Merge "Add permissions for sys.use_memfd property"
diff --git a/private/file_contexts b/private/file_contexts
index 0c37525..d616285 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -326,6 +326,7 @@
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
+/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
#############################
# Vendor files
@@ -482,6 +483,7 @@
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
new file mode 100644
index 0000000..ef1fd4f
--- /dev/null
+++ b/private/notify_traceur.te
@@ -0,0 +1,12 @@
+type notify_traceur, domain, coredomain;
+type notify_traceur_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(notify_traceur);
+binder_use(notify_traceur);
+
+# This is to execute am
+allow notify_traceur activity_service:service_manager find;
+allow notify_traceur shell_exec:file rx_file_perms;
+allow notify_traceur system_file:file rx_file_perms;
+
+binder_call(notify_traceur, system_server);
diff --git a/private/system_server.te b/private/system_server.te
index 27407f0..4a48983 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -195,6 +195,7 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
+binder_call(system_server, notify_traceur)
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2d07ecd..f1419b9 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,6 +25,10 @@
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
allow untrusted_app_all app_data_file:file { r_file_perms execute };
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow untrusted_app_all system_linker_exec:file execute_no_trans;
+
# Follow priv-app symlinks. This is used for dynamite functionality.
allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
diff --git a/public/healthd.te b/public/healthd.te
index a383dcf..5fe4add 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -14,6 +14,7 @@
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
+dontaudit healthd self:global_capability_class_set sys_resource;
allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/public/vold.te b/public/vold.te
index 41df2b1..d442fd5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -238,6 +238,8 @@
# vold might need to search or mount /mnt/vendor/*
allow vold mnt_vendor_file:dir search;
+dontaudit vold self:global_capability_class_set sys_resource;
+
neverallow {
domain
-vold