commit be3c07907380934667f76303c9a3c22737f39ebf
author Xin Li <delphij@google.com> Tue Sep 01 21:47:14 2020 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Tue Sep 01 21:47:14 2020 +0000
tree c829ed6d591e663f3d716d89e6a26c1eafd9f9ec
parent cf8883921f575dad6655e287386d7e0cee20101d
parent 23a6df9fa06f47528950016b740447da2e1416ff

[automerger skipped] Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709) am: 81566f806f -s ours am: 23a6df9fa0 -s ours

am skip reason: Change-Id I6447f0dc7fc7cba37bacc75bcb21d75aa5033ef1 with SHA-1 86d719e44c is in history

Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/google/pixel-sepolicy/+/12470243

Change-Id: If355782c36ab501510f21df4ad9f65605f68b6e6

common/init-insmod-sh.te

diff --git a/common/init-insmod-sh.te b/common/init-insmod-sh.te
index de1d408..16bc87c 100644
--- a/common/init-insmod-sh.te
+++ b/common/init-insmod-sh.te
@@ -8,6 +8,10 @@
 allow init-insmod-sh vendor_kernel_modules:system module_load;
 allow init-insmod-sh kernel:key search;
 
+# modprobe needs sys_nice and setsched for driver threads
+allow init-insmod-sh self:capability sys_nice;
+allow init-insmod-sh kernel:process setsched;
+
 # modprobe need proc_modules
 allow init-insmod-sh proc_modules:file r_file_perms;
 

flipendo/flipendo.te

diff --git a/flipendo/flipendo.te b/flipendo/flipendo.te
new file mode 100644
index 0000000..cdcffb2
--- /dev/null
+++ b/flipendo/flipendo.te
@@ -0,0 +1,17 @@
+type flipendo, domain, coredomain;
+
+app_domain(flipendo)
+
+# Access to Westworld logging service
+allow flipendo fwk_stats_hwservice:hwservice_manager find;
+binder_call(flipendo, stats_service_server)
+
+binder_call(flipendo, gpuservice)
+
+allow flipendo app_api_service:service_manager find;
+
+# Allows Flipendo to change app saturation
+allow flipendo color_display_service:service_manager find;
+
+# Access to PowerHal service
+hal_client_domain(flipendo, hal_power);

flipendo/seapp_contexts

diff --git a/flipendo/seapp_contexts b/flipendo/seapp_contexts
new file mode 100644
index 0000000..773a179
--- /dev/null
+++ b/flipendo/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for Flipendo
+user=_app seinfo=platform name=com.google.android.flipendo domain=flipendo type=app_data_file levelFrom=all
\ No newline at end of file

thermal/hal_thermal_default.te

diff --git a/thermal/hal_thermal_default.te b/thermal/hal_thermal_default.te
index 55073a9..846f07a 100644
--- a/thermal/hal_thermal_default.te
+++ b/thermal/hal_thermal_default.te
@@ -4,5 +4,7 @@
 
 allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+hal_client_domain(hal_thermal_default, hal_power);
+
 # read thermal_config
 get_prop(hal_thermal_default, vendor_thermal_prop)