[automerger skipped] Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709) am: 81566f806f -s ours am: 23a6df9fa0 -s ours am: be3c079073 -s ours am: 38002c3cee -s ours
am skip reason: Change-Id I6447f0dc7fc7cba37bacc75bcb21d75aa5033ef1 with SHA-1 86d719e44c is in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/google/pixel-sepolicy/+/12470243
Change-Id: I13ebcb192dff2a98c3bd320a3a8d15cd86ed8a63
diff --git a/citadel/citadeld.te b/citadel/citadeld.te
index a1b7a6d..266dee2 100644
--- a/citadel/citadeld.te
+++ b/citadel/citadeld.te
@@ -9,6 +9,7 @@
init_daemon_domain(citadeld)
binder_call(citadeld, hal_power_stats_default)
+allow citadeld hal_power_stats_vendor_service:service_manager find;
# Let citadeld find and use statsd.
hwbinder_use(citadeld)
diff --git a/citadel/file_contexts b/citadel/file_contexts
index d749e46..fd80454 100644
--- a/citadel/file_contexts
+++ b/citadel/file_contexts
@@ -4,6 +4,7 @@
/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
diff --git a/citadel/hal_identity_citadel.te b/citadel/hal_identity_citadel.te
new file mode 100644
index 0000000..e29310c
--- /dev/null
+++ b/citadel/hal_identity_citadel.te
@@ -0,0 +1,9 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_identity_citadel)
+binder_call(hal_identity_citadel, citadeld)
+allow hal_identity_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_identity_citadel, hal_identity)
+init_daemon_domain(hal_identity_citadel)
diff --git a/citadel/vndservice.te b/citadel/vndservice.te
index 880c09c..a756bce 100644
--- a/citadel/vndservice.te
+++ b/citadel/vndservice.te
@@ -1 +1,2 @@
type citadeld_service, vndservice_manager_type;
+type hal_power_stats_vendor_service, vndservice_manager_type;
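Review bot: `hal_power_stats_vendor_service` is declared here under citadel/, yet powerstats/hal_power_stats_default.te in this same change passes it to `add_service(...)`. A device that builds powerstats/ without citadel/ would presumably fail policy compilation on an undefined type. The matching `power.stats-vendor` entry in citadel/vndservice_contexts has the same placement. Consider moving the type and its context line next to the powerstats policy, or add a comment such as `# declared under citadel/ because citadeld is the only client` if the coupling is intentional.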
diff --git a/citadel/vndservice_contexts b/citadel/vndservice_contexts
index b4df996..2e1be43 100644
--- a/citadel/vndservice_contexts
+++ b/citadel/vndservice_contexts
@@ -1 +1,2 @@
android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
+power.stats-vendor u:object_r:hal_power_stats_vendor_service:s0
diff --git a/common/file_contexts b/common/file_contexts
index e86fd9f..53c8dca 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -7,3 +7,5 @@
/vendor/bin/awk u:object_r:vendor_toolbox_exec:s0
/vendor/bin/cp u:object_r:vendor_toolbox_exec:s0
/vendor/bin/toolbox_vendor u:object_r:vendor_toolbox_exec:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.powerstats-service\.pixel u:object_r:hal_power_stats_default_exec:s0
diff --git a/powerstats/hal_power_stats_default.te b/powerstats/hal_power_stats_default.te
new file mode 100644
index 0000000..7e00470
--- /dev/null
+++ b/powerstats/hal_power_stats_default.te
@@ -0,0 +1,5 @@
+add_service(hal_power_stats_default, hal_power_stats_vendor_service)
+
+vndbinder_use(hal_power_stats)
+add_service(hal_power_stats_server, hal_power_stats_service)
+
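Review bot: `vndbinder_use(hal_power_stats)` grants vndbinder to the whole `hal_power_stats` attribute, while the line above targets `hal_power_stats_default` and the line below targets `hal_power_stats_server`. Only the domain that registers `hal_power_stats_vendor_service` needs vndbinder, so `vndbinder_use(hal_power_stats_default)` would keep the grant on that one domain. A one-line comment saying the vendor service exists for citadeld (per the `find` rule added in citadel/citadeld.te) would also help. The trailing blank line at the end of the new file can be dropped.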
diff --git a/ramdump/bug_map b/ramdump/bug_map
new file mode 100644
index 0000000..27412d8
--- /dev/null
+++ b/ramdump/bug_map
@@ -0,0 +1,2 @@
+ramdump vendor_hw_plat_prop file 161103878
+ramdump public_vendor_default_prop file 161103878
diff --git a/ramdump/common/file.te b/ramdump/common/file.te
new file mode 100644
index 0000000..e1382df
--- /dev/null
+++ b/ramdump/common/file.te
@@ -0,0 +1,2 @@
+type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
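Review bot: Both ramdump types carry `mlstrustedobject` with no stated reason, which exempts them from MLS level checks, and their names suggest these paths hold memory dumps. If the attribute is needed only so the FUSE mount under /mnt/vendor/ramdump can be reached from domains at other levels (an inference, to be confirmed), drop it from `ramdump_vendor_data_file`. Either way, add a comment such as `# mlstrustedobject: <which reader requires it>` on each line that keeps it.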
diff --git a/ramdump/common/file_contexts b/ramdump/common/file_contexts
new file mode 100644
index 0000000..c0c087f
--- /dev/null
+++ b/ramdump/common/file_contexts
@@ -0,0 +1,2 @@
+/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
+/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
diff --git a/ramdump/common/property.te b/ramdump/common/property.te
new file mode 100644
index 0000000..1409a3d
--- /dev/null
+++ b/ramdump/common/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_ramdump_prop)
diff --git a/ramdump/common/property_contexts b/ramdump/common/property_contexts
new file mode 100644
index 0000000..25749fa
--- /dev/null
+++ b/ramdump/common/property_contexts
@@ -0,0 +1,2 @@
+ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
+vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
diff --git a/ramdump/file.te b/ramdump/file.te
new file mode 100644
index 0000000..3fa2b2f
--- /dev/null
+++ b/ramdump/file.te
@@ -0,0 +1 @@
+allow ramdump_vendor_mnt_file self:filesystem associate;
diff --git a/ramdump/file_contexts b/ramdump/file_contexts
new file mode 100644
index 0000000..590e61b
--- /dev/null
+++ b/ramdump/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/ramdump u:object_r:ramdump_exec:s0
diff --git a/ramdump/ramdump.te b/ramdump/ramdump.te
new file mode 100644
index 0000000..d8f0335
--- /dev/null
+++ b/ramdump/ramdump.te
@@ -0,0 +1,39 @@
+type ramdump_exec, exec_type, vendor_file_type, file_type;
+type ramdump, domain;
+
+userdebug_or_eng(`
+ init_daemon_domain(ramdump)
+
+ set_prop(ramdump, vendor_ramdump_prop)
+
+ # f2fs set pin file requires sys_admin
+ allow ramdump self:capability { sys_admin sys_rawio };
+
+ allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
+ allow ramdump ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump proc_cmdline:file r_file_perms;
+
+ allow ramdump block_device:dir search;
+ allow ramdump misc_block_device:blk_file rw_file_perms;
+ allow ramdump userdata_block_device:blk_file rw_file_perms;
+
+ dontaudit ramdump metadata_file:dir search;
+
+ # read /fstab.${ro.hardware}
+ allow ramdump rootfs:file r_file_perms;
+
+ r_dir_file(ramdump, sysfs_type)
+
+ # To access statsd.
+ hwbinder_use(ramdump)
+ get_prop(ramdump, hwservicemanager_prop)
+ allow ramdump fwk_stats_hwservice:hwservice_manager find;
+ binder_call(ramdump, stats_service_server)
+
+ # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
+ allow ramdump fuse:filesystem relabelfrom;
+ allow ramdump fuse_device:chr_file rw_file_perms;
+ allow ramdump mnt_vendor_file:dir r_dir_perms;
+ allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
+ allow ramdump ramdump_vendor_mnt_file:filesystem { mount unmount relabelfrom relabelto };
+')
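Review bot: The comment above the capability rule justifies only `sys_admin`; `sys_rawio` and the `rw_file_perms` on `userdata_block_device` and `misc_block_device` have no stated reason. Together they give this domain raw write access to the user data partition. Everything sits inside `userdebug_or_eng`, so user builds are unaffected, but each grant should still say why, e.g. `# sys_rawio: <operation that needs it>`, and drop to `r_file_perms` wherever the daemon only reads. `r_dir_file(ramdump, sysfs_type)` likewise opens every sysfs label; listing the specific sysfs types ramdump reads would be tighter.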
diff --git a/vibrator/common/file_contexts b/vibrator/common/file_contexts
index 8bdbb99..d1b1060 100644
--- a/vibrator/common/file_contexts
+++ b/vibrator/common/file_contexts
@@ -1 +1,2 @@
-/mnt/vendor/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
+/mnt/vendor/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
+/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
diff --git a/vibrator/common/property.te b/vibrator/common/property.te
new file mode 100644
index 0000000..45556ef
--- /dev/null
+++ b/vibrator/common/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_vibrator_prop)
diff --git a/vibrator/drv2624/hal_vibrator_default.te b/vibrator/drv2624/hal_vibrator_default.te
new file mode 100644
index 0000000..e015251
--- /dev/null
+++ b/vibrator/drv2624/hal_vibrator_default.te
@@ -0,0 +1,7 @@
+allow hal_vibrator_default sysfs_leds:dir search;
+
+allow hal_vibrator_default mnt_vendor_file:dir search;
+allow hal_vibrator_default persist_file:dir search;
+r_dir_file(hal_vibrator_default, persist_haptics_file)
+
+get_prop(hal_vibrator_default, vendor_vibrator_prop);
diff --git a/vibrator/drv2624/property_contexts b/vibrator/drv2624/property_contexts
new file mode 100644
index 0000000..f008230
--- /dev/null
+++ b/vibrator/drv2624/property_contexts
@@ -0,0 +1 @@
+ro.vibrator.hal. u:object_r:vendor_vibrator_prop:s0
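Review bot: `ro.vibrator.hal.` is labelled with a `vendor_internal_prop` type but is not in a vendor namespace (`ro.vendor.` or `vendor.`). Treble property-namespace checks on newer launch API levels may reject that, and it leaves a platform-looking prefix owned by vendor policy. If the HAL and init scripts can change, `ro.vendor.vibrator.hal.` would be the conventional name; otherwise add a comment saying why the legacy name is kept. The entry is a prefix match, so `set_prop(vendor_init, vendor_vibrator_prop)` in vibrator/drv2624/vendor_init.te lets `vendor_init` set every key under it.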
diff --git a/vibrator/drv2624/vendor_init.te b/vibrator/drv2624/vendor_init.te
new file mode 100644
index 0000000..417a40c
--- /dev/null
+++ b/vibrator/drv2624/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_vibrator_prop)
diff --git a/wifi_ext/file_contexts b/wifi_ext/file_contexts
new file mode 100644
index 0000000..acbd266
--- /dev/null
+++ b/wifi_ext/file_contexts
@@ -0,0 +1,3 @@
+# Wifi
+/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0
+/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0
diff --git a/wifi_ext/hal_wifi_ext.te b/wifi_ext/hal_wifi_ext.te
new file mode 100644
index 0000000..091f211
--- /dev/null
+++ b/wifi_ext/hal_wifi_ext.te
@@ -0,0 +1,8 @@
+type hal_wifi_ext, domain;
+hal_server_domain(hal_wifi_ext, hal_wifi)
+
+type hal_wifi_ext_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_ext)
+
+# Allow to start the IWifi:wifi_ext service
+add_hwservice(hal_wifi_ext, hal_wifi_ext_hwservice);
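Review bot: The comment `# Allow to start the IWifi:wifi_ext service` does not match the interface this change registers in wifi_ext/hwservice_contexts, `vendor.google.wifi_ext::IWifiExt`. Suggested wording: `# Allow hal_wifi_ext to register vendor.google.wifi_ext::IWifiExt with hwservicemanager`. No rule visible in this change lets a client `find` `hal_wifi_ext_hwservice`, so unless that is granted elsewhere the service would be registered but unreachable. The trailing `;` after `add_hwservice(...)` is unnecessary after a macro call.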
diff --git a/wifi_ext/hwservice.te b/wifi_ext/hwservice.te
new file mode 100644
index 0000000..1fe9148
--- /dev/null
+++ b/wifi_ext/hwservice.te
@@ -0,0 +1,2 @@
+# wifi_ext service
+type hal_wifi_ext_hwservice, hwservice_manager_type;
diff --git a/wifi_ext/hwservice_contexts b/wifi_ext/hwservice_contexts
new file mode 100644
index 0000000..e8de4ce
--- /dev/null
+++ b/wifi_ext/hwservice_contexts
@@ -0,0 +1,2 @@
+# Wifi
+vendor.google.wifi_ext::IWifiExt u:object_r:hal_wifi_ext_hwservice:s0