Initial commit, syncing up to v115

2019-08-08 02:52:03 +00:00
commit b71d406ba3
91 changed files with 7298 additions and 0 deletions
--- a/patches/platform_system_sepolicy/0001-Don-t-set-esdfs-or-exfat-genfscon.-Assume-OEM-does.patch
+++ b/patches/platform_system_sepolicy/0001-Don-t-set-esdfs-or-exfat-genfscon.-Assume-OEM-does.patch
@@ -0,0 +1,51 @@
+From 733830ed8d84a76325977baf8b9132e65672b85f Mon Sep 17 00:00:00 2001
+From: Pierre-Hugues Husson <phh@phh.me>
+Date: Tue, 14 Aug 2018 20:56:54 +0200
+Subject: [PATCH 01/26] Don't set esdfs or exfat genfscon. Assume OEM does
+
+---
+ prebuilts/api/28.0/private/genfs_contexts | 4 ++--
+ private/genfs_contexts                    | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
+index 7e2ea509..56cd92da 100644
+--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
+@@ -231,12 +231,12 @@ genfscon debugfs /tracing/events/fence/
+ 
+ genfscon inotifyfs / u:object_r:inotify:s0
+ genfscon vfat / u:object_r:vfat:s0
+-genfscon exfat / u:object_r:exfat:s0
+#genfscon exfat / u:object_r:exfat:s0
+ genfscon debugfs / u:object_r:debugfs:s0
+ genfscon fuse / u:object_r:fuse:s0
+ genfscon configfs / u:object_r:configfs:s0
+ genfscon sdcardfs / u:object_r:sdcardfs:s0
+-genfscon esdfs / u:object_r:sdcardfs:s0
+#genfscon esdfs / u:object_r:sdcardfs:s0
+ genfscon pstore / u:object_r:pstorefs:s0
+ genfscon functionfs / u:object_r:functionfs:s0
+ genfscon usbfs / u:object_r:usbfs:s0
+diff --git a/private/genfs_contexts b/private/genfs_contexts
+index 7e2ea509..56cd92da 100644
+--- a/private/genfs_contexts
+++ b/private/genfs_contexts
+@@ -231,12 +231,12 @@ genfscon debugfs /tracing/events/fence/
+ 
+ genfscon inotifyfs / u:object_r:inotify:s0
+ genfscon vfat / u:object_r:vfat:s0
+-genfscon exfat / u:object_r:exfat:s0
+#genfscon exfat / u:object_r:exfat:s0
+ genfscon debugfs / u:object_r:debugfs:s0
+ genfscon fuse / u:object_r:fuse:s0
+ genfscon configfs / u:object_r:configfs:s0
+ genfscon sdcardfs / u:object_r:sdcardfs:s0
+-genfscon esdfs / u:object_r:sdcardfs:s0
+#genfscon esdfs / u:object_r:sdcardfs:s0
+ genfscon pstore / u:object_r:pstorefs:s0
+ genfscon functionfs / u:object_r:functionfs:s0
+ genfscon usbfs / u:object_r:usbfs:s0
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0009-Allow-mmap-for-vendor_init.patch
+++ b/patches/platform_system_sepolicy/0009-Allow-mmap-for-vendor_init.patch
@@ -0,0 +1,88 @@
+From cd432a8d8114feda09c47ca985aa7f9f8cc2d4e9 Mon Sep 17 00:00:00 2001
+From: Nick Kralevich <nnk@google.com>
+Date: Mon, 30 Jul 2018 18:52:46 -0700
+Subject: [PATCH 09/26] Allow mmap for vendor_init
+
+vendor_init needs to touch a bunch of files. Forgotten within this set
+of permissions is the ability to mmap files.
+
+Addresses the following denial:
+
+  avc:  denied  { map } for  pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
+
+While I'm here, add mmap() support to other areas where it's likely
+needed.
+
+Bug: 111742629
+Test: make -j80, ran emulator
+Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75
+---
+ prebuilts/api/28.0/public/vendor_init.te | 6 +++---
+ public/vendor_init.te                    | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te
+index 740d0d9e..9784095a 100644
+--- a/prebuilts/api/28.0/public/vendor_init.te
+++ b/prebuilts/api/28.0/public/vendor_init.te
+@@ -60,7 +60,7 @@ allow vendor_init {
+   -unlabeled
+   -vendor_file_type
+   -vold_metadata_file
+-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
+ 
+ allow vendor_init {
+   file_type
+@@ -107,7 +107,7 @@ allow vendor_init {
+   -proc_uid_time_in_state
+   -proc_uid_concurrent_active_time
+   -proc_uid_concurrent_policy_time
+-}:file { open read setattr };
+}:file { open read setattr map };
+ 
+ allow vendor_init {
+   fs_type
+@@ -149,7 +149,7 @@ allow vendor_init self:process { setfscreate };
+ r_dir_file(vendor_init, vendor_file_type)
+ 
+ # Vendor init can read properties
+-allow vendor_init serialno_prop:file { getattr open read };
+allow vendor_init serialno_prop:file { getattr open read map };
+ 
+ # Vendor init can perform operations on trusted and security Extended Attributes
+ allow vendor_init self:global_capability_class_set sys_admin;
+diff --git a/public/vendor_init.te b/public/vendor_init.te
+index 740d0d9e..9784095a 100644
+--- a/public/vendor_init.te
+++ b/public/vendor_init.te
+@@ -60,7 +60,7 @@ allow vendor_init {
+   -unlabeled
+   -vendor_file_type
+   -vold_metadata_file
+-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
+ 
+ allow vendor_init {
+   file_type
+@@ -107,7 +107,7 @@ allow vendor_init {
+   -proc_uid_time_in_state
+   -proc_uid_concurrent_active_time
+   -proc_uid_concurrent_policy_time
+-}:file { open read setattr };
+}:file { open read setattr map };
+ 
+ allow vendor_init {
+   fs_type
+@@ -149,7 +149,7 @@ allow vendor_init self:process { setfscreate };
+ r_dir_file(vendor_init, vendor_file_type)
+ 
+ # Vendor init can read properties
+-allow vendor_init serialno_prop:file { getattr open read };
+allow vendor_init serialno_prop:file { getattr open read map };
+ 
+ # Vendor init can perform operations on trusted and security Extended Attributes
+ allow vendor_init self:global_capability_class_set sys_admin;
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0010-sepolicy-grant-dac_read_search-to-domains-with-dac_o.patch
+++ b/patches/platform_system_sepolicy/0010-sepolicy-grant-dac_read_search-to-domains-with-dac_o.patch
@@ -0,0 +1,680 @@
+From a71e956183b20a4be92b0fd78691c35f904bfa03 Mon Sep 17 00:00:00 2001
+From: Benjamin Gordon <bmgordon@google.com>
+Date: Thu, 6 Sep 2018 16:19:40 -0600
+Subject: [PATCH 10/26] sepolicy: grant dac_read_search to domains with
+ dac_override
+
+kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
+of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
+dac_override and dac_read_search checks.  Domains that have dac_override
+will now generate spurious denials for dac_read_search unless they also
+have that permission.  Since dac_override is a strict superset of
+dac_read_search, grant dac_read_search to all domains that already have
+dac_override to get rid of the denials.
+
+Bug: 114280985
+Bug: crbug.com/877588
+Test: Booted on a device running 4.14.
+Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
+---
+ prebuilts/api/28.0/private/storaged.te        |  2 +-
+ .../api/28.0/private/vold_prepare_subdirs.te  |  2 +-
+ prebuilts/api/28.0/private/zygote.te          |  2 +-
+ prebuilts/api/28.0/public/dnsmasq.te          |  2 +-
+ prebuilts/api/28.0/public/domain.te           | 51 +++++++++++--------
+ prebuilts/api/28.0/public/dumpstate.te        |  2 +-
+ prebuilts/api/28.0/public/init.te             |  2 +-
+ prebuilts/api/28.0/public/install_recovery.te |  2 +-
+ prebuilts/api/28.0/public/installd.te         |  2 +-
+ prebuilts/api/28.0/public/lmkd.te             |  2 +-
+ prebuilts/api/28.0/public/netd.te             |  2 +-
+ prebuilts/api/28.0/public/perfprofd.te        |  2 +-
+ .../api/28.0/public/postinstall_dexopt.te     |  2 +-
+ prebuilts/api/28.0/public/recovery.te         |  1 +
+ prebuilts/api/28.0/public/runas.te            |  2 +-
+ prebuilts/api/28.0/public/sdcardd.te          |  2 +-
+ prebuilts/api/28.0/public/ueventd.te          |  2 +-
+ prebuilts/api/28.0/public/uncrypt.te          |  2 +-
+ prebuilts/api/28.0/public/vendor_init.te      |  2 +-
+ prebuilts/api/28.0/public/vold.te             |  2 +-
+ private/storaged.te                           |  2 +-
+ private/vold_prepare_subdirs.te               |  2 +-
+ private/zygote.te                             |  2 +-
+ public/dnsmasq.te                             |  2 +-
+ public/domain.te                              | 51 +++++++++++--------
+ public/dumpstate.te                           |  2 +-
+ public/init.te                                |  2 +-
+ public/install_recovery.te                    |  2 +-
+ public/installd.te                            |  2 +-
+ public/lmkd.te                                |  2 +-
+ public/netd.te                                |  2 +-
+ public/perfprofd.te                           |  2 +-
+ public/postinstall_dexopt.te                  |  2 +-
+ public/recovery.te                            |  1 +
+ public/runas.te                               |  2 +-
+ public/sdcardd.te                             |  2 +-
+ public/ueventd.te                             |  2 +-
+ public/uncrypt.te                             |  2 +-
+ public/vendor_init.te                         |  2 +-
+ public/vold.te                                |  2 +-
+ 40 files changed, 96 insertions(+), 80 deletions(-)
+
+diff --git a/prebuilts/api/28.0/private/storaged.te b/prebuilts/api/28.0/private/storaged.te
+index 8ad872f6..65b83b98 100644
+--- a/prebuilts/api/28.0/private/storaged.te
+++ b/prebuilts/api/28.0/private/storaged.te
+@@ -49,7 +49,7 @@ allow storaged package_native_service:service_manager find;
+ 
+ # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+ # running as root. See b/35323867 #3.
+-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # For collecting bugreports.
+ allow storaged dumpstate:fifo_file write;
+diff --git a/prebuilts/api/28.0/private/vold_prepare_subdirs.te b/prebuilts/api/28.0/private/vold_prepare_subdirs.te
+index 0a115584..0d062e99 100644
+--- a/prebuilts/api/28.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/28.0/private/vold_prepare_subdirs.te
+@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+ allow vold_prepare_subdirs vold:fd use;
+ allow vold_prepare_subdirs vold:fifo_file { read write };
+ allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
+ allow vold_prepare_subdirs self:process setfscreate;
+ allow vold_prepare_subdirs {
+   system_data_file
+diff --git a/prebuilts/api/28.0/private/zygote.te b/prebuilts/api/28.0/private/zygote.te
+index 2dcbdf1a..8d0be613 100644
+--- a/prebuilts/api/28.0/private/zygote.te
+++ b/prebuilts/api/28.0/private/zygote.te
+@@ -7,7 +7,7 @@ init_daemon_domain(zygote)
+ read_runtime_log_tags(zygote)
+ 
+ # Override DAC on files and switch uid/gid.
+-allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
+ 
+ # Drop capabilities from bounding set.
+ allow zygote self:global_capability_class_set setpcap;
+diff --git a/prebuilts/api/28.0/public/dnsmasq.te b/prebuilts/api/28.0/public/dnsmasq.te
+index 3aaefd3e..e97e964e 100644
+--- a/prebuilts/api/28.0/public/dnsmasq.te
+++ b/prebuilts/api/28.0/public/dnsmasq.te
+@@ -6,7 +6,7 @@ net_domain(dnsmasq)
+ allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+ 
+ # TODO:  Run with dhcp group to avoid need for dac_override.
+-allow dnsmasq self:global_capability_class_set dac_override;
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
+ 
+ allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
+ 
+diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
+index fe03c95d..42a26cf2 100644
+--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
+@@ -1342,28 +1342,35 @@ full_treble_only(`
+ # Minimize dac_override and dac_read_search.
+ # Instead of granting them it is usually better to add the domain to
+ # a Unix group or change the permissions of a file.
+-neverallow {
+-  domain
+-  -dnsmasq
+-  -dumpstate
+-  -init
+-  -installd
+-  -install_recovery
+-  -lmkd
+-  -netd
+-  -perfprofd
+-  -postinstall_dexopt
+-  -recovery
+-  -sdcardd
+-  -tee
+-  -ueventd
+-  -uncrypt
+-  -vendor_init
+-  -vold
+-  -vold_prepare_subdirs
+-  -zygote
+-} self:capability dac_override;
+-neverallow { domain -traced_probes } self:capability dac_read_search;
+define(`dac_override_allowed', `{
+  dnsmasq
+  dumpstate
+  init
+  installd
+  install_recovery
+  lmkd
+  netd
+  perfprofd
+  postinstall_dexopt
+  recovery
+  sdcardd
+  tee
+  ueventd
+  uncrypt
+  vendor_init
+  vold
+  vold_prepare_subdirs
+  zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials.  Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+  dac_override_allowed
+  traced_probes
+} self:global_capability_class_set dac_read_search;
+ 
+ # If an already existing file is opened with O_CREAT, the kernel might generate
+ # a false report of a create denial. Silence these denials and make sure that
+diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te
+index 03fc737e..23af7dac 100644
+--- a/prebuilts/api/28.0/public/dumpstate.te
+++ b/prebuilts/api/28.0/public/dumpstate.te
+@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
+ allow dumpstate system_file:dir r_dir_perms;
+ 
+ # Create and write into /data/anr/
+-allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
+ allow dumpstate anr_data_file:dir rw_dir_perms;
+ allow dumpstate anr_data_file:file create_file_perms;
+ 
+diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
+index dafc06f9..2284689d 100644
+--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
+@@ -105,7 +105,7 @@ allow init metadata_file:dir mounton;
+ allow init tmpfs:dir relabelfrom;
+ 
+ # Create directories under /dev/cpuctl after chowning it to system.
+-allow init self:global_capability_class_set dac_override;
+allow init self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # Set system clock.
+ allow init self:global_capability_class_set sys_time;
+diff --git a/prebuilts/api/28.0/public/install_recovery.te b/prebuilts/api/28.0/public/install_recovery.te
+index ab688386..24819c2e 100644
+--- a/prebuilts/api/28.0/public/install_recovery.te
+++ b/prebuilts/api/28.0/public/install_recovery.te
+@@ -2,7 +2,7 @@
+ type install_recovery, domain;
+ type install_recovery_exec, exec_type, file_type;
+ 
+-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # /system/bin/install-recovery.sh is a shell script.
+ # Needs to execute /system/bin/sh
+diff --git a/prebuilts/api/28.0/public/installd.te b/prebuilts/api/28.0/public/installd.te
+index 6aba962d..f34ef0c5 100644
+--- a/prebuilts/api/28.0/public/installd.te
+++ b/prebuilts/api/28.0/public/installd.te
+@@ -2,7 +2,7 @@
+ type installd, domain;
+ type installd_exec, exec_type, file_type;
+ typeattribute installd mlstrustedsubject;
+-allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
+ 
+ # Allow labeling of files under /data/app/com.example/oat/
+ allow installd dalvikcache_data_file:dir relabelto;
+diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te
+index 5b4a235a..79cb2889 100644
+--- a/prebuilts/api/28.0/public/lmkd.te
+++ b/prebuilts/api/28.0/public/lmkd.te
+@@ -2,7 +2,7 @@
+ type lmkd, domain, mlstrustedsubject;
+ type lmkd_exec, exec_type, file_type;
+ 
+-allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
+ 
+ # lmkd locks itself in memory, to prevent it from being
+ # swapped out and unable to kill other memory hogs.
+diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
+index 18113e75..a550b258 100644
+--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te
+@@ -61,7 +61,7 @@ allow netd fs_bpf:file create_file_perms;
+ # TODO: netd previously thought it needed these permissions to do WiFi related
+ #       work.  However, after all the WiFi stuff is gone, we still need them.
+ #       Why?
+-allow netd self:global_capability_class_set { dac_override chown };
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
+ 
+ # Needed to update /data/misc/net/rt_tables
+ allow netd net_data_file:file create_file_perms;
+diff --git a/prebuilts/api/28.0/public/perfprofd.te b/prebuilts/api/28.0/public/perfprofd.te
+index f067af5d..b5c01458 100644
+--- a/prebuilts/api/28.0/public/perfprofd.te
+++ b/prebuilts/api/28.0/public/perfprofd.te
+@@ -23,7 +23,7 @@ userdebug_or_eng(`
+   # perfprofd reads a config file from /data/data/com.google.android.gms/files
+   allow perfprofd app_data_file:file r_file_perms;
+   allow perfprofd app_data_file:dir search;
+-  allow perfprofd self:global_capability_class_set { dac_override };
+  allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
+ 
+   # perfprofd opens a file for writing in /data/misc/perfprofd
+   allow perfprofd perfprofd_data_file:file create_file_perms;
+diff --git a/prebuilts/api/28.0/public/postinstall_dexopt.te b/prebuilts/api/28.0/public/postinstall_dexopt.te
+index ffd8bc57..8b6d6cc1 100644
+--- a/prebuilts/api/28.0/public/postinstall_dexopt.te
+++ b/prebuilts/api/28.0/public/postinstall_dexopt.te
+@@ -5,7 +5,7 @@
+ 
+ type postinstall_dexopt, domain;
+ 
+-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
+ 
+ allow postinstall_dexopt postinstall_file:filesystem getattr;
+ allow postinstall_dexopt postinstall_file:dir { getattr search };
+diff --git a/prebuilts/api/28.0/public/recovery.te b/prebuilts/api/28.0/public/recovery.te
+index 57ad2028..6745bd6f 100644
+--- a/prebuilts/api/28.0/public/recovery.te
+++ b/prebuilts/api/28.0/public/recovery.te
+@@ -15,6 +15,7 @@ recovery_only(`
+   allow recovery self:global_capability_class_set {
+     chown
+     dac_override
+    dac_read_search
+     fowner
+     setuid
+     setgid
+diff --git a/prebuilts/api/28.0/public/runas.te b/prebuilts/api/28.0/public/runas.te
+index 053a87f6..6c5de7cf 100644
+--- a/prebuilts/api/28.0/public/runas.te
+++ b/prebuilts/api/28.0/public/runas.te
+@@ -18,7 +18,7 @@ allow runas system_data_file:lnk_file getattr;
+ allow runas system_data_file:lnk_file read;
+ 
+ # run-as checks and changes to the app data dir.
+-dontaudit runas self:global_capability_class_set dac_override;
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
+ allow runas app_data_file:dir { getattr search };
+ 
+ # run-as switches to the app UID/GID.
+diff --git a/prebuilts/api/28.0/public/sdcardd.te b/prebuilts/api/28.0/public/sdcardd.te
+index 4a88f54d..6749d16e 100644
+--- a/prebuilts/api/28.0/public/sdcardd.te
+++ b/prebuilts/api/28.0/public/sdcardd.te
+@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+ allow sdcardd storage_file:dir search;
+ allow sdcardd storage_stub_file:dir { search mounton };
+ allow sdcardd sdcard_type:filesystem { mount unmount };
+-allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
+ 
+ allow sdcardd sdcard_type:dir create_dir_perms;
+ allow sdcardd sdcard_type:file create_file_perms;
+diff --git a/prebuilts/api/28.0/public/ueventd.te b/prebuilts/api/28.0/public/ueventd.te
+index 9b9eacb2..c6260519 100644
+--- a/prebuilts/api/28.0/public/ueventd.te
+++ b/prebuilts/api/28.0/public/ueventd.te
+@@ -5,7 +5,7 @@ type ueventd, domain;
+ # Write to /dev/kmsg.
+ allow ueventd kmsg_device:chr_file rw_file_perms;
+ 
+-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
+ allow ueventd device:file create_file_perms;
+ 
+ r_dir_file(ueventd, rootfs)
+diff --git a/prebuilts/api/28.0/public/uncrypt.te b/prebuilts/api/28.0/public/uncrypt.te
+index 1e48b831..e64ce3ec 100644
+--- a/prebuilts/api/28.0/public/uncrypt.te
+++ b/prebuilts/api/28.0/public/uncrypt.te
+@@ -2,7 +2,7 @@
+ type uncrypt, domain, mlstrustedsubject;
+ type uncrypt_exec, exec_type, file_type;
+ 
+-allow uncrypt self:global_capability_class_set dac_override;
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # Read OTA zip file from /data/data/com.google.android.gsf/app_download
+ r_dir_file(uncrypt, app_data_file)
+diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te
+index 9784095a..ba835ed6 100644
+--- a/prebuilts/api/28.0/public/vendor_init.te
+++ b/prebuilts/api/28.0/public/vendor_init.te
+@@ -25,7 +25,7 @@ allow vendor_init configfs:dir create_dir_perms;
+ allow vendor_init configfs:{ file lnk_file } create_file_perms;
+ 
+ # Create directories under /dev/cpuctl after chowning it to system.
+-allow vendor_init self:global_capability_class_set dac_override;
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+ # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+diff --git a/prebuilts/api/28.0/public/vold.te b/prebuilts/api/28.0/public/vold.te
+index 4d15f11e..852e91ea 100644
+--- a/prebuilts/api/28.0/public/vold.te
+++ b/prebuilts/api/28.0/public/vold.te
+@@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
+ allow vold tmpfs:filesystem { mount unmount };
+ allow vold tmpfs:dir create_dir_perms;
+ allow vold tmpfs:dir mounton;
+-allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
+ allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+ allow vold app_data_file:dir search;
+ allow vold app_data_file:file rw_file_perms;
+diff --git a/private/storaged.te b/private/storaged.te
+index 8ad872f6..65b83b98 100644
+--- a/private/storaged.te
+++ b/private/storaged.te
+@@ -49,7 +49,7 @@ allow storaged package_native_service:service_manager find;
+ 
+ # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+ # running as root. See b/35323867 #3.
+-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # For collecting bugreports.
+ allow storaged dumpstate:fifo_file write;
+diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
+index 0a115584..0d062e99 100644
+--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
+@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+ allow vold_prepare_subdirs vold:fd use;
+ allow vold_prepare_subdirs vold:fifo_file { read write };
+ allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
+ allow vold_prepare_subdirs self:process setfscreate;
+ allow vold_prepare_subdirs {
+   system_data_file
+diff --git a/private/zygote.te b/private/zygote.te
+index 2dcbdf1a..8d0be613 100644
+--- a/private/zygote.te
+++ b/private/zygote.te
+@@ -7,7 +7,7 @@ init_daemon_domain(zygote)
+ read_runtime_log_tags(zygote)
+ 
+ # Override DAC on files and switch uid/gid.
+-allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
+ 
+ # Drop capabilities from bounding set.
+ allow zygote self:global_capability_class_set setpcap;
+diff --git a/public/dnsmasq.te b/public/dnsmasq.te
+index 3aaefd3e..e97e964e 100644
+--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
+@@ -6,7 +6,7 @@ net_domain(dnsmasq)
+ allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+ 
+ # TODO:  Run with dhcp group to avoid need for dac_override.
+-allow dnsmasq self:global_capability_class_set dac_override;
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
+ 
+ allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
+ 
+diff --git a/public/domain.te b/public/domain.te
+index fe03c95d..42a26cf2 100644
+--- a/public/domain.te
+++ b/public/domain.te
+@@ -1342,28 +1342,35 @@ full_treble_only(`
+ # Minimize dac_override and dac_read_search.
+ # Instead of granting them it is usually better to add the domain to
+ # a Unix group or change the permissions of a file.
+-neverallow {
+-  domain
+-  -dnsmasq
+-  -dumpstate
+-  -init
+-  -installd
+-  -install_recovery
+-  -lmkd
+-  -netd
+-  -perfprofd
+-  -postinstall_dexopt
+-  -recovery
+-  -sdcardd
+-  -tee
+-  -ueventd
+-  -uncrypt
+-  -vendor_init
+-  -vold
+-  -vold_prepare_subdirs
+-  -zygote
+-} self:capability dac_override;
+-neverallow { domain -traced_probes } self:capability dac_read_search;
+define(`dac_override_allowed', `{
+  dnsmasq
+  dumpstate
+  init
+  installd
+  install_recovery
+  lmkd
+  netd
+  perfprofd
+  postinstall_dexopt
+  recovery
+  sdcardd
+  tee
+  ueventd
+  uncrypt
+  vendor_init
+  vold
+  vold_prepare_subdirs
+  zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials.  Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+  dac_override_allowed
+  traced_probes
+} self:global_capability_class_set dac_read_search;
+ 
+ # If an already existing file is opened with O_CREAT, the kernel might generate
+ # a false report of a create denial. Silence these denials and make sure that
+diff --git a/public/dumpstate.te b/public/dumpstate.te
+index 03fc737e..23af7dac 100644
+--- a/public/dumpstate.te
+++ b/public/dumpstate.te
+@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
+ allow dumpstate system_file:dir r_dir_perms;
+ 
+ # Create and write into /data/anr/
+-allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
+ allow dumpstate anr_data_file:dir rw_dir_perms;
+ allow dumpstate anr_data_file:file create_file_perms;
+ 
+diff --git a/public/init.te b/public/init.te
+index dafc06f9..2284689d 100644
+--- a/public/init.te
+++ b/public/init.te
+@@ -105,7 +105,7 @@ allow init metadata_file:dir mounton;
+ allow init tmpfs:dir relabelfrom;
+ 
+ # Create directories under /dev/cpuctl after chowning it to system.
+-allow init self:global_capability_class_set dac_override;
+allow init self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # Set system clock.
+ allow init self:global_capability_class_set sys_time;
+diff --git a/public/install_recovery.te b/public/install_recovery.te
+index ab688386..24819c2e 100644
+--- a/public/install_recovery.te
+++ b/public/install_recovery.te
+@@ -2,7 +2,7 @@
+ type install_recovery, domain;
+ type install_recovery_exec, exec_type, file_type;
+ 
+-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # /system/bin/install-recovery.sh is a shell script.
+ # Needs to execute /system/bin/sh
+diff --git a/public/installd.te b/public/installd.te
+index 6aba962d..f34ef0c5 100644
+--- a/public/installd.te
+++ b/public/installd.te
+@@ -2,7 +2,7 @@
+ type installd, domain;
+ type installd_exec, exec_type, file_type;
+ typeattribute installd mlstrustedsubject;
+-allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
+ 
+ # Allow labeling of files under /data/app/com.example/oat/
+ allow installd dalvikcache_data_file:dir relabelto;
+diff --git a/public/lmkd.te b/public/lmkd.te
+index 5b4a235a..79cb2889 100644
+--- a/public/lmkd.te
+++ b/public/lmkd.te
+@@ -2,7 +2,7 @@
+ type lmkd, domain, mlstrustedsubject;
+ type lmkd_exec, exec_type, file_type;
+ 
+-allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
+ 
+ # lmkd locks itself in memory, to prevent it from being
+ # swapped out and unable to kill other memory hogs.
+diff --git a/public/netd.te b/public/netd.te
+index 18113e75..a550b258 100644
+--- a/public/netd.te
+++ b/public/netd.te
+@@ -61,7 +61,7 @@ allow netd fs_bpf:file create_file_perms;
+ # TODO: netd previously thought it needed these permissions to do WiFi related
+ #       work.  However, after all the WiFi stuff is gone, we still need them.
+ #       Why?
+-allow netd self:global_capability_class_set { dac_override chown };
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
+ 
+ # Needed to update /data/misc/net/rt_tables
+ allow netd net_data_file:file create_file_perms;
+diff --git a/public/perfprofd.te b/public/perfprofd.te
+index f067af5d..b5c01458 100644
+--- a/public/perfprofd.te
+++ b/public/perfprofd.te
+@@ -23,7 +23,7 @@ userdebug_or_eng(`
+   # perfprofd reads a config file from /data/data/com.google.android.gms/files
+   allow perfprofd app_data_file:file r_file_perms;
+   allow perfprofd app_data_file:dir search;
+-  allow perfprofd self:global_capability_class_set { dac_override };
+  allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
+ 
+   # perfprofd opens a file for writing in /data/misc/perfprofd
+   allow perfprofd perfprofd_data_file:file create_file_perms;
+diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
+index ffd8bc57..8b6d6cc1 100644
+--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
+@@ -5,7 +5,7 @@
+ 
+ type postinstall_dexopt, domain;
+ 
+-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
+ 
+ allow postinstall_dexopt postinstall_file:filesystem getattr;
+ allow postinstall_dexopt postinstall_file:dir { getattr search };
+diff --git a/public/recovery.te b/public/recovery.te
+index 57ad2028..6745bd6f 100644
+--- a/public/recovery.te
+++ b/public/recovery.te
+@@ -15,6 +15,7 @@ recovery_only(`
+   allow recovery self:global_capability_class_set {
+     chown
+     dac_override
+    dac_read_search
+     fowner
+     setuid
+     setgid
+diff --git a/public/runas.te b/public/runas.te
+index 053a87f6..6c5de7cf 100644
+--- a/public/runas.te
+++ b/public/runas.te
+@@ -18,7 +18,7 @@ allow runas system_data_file:lnk_file getattr;
+ allow runas system_data_file:lnk_file read;
+ 
+ # run-as checks and changes to the app data dir.
+-dontaudit runas self:global_capability_class_set dac_override;
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
+ allow runas app_data_file:dir { getattr search };
+ 
+ # run-as switches to the app UID/GID.
+diff --git a/public/sdcardd.te b/public/sdcardd.te
+index 4a88f54d..6749d16e 100644
+--- a/public/sdcardd.te
+++ b/public/sdcardd.te
+@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+ allow sdcardd storage_file:dir search;
+ allow sdcardd storage_stub_file:dir { search mounton };
+ allow sdcardd sdcard_type:filesystem { mount unmount };
+-allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
+ 
+ allow sdcardd sdcard_type:dir create_dir_perms;
+ allow sdcardd sdcard_type:file create_file_perms;
+diff --git a/public/ueventd.te b/public/ueventd.te
+index 9b9eacb2..c6260519 100644
+--- a/public/ueventd.te
+++ b/public/ueventd.te
+@@ -5,7 +5,7 @@ type ueventd, domain;
+ # Write to /dev/kmsg.
+ allow ueventd kmsg_device:chr_file rw_file_perms;
+ 
+-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
+ allow ueventd device:file create_file_perms;
+ 
+ r_dir_file(ueventd, rootfs)
+diff --git a/public/uncrypt.te b/public/uncrypt.te
+index 1e48b831..e64ce3ec 100644
+--- a/public/uncrypt.te
+++ b/public/uncrypt.te
+@@ -2,7 +2,7 @@
+ type uncrypt, domain, mlstrustedsubject;
+ type uncrypt_exec, exec_type, file_type;
+ 
+-allow uncrypt self:global_capability_class_set dac_override;
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # Read OTA zip file from /data/data/com.google.android.gsf/app_download
+ r_dir_file(uncrypt, app_data_file)
+diff --git a/public/vendor_init.te b/public/vendor_init.te
+index 9784095a..ba835ed6 100644
+--- a/public/vendor_init.te
+++ b/public/vendor_init.te
+@@ -25,7 +25,7 @@ allow vendor_init configfs:dir create_dir_perms;
+ allow vendor_init configfs:{ file lnk_file } create_file_perms;
+ 
+ # Create directories under /dev/cpuctl after chowning it to system.
+-allow vendor_init self:global_capability_class_set dac_override;
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+ 
+ # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+ # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+diff --git a/public/vold.te b/public/vold.te
+index 4d15f11e..852e91ea 100644
+--- a/public/vold.te
+++ b/public/vold.te
+@@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
+ allow vold tmpfs:filesystem { mount unmount };
+ allow vold tmpfs:dir create_dir_perms;
+ allow vold tmpfs:dir mounton;
+-allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
+ allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+ allow vold app_data_file:dir search;
+ allow vold app_data_file:file rw_file_perms;
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0011-more-mmaps.patch
+++ b/patches/platform_system_sepolicy/0011-more-mmaps.patch
@@ -0,0 +1,320 @@
+From 9616351aeee2207446602498ae6fd78b6b180abc Mon Sep 17 00:00:00 2001
+From: Nick Kralevich <nnk@google.com>
+Date: Mon, 13 Aug 2018 10:31:58 -0700
+Subject: [PATCH 11/26] more mmaps
+
+Linux kernel 4.14+ SELinux starts explicit map
+permission check for file mmap operations. For backards
+compat, add mmap in more places where we explicitly
+list out individual file permissions.
+
+Test: policy compiles
+Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e
+---
+ prebuilts/api/28.0/public/app.te       | 14 +++++++-------
+ prebuilts/api/28.0/public/dex2oat.te   | 14 +++++++-------
+ prebuilts/api/28.0/public/drmserver.te | 12 ++++++------
+ prebuilts/api/28.0/public/init.te      |  2 +-
+ prebuilts/api/28.0/public/te_macros    |  4 ++--
+ public/app.te                          | 14 +++++++-------
+ public/dex2oat.te                      | 14 +++++++-------
+ public/drmserver.te                    | 12 ++++++------
+ public/init.te                         |  2 +-
+ public/te_macros                       |  4 ++--
+ 10 files changed, 46 insertions(+), 46 deletions(-)
+
+diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
+index 439c1f80..239332c1 100644
+--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
+@@ -120,16 +120,16 @@ r_dir_file(appdomain, vendor_framework_file)
+ allow appdomain dex2oat_exec:file rx_file_perms;
+ 
+ # Read/write wallpaper file (opened by system).
+-allow appdomain wallpaper_file:file { getattr read write };
+allow appdomain wallpaper_file:file { getattr read write map };
+ 
+ # Read/write cached ringtones (opened by system).
+-allow appdomain ringtone_file:file { getattr read write };
+allow appdomain ringtone_file:file { getattr read write map };
+ 
+ # Read ShortcutManager icon files (opened by system).
+-allow appdomain shortcut_manager_icons:file { getattr read };
+allow appdomain shortcut_manager_icons:file { getattr read map };
+ 
+ # Read icon file (opened by system).
+-allow appdomain icon_file:file { getattr read };
+allow appdomain icon_file:file { getattr read map };
+ 
+ # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+ #
+@@ -236,12 +236,12 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow
+ 
+ # Backup ability for every app. BMS opens and passes the fd
+ # to any app that has backup ability. Hence, no open permissions here.
+-allow appdomain backup_data_file:file { read write getattr };
+-allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+ allow appdomain cache_backup_file:dir getattr;
+ # Backup ability using 'adb backup'
+ allow appdomain system_data_file:lnk_file r_file_perms;
+-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:file { getattr read map };
+ 
+ # Allow read/stat of /data/media files passed by Binder or local socket IPC.
+ allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+diff --git a/prebuilts/api/28.0/public/dex2oat.te b/prebuilts/api/28.0/public/dex2oat.te
+index 608ba798..52dae8ca 100644
+--- a/prebuilts/api/28.0/public/dex2oat.te
+++ b/prebuilts/api/28.0/public/dex2oat.te
+@@ -7,9 +7,9 @@ r_dir_file(dex2oat, apk_data_file)
+ r_dir_file(dex2oat, vendor_app_file)
+ # Access /vendor/framework
+ allow dex2oat vendor_framework_file:dir { getattr search };
+-allow dex2oat vendor_framework_file:file { getattr open read };
+allow dex2oat vendor_framework_file:file { getattr open read map };
+ 
+-allow dex2oat tmpfs:file { read getattr };
+allow dex2oat tmpfs:file { read getattr map };
+ 
+ r_dir_file(dex2oat, dalvikcache_data_file)
+ allow dex2oat dalvikcache_data_file:file write;
+@@ -24,16 +24,16 @@ allow dex2oat system_file:file lock;
+ # Read already open asec_apk_file file descriptors passed by installd.
+ # Also allow reading unlabeled files, to allow for upgrading forward
+ # locked APKs.
+-allow dex2oat asec_apk_file:file read;
+-allow dex2oat unlabeled:file read;
+-allow dex2oat oemfs:file read;
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
+ allow dex2oat apk_tmp_file:dir search;
+ allow dex2oat apk_tmp_file:file r_file_perms;
+-allow dex2oat user_profile_data_file:file { getattr read lock };
+allow dex2oat user_profile_data_file:file { getattr read lock map };
+ 
+ # Allow dex2oat to compile app's secondary dex files which were reported back to
+ # the framework.
+-allow dex2oat app_data_file:file { getattr read write lock };
+allow dex2oat app_data_file:file { getattr read write lock map };
+ 
+ ##################
+ # A/B OTA Dexopt #
+diff --git a/prebuilts/api/28.0/public/drmserver.te b/prebuilts/api/28.0/public/drmserver.te
+index f752c13e..5cdd273f 100644
+--- a/prebuilts/api/28.0/public/drmserver.te
+++ b/prebuilts/api/28.0/public/drmserver.te
+@@ -21,8 +21,8 @@ allow drmserver sdcard_type:dir search;
+ allow drmserver drm_data_file:dir create_dir_perms;
+ allow drmserver drm_data_file:file create_file_perms;
+ allow drmserver tee_device:chr_file rw_file_perms;
+-allow drmserver app_data_file:file { read write getattr };
+-allow drmserver sdcard_type:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
+ r_dir_file(drmserver, efs_file)
+ 
+ type drmserver_socket, file_type;
+@@ -38,12 +38,12 @@ allow drmserver apk_data_file:sock_file unlink;
+ r_dir_file(drmserver, media_rw_data_file)
+ 
+ # Read resources from open apk files passed over Binder.
+-allow drmserver apk_data_file:file { read getattr };
+-allow drmserver asec_apk_file:file { read getattr };
+-allow drmserver ringtone_file:file { read getattr };
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
+ 
+ # Read /data/data/com.android.providers.telephony files passed over Binder.
+-allow drmserver radio_data_file:file { read getattr };
+allow drmserver radio_data_file:file { read getattr map };
+ 
+ # /oem access
+ allow drmserver oemfs:dir search;
+diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
+index 2284689d..edb41d80 100644
+--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
+@@ -177,7 +177,7 @@ allow init {
+   -system_file
+   -vendor_file_type
+   -vold_data_file
+-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
+ 
+ allow init {
+   file_type
+diff --git a/prebuilts/api/28.0/public/te_macros b/prebuilts/api/28.0/public/te_macros
+index 9cfe47c8..dcebbefa 100644
+--- a/prebuilts/api/28.0/public/te_macros
+++ b/prebuilts/api/28.0/public/te_macros
+@@ -345,7 +345,7 @@ allow $1 hwservicemanager:binder { call transfer };
+ allow hwservicemanager $1:binder { call transfer };
+ # hwservicemanager performs getpidcon on clients.
+ allow hwservicemanager $1:dir search;
+-allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:file { read open map };
+ allow hwservicemanager $1:process getattr;
+ # rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+ # all domains in domain.te.
+@@ -361,7 +361,7 @@ allow $1 vndbinder_device:chr_file rw_file_perms;
+ allow $1 vndservicemanager:binder { call transfer };
+ # vndservicemanager performs getpidcon on clients.
+ allow vndservicemanager $1:dir search;
+-allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:file { read open map };
+ allow vndservicemanager $1:process getattr;
+ ')
+ 
+diff --git a/public/app.te b/public/app.te
+index 439c1f80..239332c1 100644
+--- a/public/app.te
+++ b/public/app.te
+@@ -120,16 +120,16 @@ r_dir_file(appdomain, vendor_framework_file)
+ allow appdomain dex2oat_exec:file rx_file_perms;
+ 
+ # Read/write wallpaper file (opened by system).
+-allow appdomain wallpaper_file:file { getattr read write };
+allow appdomain wallpaper_file:file { getattr read write map };
+ 
+ # Read/write cached ringtones (opened by system).
+-allow appdomain ringtone_file:file { getattr read write };
+allow appdomain ringtone_file:file { getattr read write map };
+ 
+ # Read ShortcutManager icon files (opened by system).
+-allow appdomain shortcut_manager_icons:file { getattr read };
+allow appdomain shortcut_manager_icons:file { getattr read map };
+ 
+ # Read icon file (opened by system).
+-allow appdomain icon_file:file { getattr read };
+allow appdomain icon_file:file { getattr read map };
+ 
+ # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+ #
+@@ -236,12 +236,12 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow
+ 
+ # Backup ability for every app. BMS opens and passes the fd
+ # to any app that has backup ability. Hence, no open permissions here.
+-allow appdomain backup_data_file:file { read write getattr };
+-allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
+ allow appdomain cache_backup_file:dir getattr;
+ # Backup ability using 'adb backup'
+ allow appdomain system_data_file:lnk_file r_file_perms;
+-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:file { getattr read map };
+ 
+ # Allow read/stat of /data/media files passed by Binder or local socket IPC.
+ allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+diff --git a/public/dex2oat.te b/public/dex2oat.te
+index 608ba798..52dae8ca 100644
+--- a/public/dex2oat.te
+++ b/public/dex2oat.te
+@@ -7,9 +7,9 @@ r_dir_file(dex2oat, apk_data_file)
+ r_dir_file(dex2oat, vendor_app_file)
+ # Access /vendor/framework
+ allow dex2oat vendor_framework_file:dir { getattr search };
+-allow dex2oat vendor_framework_file:file { getattr open read };
+allow dex2oat vendor_framework_file:file { getattr open read map };
+ 
+-allow dex2oat tmpfs:file { read getattr };
+allow dex2oat tmpfs:file { read getattr map };
+ 
+ r_dir_file(dex2oat, dalvikcache_data_file)
+ allow dex2oat dalvikcache_data_file:file write;
+@@ -24,16 +24,16 @@ allow dex2oat system_file:file lock;
+ # Read already open asec_apk_file file descriptors passed by installd.
+ # Also allow reading unlabeled files, to allow for upgrading forward
+ # locked APKs.
+-allow dex2oat asec_apk_file:file read;
+-allow dex2oat unlabeled:file read;
+-allow dex2oat oemfs:file read;
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
+ allow dex2oat apk_tmp_file:dir search;
+ allow dex2oat apk_tmp_file:file r_file_perms;
+-allow dex2oat user_profile_data_file:file { getattr read lock };
+allow dex2oat user_profile_data_file:file { getattr read lock map };
+ 
+ # Allow dex2oat to compile app's secondary dex files which were reported back to
+ # the framework.
+-allow dex2oat app_data_file:file { getattr read write lock };
+allow dex2oat app_data_file:file { getattr read write lock map };
+ 
+ ##################
+ # A/B OTA Dexopt #
+diff --git a/public/drmserver.te b/public/drmserver.te
+index f752c13e..5cdd273f 100644
+--- a/public/drmserver.te
+++ b/public/drmserver.te
+@@ -21,8 +21,8 @@ allow drmserver sdcard_type:dir search;
+ allow drmserver drm_data_file:dir create_dir_perms;
+ allow drmserver drm_data_file:file create_file_perms;
+ allow drmserver tee_device:chr_file rw_file_perms;
+-allow drmserver app_data_file:file { read write getattr };
+-allow drmserver sdcard_type:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
+ r_dir_file(drmserver, efs_file)
+ 
+ type drmserver_socket, file_type;
+@@ -38,12 +38,12 @@ allow drmserver apk_data_file:sock_file unlink;
+ r_dir_file(drmserver, media_rw_data_file)
+ 
+ # Read resources from open apk files passed over Binder.
+-allow drmserver apk_data_file:file { read getattr };
+-allow drmserver asec_apk_file:file { read getattr };
+-allow drmserver ringtone_file:file { read getattr };
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
+ 
+ # Read /data/data/com.android.providers.telephony files passed over Binder.
+-allow drmserver radio_data_file:file { read getattr };
+allow drmserver radio_data_file:file { read getattr map };
+ 
+ # /oem access
+ allow drmserver oemfs:dir search;
+diff --git a/public/init.te b/public/init.te
+index 2284689d..edb41d80 100644
+--- a/public/init.te
+++ b/public/init.te
+@@ -177,7 +177,7 @@ allow init {
+   -system_file
+   -vendor_file_type
+   -vold_data_file
+-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
+ 
+ allow init {
+   file_type
+diff --git a/public/te_macros b/public/te_macros
+index 9cfe47c8..dcebbefa 100644
+--- a/public/te_macros
+++ b/public/te_macros
+@@ -345,7 +345,7 @@ allow $1 hwservicemanager:binder { call transfer };
+ allow hwservicemanager $1:binder { call transfer };
+ # hwservicemanager performs getpidcon on clients.
+ allow hwservicemanager $1:dir search;
+-allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:file { read open map };
+ allow hwservicemanager $1:process getattr;
+ # rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+ # all domains in domain.te.
+@@ -361,7 +361,7 @@ allow $1 vndbinder_device:chr_file rw_file_perms;
+ allow $1 vndservicemanager:binder { call transfer };
+ # vndservicemanager performs getpidcon on clients.
+ allow vndservicemanager $1:dir search;
+-allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:file { read open map };
+ allow vndservicemanager $1:process getattr;
+ ')
+ 
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0012-access-to-proc-slabinfo.patch
+++ b/patches/platform_system_sepolicy/0012-access-to-proc-slabinfo.patch
@@ -0,0 +1,216 @@
+From 4e5380813835b8c896d5514f46f0f26d6481f8af Mon Sep 17 00:00:00 2001
+From: AndyCGYan <GeForce8800Ultra@gmail.com>
+Date: Wed, 5 Jun 2019 07:17:27 +0000
+Subject: [PATCH] [PATCH 12/26] access to /proc/slabinfo
+
+Change-Id: I856fe8038f577543467fe4e9a49c389480887c6f
+---
+ prebuilts/api/28.0/private/app_neverallows.te   |  1 +
+ prebuilts/api/28.0/private/compat/26.0/26.0.cil |  1 +
+ prebuilts/api/28.0/private/compat/27.0/27.0.cil |  2 +-
+ prebuilts/api/28.0/private/genfs_contexts       |  1 +
+ prebuilts/api/28.0/public/dumpstate.te          |  1 +
+ prebuilts/api/28.0/public/file.te               |  1 +
+ prebuilts/api/28.0/public/init.te               | 11 +++++++++++
+ prebuilts/api/28.0/public/shell.te              |  1 +
+ private/app_neverallows.te                      |  1 +
+ private/compat/26.0/26.0.cil                    |  1 +
+ private/compat/27.0/27.0.cil                    |  2 +-
+ public/dumpstate.te                             |  1 +
+ public/init.te                                  | 11 +++++++++++
+ public/shell.te                                 |  1 +
+ 14 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te
+index 8d9ccd67..804bcada 100644
+--- a/prebuilts/api/28.0/private/app_neverallows.te
+++ b/prebuilts/api/28.0/private/app_neverallows.te
+@@ -125,6 +125,7 @@ neverallow all_untrusted_apps {
+   proc_loadavg
+   proc_mounts
+   proc_pagetypeinfo
+  proc_slabinfo
+   proc_stat
+   proc_swaps
+   proc_uptime
+diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
+index 0478a56b..f05ec59e 100644
+--- a/prebuilts/api/28.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
+@@ -478,6 +478,7 @@
+     proc_pipe_conf
+     proc_random
+     proc_sched
+    proc_slabinfo
+     proc_swaps
+     proc_uid_time_in_state
+     proc_uid_concurrent_active_time
+diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
+index dbe3e885..9358cb3d 100644
+--- a/prebuilts/api/28.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
+@@ -452,7 +452,7 @@
+ (expandtypeattribute (preopt2cachename_exec_27_0) true)
+ (expandtypeattribute (print_service_27_0) true)
+ (expandtypeattribute (priv_app_27_0) true)
+-(expandtypeattribute (proc_27_0) true)
+(typeattributeset proc_27_0 (proc proc_slabinfo))
+ (expandtypeattribute (proc_bluetooth_writable_27_0) true)
+ (expandtypeattribute (proc_cpuinfo_27_0) true)
+ (expandtypeattribute (proc_drop_caches_27_0) true)
+diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
+index 526d80d9..9d7a68db 100644
+--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
+@@ -21,6 +21,7 @@ genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+ genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
+ genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+ genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
+ genfscon proc /softirqs u:object_r:proc_timer:s0
+ genfscon proc /stat u:object_r:proc_stat:s0
+ genfscon proc /swaps u:object_r:proc_swaps:s0
+diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te
+index 23af7dac..846c8d17 100644
+--- a/prebuilts/api/28.0/public/dumpstate.te
+++ b/prebuilts/api/28.0/public/dumpstate.te
+@@ -167,6 +167,7 @@ allow dumpstate {
+   proc_pipe_conf
+   proc_pagetypeinfo
+   proc_qtaguid_stat
+  proc_slabinfo
+   proc_version
+   proc_vmallocinfo
+   proc_vmstat
+diff --git a/prebuilts/api/28.0/public/file.te b/prebuilts/api/28.0/public/file.te
+index a4051b2d..357898e9 100644
+--- a/prebuilts/api/28.0/public/file.te
+++ b/prebuilts/api/28.0/public/file.te
+@@ -44,6 +44,7 @@ type proc_pid_max, fs_type, proc_type;
+ type proc_pipe_conf, fs_type, proc_type;
+ type proc_random, fs_type, proc_type;
+ type proc_sched, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
+ type proc_stat, fs_type, proc_type;
+ type proc_swaps, fs_type, proc_type;
+ type proc_sysrq, fs_type, proc_type;
+diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
+index edb41d80..9eff0b0b 100644
+--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
+@@ -311,6 +311,17 @@ allow init {
+   proc_security
+ }:file rw_file_perms;
+ 
+# init chmod/chown access to /proc files.
+allow init {
+  proc_cmdline
+  proc_kmsg
+  proc_net
+  proc_qtaguid_stat
+  proc_slabinfo
+  proc_sysrq
+  proc_vmallocinfo
+}:file setattr;
+
+ # init access to /sys files.
+ allow init {
+   sysfs_android_usb
+diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te
+index 307e1034..43ec6191 100644
+--- a/prebuilts/api/28.0/public/shell.te
+++ b/prebuilts/api/28.0/public/shell.te
+@@ -127,6 +127,7 @@ allow shell {
+   proc_meminfo
+   proc_modules
+   proc_pid_max
+  proc_slabinfo
+   proc_stat
+   proc_timer
+   proc_uptime
+diff --git a/private/app_neverallows.te b/private/app_neverallows.te
+index 8d9ccd67..804bcada 100644
+--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
+@@ -125,6 +125,7 @@ neverallow all_untrusted_apps {
+   proc_loadavg
+   proc_mounts
+   proc_pagetypeinfo
+  proc_slabinfo
+   proc_stat
+   proc_swaps
+   proc_uptime
+diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
+index 0478a56b..f05ec59e 100644
+--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
+@@ -478,6 +478,7 @@
+     proc_pipe_conf
+     proc_random
+     proc_sched
+    proc_slabinfo
+     proc_swaps
+     proc_uid_time_in_state
+     proc_uid_concurrent_active_time
+diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
+index dbe3e885..9358cb3d 100644
+--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
+@@ -452,7 +452,7 @@
+ (expandtypeattribute (preopt2cachename_exec_27_0) true)
+ (expandtypeattribute (print_service_27_0) true)
+ (expandtypeattribute (priv_app_27_0) true)
+-(expandtypeattribute (proc_27_0) true)
+(typeattributeset proc_27_0 (proc proc_slabinfo))
+ (expandtypeattribute (proc_bluetooth_writable_27_0) true)
+ (expandtypeattribute (proc_cpuinfo_27_0) true)
+ (expandtypeattribute (proc_drop_caches_27_0) true)
+diff --git a/public/dumpstate.te b/public/dumpstate.te
+index 23af7dac..846c8d17 100644
+--- a/public/dumpstate.te
+++ b/public/dumpstate.te
+@@ -167,6 +167,7 @@ allow dumpstate {
+   proc_pipe_conf
+   proc_pagetypeinfo
+   proc_qtaguid_stat
+  proc_slabinfo
+   proc_version
+   proc_vmallocinfo
+   proc_vmstat
+diff --git a/public/init.te b/public/init.te
+index 85bfab94..05a61aec 100644
+--- a/public/init.te
+++ b/public/init.te
+@@ -314,6 +314,17 @@ allow init {
+   proc_security
+ }:file rw_file_perms;
+ 
+# init chmod/chown access to /proc files.
+allow init {
+  proc_cmdline
+  proc_kmsg
+  proc_net
+  proc_qtaguid_stat
+  proc_slabinfo
+  proc_sysrq
+  proc_vmallocinfo
+}:file setattr;
+
+ # init access to /sys files.
+ allow init {
+   sysfs_android_usb
+diff --git a/public/shell.te b/public/shell.te
+index 307e1034..43ec6191 100644
+--- a/public/shell.te
+++ b/public/shell.te
+@@ -127,6 +127,7 @@ allow shell {
+   proc_meminfo
+   proc_modules
+   proc_pid_max
+  proc_slabinfo
+   proc_stat
+   proc_timer
+   proc_uptime
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0013-add-map-permission-to-rw_socket_perms.patch
+++ b/patches/platform_system_sepolicy/0013-add-map-permission-to-rw_socket_perms.patch
@@ -0,0 +1,77 @@
+From 27f3fb4f2af120658cdb1234d9d6bdf8f9f5cd13 Mon Sep 17 00:00:00 2001
+From: Nick Kralevich <nnk@google.com>
+Date: Mon, 15 Oct 2018 21:24:57 -0700
+Subject: [PATCH 13/26] add map permission to rw_socket_perms
+
+Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for
+mmap") added a map permission check on mmap so that we can
+distinguish memory mapped access (since it has different implications
+for revocation).  The purpose of a separate map permission check on
+mmap(2) is to permit policy to prohibit memory mapping of specific
+files for which we need to ensure that every access is revalidated,
+particularly useful for scenarios where we expect the file to be
+relabeled at runtime in order to reflect state changes (e.g.
+cross-domain solution, assured pipeline without data copying).
+
+system/sepolicy commit 4397f08288890ef397697b4d6dbff596bdca14c8 added
+the map permission to common file macros, to ensure that file access
+would continue working even in the presence of a newer kernel. However,
+that change did not affect socket access.
+
+Certain socket classes, such as AF_NETLINK and AF_PACKET, also support
+mmap operations. This change adds the map permission to rw_socket_perms,
+to ensure continued support for newer kernels.
+
+This technically allows mmap even in cases where the socket family
+doesn't support it (such as TCP and UDP sockets), but granting it
+is harmless in those cases.
+
+In particular, this fixes a bug in clatd, where the following error
+would occur:
+
+  10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064
+  10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
+  10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
+  10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied
+
+Test: policy compiles
+Bug: 117791876
+Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b
+---
+ prebuilts/api/28.0/public/global_macros | 4 ++--
+ public/global_macros                    | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/prebuilts/api/28.0/public/global_macros b/prebuilts/api/28.0/public/global_macros
+index 5dab5ab0..b2fe6ae8 100644
+--- a/prebuilts/api/28.0/public/global_macros
+++ b/prebuilts/api/28.0/public/global_macros
+@@ -42,8 +42,8 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+ 
+ #####################################
+ # Common socket permission sets.
+-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
+-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+ define(`create_socket_perms', `{ create rw_socket_perms }')
+ define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+ define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+diff --git a/public/global_macros b/public/global_macros
+index 5dab5ab0..b2fe6ae8 100644
+--- a/public/global_macros
+++ b/public/global_macros
+@@ -42,8 +42,8 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+ 
+ #####################################
+ # Common socket permission sets.
+-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
+-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+ define(`create_socket_perms', `{ create rw_socket_perms }')
+ define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+ define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0014-Update-socket-ioctl-restrictions.patch
+++ b/patches/platform_system_sepolicy/0014-Update-socket-ioctl-restrictions.patch
@@ -0,0 +1,140 @@
+From c91936195fbf52215dc5ca774ca081d4e931e391 Mon Sep 17 00:00:00 2001
+From: Jeff Vander Stoep <jeffv@google.com>
+Date: Thu, 21 Jun 2018 16:57:58 -0700
+Subject: [PATCH 14/26] Update socket ioctl restrictions
+
+Grant access to icmp_socket to netdomain. This was previously
+labeled as rawip_socket which apps are allowed to use. Neverallow
+all other new socket types for apps.
+
+Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
+to icmp_socket. To pass neverallow tests, we need to define
+which IOCTLs are allowed (and disallowed).
+
+Note that this does not change behavior on devices with
+kernel versions <=4.9. However, it is necessary (although not
+sufficient) to pass CTS on kernel version 4.14.
+
+Bug: 126141696
+[change_type ] feature_bugfix
+[tag_product ] specific
+Test: Grant icmp_socket in net.te and build.
+
+Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
+(Cherry picked from commit 0597ade15ccb3415b41fa86052545007396b4810)
+---
+ prebuilts/api/28.0/private/app_neverallows.te | 8 ++++++--
+ prebuilts/api/28.0/private/net.te             | 2 +-
+ prebuilts/api/28.0/public/domain.te           | 2 +-
+ private/app_neverallows.te                    | 8 ++++++--
+ private/net.te                                | 2 +-
+ public/domain.te                              | 2 +-
+ 6 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te
+index 804bcada..cc78f0b7 100644
+--- a/prebuilts/api/28.0/private/app_neverallows.te
+++ b/prebuilts/api/28.0/private/app_neverallows.te
+@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
+ 
+ # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+ # ioctl permission, or 3. disallow the socket class.
+-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+ neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+ neverallow all_untrusted_apps *:{
+   socket netlink_socket packet_socket key_socket appletalk_socket
+@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
+   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+   netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+-  netlink_rdma_socket netlink_crypto_socket
+  netlink_rdma_socket netlink_crypto_socket sctp_socket
+  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+ } *;
+ 
+ # Do not allow untrusted apps access to /cache
+diff --git a/prebuilts/api/28.0/private/net.te b/prebuilts/api/28.0/private/net.te
+index f16daf94..8bf8c921 100644
+--- a/prebuilts/api/28.0/private/net.te
+++ b/prebuilts/api/28.0/private/net.te
+@@ -4,7 +4,7 @@
+ 
+ # Use network sockets.
+ allow netdomain self:tcp_socket create_stream_socket_perms;
+-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+ # Connect to ports.
+ allow netdomain port_type:tcp_socket name_connect;
+ # Bind to ports.
+diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
+index 42a26cf2..9d3645eb 100644
+--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
+@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
+ # defaults for all processes. Note that granting this whitelist to domain does
+ # not grant the ioctl permission on these socket types. That must be granted
+ # separately.
+-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+ # default whitelist for unix sockets.
+ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
+diff --git a/private/app_neverallows.te b/private/app_neverallows.te
+index 804bcada..cc78f0b7 100644
+--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
+@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
+ 
+ # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+ # ioctl permission, or 3. disallow the socket class.
+-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+ neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+ neverallow all_untrusted_apps *:{
+   socket netlink_socket packet_socket key_socket appletalk_socket
+@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
+   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+   netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+-  netlink_rdma_socket netlink_crypto_socket
+  netlink_rdma_socket netlink_crypto_socket sctp_socket
+  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+ } *;
+ 
+ # Do not allow untrusted apps access to /cache
+diff --git a/private/net.te b/private/net.te
+index f16daf94..8bf8c921 100644
+--- a/private/net.te
+++ b/private/net.te
+@@ -4,7 +4,7 @@
+ 
+ # Use network sockets.
+ allow netdomain self:tcp_socket create_stream_socket_perms;
+-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+ # Connect to ports.
+ allow netdomain port_type:tcp_socket name_connect;
+ # Bind to ports.
+diff --git a/public/domain.te b/public/domain.te
+index 42a26cf2..9d3645eb 100644
+--- a/public/domain.te
+++ b/public/domain.te
+@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
+ # defaults for all processes. Note that granting this whitelist to domain does
+ # not grant the ioctl permission on these socket types. That must be granted
+ # separately.
+-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+ # default whitelist for unix sockets.
+ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0015-isolated_app-add-mmaps.patch
+++ b/patches/platform_system_sepolicy/0015-isolated_app-add-mmaps.patch
@@ -0,0 +1,91 @@
+From ea98326c1e263dabcef91bb63e3a0c43f57c3e59 Mon Sep 17 00:00:00 2001
+From: Nick Kralevich <nnk@google.com>
+Date: Wed, 31 Oct 2018 12:47:27 -0700
+Subject: [PATCH 15/26] isolated_app: add mmaps
+
+Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
+added a map permission check on mmap so that we can
+distinguish memory mapped access (since it has different implications
+for revocation). system/sepolicy commit
+4397f08288890ef397697b4d6dbff596bdca14c8 introduced the permission to
+Android and updated common macros. Since then, we've been adding more
+mmap support where it was accidentally omitted.
+
+Add the ability for isolated_apps to mmap() app data files. There's no
+reason why this should be blocked. Also fixup sdcard access which has
+similar problems.
+
+Bug: 118760652
+Bug: https://crbug.com/892014
+Test: policy compiles.
+Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
+---
+ prebuilts/api/28.0/private/isolated_app.te | 6 +++---
+ private/isolated_app.te                    | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
+index a6276b38..0348a3ee 100644
+--- a/prebuilts/api/28.0/private/isolated_app.te
+++ b/prebuilts/api/28.0/private/isolated_app.te
+@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
+ app_domain(isolated_app)
+ 
+ # Access already open app data files received over Binder or local socket IPC.
+-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app app_data_file:file { append read write getattr lock map };
+ 
+ allow isolated_app activity_service:service_manager find;
+ allow isolated_app display_service:service_manager find;
+@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
+ # neverallow rules below.
+ # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+ # is modified to change the secontext when accessing the lower filesystem.
+-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+ 
+ # For webviews, isolated_app processes can be forked from the webview_zygote
+ # in addition to the zygote. Allow access to resources inherited from the
+@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
+ neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+ neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+ neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+ 
+ # Do not allow USB access
+ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+diff --git a/private/isolated_app.te b/private/isolated_app.te
+index a6276b38..0348a3ee 100644
+--- a/private/isolated_app.te
+++ b/private/isolated_app.te
+@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
+ app_domain(isolated_app)
+ 
+ # Access already open app data files received over Binder or local socket IPC.
+-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app app_data_file:file { append read write getattr lock map };
+ 
+ allow isolated_app activity_service:service_manager find;
+ allow isolated_app display_service:service_manager find;
+@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
+ # neverallow rules below.
+ # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+ # is modified to change the secontext when accessing the lower filesystem.
+-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+ 
+ # For webviews, isolated_app processes can be forked from the webview_zygote
+ # in addition to the zygote. Allow access to resources inherited from the
+@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
+ neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+ neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+ neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+ 
+ # Do not allow USB access
+ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0018-domain.te-Add-map-permissions-to-vendor_config_files.patch
+++ b/patches/platform_system_sepolicy/0018-domain.te-Add-map-permissions-to-vendor_config_files.patch
@@ -0,0 +1,44 @@
+From f4ad3736194aeff8f6479761c6134246c95ed81f Mon Sep 17 00:00:00 2001
+From: John Stultz <john.stultz@linaro.org>
+Date: Wed, 6 Jun 2018 12:32:45 -0700
+Subject: [PATCH 18/26] domain.te: Add map permissions to vendor_config_files
+
+For 4.14+ kernels, we need map permissions for vendor_config_files,
+for things like kernel loaded firmware blobs, etc.
+
+Change-Id: I8144c50b0239aedf4124569003187cc50c963080
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+---
+ prebuilts/api/28.0/public/domain.te | 2 +-
+ public/domain.te                    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
+index 9d3645eb..a0a19166 100644
+--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
+@@ -181,7 +181,7 @@ allow domain vndk_sp_file:file { execute read open getattr map };
+ 
+ # All domains get access to /vendor/etc
+ allow domain vendor_configs_file:dir r_dir_perms;
+-allow domain vendor_configs_file:file { read open getattr };
+allow domain vendor_configs_file:file { read open getattr map };
+ 
+ full_treble_only(`
+     # Allow all domains to be able to follow /system/vendor and/or
+diff --git a/public/domain.te b/public/domain.te
+index 9d3645eb..a0a19166 100644
+--- a/public/domain.te
+++ b/public/domain.te
+@@ -181,7 +181,7 @@ allow domain vndk_sp_file:file { execute read open getattr map };
+ 
+ # All domains get access to /vendor/etc
+ allow domain vendor_configs_file:dir r_dir_perms;
+-allow domain vendor_configs_file:file { read open getattr };
+allow domain vendor_configs_file:file { read open getattr map };
+ 
+ full_treble_only(`
+     # Allow all domains to be able to follow /system/vendor and/or
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0019-Relax-some-neverallow-rules.patch
+++ b/patches/platform_system_sepolicy/0019-Relax-some-neverallow-rules.patch
@@ -0,0 +1,102 @@
+From 782636c9e2be240ec48543ca5171bf2ea2bc0f38 Mon Sep 17 00:00:00 2001
+From: Nick Kralevich <nnk@google.com>
+Date: Tue, 7 Aug 2018 13:44:20 -0700
+Subject: [PATCH 19/26] Relax some neverallow rules
+
+Kernels above 4.14 have a new mmap permission. However, neverallow rules
+exclude the use of mmap, even when file FDs are passable across the
+vendor/non-vendor boundary. Since we allow reading / writing of passed
+file descriptors, also allow the use of mmap for passed file
+descriptors.
+
+Bug: 112171217
+Test: policy compiles
+Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9
+---
+ prebuilts/api/28.0/public/domain.te | 8 ++++----
+ public/domain.te                    | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
+index a0a19166..26ce1a00 100644
+--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
+@@ -818,7 +818,7 @@ full_treble_only(`
+   } {
+     data_file_type
+     -core_data_file_type
+-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
+ ')
+ full_treble_only(`
+   neverallow {
+@@ -850,7 +850,7 @@ full_treble_only(`
+     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
+     # vndk-stable and thus must be allowed for all processes.
+     -zoneinfo_data_file
+-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
+   neverallow {
+     vendor_init
+     -data_between_core_and_vendor_violators
+@@ -858,7 +858,7 @@ full_treble_only(`
+     core_data_file_type
+     -unencrypted_data_file
+     -zoneinfo_data_file
+-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
+   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+   # The vendor init binary lives on the system partition so there is not a concern with stability.
+   neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
+@@ -924,7 +924,7 @@ full_treble_only(`
+     -init
+     } {
+       vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+-    }:file_class_set ~{ append getattr ioctl read write };
+    }:file_class_set ~{ append getattr ioctl read write map };
+ ')
+ 
+ # On TREBLE devices, a limited set of files in /vendor are accessible to
+diff --git a/public/domain.te b/public/domain.te
+index a0a19166..26ce1a00 100644
+--- a/public/domain.te
+++ b/public/domain.te
+@@ -818,7 +818,7 @@ full_treble_only(`
+   } {
+     data_file_type
+     -core_data_file_type
+-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
+ ')
+ full_treble_only(`
+   neverallow {
+@@ -850,7 +850,7 @@ full_treble_only(`
+     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
+     # vndk-stable and thus must be allowed for all processes.
+     -zoneinfo_data_file
+-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
+   neverallow {
+     vendor_init
+     -data_between_core_and_vendor_violators
+@@ -858,7 +858,7 @@ full_treble_only(`
+     core_data_file_type
+     -unencrypted_data_file
+     -zoneinfo_data_file
+-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
+   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+   # The vendor init binary lives on the system partition so there is not a concern with stability.
+   neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
+@@ -924,7 +924,7 @@ full_treble_only(`
+     -init
+     } {
+       vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+-    }:file_class_set ~{ append getattr ioctl read write };
+    }:file_class_set ~{ append getattr ioctl read write map };
+ ')
+ 
+ # On TREBLE devices, a limited set of files in /vendor are accessible to
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0021-health-allow-wake_alarm-capability.patch
+++ b/patches/platform_system_sepolicy/0021-health-allow-wake_alarm-capability.patch
@@ -0,0 +1,41 @@
+From cbe173447e3d1e5e059bc75779f588cfda66329d Mon Sep 17 00:00:00 2001
+From: Yifan Hong <elsk@google.com>
+Date: Wed, 6 Mar 2019 10:54:21 -0800
+Subject: [PATCH 21/26] health: allow wake_alarm capability.
+
+CAP_WAKE_ALARM was required for timerfd_create since 4.10 kernel upstream.
+Add capability to platform policy for healthd and health HAL.
+
+Fixes: 124210362
+Test: boots (sanity)
+Change-Id: I8ebb383608eedd59beddec3f476b071e81b80871
+---
+ prebuilts/api/28.0/public/hal_health.te | 3 +++
+ public/hal_health.te                    | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/prebuilts/api/28.0/public/hal_health.te b/prebuilts/api/28.0/public/hal_health.te
+index c0a0f804..1db5fcc6 100644
+--- a/prebuilts/api/28.0/public/hal_health.te
+++ b/prebuilts/api/28.0/public/hal_health.te
+@@ -28,3 +28,6 @@ wakelock_use(hal_health_server)
+ 
+ # Write to /dev/kmsg
+ allow hal_health_server kmsg_device:chr_file w_file_perms;
+
+# Allow to use timerfd to wake itself up periodically to send health info.
+allow hal_health_server self:capability2 wake_alarm;
+diff --git a/public/hal_health.te b/public/hal_health.te
+index c0a0f804..1db5fcc6 100644
+--- a/public/hal_health.te
+++ b/public/hal_health.te
+@@ -28,3 +28,6 @@ wakelock_use(hal_health_server)
+ 
+ # Write to /dev/kmsg
+ allow hal_health_server kmsg_device:chr_file w_file_perms;
+
+# Allow to use timerfd to wake itself up periodically to send health info.
+allow hal_health_server self:capability2 wake_alarm;
+-- 
+2.17.1
+
--- a/patches/platform_system_sepolicy/0022-sepolicy-Add-mmap-for-profman.patch
+++ b/patches/platform_system_sepolicy/0022-sepolicy-Add-mmap-for-profman.patch
@@ -0,0 +1,91 @@
+From af4188bc5971cafc7f3e1473e2da15fcf94cbe60 Mon Sep 17 00:00:00 2001
+From: Benjamin Gordon <bmgordon@google.com>
+Date: Wed, 22 Aug 2018 06:30:51 -0600
+Subject: [PATCH 22/26] sepolicy: Add mmap for profman
+
+SELinux has a separate file mmap permission in 4.14+ kernels.  Add this
+to profman in cases where it could already access files.
+
+Bug: 112990132
+Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest
+Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc
+---
+ prebuilts/api/28.0/public/profman.te | 14 +++++++-------
+ public/profman.te                    | 14 +++++++-------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/prebuilts/api/28.0/public/profman.te b/prebuilts/api/28.0/public/profman.te
+index 4296d1b1..da639b0a 100644
+--- a/prebuilts/api/28.0/public/profman.te
+++ b/prebuilts/api/28.0/public/profman.te
+@@ -2,24 +2,24 @@
+ type profman, domain;
+ type profman_exec, exec_type, file_type;
+ 
+-allow profman user_profile_data_file:file { getattr read write lock };
+allow profman user_profile_data_file:file { getattr read write lock map };
+ 
+ # Dumping profile info opens the application APK file for pretty printing.
+-allow profman asec_apk_file:file { read };
+-allow profman apk_data_file:file { getattr read };
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
+ allow profman apk_data_file:dir { getattr read search };
+ 
+-allow profman oemfs:file { read };
+allow profman oemfs:file { read map };
+ # Reading an APK opens a ZipArchive, which unpack to tmpfs.
+-allow profman tmpfs:file { read };
+-allow profman profman_dump_data_file:file { write };
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
+ 
+ allow profman installd:fd use;
+ 
+ # Allow profman to analyze profiles for the secondary dex files. These
+ # are application dex files reported back to the framework when using
+ # BaseDexClassLoader.
+-allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:file { getattr read write lock map };
+ allow profman app_data_file:dir { getattr read search };
+ 
+ ###
+diff --git a/public/profman.te b/public/profman.te
+index 4296d1b1..da639b0a 100644
+--- a/public/profman.te
+++ b/public/profman.te
+@@ -2,24 +2,24 @@
+ type profman, domain;
+ type profman_exec, exec_type, file_type;
+ 
+-allow profman user_profile_data_file:file { getattr read write lock };
+allow profman user_profile_data_file:file { getattr read write lock map };
+ 
+ # Dumping profile info opens the application APK file for pretty printing.
+-allow profman asec_apk_file:file { read };
+-allow profman apk_data_file:file { getattr read };
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
+ allow profman apk_data_file:dir { getattr read search };
+ 
+-allow profman oemfs:file { read };
+allow profman oemfs:file { read map };
+ # Reading an APK opens a ZipArchive, which unpack to tmpfs.
+-allow profman tmpfs:file { read };
+-allow profman profman_dump_data_file:file { write };
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
+ 
+ allow profman installd:fd use;
+ 
+ # Allow profman to analyze profiles for the secondary dex files. These
+ # are application dex files reported back to the framework when using
+ # BaseDexClassLoader.
+-allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:file { getattr read write lock map };
+ allow profman app_data_file:dir { getattr read search };
+ 
+ ###
+-- 
+2.17.1
+