Merge "mediaextractor: remove domain_deprecated attribute"
diff --git a/dumpstate.te b/dumpstate.te
index 5e45fc3..2ed725d 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -5,6 +5,7 @@
init_daemon_domain(dumpstate)
net_domain(dumpstate)
binder_use(dumpstate)
+wakelock_use(dumpstate)
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
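Review bot: `wakelock_use(dumpstate)` is added without a comment, while the rules directly below it state their purpose, so a later audit cannot tell why dumpstate needs to hold off suspend. A one-line reason above the macro would make the grant reviewable, for example `# Hold a wakelock while the bug report is being collected.`; that wording is a guess at the intent and should be confirmed by the author.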
diff --git a/file.te b/file.te
index ec4a18e..75b4b3c 100644
--- a/file.te
+++ b/file.te
@@ -97,6 +97,8 @@
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
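Review bot: `mlstrustedobject` on the new `ota_package_file` type exempts it from the MLS constraints, so the type-enforcement allow rules become the only barrier between domains and these files, and the added comment gives only the path. Presumably the attribute is needed because priv_app processes carry per-user categories while file_contexts labels the directory plain `s0`. If that is the reason, record it next to the type, e.g. `# /data/ota_package: mlstrustedobject so that priv_app (running with categories) can write here`. Without that, the attribute looks copied from the `user_profile_data_file` lines below it.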
diff --git a/file_contexts b/file_contexts
index e92aec8..719c3d9 100644
--- a/file_contexts
+++ b/file_contexts
@@ -241,6 +241,7 @@
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/ota(/.*)? u:object_r:ota_data_file:s0
+/data/ota_package(/.*)? u:object_r:ota_package_file:s0
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
diff --git a/priv_app.te b/priv_app.te
index d5de58b..04a0509 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -45,6 +45,10 @@
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# Write to /data/ota_package for OTA packages.
+allow priv_app ota_package_file:dir rw_dir_perms;
+allow priv_app ota_package_file:file create_file_perms;
+
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
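Review bot: The two added rules let every app in the priv_app domain create, modify and unlink files under /data/ota_package, and the uncrypt.te and update_engine.te hunks let those daemons read whatever ends up there, so the package must be treated as untrusted until its consumer has verified it. This diff does not show where verification happens, and a file that stays writable by priv_app after being checked could change before it is applied; that should be confirmed outside this change. I would put the assumption in the comment, e.g. `# Write to /data/ota_package for OTA packages. Contents are untrusted; readers must verify the package before use.` Consider also pinning the writer set with a neverallow such as `neverallow { domain -priv_app } ota_package_file:file { create write append unlink };`, with the exclusion list widened for any other legitimate writer (init is a likely one).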
diff --git a/toolbox.te b/toolbox.te
index 55de7eb..7767079 100644
--- a/toolbox.te
+++ b/toolbox.te
@@ -1,7 +1,7 @@
# Any toolbox command run by init.
# At present, the only known usage is for running mkswap via fs_mgr.
# Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain, domain_deprecated;
+type toolbox, domain;
type toolbox_exec, exec_type, file_type;
init_daemon_domain(toolbox)
diff --git a/uncrypt.te b/uncrypt.te
index d1dea78..308e0f6 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -19,6 +19,10 @@
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
+# Read OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file r_file_perms;
+
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
diff --git a/update_engine.te b/update_engine.te
index 69e84cc..fa3f05c 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -30,3 +30,7 @@
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
diff --git a/zygote.te b/zygote.te
index 4708c3b..41b8c07 100644
--- a/zygote.te
+++ b/zygote.te
@@ -40,6 +40,12 @@
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
allow zygote self:capability sys_admin;
+# Allow zygote to stat the files that it opens. The zygote must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384
+allow zygote pmsg_device:chr_file { getattr };
+allow zygote debugfs_trace_marker:file { getattr };
+
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
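Review bot: The braces around a single permission in the two added rules are redundant; `allow zygote pmsg_device:chr_file getattr;` and `allow zygote debugfs_trace_marker:file getattr;` mean the same and match the unbraced single-permission form already used just above (`allow zygote self:capability sys_admin;`). The grant is limited to getattr, which fits the reason stated in the comment. Keeping it that narrow is worth saying explicitly, e.g. by ending the comment with `getattr only; zygote must not read or write these nodes.`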