Merge changes from topic "darkboot-sepolicy" into qt-dev

am: 0ad88f096a Change-Id: If142db3dd80990bdd420154a8a3d89e49c34fb5a
2019-05-22 13:27:48 -07:00 · 2019-05-22 13:27:48 -07:00 · 0754f42d33
commit 0754f42d33
parent db92f8735b 0ad88f096a
11 changed files with 35 additions and 0 deletions
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@ -142,6 +142,8 @@
    vendor_idc_file
    vendor_keychars_file
    vendor_keylayout_file
+    vendor_misc_writer
+    vendor_misc_writer_exec
    vendor_task_profiles_file
    vrflinger_vsync_service
    watchdogd_tmpfs))
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@ -350,6 +350,8 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0

+/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0

--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@ -603,6 +603,7 @@ neverallow {
  -uncrypt
  -update_engine
  -vendor_init
+  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@ -161,6 +161,7 @@ wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
 # vendor-init-readable
 apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
 sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
--- a/prebuilts/api/29.0/public/vendor_misc_writer.te
+++ b/prebuilts/api/29.0/public/vendor_misc_writer.te
@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -142,6 +142,8 @@
    vendor_idc_file
    vendor_keychars_file
    vendor_keylayout_file
+    vendor_misc_writer
+    vendor_misc_writer_exec
    vendor_task_profiles_file
    vrflinger_vsync_service
    watchdogd_tmpfs))
--- a/private/file_contexts
+++ b/private/file_contexts
@ -350,6 +350,8 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0

+/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0

--- a/public/domain.te
+++ b/public/domain.te
@ -603,6 +603,7 @@ neverallow {
  -uncrypt
  -update_engine
  -vendor_init
+  -vendor_misc_writer
  -vold
  -recovery
  -ueventd
--- a/public/property_contexts
+++ b/public/property_contexts
@ -161,6 +161,7 @@ wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
 # vendor-init-readable
 apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
 sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
--- a/vendor/vendor_misc_writer.te
+++ b/vendor/vendor_misc_writer.te
@ -0,0 +1 @@
+init_daemon_domain(vendor_misc_writer)