Merge "Label former VNDK-SP libraries in vendor as sphal" into main
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 9f5f87e..09ba079 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -18,6 +18,16 @@
 allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
 read_fstab(lpdumpd)
 
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(lpdumpd, sysfs_dt_firmware_android);
+allow lpdumpd proc_cmdline:file r_file_perms;
+
+# Allow reading Virtual A/B status information.
+get_prop(lpdumpd, virtual_ab_prop)
+allow lpdumpd metadata_file:dir search;
+allow lpdumpd ota_metadata_file:dir { r_dir_perms lock };
+allow lpdumpd ota_metadata_file:file r_file_perms;
+
 ### Neverallow rules
 
 # Disallow other domains to get lpdump_service and call lpdumpd.
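Review bot: The added `r_dir_file(lpdumpd, sysfs_dt_firmware_android);` overlaps the context rule `allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;` at the top of the hunk, because the macro already grants file read on that type; drop one of the two so the domain's grants stay easy to audit. In `allow lpdumpd ota_metadata_file:dir { r_dir_perms lock };` the explicit `lock` looks redundant if `r_dir_perms` already includes it, as I believe it does in global_macros. Either write `allow lpdumpd ota_metadata_file:dir r_dir_perms;` or keep `lock` with a one-line comment saying why lpdumpd locks that directory. The macro call also ends in `;` while `read_fstab(lpdumpd)` and `get_prop(lpdumpd, virtual_ab_prop)` in the same hunk do not. Rules earlier in the file are outside this hunk, so further overlap cannot be ruled out from here.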
diff --git a/private/property_contexts b/private/property_contexts
index d556acf..5c08328 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -706,6 +706,7 @@
 ro.lmk.critical                 u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.critical_upgrade         u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.debug                    u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.delay_monitors_until_boot u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.downgrade_pressure       u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.filecache_min_kb         u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.kill_heaviest_task       u:object_r:lmkd_config_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index abd6c7b..c22c046 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -47,9 +47,11 @@
 # be mapped to isolated_compute_app by default. It is expected to be used together
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
+# An unspecified isIsolatedComputeApp defaults to false.
 #
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
+# An unspecified isSdkSandboxNext defaults to false.
 #
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
@@ -67,8 +69,6 @@
 #              minTargetSdkVersion= integer. Note that minTargetSdkVersion=
 #              defaults to 0 if unspecified.
 #       (8) fromRunAs=true before fromRunAs=false.
-#       (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
-#       (10) isSdkSandboxNext=true before isSdkSandboxNext=false
 # (A fixed selector is more specific than a prefix, i.e. ending in *, and a
 # longer prefix is more specific than a shorter prefix.)
 # Apps are checked against entries in precedence order until the first match,
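Review bot: With rules (9) and (10) removed, the precedence list no longer says how two entries that differ only in `isIsolatedComputeApp` or `isSdkSandboxNext` are ordered, even though the first match wins. The same header describes `isIsolatedComputeApp=true` as giving isolated processes relaxed security restrictions, so the outcome should be stated rather than left implicit. A line after rule (8) such as `# isIsolatedComputeApp and isSdkSandboxNext do not take part in ordering.` would do, provided that matches the comparator in android_platform.c, which is not visible here. The comment block continues outside the hunk.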