DO NOT MERGE - Merge pie-platform-release (PPRL.181205.001) into master

Bug: 120502534
Change-Id: I8711d074ffe68f57c40b8b08e9b9c7208b3f1999
diff --git a/OWNERS b/OWNERS
index 9d3f1b1..e6fbbd4 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,9 +1,9 @@
 alanstokes@google.com
 bowgotsai@google.com
-dcashman@google.com
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
+nnk@google.com
 sspatil@google.com
 tomcherry@google.com
 trong@google.com
diff --git a/private/file_contexts b/private/file_contexts
deleted file mode 100644
index c078e97..0000000
--- a/private/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/system/bin/preloads_copy\.sh   u:object_r:preloads_copy_exec:s0
diff --git a/private/preloads_copy.te b/private/preloads_copy.te
deleted file mode 100644
index 4ee52b9..0000000
--- a/private/preloads_copy.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type preloads_copy, domain, coredomain;
-type preloads_copy_exec, exec_type, file_type;
-
-init_daemon_domain(preloads_copy)
-
-allow preloads_copy shell_exec:file rx_file_perms;
-allow preloads_copy toolbox_exec:file rx_file_perms;
-allow preloads_copy preloads_data_file:dir create_dir_perms;
-allow preloads_copy preloads_data_file:file create_file_perms;
-allow preloads_copy preloads_media_file:dir create_dir_perms;
-allow preloads_copy preloads_media_file:file create_file_perms;
-
-# Allow to copy from /postinstall
-allow preloads_copy system_file:dir r_dir_perms;
diff --git a/vendor/google/bug_map b/vendor/google/bug_map
index 6e372ad..670225a 100644
--- a/vendor/google/bug_map
+++ b/vendor/google/bug_map
@@ -1,27 +1,10 @@
-bootanim vendor_default_prop file 78460200
+bootanim vendor_default_prop file 79617173
 cdsprpcd system_file dir 109882276
-dataservice_app vendor_default_prop file 78460200
-drmserver sdcardfs dir 77869200
-hal_graphics_composer_default mnt_vendor_file dir 80078218
-hal_keymaster_citadel exported3_system_prop file 110231496
-hal_rcsservice sysfs_soc dir 78460200
-hal_sensors_default mnt_vendor_file dir 110926064
-hardware_info_app sysfs_msm_subsys dir 78460200
-ims default_prop file 78119118
-init proc file 110466938
-netmgrd proc_net file 110926064
-per_proxy exported3_system_prop file 80153956
-platform_app vendor_default_prop file 78460200
-priv_app vendor_default_prop file 78460200
-rild socket_device dir 78460200
-rmt_storage sysfs_msm_subsys dir 78460200
-sensors mnt_vendor_file dir 110926064
-sensors vendor_modem_diag_prop file 78460200
-shell sysfs_wlc dir 79757453
-ssr_setup vendor_ssr_prop file 78460200
-system_app vendor_default_prop file 78460200
-system_server vendor_default_prop file 78460200
-untrusted_app vendor_default_prop file 78460200
-wcnss_service exported3_system_prop file 80153956
-crash_dump hexagon_halide_file file 78460200
-hal_sensors_default persist_debug_prop file 80249631
+dataservice_app vendor_default_prop file 79617173
+factory_ota_app vendor_default_prop file 79617173
+netmgrd system_file file 117232795
+platform_app vendor_default_prop file 79617173
+priv_app vendor_default_prop file 79617173
+system_app vendor_default_prop file 79617173
+system_server vendor_default_prop file 79617173
+untrusted_app vendor_default_prop file 79617173
diff --git a/vendor/google/dumpstate.te b/vendor/google/dumpstate.te
deleted file mode 100644
index f261798..0000000
--- a/vendor/google/dumpstate.te
+++ /dev/null
@@ -1 +0,0 @@
-allow dumpstate proc_slabinfo:file r_file_perms;
diff --git a/vendor/google/file.te b/vendor/google/file.te
index 4a58066..ce6a826 100644
--- a/vendor/google/file.te
+++ b/vendor/google/file.te
@@ -1,6 +1,5 @@
 type sysfs_pstore, sysfs_type, fs_type;
 type ramoops_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-type proc_slabinfo, fs_type, proc_type;
 type proc_touch, proc_type, fs_type;
 type sysfs_display, sysfs_type, fs_type;
 type sysfs_pixelstats, sysfs_type, fs_type;
diff --git a/vendor/google/genfs_contexts b/vendor/google/genfs_contexts
index a3ba4b7..cba7474 100644
--- a/vendor/google/genfs_contexts
+++ b/vendor/google/genfs_contexts
@@ -4,5 +4,4 @@
 genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_iv               u:object_r:sysfs_pstore:s0
 genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_tag              u:object_r:sysfs_pstore:s0
 genfscon sysfs /devices/virtual/ramoops/pstore/use_alt                  u:object_r:sysfs_pstore:s0
-genfscon proc  /slabinfo                                                u:object_r:proc_slabinfo:s0
 genfscon proc  /fts/driver_test                                         u:object_r:proc_touch:s0
diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te
new file mode 100644
index 0000000..729f29b
--- /dev/null
+++ b/vendor/google/grilservice_app.te
@@ -0,0 +1,7 @@
+type grilservice_app, domain;
+
+app_domain(grilservice_app)
+
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app activity_service:service_manager find;
+binder_call(grilservice_app, hal_radioext_default)
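Review bot: The new `grilservice_app` domain has no comment saying which app it confines or why it needs each grant, in particular the `activity_service:service_manager find` rule on the second allow line. A short header such as `# Domain for com.google.android.grilservice (assigned in vendor/google/seapp_contexts); client of the radioext HAL` would let a reader tie the file to its seapp_contexts entry. The grants that come from `app_domain(grilservice_app)` are defined outside this diff, so the domain's full permission set cannot be judged from these seven lines alone.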
diff --git a/vendor/google/hal_health_default.te b/vendor/google/hal_health_default.te
index 49e6207..71d7a7f 100644
--- a/vendor/google/hal_health_default.te
+++ b/vendor/google/hal_health_default.te
@@ -8,6 +8,8 @@
 
 allow hal_health_default hal_pixelstats_hwservice:hwservice_manager find;
 allow hal_health_default pixelstats_system:binder call;
+allow hal_health_default fwk_stats_hwservice:hwservice_manager find;
+binder_call(hal_health_default, statsd)
 allow hal_health_default persist_file:dir search;
 allow hal_health_default persist_battery_file:file create_file_perms;
 allow hal_health_default persist_battery_file:dir rw_dir_perms;
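Review bot: The added `fwk_stats_hwservice` find and `binder_call(hal_health_default, statsd)` open a new IPC path from the health HAL into statsd, but nothing records why it is needed. A comment above the pair, for example `# Report health stats to statsd through the framework stats hwservice`, would make the intent reviewable. The same two rules are added without comment in the first hunk of vendor/google/pixelstats_vendor.te. The rest of this file lies outside the hunk.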
diff --git a/vendor/qcom/common/hal_radioext_default.te b/vendor/google/hal_radioext_default.te
similarity index 94%
rename from vendor/qcom/common/hal_radioext_default.te
rename to vendor/google/hal_radioext_default.te
index 795d823..1a1e08d 100644
--- a/vendor/qcom/common/hal_radioext_default.te
+++ b/vendor/google/hal_radioext_default.te
@@ -5,7 +5,7 @@
 hwbinder_use(hal_radioext_default)
 get_prop(hal_radioext_default, hwservicemanager_prop)
 add_hwservice(hal_radioext_default, hal_radioext_hwservice)
-binder_call(hal_radioext_default, radio)
+binder_call(hal_radioext_default, grilservice_app)
 
 r_dir_file(hal_radioext_default, sysfs_msm_subsys)
 
diff --git a/vendor/google/pixelstats.te b/vendor/google/pixelstats.te
index eac0297..307f128 100644
--- a/vendor/google/pixelstats.te
+++ b/vendor/google/pixelstats.te
@@ -7,4 +7,6 @@
 
 hal_server_domain(pixelstats_system, hal_pixelstats)
 init_daemon_domain(pixelstats_system)
-type pixelstats_system_exec, exec_type, file_type;
+type pixelstats_system_exec, system_file_type, exec_type, file_type;
+
+unix_socket_send(pixelstats_system, statsdw, statsd)
diff --git a/vendor/google/pixelstats_vendor.te b/vendor/google/pixelstats_vendor.te
index 44c1957..2665f92 100644
--- a/vendor/google/pixelstats_vendor.te
+++ b/vendor/google/pixelstats_vendor.te
@@ -9,6 +9,9 @@
 allow pixelstats_vendor hal_pixelstats_hwservice:hwservice_manager find;
 binder_call(pixelstats_vendor, pixelstats_system)
 
+allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find;
+binder_call(pixelstats_vendor, statsd)
+
 unix_socket_connect(pixelstats_vendor, chre, chre)
 
 allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
@@ -16,4 +19,4 @@
 allow pixelstats_vendor sysfs_batteryinfo:file r_file_perms;
 allow pixelstats_vendor sysfs_pixelstats:dir search;
 allow pixelstats_vendor sysfs_pixelstats:file rw_file_perms;
-allow pixelstats_vendor self:netlink_kobject_uevent_socket { create setopt bind read };
+allow pixelstats_vendor self:netlink_kobject_uevent_socket { create getopt setopt bind read };
diff --git a/vendor/google/seapp_contexts b/vendor/google/seapp_contexts
new file mode 100644
index 0000000..fbf4d07
--- /dev/null
+++ b/vendor/google/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for grilservice
+user=_app isPrivApp=true seinfo=platform name=com.google.android.grilservice domain=grilservice_app levelFrom=all
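Review bot: The added entry sets `domain=grilservice_app` but no `type=`, so this line does not decide the label of the app's data directory. As far as I can tell, that label then comes from whichever other seapp_contexts entry matches the app and carries a `type=`. Stating it on this line, e.g. `... domain=grilservice_app type=app_data_file levelFrom=all` (with whichever data type is actually intended), keeps the process domain and its data label reviewable in one place. Keeping `seinfo=platform` alongside `name=` is right, since the package name alone is not a trustworthy selector.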
diff --git a/vendor/google/shell.te b/vendor/google/shell.te
new file mode 100644
index 0000000..f63f5cf
--- /dev/null
+++ b/vendor/google/shell.te
@@ -0,0 +1 @@
+dontaudit shell sysfs_wlc:dir search;
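Review bot: The `dontaudit shell sysfs_wlc:dir search;` rule carries no bug reference, and this same commit removes the `shell sysfs_wlc dir 79757453` line from vendor/google/bug_map. Once the denial is silenced, the link to its tracking bug is lost. Add a comment above the rule in the style time_daemon.te uses, e.g. `# b/79757453`, with a few words on why the search can be ignored.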
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index e3f3730..d90f8c1 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -229,12 +229,8 @@
 
 /vendor/dsp(/.*)?       u:object_r:adsprpcd_file:s0
 
-# files in firmware
-/vender/firmware_mnt(/.*)?           u:object_r:firmware_file:s0
-
 # TODO: Remove them once no need to maintain the backward compatibility. (b/111219177)
 /persist                             u:object_r:rootfs:s0
-/firmware                            u:object_r:rootfs:s0
 /dsp                                 u:object_r:rootfs:s0
 
 # /persist
diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts
index 78e3ce6..ab58600 100644
--- a/vendor/qcom/common/genfs_contexts
+++ b/vendor/qcom/common/genfs_contexts
@@ -34,8 +34,6 @@
 genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_unmap_cnt          u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_sync_cnt           u:object_r:sysfs_scsi_devices_0000:s0
 
-genfscon sysfs /class/rfkill/rfkill0/state            u:object_r:sysfs_bluetooth_writable:s0
-
 genfscon sysfs /class/thermal                                           u:object_r:sysfs_thermal:s0
 genfscon sysfs /class/uio                                               u:object_r:sysfs_uio:s0
 genfscon sysfs /devices/platform/soc/894000.i2c                                  u:object_r:sysfs_msm_subsys:s0
@@ -66,6 +64,8 @@
 genfscon sysfs /devices/virtual/thermal                                 u:object_r:sysfs_thermal:s0
 genfscon sysfs /devices/virtual/wahoo_laser                             u:object_r:sysfs_laser:s0
 genfscon sysfs /module/msm_thermal                                      u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/soc/17d41000.qcom,cpucc/17d41000.qcom,cpucc:qcom,limits-dcvs@0  u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/soc/17d41000.qcom,cpucc/17d41000.qcom,cpucc:qcom,limits-dcvs@1  u:object_r:sysfs_thermal:s0
 genfscon sysfs /devices/platform/soc/18800000.qcom,icnss/net            u:object_r:sysfs_net:s0
 genfscon sysfs /module/tcp_cubic/parameters                             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/net                                     u:object_r:sysfs_net:s0
diff --git a/vendor/qcom/common/hal_camera_default.te b/vendor/qcom/common/hal_camera_default.te
index bee51fe..32d628d 100644
--- a/vendor/qcom/common/hal_camera_default.te
+++ b/vendor/qcom/common/hal_camera_default.te
@@ -4,12 +4,10 @@
 vndbinder_use(hal_camera_default);
 allow hal_camera_default qdisplay_service:service_manager { find };
 
-allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_camera_default hal_graphics_allocator_hwservice:hwservice_manager find;
+hal_client_domain(hal_camera_default, hal_graphics_allocator)
 
 binder_call(hal_camera_default, hal_graphics_composer)
 binder_call(hal_camera_default, system_server)
-binder_call(hal_camera_default, hal_graphics_allocator)
 
 # For camera team debugging
 userdebug_or_eng(`
diff --git a/vendor/qcom/common/hal_dumpstate_impl.te b/vendor/qcom/common/hal_dumpstate_impl.te
index 2780dcf..72a9427 100644
--- a/vendor/qcom/common/hal_dumpstate_impl.te
+++ b/vendor/qcom/common/hal_dumpstate_impl.te
@@ -40,8 +40,6 @@
 r_dir_file(hal_dumpstate_impl, sysfs_thermal)
 r_dir_file(hal_dumpstate_impl, sysfs_easel)
 
-allow hal_dumpstate_impl sysfs_thermal:dir search;
-allow hal_dumpstate_impl sysfs_thermal:file r_file_perms;
 allow hal_dumpstate_impl sysfs_rpm:file r_file_perms;
 allow hal_dumpstate_impl sysfs_system_sleep_stats:file r_file_perms;
 
diff --git a/vendor/qcom/common/ims.te b/vendor/qcom/common/ims.te
index 5d0cd9e..23541e9 100644
--- a/vendor/qcom/common/ims.te
+++ b/vendor/qcom/common/ims.te
@@ -24,6 +24,8 @@
 allow ims self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow ims netmgrd_socket:dir search;
 allow ims netmgrd_socket:sock_file w_file_perms;
+allow ims radio_vendor_data_file:dir rw_dir_perms;
+allow ims radio_vendor_data_file:file create_file_perms;
 allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
 allowxperm ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED;
 
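Review bot: The two added `radio_vendor_data_file` rules give `ims` create, write and unlink access to everything carrying that label, with no comment on which files it needs. The label is presumably shared with the radio daemons, so ims could now modify or remove their files as well as its own. If ims only needs its own subdirectory, a dedicated type labelled in file_contexts would be tighter. Otherwise add a comment such as `# ims stores <what> under the radio vendor data directory` so the grant can be revisited later.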
diff --git a/vendor/qcom/common/netmgrd.te b/vendor/qcom/common/netmgrd.te
index 1390c1b..ef0ae88 100644
--- a/vendor/qcom/common/netmgrd.te
+++ b/vendor/qcom/common/netmgrd.te
@@ -26,8 +26,6 @@
 allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
 allow netmgrd sysfs_msm_subsys:file r_file_perms;
 
-allow netmgrd system_file:file lock;
-
 r_dir_file(netmgrd, sysfs_msm_subsys)
 
 wakelock_use(netmgrd)
@@ -48,7 +46,6 @@
 allow netmgrd proc_net:file rw_file_perms;
 allow netmgrd netmgr_data_file:dir rw_dir_perms;
 allow netmgrd netmgr_data_file:file create_file_perms;
-allow netmgrd system_file:file execute_no_trans;
 allow netmgrd netmgr_recovery_data_file:file create_file_perms;
 allow netmgrd netmgr_recovery_data_file:dir rw_dir_perms;
 
diff --git a/vendor/qcom/common/radio.te b/vendor/qcom/common/radio.te
index 4e33dfe..d504f00 100644
--- a/vendor/qcom/common/radio.te
+++ b/vendor/qcom/common/radio.te
@@ -11,7 +11,6 @@
 allow radio vnd_ims_radio_hwservice:hwservice_manager find;
 allow radio vnd_qcrilhook_hwservice:hwservice_manager find;
 allow radio hal_imsrtp_hwservice:hwservice_manager find;
-allow radio hal_radioext_hwservice:hwservice_manager find;
 
 add_service(radio, radio_service)
 allow radio {
@@ -25,4 +24,3 @@
 allow radio avtimer_device:chr_file r_file_perms;
 
 binder_call(radio, hal_imsrtp)
-binder_call(radio, hal_radioext_default)
diff --git a/vendor/qcom/common/ssr_detector.te b/vendor/qcom/common/ssr_detector.te
index a5ffd3b..0fd4cc7 100644
--- a/vendor/qcom/common/ssr_detector.te
+++ b/vendor/qcom/common/ssr_detector.te
@@ -19,3 +19,5 @@
 allow ssr_detector_app sysfs:lnk_file r_file_perms;
 
 r_dir_file(ssr_detector_app, sysfs_msm_subsys)
+
+allow ssr_detector_app cgroup:file w_file_perms;
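Review bot: `allow ssr_detector_app cgroup:file w_file_perms;` is added with no comment or bug reference, so it is unclear whether the app needs to write cgroup files or the rule only quiets a denial. If the write is not functionally required, `dontaudit ssr_detector_app cgroup:file w_file_perms;` would avoid granting it. If it is required, a comment such as `# <reason>, b/<bug id>` above the rule would record why.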
diff --git a/vendor/qcom/common/subsystem_ramdump.te b/vendor/qcom/common/subsystem_ramdump.te
index 9b65cb1..e19c774 100644
--- a/vendor/qcom/common/subsystem_ramdump.te
+++ b/vendor/qcom/common/subsystem_ramdump.te
@@ -23,7 +23,10 @@
   allow subsystem_ramdump ssr_log_file:dir rw_dir_perms;
   allow subsystem_ramdump ssr_log_file:file create_file_perms;
 
+  allow subsystem_ramdump proc_sysrq:file w_file_perms;
+
   set_prop(subsystem_ramdump, vendor_ssr_prop);
+  get_prop(subsystem_ramdump, vendor_ramdump_prop);
 
   dontaudit subsystem_ramdump kernel:system module_request;
 ')
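Review bot: `allow subsystem_ramdump proc_sysrq:file w_file_perms;` lets this domain write the sysrq trigger, which can crash or reboot the device. The hunk shows only the closing `')` of the enclosing block, not its opening line. Please confirm that the block is `userdebug_or_eng(` so the rule never reaches user builds. If the purpose is to force a crash for ramdump collection, a comment such as `# Debug builds only: trigger sysrq to collect a ramdump` above the rule would record it. The new `get_prop(subsystem_ramdump, vendor_ramdump_prop);` is read-only and needs no more than the same comment.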
diff --git a/vendor/qcom/common/time_daemon.te b/vendor/qcom/common/time_daemon.te
index d77bc57..2133482 100644
--- a/vendor/qcom/common/time_daemon.te
+++ b/vendor/qcom/common/time_daemon.te
@@ -26,3 +26,6 @@
 allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;
 
 dontaudit time_daemon kernel:system module_request;
+
+# b/68864350
+dontaudit time_daemon unlabeled:dir search;
diff --git a/vendor/qcom/common/wcnss_service.te b/vendor/qcom/common/wcnss_service.te
index 9b00774..3e2eaeb 100644
--- a/vendor/qcom/common/wcnss_service.te
+++ b/vendor/qcom/common/wcnss_service.te
@@ -36,7 +36,7 @@
 allow wcnss_service sysfs_soc:dir search;
 allow wcnss_service sysfs_soc:file r_file_perms;
 
-# request_firmware causes a denial for /firmware. It can be safely ignored
+# request_firmware causes a denial. It can be safely ignored
 dontaudit wcnss_service firmware_file:dir search;
 
 r_dir_file(wcnss_service, sysfs_net)