Android.mk: conditional compilation of odm_sepolicy.cil am: 1b2ea497aa am: 7913fb01e8
am: c8e489be83

Change-Id: Ia1bffa0026fc1e5fa4c4f2eee743dfa2545a83c0
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index a91ffee..c2b7335 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -4,10 +4,10 @@
 (type mediacodec_exec)
 (type qtaguid_proc)
 (type reboot_data_file)
-(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
+(type vold_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/service_contexts b/private/service_contexts
index e04227b..fd1a5ce 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -64,6 +64,7 @@
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
+ianas                                     u:object_r:radio_service:s0
 incident                                  u:object_r:incident_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
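Review bot: The new `ianas` entry reuses the shared `radio_service` label, so any domain that policy already allows to `find` `radio_service` can look this service up, and any domain allowed to `add` that type can register the name. If `ianas` is meant for a narrower set of clients than the other services carrying this label, a dedicated service type would keep its access separately controllable; whether that is needed depends on rules outside this hunk. Either way, a one-line comment above the entry would record the choice, for example `# ianas: registered by <component placeholder>; intentionally shares radio_service`.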
diff --git a/private/system_server.te b/private/system_server.te
index 7b0ddaa..57f9b8b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -145,10 +145,6 @@
 auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 11cea6e..32eec26 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -135,18 +135,6 @@
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
 
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
-# limited through a mechanism other than SELinux.
-r_dir_file(untrusted_app_all, proc_net_type)
-userdebug_or_eng(`
-  auditallow untrusted_app_all {
-    proc_net_type
-    -proc_net_vpn
-  }:{ dir file lnk_file } { getattr open read };
-')
-
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
diff --git a/public/property_contexts b/public/property_contexts
index d6a33df..8a60b80 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -60,6 +60,7 @@
 dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
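Review bot: `dalvik.vm.profilebootimage` is inserted after `dalvik.vm.profilesystemserver`, which breaks the alphabetical order the neighbouring `dalvik.vm.*` entries follow. Moving it one line up keeps the list easy to scan and makes duplicates easier to spot in later merges. Because the file lives under `public/`, the property presumably becomes part of the set exported across the platform/vendor boundary with the `exported_dalvik_prop` label, so it is worth confirming that this exposure is intended for a boot-image profiling switch.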
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index a446721..b6b9e09 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -9,7 +9,7 @@
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
 
 # Allow wpa_supplicant to configure nl80211
-allow hal_wifi_supplicant_default proc_net:file write;
+allow hal_wifi_supplicant_default proc_net_type:file write;
 
 # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
 hwbinder_use(hal_wifi_supplicant_default)
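Review bot: Switching the target from `proc_net` to the `proc_net_type` attribute on the `allow ... :file write;` line grants wpa_supplicant write access to every type carrying that attribute, not only the files it needs to configure nl80211. The removed `untrusted_app_all` rule in this same commit shows the attribute also covers `proc_net_vpn`. If the VPN-labelled files are not needed, the rule could be narrowed using the subtraction form already used elsewhere in the policy: `allow hal_wifi_supplicant_default { proc_net_type -proc_net_vpn }:file write;`. Listing only the specific types required would be tighter still. If the full attribute really is required, the comment above the rule should say which `/proc/net` files are written and why, since "configure nl80211" no longer describes the scope of the grant.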