Merge "lmkd: grant read access to all of /sys"
diff --git a/domain.te b/domain.te
index 4ecca7e..d02db11 100644
--- a/domain.te
+++ b/domain.te
@@ -115,6 +115,9 @@
 # /proc/cpuinfo
 allow domain proc_cpuinfo:file r_file_perms;
 
+# jemalloc needs to read /proc/sys/vm/overcommit_memory
+allow domain proc_overcommit_memory:file r_file_perms;
+
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:dir search;
 allow domain selinuxfs:file getattr;
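Review bot: `allow domain proc_overcommit_memory:file r_file_perms;` is the only rule for the new type in this diff, so after the genfs_contexts hunk relabels /proc/sys/vm/overcommit_memory, any domain that wrote the node through its access to the previous label will be denied. If a writer such as init sets this sysctl at boot (not visible here), it needs its own rule, for example `allow init proc_overcommit_memory:file w_file_perms;`. Giving the node a dedicated type keeps this domain-wide read grant from exposing other /proc/sys/vm entries. A line in the comment saying that write access is intentionally not granted here would preserve that intent.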
diff --git a/dumpstate.te b/dumpstate.te
index d31d45f..4a475d1 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -13,8 +13,13 @@
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
 
-# Send signals to processes
-allow dumpstate self:capability kill;
+allow dumpstate self:capability {
+    # Send signals to processes
+    kill
+    # Run iptables
+    net_raw
+    net_admin
+};
 
 # Allow executing files on system, such as:
 #   /system/bin/toolbox
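Review bot: `net_admin` in the new `allow dumpstate self:capability { ... }` set is far broader than the stated purpose. It permits changing firewall rules, routes and interface configuration, not only reading them, and this domain can already scan /proc/pid for every process. The `# Run iptables` comment sits above `net_raw` and does not say that it covers `net_admin` too, or that the use is read-only (presumably listing rules for the bug report). I would state the constraint in place, e.g. `# Run iptables to list rules only; net_admin also allows rule changes, so dumpstate must not modify netfilter state`. Whether the listing could run in a narrower domain than dumpstate itself is also worth checking.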
diff --git a/file.te b/file.te
index f30911a..cab2a5e 100644
--- a/file.te
+++ b/file.te
@@ -6,8 +6,8 @@
 type proc, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type;
-# Type for /proc/sys/vm/drop_caches
 type proc_drop_caches, fs_type;
+type proc_overcommit_memory, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
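Review bot: Deleting `# Type for /proc/sys/vm/drop_caches` leaves both `proc_drop_caches` and the new `proc_overcommit_memory` undocumented, although the neighbouring types each carry a comment. I would keep the old line and add a matching one above the new type, e.g. `# Type for /proc/sys/vm/overcommit_memory (world-readable; see domain.te)`. This matters because the type exists to allow a domain-wide read grant, and a reader of file.te cannot see that from the declaration alone.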
diff --git a/genfs_contexts b/genfs_contexts
index d823476..891c686 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -23,6 +23,7 @@
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
 
diff --git a/property_contexts b/property_contexts
index d48473b..bbfea8a 100644
--- a/property_contexts
+++ b/property_contexts
@@ -43,6 +43,7 @@
 persist.logd.           u:object_r:logd_prop:s0
 persist.logd.security   u:object_r:device_logging_prop:s0
 persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
+logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
 persist.log.tag         u:object_r:logd_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
 persist.sys.            u:object_r:system_prop:s0
diff --git a/update_engine.te b/update_engine.te
index 3c5bfa1..27d3767 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -55,6 +55,9 @@
 # to execute those.
 allow update_engine shell_exec:file rx_file_perms;
 
+# Allow update_engine to suspend, resume and kill the postinstall program.
+allow update_engine postinstall:process { signal sigstop };
+
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };
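Review bot: The comment promises "suspend, resume and kill", but `{ signal sigstop }` does not include SIGKILL, which SELinux checks under the separate `sigkill` permission. `signal` covers SIGCONT and SIGTERM, and `sigstop` covers SIGSTOP. If update_engine's kill path sends SIGKILL (not visible in this hunk), the rule should be `allow update_engine postinstall:process { signal sigstop sigkill };`. If it only sends SIGTERM, the comment should say "terminate (SIGTERM)" so that the missing `sigkill` reads as deliberate.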