commit fa767b0e4ab3da22d9f562d28e9e49125bf5028d
author Treehugger Robot <treehugger-gerrit@google.com> Sat Jan 14 00:14:23 2023 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Sat Jan 14 00:14:23 2023 +0000
tree 48c1458058b409b8fcbb8d8fdca88cf920bfbbaf
parent 9a63dcb2ee410d521ead03761d5325258670b4ac
parent 42798af0cb6189d89a449b083c7e08d12aa39428

Merge "dontaudit crosvm reading VM's pipe"

private/bpfdomain.te

diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index ada65ae..7c8f5c0 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -19,3 +19,7 @@
 # so let's allow all bpffs_type's instead,
 # this will keep things working even if this is fixed.
 allow bpfdomain bpffs_type:lnk_file read;
+
+# Needed for //frameworks/libs/net:
+# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
+get_prop(bpfdomain, bpf_progs_loaded_prop)

private/gpuservice.te

diff --git a/private/gpuservice.te b/private/gpuservice.te
index 76a2370..8388e89 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -59,9 +59,6 @@
 # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
 allow gpuservice bpfloader:bpf { map_read map_write prog_run };
 
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development

private/netd.te

diff --git a/private/netd.te b/private/netd.te
index 4aa288b..ae43e47 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -23,7 +23,6 @@
 set_prop(netd, netd_stable_secret_prop)
 
 get_prop(netd, adbd_config_prop)
-get_prop(netd, bpf_progs_loaded_prop)
 get_prop(netd, hwservicemanager_prop)
 get_prop(netd, device_config_netd_native_prop)
 

private/rkpd_app.te

diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 21f9b0c..2d25540 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -12,6 +12,7 @@
 
 # Grant access to certain system properties related to RKP
 get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+get_prop(rkpdapp, remote_prov_prop)
 
 # Grant access to the normal services that are available to all apps
 allow rkpdapp app_api_service:service_manager find;

private/snapuserd.te

diff --git a/private/snapuserd.te b/private/snapuserd.te
index 1be5a5e..2f2d3e7 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -55,3 +55,8 @@
 } snapuserd_prop:property_service set;
 
 allow snapuserd self:anon_inode create_file_perms;
+
+# Allow to read/write/create OTA metadata files
+allow snapuserd metadata_file:dir search;
+allow snapuserd ota_metadata_file:dir rw_dir_perms;
+allow snapuserd ota_metadata_file:file create_file_perms;

private/virtualizationservice.te

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 28982bc..561e778 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,6 +15,10 @@
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
+# Allow calling into the system server to find "permission_service".
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
+
 # Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
 # to mlock VM memory and page tables.
 allow virtualizationservice self:capability sys_resource;