Merge "Revert "Allow all domains access to /dev/qemu_trace.""
diff --git a/target/board/generic/BoardConfig.mk b/target/board/generic/BoardConfig.mk
index 62303d6..6d58b1c 100644
--- a/target/board/generic/BoardConfig.mk
+++ b/target/board/generic/BoardConfig.mk
@@ -77,13 +77,17 @@
 
 BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
 BOARD_SEPOLICY_UNION += \
+        adbd.te \
+        app.te \
         bootanim.te \
         device.te \
         domain.te \
         file.te \
         file_contexts \
+        mediaserver.te \
         qemud.te \
         rild.te \
         shell.te \
         surfaceflinger.te \
-        system_server.te
+        system_server.te \
+        zygote.te
diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te
new file mode 100644
index 0000000..f65cfb3
--- /dev/null
+++ b/target/board/generic/sepolicy/adbd.te
@@ -0,0 +1 @@
+allow adbd qemu_device:chr_file rw_file_perms;
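Review bot: This new file does not say why adbd needs the device, whereas domain.te in the same directory comments its emulator-only rule. A header line above the allow, such as `# Emulator only: access to the QEMU device node (presumably /dev/qemu_trace, per the commit title).`, would warn later readers not to copy the grant into a real device policy. The same applies to the other one-line files this commit creates: app.te, mediaserver.te and zygote.te in this directory, and adbd.te, app.te, bootanim.te, mediaserver.te and surfaceflinger.te under generic_x86/sepolicy.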
diff --git a/target/board/generic/sepolicy/app.te b/target/board/generic/sepolicy/app.te
new file mode 100644
index 0000000..fd33453
--- /dev/null
+++ b/target/board/generic/sepolicy/app.te
@@ -0,0 +1 @@
+allow appdomain qemu_device:chr_file rw_file_perms;
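Review bot: `appdomain` is an attribute rather than a single domain, so this rule gives read and write on the emulator device to every app domain, including those that run untrusted code. It is the broadest of the per-domain grants that replace the blanket `domain` rule. If apps only need to emit trace data, a write-only set would be tighter, e.g. `allow appdomain qemu_device:chr_file w_file_perms;`, though this hunk does not show whether read or ioctl access is actually required. The identical rule in generic_x86/sepolicy/app.te carries the same exposure.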
diff --git a/target/board/generic/sepolicy/bootanim.te b/target/board/generic/sepolicy/bootanim.te
index d6506e1..a5a84f9 100644
--- a/target/board/generic/sepolicy/bootanim.te
+++ b/target/board/generic/sepolicy/bootanim.te
@@ -1,2 +1,3 @@
 allow bootanim self:process execmem;
 allow bootanim ashmem_device:chr_file execute;
+allow bootanim qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/domain.te b/target/board/generic/sepolicy/domain.te
index c28ca74..f026100 100644
--- a/target/board/generic/sepolicy/domain.te
+++ b/target/board/generic/sepolicy/domain.te
@@ -1,3 +1,2 @@
 # For /sys/qemu_trace files in the emulator.
 allow domain sysfs_writable:file rw_file_perms;
-allow domain qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/mediaserver.te b/target/board/generic/sepolicy/mediaserver.te
new file mode 100644
index 0000000..90b8cf8
--- /dev/null
+++ b/target/board/generic/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
index e148b6c..5de171a 100644
--- a/target/board/generic/sepolicy/rild.te
+++ b/target/board/generic/sepolicy/rild.te
@@ -1 +1,2 @@
+allow rild qemu_device:chr_file rw_file_perms;
 unix_socket_connect(rild, qemud, qemud)
diff --git a/target/board/generic/sepolicy/surfaceflinger.te b/target/board/generic/sepolicy/surfaceflinger.te
index 4c35469..6712789 100644
--- a/target/board/generic/sepolicy/surfaceflinger.te
+++ b/target/board/generic/sepolicy/surfaceflinger.te
@@ -1,2 +1,3 @@
 allow surfaceflinger self:process execmem;
 allow surfaceflinger ashmem_device:chr_file execute;
+allow surfaceflinger qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te
index d0fb79d..ef4ce4a 100644
--- a/target/board/generic/sepolicy/system_server.te
+++ b/target/board/generic/sepolicy/system_server.te
@@ -1 +1,2 @@
 unix_socket_connect(system_server, qemud, qemud)
+allow system_server qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/zygote.te b/target/board/generic/sepolicy/zygote.te
new file mode 100644
index 0000000..a5da574
--- /dev/null
+++ b/target/board/generic/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_mips/BoardConfig.mk b/target/board/generic_mips/BoardConfig.mk
index a319ad7..17e241d 100644
--- a/target/board/generic_mips/BoardConfig.mk
+++ b/target/board/generic_mips/BoardConfig.mk
@@ -59,11 +59,13 @@
 
 BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
 BOARD_SEPOLICY_UNION += \
+        adbd.te \
         bootanim.te \
         device.te \
         domain.te \
         file.te \
         file_contexts \
+        mediaserver.te \
         qemud.te \
         rild.te \
         shell.te \
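Review bot: `app.te` and `zygote.te` are not added to this list, although generic_mips takes its policy from build/target/board/generic/sepolicy, whose domain.te loses the blanket `allow domain qemu_device:chr_file rw_file_perms;` in this same commit. Unless that is intentional, apps and zygote on the MIPS emulator would be denied the device while the generic and generic_x86 boards keep access. Adding `app.te \` after `adbd.te \` and `zygote.te` at the end of the union would align the three boards. The tail of the list lies outside this hunk, so it is worth confirming how it ends before appending.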
diff --git a/target/board/generic_x86/BoardConfig.mk b/target/board/generic_x86/BoardConfig.mk
index 30c0f2e..5277cdc 100644
--- a/target/board/generic_x86/BoardConfig.mk
+++ b/target/board/generic_x86/BoardConfig.mk
@@ -44,6 +44,8 @@
 
 BOARD_SEPOLICY_DIRS += build/target/board/generic_x86/sepolicy
 BOARD_SEPOLICY_UNION += \
+        app.te \
+        adbd.te \
         bootanim.te \
         device.te \
         domain.te \
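Review bot: `app.te` is listed ahead of `adbd.te` here, while the rest of this list and the generic board's list are in alphabetical order. Swapping the two added lines (`adbd.te \` then `app.te \`) keeps the three BoardConfig.mk unions easy to compare line by line. That comparison is the quickest way to confirm that each emulator board picks up the same set of policy files.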
@@ -51,8 +53,10 @@
         file_contexts \
         healthd.te \
         installd.te \
+        mediaserver.te \
         qemud.te \
         rild.te \
         shell.te \
         surfaceflinger.te \
-        system_server.te
+        system_server.te \
+        zygote.te
diff --git a/target/board/generic_x86/sepolicy/adbd.te b/target/board/generic_x86/sepolicy/adbd.te
new file mode 100644
index 0000000..f65cfb3
--- /dev/null
+++ b/target/board/generic_x86/sepolicy/adbd.te
@@ -0,0 +1 @@
+allow adbd qemu_device:chr_file rw_file_perms;
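Review bot: This file is byte-identical to generic/sepolicy/adbd.te, as both index lines show blob f65cfb3. The same holds for app.te (fd33453) and mediaserver.te (90b8cf8), so the qemu_device grants now exist in two copies that can drift apart when one is tightened. A header comment in each copy, such as `# Keep in sync with build/target/board/generic/sepolicy/adbd.te`, would make the duplication visible. Alternatively, if the build accepts a second entry in BOARD_SEPOLICY_DIRS, the shared rules could live only in the generic directory, as generic_mips already arranges.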
diff --git a/target/board/generic_x86/sepolicy/app.te b/target/board/generic_x86/sepolicy/app.te
new file mode 100644
index 0000000..fd33453
--- /dev/null
+++ b/target/board/generic_x86/sepolicy/app.te
@@ -0,0 +1 @@
+allow appdomain qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/bootanim.te b/target/board/generic_x86/sepolicy/bootanim.te
new file mode 100644
index 0000000..762a573
--- /dev/null
+++ b/target/board/generic_x86/sepolicy/bootanim.te
@@ -0,0 +1 @@
+allow bootanim qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/domain.te b/target/board/generic_x86/sepolicy/domain.te
index c3161b3..c17950d 100644
--- a/target/board/generic_x86/sepolicy/domain.te
+++ b/target/board/generic_x86/sepolicy/domain.te
@@ -1,4 +1,3 @@
 # For /sys/qemu_trace files in the emulator.
 allow domain sysfs_writable:file rw_file_perms;
 allow domain cpuctl_device:dir search;
-allow domain qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/mediaserver.te b/target/board/generic_x86/sepolicy/mediaserver.te
new file mode 100644
index 0000000..90b8cf8
--- /dev/null
+++ b/target/board/generic_x86/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/rild.te b/target/board/generic_x86/sepolicy/rild.te
index e148b6c..5de171a 100644
--- a/target/board/generic_x86/sepolicy/rild.te
+++ b/target/board/generic_x86/sepolicy/rild.te
@@ -1 +1,2 @@
+allow rild qemu_device:chr_file rw_file_perms;
 unix_socket_connect(rild, qemud, qemud)
diff --git a/target/board/generic_x86/sepolicy/surfaceflinger.te b/target/board/generic_x86/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..865405c
--- /dev/null
+++ b/target/board/generic_x86/sepolicy/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/system_server.te b/target/board/generic_x86/sepolicy/system_server.te
index 0ede971..9bfe5fe 100644
--- a/target/board/generic_x86/sepolicy/system_server.te
+++ b/target/board/generic_x86/sepolicy/system_server.te
@@ -1,2 +1,3 @@
 allow system_server self:process execmem;
 unix_socket_connect(system_server, qemud, qemud)
+allow system_server qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/zygote.te b/target/board/generic_x86/sepolicy/zygote.te
index 93993a4..d34c4a1 100644
--- a/target/board/generic_x86/sepolicy/zygote.te
+++ b/target/board/generic_x86/sepolicy/zygote.te
@@ -1,2 +1,3 @@
 allow zygote self:process execmem;
 allow zygote self:capability sys_nice;
+allow zygote qemu_device:chr_file rw_file_perms;