Commit graph

369 commits

Author SHA1 Message Date
Thiébaud Weksteen
9ec532752d Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-28 13:18:46 +02:00
Alexander Dorokhine
0b2553a32b Allow the appsearch apex access to the apexdata misc_ce dir.
Bug: 177685938
Test: AppSearchSessionCtsTest
Change-Id: I727860a02cb9e612ce6c322662d418cddc2ff358
2021-05-26 09:47:19 -07:00
Hridya Valsaraju
f35c70b0dd Merge changes If26ba23d,Ibea38822
* changes:
  Revert "Revert "Exclude vendor_modprobe from debugfs neverallow restrictions""
  Revert "Revert "Add neverallows for debugfs access""
2021-05-05 17:31:35 +00:00
Songchun Fan
633f7ca868 [sepolicy] allow system server to read incfs metrics from sysfs
Address denial messages like:

05-05 05:02:21.480  1597  1597 W Binder:1597_12: type=1400 audit(0.0:140): avc: denied { read } for name="reads_delayed_min" dev="sysfs" ino=107358 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

BUG: 184844615
Test: atest android.cts.statsdatom.incremental.AppErrorAtomTests#testAppCrashOnIncremental
Change-Id: I201e27e48a08f99f41a030e06c6f22518294e056
2021-05-04 22:56:41 -07:00
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Hridya Valsaraju
7362f58895 Merge changes from topic "revert-1668411-MWQWEZISXF"
* changes:
  Revert "Add a neverallow for debugfs mounting"
  Revert "Add neverallows for debugfs access"
  Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
  Revert "Check that tracefs files are labelled as tracefs_type"
2021-04-23 22:06:31 +00:00
Hridya Valsaraju
e95e0ec0a5 Revert "Add neverallows for debugfs access"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
2021-04-23 16:38:20 +00:00
Treehugger Robot
005ae599cd Merge changes from topic "debugfs_neverallow"
* changes:
  Check that tracefs files are labelled as tracefs_type
  Exclude vendor_modprobe from debugfs neverallow restrictions
  Add neverallows for debugfs access
  Add a neverallow for debugfs mounting
2021-04-22 16:41:06 +00:00
Hridya Valsaraju
a0b504a484 Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).

This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00
David Massoud
c50fecd8ef Allow traced_probes to read devfreq
- Add dir read access to /sys/class/devfreq/
- Add file read access to /sys/class/devfreq/$DEVICE/cur_freq

Resolves the following denials:
W traced_probes: type=1400 audit(0.0:8):
avc: denied { read } for name="devfreq" dev="sysfs"
ino=28076 scontext=u:r:traced_probes:s0
tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0

W traced_probes: type=1400 audit(0.0:226):
avc: denied { read } for name="cur_freq" dev="sysfs"
ino=54729 scontext=u:r:traced_probes:s0
tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

See ag/14187061 for device specific sysfs_devfreq_cur labels

Bug: 181850306
Test: ls -Z, record perfetto trace
Change-Id: I23cebb16505313160e14b49e82e24da9b81cad70
2021-04-16 20:02:06 +08:00
Yabin Cui
49806a1067 Merge "Add vendor_kernel_modules type to public." 2021-04-08 17:49:16 +00:00
Yabin Cui
2e2df6b3a7 Add vendor_kernel_modules type to public.
Bug: 166559473
Bug: 183135316
Test: build and boot
Change-Id: Idc9f6235a1b69236ce274d9b3173f6d39ee04c82
Merged-In: Idc9f6235a1b69236ce274d9b3173f6d39ee04c82
(cherry picked from commit 3b23f17eae)
2021-04-06 14:28:36 -07:00
Yi-Yo Chiang
806898db48 Split gsi_metadata_file and add gsi_metadata_file_type attribute
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
2021-03-29 03:09:35 +00:00
Alexander Potapenko
3d52817da4 Selinux policy for bootreceiver tracing instance
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.

Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
2021-03-05 08:53:39 +01:00
Wonsik Kim
08a25e6709 Revert "Selinux policy for bootreceiver tracing instance"
Revert submission 1572240-kernel_bootreceiver

Reason for revert: DroidMonitor: Potential culprit for Bug 181778620 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
Ic1c49a695:init.rc: set up a tracing instance for BootReceive...
I828666ec3:Selinux policy for bootreceiver tracing instance

Change-Id: I9a8da7ae501a4b7c3d6cb5bf365458cfd1bef906
2021-03-03 22:47:02 +00:00
Alexander Potapenko
31251aa6ec Selinux policy for bootreceiver tracing instance
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.

Bug: 172316664
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I828666ec3154aadf138cfa552832a66ad8f4a201
2021-03-02 16:53:12 +01:00
Devin Moore
840d4f3bf3 Add sepolicy for /proc/bootconfig
Vendor boot hal, init, and vold processes all require permission.

Test: build and boot aosp_cf_x86_64_phone
Bug: 173815685
Change-Id: I15692dcd39dfc9c3a3b7d8c12d03eff0a7c96f72
2021-02-23 07:42:06 -08:00
Kelvin Zhang
a1e58814a8 Add necessary sepolicy for update_engine to reserve space on data
Test: serve an OTA, make sure /data/apex/reserved is present
Bug: 172911822

Change-Id: I9f7967c9047ae834eb55a48d56ffc34a7b37f5db
2021-02-19 11:30:50 +00:00
Gavin Corkery
3bb3559e2e Merge "Add sepolicy for scheduling module data directories" 2021-02-18 20:51:51 +00:00
Gavin Corkery
cd3bb575ab Add sepolicy for scheduling module data directories
Test: Manually test writing and reading files
Bug: 161353402
Change-Id: Ifbc0e4db0ec51f6565a0f52df06b1d148577b788
2021-02-15 22:31:27 +00:00
Maciej Żenczykowski
d68cb48e90 apply 'fs_bpf_tethering' label to /sys/fs/bpf/tethering
We want to label /sys/fs/bpf/tethering/... with a new label distinct
from /sys/fs/bpf, as this will allow locking down the programs/maps
tighter then is currently possible with the existing system.

These programs and maps are provided via the tethering mainline module,
and as such their number, names, key/value types, etc. are all prone to
be changed by a tethering mainline module update.

Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifc4108d76a1106a936b941a3dda1abc5a65c05b0
2021-02-11 17:45:06 -08:00
Hridya Valsaraju
2c3ef29ed5 Allow dumpsys to read total DMA-BUF heap pool size
These permissions are added to allow dumpsys to read
/sys/kernel/dma_heap/total_pools_kb.

Fixes the following sepolicy denials:
avc: denied { read } for name="total_pools_kb" dev="sysfs" ino=3252
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/kernel/dma_heap/total_pools_kb"
dev="sysfs" ino=3252 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0
tclass=file permissive=1
avc: denied { getattr } for path="/sys/kernel/dma_heap/total_pools_kb"
dev="sysfs" ino=3252 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0
tclass=file permissive=1

Bug: 167709539
Test: dumpsys meminfo
Change-Id: I1c15b41b067da84a7b629cafe27972f30c86ae27
2021-02-03 21:42:09 -08:00
Hridya Valsaraju
6217b6657d Allow dumpstate to read DMA-BUF sysfs stats
These permissions are required for dumpstate to read the DMA-BUF sysfs
stats present at /sys/kernel/dmabuf/buffers

Bug: 167709539
Test: adb shell am bug-report
Change-Id: I1c00843775452b7a7aa39b059e1d77d77aed1e9c
2021-02-02 13:28:18 -08:00
Treehugger Robot
883de3cd2e Merge "Add vendor_public_framework_file type to SEPolicy" 2021-01-28 11:41:00 +00:00
Andrei Onea
850842f77c Add data directory for appcompat
This directory is used to store override config, so that they can
persist across reboot.

Test: atest CompatConfigTest
Bug: 145509340
Change-Id: I5e8f2b3093daeccd6c95dff24a8c6c0ff31235ca
2021-01-27 15:04:31 +00:00
Dorin Drimus
84cd7087d5 Add vendor_public_framework_file type to SEPolicy
And allow access from system apps to vendor libs public only for system.
These files should be marked individually by OEMs. Maintainance
ownership for these libraries is also OEM's responsability.
Similar with vendor_public_libs_file type, this allows for an explicit
labeling of OEM system apps that can access libs from vendor.

Bug: 172526961
Test: build-only change, policy builds
Change-Id: I7d4c8232e0b52e73f373d3347170c87ab2dcce52
2021-01-26 15:59:37 +01:00
Kalesh Singh
d37f2e9d65 Merge "Sepolicy for mm events trace instance" 2021-01-26 14:33:39 +00:00
Kalesh Singh
aab7a73868 Sepolicy for mm events trace instance
Allow traced_probes read write access to configure
mm_events trace instance and poll trace_pipe_raw

Bug: 155928119
Test: No denials in logcat
Change-Id: Ib65ab2e7be8daa6b8c412ffea909072583db7002
2021-01-25 12:01:27 -05:00
Linzhao Ye
bab989d315 Merge "Add SePolicy for system_server accessing sysfs uhid." 2021-01-23 17:08:47 +00:00
Chris Ye
c0e7206c73 Add SePolicy for system_server accessing sysfs uhid.
Add SePolicy to allow Android input manager accessing sysfs uhid folder.

Bug: 161633432
Test: dumpsys input and watch for input device battery status.
Change-Id: I6ed1ab45f1cff409982c36627e12e62667819f37
2021-01-22 17:56:45 +00:00
Yurii Zubrytskyi
80dfa06984 IncFS: update SE policies for the new API
IncFS in S adds a bunch of new ioctls, and requires the users
to read its features in sysfs directory. This change adds
all the features, maps them into the processes that need to
call into them, and allows any incfs user to query the features

Bug: 170231230
Test: incremental unit tests
Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
2021-01-19 12:57:15 -08:00
Marco Ballesio
3eabc1d541 sepolicy: allow system_server to read /proc/locks
Access to /proc/locks is necessary to activity manager to determine
wheter a process holds a lock or not prior freezing it.

Test: verified access of /proc/locks while testing other CLs in the same
topic.
Bug: 176928302

Change-Id: I14a65da126ff26c6528edae137d3ee85d3611509
2021-01-12 10:47:58 -08:00
Gavin Corkery
b46e956d97 Merge "Add sepolicy for /metadata/watchdog" 2021-01-08 08:20:45 +00:00
Gavin Corkery
b0aae28b41 Add sepolicy for /metadata/watchdog
See go/rescue-party-reboot for more context.

One integer will be stored in a file in this
directory, which will be read and then deleted at the
next boot. No userdata is stored.

Test: Write and read from file from PackageWatchdog
Bug: 171951174

Change-Id: I18f59bd9ad324a0513b1184b2f4fe78c592640db
2021-01-07 19:42:56 +00:00
Chiachang Wang
813c25fc91 Add new selinux type for radio process
ConnectivityService is going to become mainline and can not
access hidden APIs. Telephony and Settings were both accessing
the hidden API ConnectivityManager#getMobileProvisioningUrl.
Moving #getMobileProvisioningUrl method into telephony means
that there is one less access to a hidden API within the overall
framework since the Connectivity stack never needed this value.
Thus, move getMobileProvisioningUrl parsing to telephony surface
and provide the corresponding sepolicy permission for its access.

The exsting radio_data_file is an app data type and may allow
more permission than necessary. Thus create a new type and give
the necessary read access only.

Bug: 175177794
Test: verify that the radio process could read
      /data/misc/radio/provisioning_urls.xml successfully
Change-Id: I191261a57667dc7936c22786d75da971f94710ef
2020-12-24 15:11:15 +08:00
Alan Stokes
7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00
Suren Baghdasaryan
37f1a137b6 Add rules for per-API level task profiles and cgroup description files
Define access rights to new per-API level task profiles and cgroup
description files under /etc/task_profiles/.

Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
2020-11-23 09:30:26 -08:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to
enforce use of app_data_file_type is omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Florian Mayer
12376168b4 New type for printk_formats, allow traced_probes.
Test: ls -lZ /sys/kernel/tracing/printk_formats
      [...] u:object_r:debugfs_tracing_printk_formats:s0 [...]

Test: setenforce 0;
      runcon u:r:system_server:s0 cat /sys/kernel/tracing/printk_formats
      logcat complains about /sys/kernel/tracing/printk_formats

Test: setenforce 0;
      runcon u:r:traced_probes:s0 cat /sys/kernel/tracing/printk_formats
      logcat does not complain about /sys/kernel/tracing/printk_formats

(need to setenforce 0, because otherwise the exec of ls is denied).

Bug: 70292203
Change-Id: I15ddef686f979c59daaba5263fa99aca3cd139e5
2020-11-05 12:55:50 +00:00
David Anderson
45ac6e8400 Merge "Add sepolicy for dm-user devices and the snapuserd daemon." 2020-10-27 16:39:14 +00:00
David Anderson
fe30369efb Add sepolicy for dm-user devices and the snapuserd daemon.
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.

snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
betewen dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.

Bug: 168259959
Test: ctl.start snapuserd, no denials
      vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
2020-10-26 23:23:01 -07:00
Primiano Tucci
cd452300a7 Allow tracing service to access kallsyms on userdebug
This CL allows the traced_probes service to temporarily
lower kptr_restrict and read /proc/kallsyms.
This is allowed only on userdebug/eng builds.
The lowering of kptr_restrict is done via an init
property because the kernel checks that the kptr_restrict
writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1].

[1] 4cbffc461e/kernel/sysctl.c (L2254)

Bug: 136133013
Design doc: go/perfetto-kallsyms
Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882

Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c
2020-10-23 14:03:08 +01:00
Maciej Żenczykowski
159c6e13dc public/file.te: add 'allow proc_net proc:filesystem associate'
Per http://cs/aosp-master/system/sepolicy/private/genfs_contexts?l=21

  genfscon proc /net u:object_r:proc_net:s0

/proc/net/... portion of proc should be 'proc_net' not the default of 'proc'

For example on a bonito:
  $ adbb shell ls -alZd /proc /proc/net/xt_quota
  dr-xr-xr-x 757 root root u:object_r:proc:s0      0 1969-12-31 16:00 /proc
  dr-xr-xr-x   2 root root u:object_r:proc_net:s0  0 2020-10-20 11:02 /proc/net/xt_quota

This already mostly works, but occasionally on 4.19 devices we see
(apparently spurious) denials (my gut feeling is kernel behaviour
changed and/or is racy):

[   37.434457] type=1400 audit(1574821413.359:2102): avc: denied { associate } for comm="Binder:762_1" name="globalAlert" scontext=u:object_r:proc_net:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=1

Presumably caused by a binder rpc into netd:
  http://cs/aosp-master/system/netd/server/BandwidthController.cpp?l=635&rcl=cdd79f13c670605819333de2d7b67d7f8a42210c

Things seem to work anyway, presumably because eventually it does somehow
get set to 'proc_net' anyway...

This patch will allow the removal of:
    allow proc_net proc:filesystem { associate };
and
    dontaudit proc_net proc:filesystem associate;
from device specific configs.

Bug: 145579144
Bug: 170265025
Test: treehugger will
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I46294d8b1526e846a5eddb350adf51c76634b8f1
2020-10-20 18:25:39 +00:00
Jack Yu
dd5c5d7960 Merge "Add sepolicy to allow read/write nfc snoop log data" 2020-10-16 07:56:10 +00:00
Alan Stokes
c7229c760f Make shared_relro levelFrom=all.
Also make shared_relro_file mlstrustedobject to ensure these files can
still be read by any app in any user.

Bug: 170622707
Test: Manual: delete the files, check they are re-created and accessible.
Test: Manual: no denials seen
Test: Presubmits
Change-Id: Icce4ee858219e3fd0e307f3edfb3c66005872a45
2020-10-12 14:43:01 +01:00
Yifan Hong
f5f4c1207a Revert "Add /boot files as ramdisk_boot_file."
This reverts commit 2576a2fc30.

Reason for revert: conflict with device-specific sepolicy

Bug: 170411692
Change-Id: Ie5fde9dd91b603f155cee7a9d7ef432a05dc6827
Test: pass
2020-10-08 22:13:44 +00:00
Yifan Hong
2576a2fc30 Add /boot files as ramdisk_boot_file.
/boot/etc/build.prop is a file available at first_stage_init to
be moved into /second_stage_resources.

The file is only read by first_stage_init before SELinux is
initialized. No other domains are allowed to read it.

Test: build aosp_hawk
Test: boot and getprop
Bug: 170364317
Change-Id: I0f8e3acc3cbe6d0bae639d2372e1423acfc683c7
2020-10-08 07:55:12 -07:00
Jack Yu
dd64813204 Add sepolicy to allow read/write nfc snoop log data
Bug: 153704838
Test: nfc snoop log could be accessed
Change-Id: I694426ddb776114e5028b9e33455dd98fb502f0a
2020-09-24 17:36:07 +08:00