Merge "[NAN-AWARE] Remove NAN service"
diff --git a/private/file_contexts b/private/file_contexts
index 241cccd..61126eb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -223,7 +223,9 @@
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_exec:s0
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_exec:s0
+/system/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_exec:s0
/system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_exec:s0
+/system/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_exec:s0
/system/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_exec:s0
/system/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_exec:s0
/system/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_exec:s0
diff --git a/private/hal_memtrack.te b/private/hal_memtrack.te
new file mode 100644
index 0000000..89c7b8e
--- /dev/null
+++ b/private/hal_memtrack.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(hal_memtrack)
diff --git a/private/hal_power.te b/private/hal_power.te
new file mode 100644
index 0000000..a564d40
--- /dev/null
+++ b/private/hal_power.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(hal_power)
diff --git a/public/domain.te b/public/domain.te
index bbf4d68..68e81ed 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -175,7 +175,7 @@
###
# All socket ioctls must be restricted to a whitelist.
-neverallowxperm domain domain:socket_class_set ioctl { 0 };
+neverallowxperm { domain -system_server } domain:socket_class_set ioctl { 0 };
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
new file mode 100644
index 0000000..07c1292
--- /dev/null
+++ b/public/hal_memtrack.te
@@ -0,0 +1,6 @@
+# memtrack subsystem
+type hal_memtrack, domain;
+type hal_memtrack_exec, exec_type, file_type;
+
+# hwbinder access
+hwbinder_use(hal_memtrack);
diff --git a/public/hal_power.te b/public/hal_power.te
new file mode 100644
index 0000000..26fec3b
--- /dev/null
+++ b/public/hal_power.te
@@ -0,0 +1,6 @@
+# power subsystem
+type hal_power, domain;
+type hal_power_exec, exec_type, file_type;
+
+# hwbinder access
+hwbinder_use(hal_power);
diff --git a/public/system_server.te b/public/system_server.te
index a728c15..924a6d3 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -81,7 +81,7 @@
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# whitelisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
+allow system_server self:socket create_socket_perms;
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
@@ -149,6 +149,8 @@
binder_use(system_server)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_light)
+binder_call(system_server, hal_memtrack)
+binder_call(system_server, hal_power)
binder_call(system_server, hal_vibrator)
binder_call(system_server, hal_vr)
binder_call(system_server, binderservicedomain)