Merge "[RTT] Update Wi-Fi RTT service name"
diff --git a/Android.mk b/Android.mk
index 409ffa0..ba99f59 100644
--- a/Android.mk
+++ b/Android.mk
@@ -889,12 +889,10 @@
$(plat_property_contexts.tmp): $(plat_pcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
-$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
@mkdir -p $(dir $@)
- $(hide) $(PRIVATE_FC_SORT) $< $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $@
built_plat_pc := $(LOCAL_BUILT_MODULE)
plat_pcfiles :=
@@ -924,12 +922,10 @@
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
-$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
@mkdir -p $(dir $@)
- $(hide) $(PRIVATE_FC_SORT) $< $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $@
built_nonplat_pc := $(LOCAL_BUILT_MODULE)
nonplat_pcfiles :=
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ab4a49a..77d1b4f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -53,6 +53,8 @@
timezone_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
+ traceur_app
+ traceur_app_tmpfs
update_engine_log_data_file
vendor_init
vold_prepare_subdirs
diff --git a/private/domain.te b/private/domain.te
index ff7f1b3..1fd75bc 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -72,6 +72,7 @@
-init
userdebug_or_eng(`-perfprofd')
-shell
+ userdebug_or_eng(`-traceur_app')
-vendor_init
} debugfs_tracing:file no_rw_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index a97fc70..76f2998 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -95,6 +95,7 @@
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
isSystemServer=true domain=system_server
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
diff --git a/private/statsd.te b/private/statsd.te
index 82691d3..617021a 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -51,7 +51,7 @@
### neverallow rules
###
-# Only system_server, system_app, and stats command can find the stats service.
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
neverallow {
domain
-dumpstate
@@ -60,6 +60,7 @@
-statsd
-system_app
-system_server
+ userdebug_or_eng(`-traceur_app')
} stats_service:service_manager find;
# Only statsd and the other root services in limited circumstances.
diff --git a/private/traceur_app.te b/private/traceur_app.te
new file mode 100644
index 0000000..194a28f
--- /dev/null
+++ b/private/traceur_app.te
@@ -0,0 +1,7 @@
+typeattribute traceur_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(traceur_app);
+ allow traceur_app debugfs_tracing:file r_file_perms;
+ allow traceur_app atrace_exec:file rx_file_perms;
+')
diff --git a/public/domain.te b/public/domain.te
index f9b6688..142c10b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1116,10 +1116,12 @@
neverallow * same_process_hwservice:hwservice_manager add;
# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
full_treble_only(`
neverallow {
coredomain
- -halclientdomain
+ -appdomain
+ -bootanim
-init
-ueventd
-crash_dump
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5dc6894..dd7c1ab 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -272,8 +272,14 @@
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;
-# only system_server, dumpstate and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ userdebug_or_eng(`-traceur_app')
+ -dumpstate
+} dumpstate_service:service_manager find;
# Dumpstate should not be writing to any generically labeled sysfs files.
# Create a specific label for the file type
diff --git a/public/traceur_app.te b/public/traceur_app.te
new file mode 100644
index 0000000..ab08c62
--- /dev/null
+++ b/public/traceur_app.te
@@ -0,0 +1,21 @@
+type traceur_app, domain;
+
+userdebug_or_eng(`
+ allow traceur_app servicemanager:service_manager list;
+ allow traceur_app hwservicemanager:hwservice_manager list;
+
+ set_prop(traceur_app, debug_prop)
+
+ allow traceur_app {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ }:service_manager find;
+
+ dontaudit traceur_app domain:binder call;
+')