Merge 63e14d21 on remote branch

Change-Id: Ifc609cced2640c473c1ee91a47027d2a06dfe765

Merge 63e14d21 on remote branch
Change-Id: Ifc609cced2640c473c1ee91a47027d2a06dfe765
883aac29 · Linux Build Service Account · 1f70d69d · 63e14d21 · 883aac29 · 883aac29
Commit 883aac29 authored 5 years ago by Linux Build Service Account
--- a/prebuilts/api/29.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/29.0/private/dexoptanalyzer.te
@@ -22,7 +22,7 @@ allow dexoptanalyzer installd:fifo_file { getattr write };
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.

--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts
@@ -213,6 +213,7 @@ genfscon tracefs /events/power/cpu_idle/                                 u:objec
 genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
@@ -255,6 +256,7 @@ genfscon debugfs /tracing/events/power/cpu_idle/
 genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0

--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -283,6 +283,7 @@ allow system_server {
  hal_graphics_composer_server
  hal_health_server
  hal_omx_server
+  hal_power_stats_server
  hal_sensors_server
  hal_vr_server
 }:process { signal };

--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -1154,6 +1154,7 @@ neverallow {
  -system_server
  -system_app
  -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
@@ -1407,4 +1408,3 @@ neverallow {
  -hal_codec2_server
  -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -392,5 +392,7 @@ ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exa
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
--- a/prebuilts/api/29.0/public/service.te
+++ b/prebuilts/api/29.0/public/service.te
@@ -10,7 +10,7 @@ type dumpstate_service,         service_manager_type;
 type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
-type gpu_service,               service_manager_type;
+type gpu_service,               app_api_service, service_manager_type;
 type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
 type incident_service,          service_manager_type;

--- a/prebuilts/api/29.0/public/toolbox.te
+++ b/prebuilts/api/29.0/public/toolbox.te
@@ -22,3 +22,7 @@ allow toolbox swap_block_device:blk_file rw_file_perms;
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -22,7 +22,7 @@ allow dexoptanalyzer installd:fifo_file { getattr write };
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -213,6 +213,7 @@ genfscon tracefs /events/power/cpu_idle/                                 u:objec
 genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
@@ -255,6 +256,7 @@ genfscon debugfs /tracing/events/power/cpu_idle/
 genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -283,6 +283,7 @@ allow system_server {
  hal_graphics_composer_server
  hal_health_server
  hal_omx_server
+  hal_power_stats_server
  hal_sensors_server
  hal_vr_server
 }:process { signal };

--- a/public/domain.te
+++ b/public/domain.te
@@ -1154,6 +1154,7 @@ neverallow {
  -system_server
  -system_app
  -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
@@ -1407,4 +1408,3 @@ neverallow {
  -hal_codec2_server
  -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -392,5 +392,7 @@ ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exa
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
--- a/public/service.te
+++ b/public/service.te
@@ -10,7 +10,7 @@ type dumpstate_service,         service_manager_type;
 type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
-type gpu_service,               service_manager_type;
+type gpu_service,               app_api_service, service_manager_type;
 type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
 type incident_service,          service_manager_type;

--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -22,3 +22,7 @@ allow toolbox swap_block_device:blk_file rw_file_perms;
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };