Merge "Sepolicy changes for system_server to use libvintf" into oc-dev am: 1c8e8e0e

am: aa15c0af Change-Id: I2472fae6dec8202842dc35d36eb03248256dcd45

Merge "Sepolicy changes for system_server to use libvintf" into oc-dev am: 1c8e8e0e
am: aa15c0af Change-Id: I2472fae6dec8202842dc35d36eb03248256dcd45
b1040455 · Michael Schwartz · android-build-merger · 882c5216 · aa15c0af · b1040455
Commit b1040455 authored 7 years ago by Michael Schwartz Committed by android-build-merger 7 years ago
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -285,6 +285,7 @@
 # TODO: b/36790901 move this to /vendor/etc
 /(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -86,6 +86,9 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_io
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be