[automerger skipped] DO NOT MERGE - Merge Android R QPR1 am: 07c5983d69 -s ours am: ab210e4281 -s ours am: ba643445fb -s ours
am skip reason: subject contains skip directive
Original change: https://android-review.googlesource.com/c/platform/hardware/google/pixel-sepolicy/+/1521189
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: I96b9701bdb59ece4ad6ee6b4aeaaac046133e68a
diff --git a/astd/astd.te b/astd/astd.te
new file mode 100644
index 0000000..9f29caa
--- /dev/null
+++ b/astd/astd.te
@@ -0,0 +1,17 @@
+# astd service
+type astd, domain;
+
+# /vendor/bin/astc u:object_r:vendor_shell_exec:s0
+# system/sepolicy/public/vendor_shell.te
+# type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+# /vendor/bin/astd u:object_r:vendor_toolbox_exec:s0
+# system/sepolicy/public/vendor_toolbox.te
+# type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+type astd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(astd)
+')
+
diff --git a/astd/file_contexts b/astd/file_contexts
new file mode 100644
index 0000000..0df5774
--- /dev/null
+++ b/astd/file_contexts
@@ -0,0 +1,3 @@
+/vendor/bin/astc u:object_r:astd_exec:s0
+/vendor/bin/astd u:object_r:astd_exec:s0
+
diff --git a/atrace/genfs_contexts b/atrace/genfs_contexts
new file mode 100644
index 0000000..ce4e879
--- /dev/null
+++ b/atrace/genfs_contexts
@@ -0,0 +1 @@
+genfscon debugfs /tracing/events/fastrpc/fastrpc_dma_stat u:object_r:debugfs_tracing:s0
diff --git a/citadel/file_contexts b/citadel/file_contexts
index d749e46..fd80454 100644
--- a/citadel/file_contexts
+++ b/citadel/file_contexts
@@ -4,6 +4,7 @@
/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
diff --git a/citadel/hal_identity_citadel.te b/citadel/hal_identity_citadel.te
new file mode 100644
index 0000000..e29310c
--- /dev/null
+++ b/citadel/hal_identity_citadel.te
@@ -0,0 +1,9 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_identity_citadel)
+binder_call(hal_identity_citadel, citadeld)
+allow hal_identity_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_identity_citadel, hal_identity)
+init_daemon_domain(hal_identity_citadel)
diff --git a/citadel/recovery.te b/citadel/recovery.te
index c68244f..523af80 100644
--- a/citadel/recovery.te
+++ b/citadel/recovery.te
@@ -1,3 +1,4 @@
recovery_only(`
allow recovery citadel_device:chr_file rw_file_perms;
+ allow fastbootd citadel_device:chr_file rw_file_perms;
')
diff --git a/common/file.te b/common/file.te
index 3f4f23a..ac1079a 100644
--- a/common/file.te
+++ b/common/file.te
@@ -1,7 +1 @@
type persist_file, file_type, vendor_persist_type;
-type firmware_file, file_type, contextmount_type, vendor_file_type;
-
-# kernel modules
-type vendor_kernel_modules, vendor_file_type, file_type;
-
-allow firmware_file self:filesystem associate;
diff --git a/common/file_contexts b/common/file_contexts
index e86fd9f..0adc634 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -1,9 +1,10 @@
/mnt/vendor/persist(/.*)? u:object_r:persist_file:s0
-/vendor/firmware_mnt(/.*)? u:object_r:firmware_file:s0
/persist(/.*)? u:object_r:persist_file:s0
-/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
/vendor/bin/grep u:object_r:vendor_toolbox_exec:s0
/vendor/bin/awk u:object_r:vendor_toolbox_exec:s0
/vendor/bin/cp u:object_r:vendor_toolbox_exec:s0
/vendor/bin/toolbox_vendor u:object_r:vendor_toolbox_exec:s0
+
+/vendor/bin/hw/android\.hardware\.atrace@1\.0-service.pixel u:object_r:hal_atrace_default_exec:s0
+
diff --git a/common/init-insmod-sh.te b/common/init-insmod-sh.te
deleted file mode 100644
index 16bc87c..0000000
--- a/common/init-insmod-sh.te
+++ /dev/null
@@ -1,19 +0,0 @@
-type init-insmod-sh, domain;
-type init-insmod-sh_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init-insmod-sh)
-
-allow init-insmod-sh vendor_toolbox_exec:file rx_file_perms;
-allow init-insmod-sh self:capability sys_module;
-allow init-insmod-sh vendor_kernel_modules:system module_load;
-allow init-insmod-sh kernel:key search;
-
-# modprobe needs sys_nice and setsched for driver threads
-allow init-insmod-sh self:capability sys_nice;
-allow init-insmod-sh kernel:process setsched;
-
-# modprobe need proc_modules
-allow init-insmod-sh proc_modules:file r_file_perms;
-
-# Set the vendor.all.modules.ready property
-set_prop(init-insmod-sh, vendor_device_prop)
diff --git a/common/init.te b/common/init.te
deleted file mode 100644
index 1ff76db..0000000
--- a/common/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow init firmware_file:dir mounton;
-allow init firmware_file:filesystem { getattr mount relabelfrom };
diff --git a/common/property.te b/common/property.te
deleted file mode 100644
index 50f7b34..0000000
--- a/common/property.te
+++ /dev/null
@@ -1 +0,0 @@
-vendor_internal_prop(vendor_device_prop)
diff --git a/common/property_contexts b/common/property_contexts
deleted file mode 100644
index 8343ea5..0000000
--- a/common/property_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-vendor.all.modules.ready u:object_r:vendor_device_prop:s0
-vendor.all.devices.ready u:object_r:vendor_device_prop:s0
diff --git a/flipendo/flipendo.te b/flipendo/flipendo.te
index cdcffb2..fbd7092 100644
--- a/flipendo/flipendo.te
+++ b/flipendo/flipendo.te
@@ -15,3 +15,5 @@
# Access to PowerHal service
hal_client_domain(flipendo, hal_power);
+
+dontaudit flipendo vendor_hwservice_type:hwservice_manager find;
diff --git a/power-libperfmgr/vendor_init.te b/power-libperfmgr/vendor_init.te
new file mode 100644
index 0000000..18cc402
--- /dev/null
+++ b/power-libperfmgr/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_power_prop)
diff --git a/ramdump/bug_map b/ramdump/bug_map
new file mode 100644
index 0000000..21a026b
--- /dev/null
+++ b/ramdump/bug_map
@@ -0,0 +1,2 @@
+ramdump vendor_hw_plat_prop file b/161103878
+ramdump public_vendor_default_prop file b/161103878
diff --git a/ramdump/common/file.te b/ramdump/common/file.te
new file mode 100644
index 0000000..e1382df
--- /dev/null
+++ b/ramdump/common/file.te
@@ -0,0 +1,2 @@
+type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
diff --git a/ramdump/common/file_contexts b/ramdump/common/file_contexts
new file mode 100644
index 0000000..c0c087f
--- /dev/null
+++ b/ramdump/common/file_contexts
@@ -0,0 +1,2 @@
+/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
+/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
diff --git a/ramdump/common/property.te b/ramdump/common/property.te
new file mode 100644
index 0000000..1409a3d
--- /dev/null
+++ b/ramdump/common/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_ramdump_prop)
diff --git a/ramdump/common/property_contexts b/ramdump/common/property_contexts
new file mode 100644
index 0000000..25749fa
--- /dev/null
+++ b/ramdump/common/property_contexts
@@ -0,0 +1,2 @@
+ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
+vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
diff --git a/ramdump/file.te b/ramdump/file.te
new file mode 100644
index 0000000..3fa2b2f
--- /dev/null
+++ b/ramdump/file.te
@@ -0,0 +1 @@
+allow ramdump_vendor_mnt_file self:filesystem associate;
diff --git a/ramdump/file_contexts b/ramdump/file_contexts
new file mode 100644
index 0000000..590e61b
--- /dev/null
+++ b/ramdump/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/ramdump u:object_r:ramdump_exec:s0
diff --git a/ramdump/ramdump.te b/ramdump/ramdump.te
new file mode 100644
index 0000000..d8f0335
--- /dev/null
+++ b/ramdump/ramdump.te
@@ -0,0 +1,39 @@
+type ramdump_exec, exec_type, vendor_file_type, file_type;
+type ramdump, domain;
+
+userdebug_or_eng(`
+ init_daemon_domain(ramdump)
+
+ set_prop(ramdump, vendor_ramdump_prop)
+
+ # f2fs set pin file requires sys_admin
+ allow ramdump self:capability { sys_admin sys_rawio };
+
+ allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
+ allow ramdump ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump proc_cmdline:file r_file_perms;
+
+ allow ramdump block_device:dir search;
+ allow ramdump misc_block_device:blk_file rw_file_perms;
+ allow ramdump userdata_block_device:blk_file rw_file_perms;
+
+ dontaudit ramdump metadata_file:dir search;
+
+ # read /fstab.${ro.hardware}
+ allow ramdump rootfs:file r_file_perms;
+
+ r_dir_file(ramdump, sysfs_type)
+
+ # To access statsd.
+ hwbinder_use(ramdump)
+ get_prop(ramdump, hwservicemanager_prop)
+ allow ramdump fwk_stats_hwservice:hwservice_manager find;
+ binder_call(ramdump, stats_service_server)
+
+ # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
+ allow ramdump fuse:filesystem relabelfrom;
+ allow ramdump fuse_device:chr_file rw_file_perms;
+ allow ramdump mnt_vendor_file:dir r_dir_perms;
+ allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
+ allow ramdump ramdump_vendor_mnt_file:filesystem { mount unmount relabelfrom relabelto };
+')
diff --git a/thermal/file.te b/thermal/file.te
new file mode 100644
index 0000000..5676e77
--- /dev/null
+++ b/thermal/file.te
@@ -0,0 +1 @@
+type thermal_link_device, dev_type;
diff --git a/thermal/file_contexts b/thermal/file_contexts
index e88d6f5..40e00a9 100644
--- a/thermal/file_contexts
+++ b/thermal/file_contexts
@@ -1,2 +1,4 @@
/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0
/vendor/bin/thermal_logd u:object_r:init-thermal-logging-sh_exec:s0
+/vendor/bin/thermal_symlinks u:object_r:init-thermal-symlinks-sh_exec:s0
+/dev/thermal(/.*)? u:object_r:thermal_link_device:s0
diff --git a/thermal/init-thermal-symlinks.sh.te b/thermal/init-thermal-symlinks.sh.te
new file mode 100644
index 0000000..b46605c
--- /dev/null
+++ b/thermal/init-thermal-symlinks.sh.te
@@ -0,0 +1,11 @@
+type init-thermal-symlinks-sh, domain;
+type init-thermal-symlinks-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-thermal-symlinks-sh)
+
+allow init-thermal-symlinks-sh vendor_toolbox_exec:file rx_file_perms;
+allow init-thermal-symlinks-sh thermal_link_device:dir rw_dir_perms;
+allow init-thermal-symlinks-sh thermal_link_device:lnk_file create_file_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:dir r_dir_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:file r_file_perms;
+set_prop(init-thermal-symlinks-sh, vendor_thermal_prop)
diff --git a/thermal/vendor_init.te b/thermal/vendor_init.te
new file mode 100644
index 0000000..3133b1e
--- /dev/null
+++ b/thermal/vendor_init.te
@@ -0,0 +1,2 @@
+allow vendor_init thermal_link_device:dir r_dir_perms;
+allow vendor_init thermal_link_device:lnk_file r_file_perms;
diff --git a/vibrator/common/file_contexts b/vibrator/common/file_contexts
index 8bdbb99..d1b1060 100644
--- a/vibrator/common/file_contexts
+++ b/vibrator/common/file_contexts
@@ -1 +1,2 @@
-/mnt/vendor/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
+/mnt/vendor/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
+/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
diff --git a/vibrator/common/property.te b/vibrator/common/property.te
new file mode 100644
index 0000000..45556ef
--- /dev/null
+++ b/vibrator/common/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_vibrator_prop)
diff --git a/vibrator/cs40l25/hal_vibrator_default.te b/vibrator/cs40l25/hal_vibrator_default.te
index 3c94625..e015251 100644
--- a/vibrator/cs40l25/hal_vibrator_default.te
+++ b/vibrator/cs40l25/hal_vibrator_default.te
@@ -3,3 +3,5 @@
allow hal_vibrator_default mnt_vendor_file:dir search;
allow hal_vibrator_default persist_file:dir search;
r_dir_file(hal_vibrator_default, persist_haptics_file)
+
+get_prop(hal_vibrator_default, vendor_vibrator_prop);
diff --git a/vibrator/cs40l25/property_contexts b/vibrator/cs40l25/property_contexts
new file mode 100644
index 0000000..64a2600
--- /dev/null
+++ b/vibrator/cs40l25/property_contexts
@@ -0,0 +1 @@
+ro.vendor.vibrator.hal. u:object_r:vendor_vibrator_prop:s0
diff --git a/vibrator/cs40l25/vendor_init.te b/vibrator/cs40l25/vendor_init.te
new file mode 100644
index 0000000..417a40c
--- /dev/null
+++ b/vibrator/cs40l25/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_vibrator_prop)
diff --git a/vibrator/drv2624/hal_vibrator_default.te b/vibrator/drv2624/hal_vibrator_default.te
new file mode 100644
index 0000000..e015251
--- /dev/null
+++ b/vibrator/drv2624/hal_vibrator_default.te
@@ -0,0 +1,7 @@
+allow hal_vibrator_default sysfs_leds:dir search;
+
+allow hal_vibrator_default mnt_vendor_file:dir search;
+allow hal_vibrator_default persist_file:dir search;
+r_dir_file(hal_vibrator_default, persist_haptics_file)
+
+get_prop(hal_vibrator_default, vendor_vibrator_prop);
diff --git a/vibrator/drv2624/property_contexts b/vibrator/drv2624/property_contexts
new file mode 100644
index 0000000..f008230
--- /dev/null
+++ b/vibrator/drv2624/property_contexts
@@ -0,0 +1 @@
+ro.vibrator.hal. u:object_r:vendor_vibrator_prop:s0
diff --git a/vibrator/drv2624/vendor_init.te b/vibrator/drv2624/vendor_init.te
new file mode 100644
index 0000000..417a40c
--- /dev/null
+++ b/vibrator/drv2624/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_vibrator_prop)
diff --git a/wifi_ext/file_contexts b/wifi_ext/file_contexts
new file mode 100644
index 0000000..acbd266
--- /dev/null
+++ b/wifi_ext/file_contexts
@@ -0,0 +1,3 @@
+# Wifi
+/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0
diff --git a/wifi_ext/hal_wifi_ext.te b/wifi_ext/hal_wifi_ext.te
new file mode 100644
index 0000000..091f211
--- /dev/null
+++ b/wifi_ext/hal_wifi_ext.te
@@ -0,0 +1,8 @@
+type hal_wifi_ext, domain;
+hal_server_domain(hal_wifi_ext, hal_wifi)
+
+type hal_wifi_ext_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_ext)
+
+# Allow to start the IWifi:wifi_ext service
+add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);
diff --git a/wifi_ext/hwservice.te b/wifi_ext/hwservice.te
new file mode 100644
index 0000000..1fe9148
--- /dev/null
+++ b/wifi_ext/hwservice.te
@@ -0,0 +1,2 @@
+# wifi_ext service
+type hal_wifi_ext_hwservice, hwservice_manager_type;
diff --git a/wifi_ext/hwservice_contexts b/wifi_ext/hwservice_contexts
new file mode 100644
index 0000000..e8de4ce
--- /dev/null
+++ b/wifi_ext/hwservice_contexts
@@ -0,0 +1,2 @@
+# Wifi
+vendor.google.wifi_ext::IWifiExt u:object_r:hal_wifi_ext_hwservice:s0