Merge "touch: Set permissions for interactive_calibration" into udc-qpr-dev am: 7b9d0c41c3
Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs-common/+/24796555
Change-Id: I561ea5439a9002c9c0e7496ba48cfda7ac0bbb33
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/battery_mitigation/bcl.mk b/battery_mitigation/bcl.mk
index 9fd81f8..13e5788 100644
--- a/battery_mitigation/bcl.mk
+++ b/battery_mitigation/bcl.mk
@@ -7,5 +7,7 @@
endif
endif
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/vendor
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/system_ext/private
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/system_ext/public
PRODUCT_SOONG_NAMESPACES += device/google/gs-common/battery_mitigation
diff --git a/battery_mitigation/sepolicy/brownout_detection_app.te b/battery_mitigation/sepolicy/system_ext/private/brownout_detection_app.te
similarity index 67%
rename from battery_mitigation/sepolicy/brownout_detection_app.te
rename to battery_mitigation/sepolicy/system_ext/private/brownout_detection_app.te
index 6146a74..c342cbf 100644
--- a/battery_mitigation/sepolicy/brownout_detection_app.te
+++ b/battery_mitigation/sepolicy/system_ext/private/brownout_detection_app.te
@@ -1,9 +1,8 @@
-type brownout_detection_app, domain, coredomain;
+typeattribute brownout_detection_app coredomain;
userdebug_or_eng(`
app_domain(brownout_detection_app)
net_domain(brownout_detection_app)
allow brownout_detection_app app_api_service:service_manager find;
allow brownout_detection_app system_api_service:service_manager find;
- get_prop(brownout_detection_app, vendor_brownout_reason_prop)
')
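Review bot: After this hunk the private file no longer shows that the domain reads `vendor_brownout_reason_prop`, because that `get_prop` now sits in `battery_mitigation/sepolicy/vendor/brownout_detection_app.te`. A pointer comment such as `# Vendor property access for this domain is granted in sepolicy/vendor/brownout_detection_app.te` would keep the domain's full permission set discoverable from one place. Separately, `typeattribute brownout_detection_app coredomain;` is outside `userdebug_or_eng` while every rule is inside it. That looks intentional, presumably so the type exists on user builds, but a one-line comment saying so would help the next reviewer.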
diff --git a/battery_mitigation/sepolicy/seapp_contexts b/battery_mitigation/sepolicy/system_ext/private/seapp_contexts
similarity index 100%
rename from battery_mitigation/sepolicy/seapp_contexts
rename to battery_mitigation/sepolicy/system_ext/private/seapp_contexts
diff --git a/battery_mitigation/sepolicy/system_ext/public/brownout_detection_app.te b/battery_mitigation/sepolicy/system_ext/public/brownout_detection_app.te
new file mode 100644
index 0000000..7eec57a
--- /dev/null
+++ b/battery_mitigation/sepolicy/system_ext/public/brownout_detection_app.te
@@ -0,0 +1 @@
+type brownout_detection_app, domain;
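Review bot: Declaring `brownout_detection_app` in system_ext public policy makes the type visible to vendor policy, and the new file carries no comment recording that this is the only reason it is public. A header line such as `# Public only so vendor policy can reference this type; keep all rules in private or vendor.` would stop unrelated rules from drifting into the public directory later. The same applies to `camera/sepolicy/product/public/vendor_pbcs_app.te` and `camera/sepolicy/product/public/vendor_pcs_app.te`, whose types are referenced by the vendor files for `add_service`, `binder_call` and `get_prop`.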
diff --git a/battery_mitigation/sepolicy/battery_mitigation.te b/battery_mitigation/sepolicy/vendor/battery_mitigation.te
similarity index 100%
rename from battery_mitigation/sepolicy/battery_mitigation.te
rename to battery_mitigation/sepolicy/vendor/battery_mitigation.te
diff --git a/battery_mitigation/sepolicy/vendor/brownout_detection_app.te b/battery_mitigation/sepolicy/vendor/brownout_detection_app.te
new file mode 100644
index 0000000..e2c602f
--- /dev/null
+++ b/battery_mitigation/sepolicy/vendor/brownout_detection_app.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ get_prop(brownout_detection_app, vendor_brownout_reason_prop)
+')
diff --git a/battery_mitigation/sepolicy/file.te b/battery_mitigation/sepolicy/vendor/file.te
similarity index 100%
rename from battery_mitigation/sepolicy/file.te
rename to battery_mitigation/sepolicy/vendor/file.te
diff --git a/battery_mitigation/sepolicy/file_contexts b/battery_mitigation/sepolicy/vendor/file_contexts
similarity index 100%
rename from battery_mitigation/sepolicy/file_contexts
rename to battery_mitigation/sepolicy/vendor/file_contexts
diff --git a/battery_mitigation/sepolicy/genfs_contexts b/battery_mitigation/sepolicy/vendor/genfs_contexts
similarity index 100%
rename from battery_mitigation/sepolicy/genfs_contexts
rename to battery_mitigation/sepolicy/vendor/genfs_contexts
diff --git a/battery_mitigation/sepolicy/property.te b/battery_mitigation/sepolicy/vendor/property.te
similarity index 100%
rename from battery_mitigation/sepolicy/property.te
rename to battery_mitigation/sepolicy/vendor/property.te
diff --git a/battery_mitigation/sepolicy/property_contexts b/battery_mitigation/sepolicy/vendor/property_contexts
similarity index 100%
rename from battery_mitigation/sepolicy/property_contexts
rename to battery_mitigation/sepolicy/vendor/property_contexts
diff --git a/battery_mitigation/sepolicy/vendor_init.te b/battery_mitigation/sepolicy/vendor/vendor_init.te
similarity index 100%
rename from battery_mitigation/sepolicy/vendor_init.te
rename to battery_mitigation/sepolicy/vendor/vendor_init.te
diff --git a/camera/dump.mk b/camera/dump.mk
index a3a5c7a..8569610 100644
--- a/camera/dump.mk
+++ b/camera/dump.mk
@@ -1,4 +1,6 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/private
PRODUCT_PACKAGES_DEBUG += dump_camera
diff --git a/camera/sepolicy/seapp_contexts b/camera/sepolicy/product/private/seapp_contexts
similarity index 100%
rename from camera/sepolicy/seapp_contexts
rename to camera/sepolicy/product/private/seapp_contexts
diff --git a/camera/sepolicy/product/private/vendor_pbcs_app.te b/camera/sepolicy/product/private/vendor_pbcs_app.te
new file mode 100644
index 0000000..d77162e
--- /dev/null
+++ b/camera/sepolicy/product/private/vendor_pbcs_app.te
@@ -0,0 +1,9 @@
+typeattribute vendor_pbcs_app coredomain;
+
+app_domain(vendor_pbcs_app);
+
+dontaudit vendor_pbcs_app system_app_data_file:dir *;
+
+allow vendor_pbcs_app app_api_service:service_manager find;
+# Allow PBCS to find Camera Service.
+allow vendor_pbcs_app cameraserver_service:service_manager find;
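Review bot: `dontaudit vendor_pbcs_app system_app_data_file:dir *;` silences every directory permission on system app data, so an unexpected access attempt by this domain on those directories never reaches the audit log. The rule is carried over unchanged from the old vendor file, but now that it lands in product private policy for a `coredomain` it would be better narrowed to the permissions actually seen in the original denials. It also needs a comment, e.g. `# Suppress benign <permission> denials on system app data dirs; see <bug-id>`. Both placeholders have to be filled in from the original denial, which is not visible in this diff.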
diff --git a/camera/sepolicy/product/private/vendor_pcs_app.te b/camera/sepolicy/product/private/vendor_pcs_app.te
new file mode 100644
index 0000000..6bf0451
--- /dev/null
+++ b/camera/sepolicy/product/private/vendor_pcs_app.te
@@ -0,0 +1,12 @@
+typeattribute vendor_pcs_app coredomain;
+
+app_domain(vendor_pcs_app);
+
+allow vendor_pcs_app {
+ app_api_service
+ audioserver_service
+ cameraserver_service
+ mediametrics_service
+ mediaserver_service
+ radio_service
+}:service_manager find;
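Review bot: The `service_manager find` set for `vendor_pcs_app` has no comment explaining why the domain needs `radio_service`, `audioserver_service` or `mediaserver_service`, unlike the PBCS file, which annotates its camera-service rule. Since this block is now platform-side policy for a `coredomain`, a short justification per entry, for instance `# <feature> requires the telephony service` above `radio_service`, would make a later least-privilege review possible. If any entry is no longer used, this move is a good moment to drop it.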
diff --git a/camera/sepolicy/product/public/vendor_pbcs_app.te b/camera/sepolicy/product/public/vendor_pbcs_app.te
new file mode 100644
index 0000000..7180719
--- /dev/null
+++ b/camera/sepolicy/product/public/vendor_pbcs_app.te
@@ -0,0 +1 @@
+type vendor_pbcs_app, domain;
diff --git a/camera/sepolicy/product/public/vendor_pcs_app.te b/camera/sepolicy/product/public/vendor_pcs_app.te
new file mode 100644
index 0000000..fb8b0a1
--- /dev/null
+++ b/camera/sepolicy/product/public/vendor_pcs_app.te
@@ -0,0 +1 @@
+type vendor_pcs_app, domain;
diff --git a/camera/sepolicy/dump_camera.te b/camera/sepolicy/vendor/dump_camera.te
similarity index 100%
rename from camera/sepolicy/dump_camera.te
rename to camera/sepolicy/vendor/dump_camera.te
diff --git a/camera/sepolicy/file.te b/camera/sepolicy/vendor/file.te
similarity index 100%
rename from camera/sepolicy/file.te
rename to camera/sepolicy/vendor/file.te
diff --git a/camera/sepolicy/file_contexts b/camera/sepolicy/vendor/file_contexts
similarity index 100%
rename from camera/sepolicy/file_contexts
rename to camera/sepolicy/vendor/file_contexts
diff --git a/camera/sepolicy/hal_camera_default.te b/camera/sepolicy/vendor/hal_camera_default.te
similarity index 100%
rename from camera/sepolicy/hal_camera_default.te
rename to camera/sepolicy/vendor/hal_camera_default.te
diff --git a/camera/sepolicy/init.camera.set-interrupts-ownership.te b/camera/sepolicy/vendor/init.camera.set-interrupts-ownership.te
similarity index 100%
rename from camera/sepolicy/init.camera.set-interrupts-ownership.te
rename to camera/sepolicy/vendor/init.camera.set-interrupts-ownership.te
diff --git a/camera/sepolicy/property.te b/camera/sepolicy/vendor/property.te
similarity index 100%
rename from camera/sepolicy/property.te
rename to camera/sepolicy/vendor/property.te
diff --git a/camera/sepolicy/property_contexts b/camera/sepolicy/vendor/property_contexts
similarity index 100%
rename from camera/sepolicy/property_contexts
rename to camera/sepolicy/vendor/property_contexts
diff --git a/camera/sepolicy/service.te b/camera/sepolicy/vendor/service.te
similarity index 100%
rename from camera/sepolicy/service.te
rename to camera/sepolicy/vendor/service.te
diff --git a/camera/sepolicy/service_contexts b/camera/sepolicy/vendor/service_contexts
similarity index 100%
rename from camera/sepolicy/service_contexts
rename to camera/sepolicy/vendor/service_contexts
diff --git a/camera/sepolicy/vendor_pbcs_app.te b/camera/sepolicy/vendor/vendor_pbcs_app.te
similarity index 68%
rename from camera/sepolicy/vendor_pbcs_app.te
rename to camera/sepolicy/vendor/vendor_pbcs_app.te
index 2a56b2d..7b9c5e2 100644
--- a/camera/sepolicy/vendor_pbcs_app.te
+++ b/camera/sepolicy/vendor/vendor_pbcs_app.te
@@ -1,13 +1,3 @@
-type vendor_pbcs_app, domain, coredomain;
-
-app_domain(vendor_pbcs_app);
-
-dontaudit vendor_pbcs_app system_app_data_file:dir *;
-
-allow vendor_pbcs_app app_api_service:service_manager find;
-# Allow PBCS to find Camera Service.
-allow vendor_pbcs_app cameraserver_service:service_manager find;
-
# Allow PBCS to add the ServiceBinder service to ServiceManager.
add_service(vendor_pbcs_app, vendor_camera_binder_service);
# Allow PBCS to add the LyricConfigProvider service to ServiceManager.
@@ -15,8 +5,8 @@
# Allow PBCS to add the CameraIdRemapper service to ServiceManager.
add_service(vendor_pbcs_app, vendor_camera_cameraidremapper_service);
-binder_call(vendor_pbcs_app, hal_camera_default);
-
# Allow PBCS to read debug system properties of the form vendor.camera.pbcs.debug.*
# and persist.vendor.camera.pbcs.debug.*
get_prop(vendor_pbcs_app, vendor_camera_pbcs_debug_prop);
+
+binder_call(vendor_pbcs_app, hal_camera_default);
diff --git a/camera/sepolicy/vendor_pcs_app.te b/camera/sepolicy/vendor/vendor_pcs_app.te
similarity index 80%
rename from camera/sepolicy/vendor_pcs_app.te
rename to camera/sepolicy/vendor/vendor_pcs_app.te
index d6a52bd..e269a2f 100644
--- a/camera/sepolicy/vendor_pcs_app.te
+++ b/camera/sepolicy/vendor/vendor_pcs_app.te
@@ -1,16 +1,3 @@
-type vendor_pcs_app, domain, coredomain;
-
-app_domain(vendor_pcs_app);
-
-allow vendor_pcs_app {
- app_api_service
- audioserver_service
- cameraserver_service
- mediametrics_service
- mediaserver_service
- radio_service
-}:service_manager find;
-
# Allow PCS to find the LyricConfigProvider service through ServiceManager.
allow vendor_pcs_app vendor_camera_lyricconfigprovider_service:service_manager find;
# Allow PCS to find the CameraIdRemapper service through ServiceManager.
@@ -18,10 +5,10 @@
allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add;
-binder_call(vendor_pcs_app, hal_camera_default);
-
binder_call(vendor_pcs_app, hal_pixel_remote_camera_service);
+binder_call(vendor_pcs_app, hal_camera_default);
+
# Allow PCS to open socket connections for HTTP streaming support.
allow vendor_pcs_app vendor_pcs_app:unpriv_socket_class_set create_socket_perms_no_ioctl;
allow vendor_pcs_app fwmarkd_socket:sock_file write;
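Review bot: `allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add;` in this hunk's context grants service registration with a raw allow, whereas the PBCS vendor file uses `add_service(...)` for its services. The macro also emits a neverallow that prevents any other domain from registering the same service type, so `add_service(vendor_pcs_app, hal_pixel_remote_camera_service);` would be the tighter and more consistent form (it grants `find` as well). The line is not changed by this commit and the rest of the file is outside the hunk, so an equivalent neverallow may already exist elsewhere.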
diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
new file mode 100644
index 0000000..aab78ab
--- /dev/null
+++ b/sepolicy/OWNERS
@@ -0,0 +1,5 @@
+include platform/system/sepolicy:/OWNERS
+
+wilsonsung@google.com
+rurumihong@google.com
+
diff --git a/sepolicy/README.txt b/sepolicy/README.txt
new file mode 100644
index 0000000..d1ad3e6
--- /dev/null
+++ b/sepolicy/README.txt
@@ -0,0 +1,2 @@
+This folder holds content for pixel sepolicy operations. Device sepolicy like
+file.te, file_contexts will not live in here.