Merge "Add rules for snapshotctl map/unmap." into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index e0f6610..4806270 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -361,6 +361,7 @@
"notification": EXCEPTION_NO_FUZZER,
"oem_lock": EXCEPTION_NO_FUZZER,
"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
+ "on_device_intelligence": EXCEPTION_NO_FUZZER,
"otadexopt": EXCEPTION_NO_FUZZER,
"ot_daemon": []string{"ot_daemon_service_fuzzer"},
"overlay": EXCEPTION_NO_FUZZER,
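Review bot: The added `"on_device_intelligence": EXCEPTION_NO_FUZZER` entry exempts the service from fuzzer coverage without recording why, or whether the exemption is meant to be temporary. The `private/service.te` hunk of this same change gives the service type `app_api_service` and `isolated_compute_allowed_service`, which suggests its binder interface is reachable from less-trusted app domains, where fuzz coverage is most useful. I would add a tracking comment above the entry, for example `// TODO(b/<bug-id>): add a service fuzzer for on_device_intelligence`, with the real bug number filled in. The enclosing map literal starts and ends outside this hunk.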
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 9a50f67..519b9dd 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -54,6 +54,9 @@
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
+# adbd may try to restorecon files (see b/328753027)
+allow adbd file_contexts_file:file r_file_perms;
+
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
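Review bot: The comment on `allow adbd file_contexts_file:file r_file_perms;` says adbd "may try" to restorecon, but not whether the restorecon is expected to succeed in microdroid. Reading file_contexts is only the lookup step, and no relabel permission for adbd is visible in this hunk, so the rule may just be silencing a denial on a path that still fails later. If the operation is not needed, a `dontaudit` like the mdnsd rule just below would avoid granting a new permission. If it is needed, I would make the comment say so, for example `# adbd reads file_contexts to restorecon <path> after <operation> (b/328753027)`, with the two placeholders filled in.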
diff --git a/private/service.te b/private/service.te
index c4e7cbc..cce3be4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -11,6 +11,7 @@
type logcat_service, system_server_service, service_manager_type;
type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
+type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
type rkpd_registrar_service, service_manager_type;
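Review bot: The new `on_device_intelligence_service` type carries both `app_api_service` and `isolated_compute_allowed_service`, and nothing in the declaration explains why this client set is needed. None of the neighbouring types in the hunk has the isolated-compute attribute, so this line appears to be the only thing that opens a system_server service to that sandboxed domain. I would add a one-line comment above it naming the intended callers, for example `# Found by apps and by isolated compute apps; see b/<bug-id>`. It is also worth confirming that the service enforces its own caller checks rather than relying on the service_manager `find` permission alone.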
diff --git a/private/service_contexts b/private/service_contexts
index 3138d90..e45f87c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -342,6 +342,7 @@
notification u:object_r:notification_service:s0
oem_lock u:object_r:oem_lock_service:s0
ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
+on_device_intelligence u:object_r:on_device_intelligence_service:s0
otadexopt u:object_r:otadexopt_service:s0
ot_daemon u:object_r:ot_daemon_service:s0
overlay u:object_r:overlay_service:s0