Merge "Allow zygote to access dir/file under /vendor/overlay" into oc-dev
diff --git a/private/app.te b/private/app.te
index f7c060b..c3f44dd 100644
--- a/private/app.te
+++ b/private/app.te
@@ -93,6 +93,16 @@
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+    allow appdomain vendor_file_type:dir r_dir_perms;
+    allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+    # For looking up Renderscript vendor drivers
+    allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
 
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
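Review bot: The non-Treble branch grants every appdomain, isolated_app included, `r_dir_perms` and symlink read on the whole `vendor_file_type` attribute, while the Treble branch a few lines below deliberately excludes isolated_app and grants only `{ open read }` on the single `vendor_file` type; the comment explains the addition as Renderscript needing /system/vendor/lib64, which does not account for the wider scope on legacy layouts. If the broader grant is intended there, the comment should say so explicitly; otherwise the two branches could be aligned on the app set, e.g. `allow { appdomain -isolated_app } vendor_file_type:dir r_dir_perms;` and the matching lnk_file line. Whether any non-Treble app actually needs to list directories beyond /system/vendor/lib64 is not visible in this hunk and is worth confirming before keeping the attribute-wide rule.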
diff --git a/private/audioserver.te b/private/audioserver.te
index 61ccefc..b5bfe39 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -13,6 +13,9 @@
 binder_service(audioserver)
 
 hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
 hal_client_domain(audioserver, hal_audio)
 
 userdebug_or_eng(`
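Review bot: The comment on the added line names one directory, /system/lib64/hw, but `r_dir_file(audioserver, system_file)` grants read on every file and directory labelled `system_file`, so the comment understates the rule's scope; something like `# Read access to system_file; needed for the always-passthrough Allocator HAL ashmem / mapper .so under /system/lib64/hw` would describe it accurately. Whether audioserver already inherits system_file read through a domain- or coredomain-wide rule is not visible here; if it does, this line is redundant and could be dropped rather than carried as a per-domain duplicate.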
diff --git a/private/file_contexts b/private/file_contexts
index f6e8e6b..d547a9f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -266,7 +266,7 @@
 
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
 
-/(vendor|system/vendor)/lib(64)?/vndk-stable(/.*)? u:object_r:vndk_stable_file:s0
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
 
 # TODO: b/36790901 move this to /vendor/etc
 /(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
diff --git a/public/domain.te b/public/domain.te
index 1fb648b..2487419 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -119,18 +119,22 @@
 allow domain same_process_hal_file:dir r_dir_perms;
 allow domain same_process_hal_file:file { execute read open getattr };
 
-# Any process can load vndk-stable libraries, which are system libraries
+# Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
-allow domain vndk_stable_file:dir r_dir_perms;
-allow domain vndk_stable_file:file { execute read open getattr };
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr };
 
 # All domains get access to /vendor/etc
 allow domain vendor_configs_file:dir r_dir_perms;
 allow domain vendor_configs_file:file { read open getattr };
 
 full_treble_only(`
-    # This is required "most likely" for LD_LIBRARY_PATH
-    # (b/36681074)
+    # Allow all domains to be able to follow /system/vendor symlink
+    allow domain vendor_file:lnk_file { getattr open read };
+
+    # This is required to be able to search & read /vendor/lib64
+    # in order to lookup vendor libraries. The execute permission
+    # for coredomains is granted *only* for same process HALs
     allow domain vendor_file:dir { getattr search };
 
     # Allow reading and executing out of /vendor to all vendor domains
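Review bot: The rewritten comment says the rule is "to be able to search & read /vendor/lib64", but the rule it annotates only grants `vendor_file:dir { getattr search }`; directory read (listing) is not granted here, and for apps it is added separately in app.te in this same change. The comment should match the permission set, e.g. `# Allow all domains to traverse /vendor (getattr + search only) so that vendor libraries can be looked up by path; listing and execute are granted per domain, and execute for coredomains is granted *only* for same process HALs`. The enclosing `full_treble_only(` block continues past the end of this hunk.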
@@ -546,7 +550,7 @@
     -coredata_in_vendor_violators
   }
     core_data_file_type
-    -zoneinfo_data_file # VNDK stable API provided by libc
+    -zoneinfo_data_file # Stable API provided by libc
   :{
     file_class_set
   } ~{ append getattr ioctl read write };
@@ -561,7 +565,7 @@
   } {
     core_data_file_type
     -system_data_file
-    -zoneinfo_data_file # VNDK stable API provided by libc
+    -zoneinfo_data_file # Stable API provided by libc
   }:dir *;
   neverallow {
     domain
diff --git a/public/file.te b/public/file.te
index 2d02e86..8133401 100644
--- a/public/file.te
+++ b/public/file.te
@@ -94,8 +94,8 @@
 # Default type for all *same process* HALs.
 # e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
 type same_process_hal_file, vendor_file_type, file_type;
-# Default type for vndk-stable libs. /vendor/lib/vndk-stable
-type vndk_stable_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/framework
 type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
diff --git a/public/recovery.te b/public/recovery.te
index d6aef1c..784596d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,6 +92,10 @@
   allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
   allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
+  # Read /sys/class/thermal/*/temp for thermal info.
+  allow recovery sysfs_thermal:dir search;
+  allow recovery sysfs_thermal:file r_file_perms;
+
   # Read files on /oem.
   r_dir_file(recovery, oemfs);
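Review bot: The new rules grant `sysfs_thermal:dir search` and `sysfs_thermal:file r_file_perms`, but the comment says the goal is reading /sys/class/thermal/*/temp, and entries under /sys/class are typically symlinks into /sys/devices; if that holds on the targets this policy covers, recovery will also need `lnk_file read` on whatever type labels those links, and possibly `search` on the parent sysfs directories, before the path can be resolved. That cannot be confirmed from this hunk, so it is worth checking against a denial log rather than assuming the two lines are sufficient. The indented block these lines sit in starts outside the hunk, so which macro or conditional encloses them is not visible here.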