update new sdk

android/system/sepolicy/prebuilts/api/26.0/private/bg_kmsg.te

@@ -0,0 +1,3 @@
+typeattribute bg_kmsg coredomain;
+
+init_daemon_domain(bg_kmsg)

android/system/sepolicy/prebuilts/api/26.0/private/file_contexts

@@ -266,6 +266,7 @@
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
+/system/bin/bg_kmsg.sh u:object_r:bg_kmsg_exec:s0
 
 #############################
 # Vendor files

android/system/sepolicy/prebuilts/api/26.0/private/init.te

@@ -17,6 +17,8 @@ domain_trans(init, { rootfs toolbox_exec }, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
+  allow init misc_logd_file:dir { remove_name };
+  allow init misc_logd_file:file { read unlink };
 ')
 
 # Creating files on sysfs is impossible so this isn't a threat

android/system/sepolicy/prebuilts/api/26.0/private/logpersist.te

@@ -20,5 +20,5 @@ userdebug_or_eng(`
 
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
 neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate -bg_kmsg') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -bg_kmsg') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };

android/system/sepolicy/prebuilts/api/26.0/public/bg_kmsg.te

@@ -0,0 +1,18 @@
+type bg_kmsg, domain;
+type bg_kmsg_exec, exec_type, file_type;
+
+
+
+userdebug_or_eng(`
+	allow bg_kmsg self:capability dac_override;
+	allow bg_kmsg shell_exec:file rx_file_perms;
+	allow bg_kmsg system_file:file rx_file_perms;
+	allow bg_kmsg toolbox_exec:file rx_file_perms;
+
+	allow bg_kmsg misc_logd_file:file create_file_perms;
+	allow bg_kmsg misc_logd_file:dir rw_dir_perms;
+
+	allow bg_kmsg self:capability2 syslog;
+	allow bg_kmsg proc:file {read open};
+	allow bg_kmsg kernel:system syslog_mod;
+')

android/system/sepolicy/private/bg_kmsg.te

@@ -0,0 +1,2 @@
+typeattribute bg_kmsg coredomain;
+init_daemon_domain(bg_kmsg)

android/system/sepolicy/private/compat/26.0/26.0.cil

@@ -285,6 +285,8 @@
 (typeattributeset installd_service_26_0 (installd_service))
 (typeattributeset install_recovery_26_0 (install_recovery))
 (typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
+(typeattributeset bg_kmsg_26_0 (bg_kmsg))
+(typeattributeset bg_kmsg_exec_26_0 (bg_kmsg_exec))
 (typeattributeset ion_device_26_0 (ion_device))
 (typeattributeset IProxyService_service_26_0 (IProxyService_service))
 (typeattributeset ipsec_service_26_0 (ipsec_service))

android/system/sepolicy/private/crash_dump.te

@@ -1 +1,12 @@
 typeattribute crash_dump coredomain;
+
+allow crash_dump {
+  domain
+  -crash_dump
+  -init
+  -kernel
+  -keystore
+  -logd
+  -ueventd
+  -vold
+}:process { ptrace signal sigchld sigstop sigkill };

android/system/sepolicy/private/ephemeral_app.te

@@ -31,6 +31,7 @@ allow ephemeral_app mediaextractor_service:service_manager find;
 allow ephemeral_app mediacodec_service:service_manager find;
 allow ephemeral_app mediametrics_service:service_manager find;
 allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app drmserver_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;

android/system/sepolicy/private/file_contexts

@@ -273,6 +273,10 @@
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
+/system/bin/bg_kmsg.sh u:object_r:bg_kmsg_exec:s0
+
+
+
 
 #############################
 # Vendor files

android/system/sepolicy/private/init.te

@@ -18,6 +18,8 @@ domain_trans(init, { rootfs toolbox_exec }, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
+  allow init misc_logd_file:dir { remove_name };
+  allow init misc_logd_file:file { read unlink };
 ')
 
 # Creating files on sysfs is impossible so this isn't a threat

android/system/sepolicy/private/logpersist.te

@@ -20,5 +20,5 @@ userdebug_or_eng(`
 
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
 neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate -bg_kmsg') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -bg_kmsg') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };

android/system/sepolicy/public/bg_kmsg.te

@@ -0,0 +1,17 @@
+type bg_kmsg, domain;
+type bg_kmsg_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+	allow bg_kmsg self:capability dac_override;
+	allow bg_kmsg shell_exec:file rx_file_perms;
+	allow bg_kmsg system_file:file rx_file_perms;
+	allow bg_kmsg toolbox_exec:file rx_file_perms;
+
+	allow bg_kmsg misc_logd_file:file create_file_perms;
+	allow bg_kmsg misc_logd_file:dir rw_dir_perms;
+
+	allow bg_kmsg self:capability2 syslog;
+	allow bg_kmsg proc:file {read open};
+	allow bg_kmsg kernel:system syslog_mod;
+')
+

android/system/sepolicy/public/crash_dump.te

@@ -1,14 +1,6 @@
 type crash_dump, domain;
 type crash_dump_exec, exec_type, file_type;
 
-allow crash_dump {
-  domain
-  -init
-  -crash_dump
-  -keystore
-  -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.
 dontaudit crash_dump self:capability { sys_ptrace };

android/system/sepolicy/public/logpersist.te

@@ -24,3 +24,5 @@ neverallow logpersist { app_data_file system_data_file }:dir_file_class_set writ
 #   -system_app # Smith.apk
 # } logpersist:process transition;
 neverallow * logpersist:process dyntransition;
+
+allow logpersist self:capability { dac_override dac_read_search };