Merge "Iorapd and friends have been removed"
diff --git a/apex/Android.bp b/apex/Android.bp
index 5d61303..8f11771 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -195,13 +195,6 @@
}
filegroup {
- name: "com.android.telephony-file_contexts",
- srcs: [
- "com.android.telephony-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
deleted file mode 100644
index f3a65d4..0000000
--- a/apex/com.android.telephony-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 588ebff..1887654 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -3,6 +3,8 @@
init_daemon_domain(tombstone_transmit)
-r_dir_file(tombstone_transmit, tombstone_data_file)
+# permission required to read the file & remove it from directory
+allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name };
+allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
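Review bot: The comment above the new dir rule says what is granted but not why `write` sits next to `remove_name`, which is the non-obvious part: deleting a directory entry needs `{ write remove_name }` on the directory plus `unlink` on the file, and `add_name` is deliberately absent so tombstone_transmit cannot create or rename entries into the tombstone directory. Suggest `# Read tombstones and delete them once handled (presumably after transmission): unlink() needs dir { write remove_name } + file unlink; add_name is intentionally not granted so the daemon cannot create files here.` Whether the daemon only unlinks after a successful send is not visible in policy and should be confirmed in the daemon source.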
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 304f5a2..f716367 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -127,6 +127,7 @@
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
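Review bot: The added neverallow duplicates the rule directly above it with only the domain set changed, and the comment above still frames the restriction as applying to untrusted apps; the two read better as one rule, `neverallow { all_untrusted_apps priv_app } domain:netlink_route_socket { bind nlmsg_readpriv };`, with the comment extended to say that priv_app is listed explicitly, presumably because it is not part of all_untrusted_apps. Note also that the matching exclusion added to private/net.te in this same change removes `nlmsg_getneigh` from priv_app as well, whereas this neverallow pins only `bind nlmsg_readpriv`. The RTM_GETNEIGH neverallow that starts at the last line of the hunk continues outside it, so whether it covers priv_app cannot be confirmed here; if RTM_GETNEIGH is meant to stay closed for priv_app too, a neverallow should pin it.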
diff --git a/private/crosvm.te b/private/crosvm.te
index e47abd7..73ce3c6 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -63,9 +63,6 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
-# For ACPI
-allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
-
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
diff --git a/private/net.te b/private/net.te
index 25bd538..c2bac03 100644
--- a/private/net.te
+++ b/private/net.te
@@ -12,6 +12,7 @@
netdomain
-ephemeral_app
-mediaprovider
+ -priv_app
-sdk_sandbox
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
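Review bot: The new `-priv_app` exclusion carries no rationale, and it removes more than the companion neverallow enforces: this rule grants `bind nlmsg_readpriv nlmsg_getneigh`, so priv_app now loses RTM_GETNEIGH as well as RTM_GETLINK, while the neverallow added to private/app_neverallows.te in this change covers `bind nlmsg_readpriv` only. A one-line comment would keep the intent auditable, e.g. `-priv_app # no RTM_GETLINK/RTM_GETNEIGH; see neverallow in app_neverallows.te`, once that neverallow actually covers both permissions. Any comment that precedes this rule is outside the hunk and may already name the excluded domains.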
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
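Review bot: The comment on the new get_prop says vendor_init reads "device config changes" but not what consumes them; if, as the type name suggests, `device_config_vendor_system_native_prop` covers properties pushed by the platform's DeviceConfig flag infrastructure rather than set by the vendor, this makes vendor_init behaviour toggleable by server-side flags and the comment should name the init scripts or flags involved. Suggest `# Allow vendor_init to read vendor_system_native device config flags; these are set by the platform (see property_contexts), not by vendor, and gate behaviour in vendor init scripts — TODO name the consumers.` The identical hunk in prebuilts/api/33.0/public/vendor_init.te keeps the frozen API snapshot in step with public/, which is expected for this kind of change.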