Merge "Sepolicy: Pixelstats: Pixel common sepolicy init" am: 947a5e4dbf am: 6e7eab5198 am: f814be3f6e
Original change: https://android-review.googlesource.com/c/platform/hardware/google/pixel-sepolicy/+/2367651
Change-Id: I8982b0d895984de3315d6ba8d2a88abc7205b555
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/citadel/file_contexts b/citadel/file_contexts
index 5376def..a253a3d 100644
--- a/citadel/file_contexts
+++ b/citadel/file_contexts
@@ -4,7 +4,10 @@
/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.authsecret-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.oemlock-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0
/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
diff --git a/citadel/hal_authsecret_citadel.te b/citadel/hal_authsecret_citadel.te
new file mode 100644
index 0000000..029d957
--- /dev/null
+++ b/citadel/hal_authsecret_citadel.te
@@ -0,0 +1,9 @@
+type hal_authsecret_citadel, domain;
+type hal_authsecret_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_authsecret_citadel)
+binder_call(hal_authsecret_citadel, citadeld)
+allow hal_authsecret_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_authsecret_citadel, hal_authsecret)
+init_daemon_domain(hal_authsecret_citadel)
diff --git a/citadel/hal_oemlock_citadel.te b/citadel/hal_oemlock_citadel.te
new file mode 100644
index 0000000..d3ff719
--- /dev/null
+++ b/citadel/hal_oemlock_citadel.te
@@ -0,0 +1,9 @@
+type hal_oemlock_citadel, domain;
+type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_oemlock_citadel)
+binder_call(hal_oemlock_citadel, citadeld)
+allow hal_oemlock_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_oemlock_citadel, hal_oemlock)
+init_daemon_domain(hal_oemlock_citadel)
diff --git a/citadel/vndservice.te b/citadel/vndservice.te
index a756bce..880c09c 100644
--- a/citadel/vndservice.te
+++ b/citadel/vndservice.te
@@ -1,2 +1 @@
type citadeld_service, vndservice_manager_type;
-type hal_power_stats_vendor_service, vndservice_manager_type;
diff --git a/common/vendor/te_macros b/common/vendor/te_macros
new file mode 100644
index 0000000..c9a9c04
--- /dev/null
+++ b/common/vendor/te_macros
@@ -0,0 +1,17 @@
+#####################################
+# pixel_bugreport(domain_name)
+# Defines a new domain for executables under /vendor/bin/dump
+# Grants permissions to interact with dumpstate and write to bugreport.
+# See go/pixel-defrag for more details.
+define(`pixel_bugreport', `
+type $1, domain;
+type $1_exec, exec_type, vendor_file_type, file_type;
+typeattribute $1 hal_dumpstate;
+domain_auto_trans(hal_dumpstate_default, $1_exec, $1)
+
+allow $1 dumpstate:fd use;
+allow $1 dumpstate:fifo_file { write getattr };
+allow $1 hal_dumpstate_default:fd use;
+allow $1 shell_data_file:file { write getattr };
+')
+
diff --git a/input/genfs_contexts b/input/genfs_contexts
deleted file mode 100644
index 19f57be..0000000
--- a/input/genfs_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Touch
-genfscon sysfs /devices/virtual/goog_touch_interface u:object_r:sysfs_touch:s0
diff --git a/pixelstats/pixelstats_vendor.te b/pixelstats/pixelstats_vendor.te
index 34da9df..f7b77e7 100644
--- a/pixelstats/pixelstats_vendor.te
+++ b/pixelstats/pixelstats_vendor.te
@@ -12,7 +12,7 @@
allow pixelstats_vendor self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow pixelstats_vendor sysfs_scsi_devices_0000:dir search;
-allow pixelstats_vendor sysfs_scsi_devices_0000:file r_file_perms;
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
allow pixelstats_vendor sysfs_fs_f2fs:dir search;
allow pixelstats_vendor sysfs_fs_f2fs:file rw_file_perms;
get_prop(pixelstats_vendor, boottime_public_prop)
diff --git a/powerstats/vndservice.te b/powerstats/vndservice.te
new file mode 100644
index 0000000..b4386f8
--- /dev/null
+++ b/powerstats/vndservice.te
@@ -0,0 +1 @@
+type hal_power_stats_vendor_service, vndservice_manager_type;
diff --git a/ramdump/file_contexts b/ramdump/file_contexts
index 590e61b..2f51f74 100644
--- a/ramdump/file_contexts
+++ b/ramdump/file_contexts
@@ -1 +1,2 @@
/vendor/bin/ramdump u:object_r:ramdump_exec:s0
+/vendor/bin/ramdump32 u:object_r:ramdump_exec:s0