a/public/domain.te b/public/domain.te
index 31345be..41e0903 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -560,7 +560,7 @@
} serialno_prop:file r_file_perms;
# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
neverallow {
domain
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0fad5e1..8807157 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -232,16 +232,8 @@
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(dumpstate, bootloader_boot_reason_prop)
-get_prop(dumpstate, last_boot_reason_prop)
-get_prop(dumpstate, system_boot_reason_prop)
+# Read any system properties
+get_prop(dumpstate, property_type)
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
diff --git a/public/netd.te b/public/netd.te
index 545ad7c..7262072 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,7 +141,7 @@
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.