Merge "allow apps tun_device ioctl TUNGETIFF;"
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 617291e..2caedda 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -34,6 +34,7 @@
heapprofd
heapprofd_exec
heapprofd_socket
+ idmap_service
intelligence_service
iris_service
llkd
diff --git a/private/dumpstate.te b/private/dumpstate.te
index d1fbacc..293998d 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -28,6 +28,9 @@
# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)
+# Allow dumpstate to talk to gpuservice over binder
+binder_call(dumpstate, gpuservice);
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
diff --git a/private/file_contexts b/private/file_contexts
index 6d64c9b..282120c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -277,6 +277,7 @@
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
diff --git a/private/idmap.te b/private/idmap.te
index 73abf35..c982783 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/service_contexts b/private/service_contexts
index cdf6521..55c2a35 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -67,6 +67,7 @@
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
ians u:object_r:radio_service:s0
+idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 01f0211..c2033db 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,6 +186,7 @@
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
@@ -656,6 +657,7 @@
allow system_server hal_fingerprint_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_service:service_manager find;
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa..d76558a 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
@@ -18,3 +20,7 @@
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/service.te b/public/service.te
index 8024a78..f674180 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
+type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type incident_service, service_manager_type;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index ccc3352..078a41b 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -64,3 +64,12 @@
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common {
+ system_block_device
+ super_block_device
+}:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;