Merge "Don't require private types in mapping file."
diff --git a/private/priv_app.te b/private/priv_app.te
index 101c448..341101b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -92,21 +92,6 @@
userdebug_or_eng(`
auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
')
-# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for
-# removal.
-allow priv_app proc_qtaguid_ctrl:file rw_file_perms;
-userdebug_or_eng(`
- auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms;
-')
-r_dir_file(priv_app, proc_qtaguid_stat)
-userdebug_or_eng(`
- auditallow priv_app proc_qtaguid_stat:dir r_dir_perms;
- auditallow priv_app proc_qtaguid_stat:file r_file_perms;
-')
-allow priv_app qtaguid_device:chr_file r_file_perms;
-userdebug_or_eng(`
- auditallow priv_app qtaguid_device:chr_file r_file_perms;
-')
allow priv_app sysfs_type:dir search;
# Read access to /sys/class/net/wlan*/address
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 48a7c45..61c9a81 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -41,12 +41,6 @@
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
-# qtaguid access. This is not a public API. Access will be removed in a
-# future version of Android.
-allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file(untrusted_app_25, proc_qtaguid_stat)
-allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
-
# Text relocation support for API < 23
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 22a9343..79c7762 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -26,9 +26,3 @@
untrusted_app_domain(untrusted_app_27)
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
-
-# qtaguid access. This is not a public API. Access will be removed in a
-# future version of Android.
-allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file(untrusted_app_27, proc_qtaguid_stat)
-allow untrusted_app_27 qtaguid_device:chr_file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 91c9230..3affec1 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -90,6 +90,8 @@
allow zygote mnt_user_file:lnk_file create_file_perms;
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
+# Allow mounting on sdcardfs dirs
+allow zygote sdcardfs:dir { mounton };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
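Review bot: The added rule on `sdcardfs:dir` grants `mounton` for every directory carrying the `sdcardfs` label, and the comment above it only restates the rule without saying which mount points zygote needs or why. Since zygote is the parent of app processes, the comment should record the justification, for example `# Bind-mount per-user storage views over sdcardfs-backed dirs (b/<bug-id placeholder>)`, if that is indeed the purpose. The braces around a single permission are unnecessary and the rule can be written as `allow zygote sdcardfs:dir mounton;`. The block of storage mount rules this line joins starts outside the hunk.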
diff --git a/public/shell.te b/public/shell.te
index 1b199a3..7a0eb46 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -129,7 +129,6 @@
proc_meminfo
proc_modules
proc_pid_max
- proc_qtaguid_stat
proc_slabinfo
proc_stat
proc_timer
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index eb4cdc1..819b7a3 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -43,3 +43,12 @@
# Read files in /sys/firmware/devicetree/base/firmware/android/
r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+
+# read / write on /dev/device-mapper to map / unmap devices
+allow update_engine_common dm_device:chr_file rw_file_perms;
+
+# apply / verify updates on devices mapped via device mapper
+allow update_engine_common dm_device:blk_file rw_file_perms;
+
+# read / write metadata on super device to resize partitions
+allow update_engine_common super_block_device:blk_file rw_file_perms;
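Review bot: The three added rules grant `rw_file_perms` on type-wide labels (`dm_device:chr_file`, `dm_device:blk_file`, `super_block_device:blk_file`), so write access is not limited to the devices the updater itself maps; any block node sharing the `dm_device` label becomes writable by every domain carrying the `update_engine_common` attribute. If only one of those domains actually performs the mapping and resize, the rules would be tighter on that domain than on the shared attribute in public policy. The comments should state that scope, for example `# NOTE: dm_device covers all device-mapper nodes; keep this grant limited to updater domains`. Whether the ioctls on `/dev/device-mapper` are filtered further (for instance with `allowxperm`) is not visible in this hunk and is worth confirming.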