Add policies for new services.
Bug: 30989383
Bug: 34731101
Test: manual
Change-Id: Icf9d48568b505c6b788f2f5f456f2d709969fbeb
diff --git a/private/app.te b/private/app.te
index e87f8df..e0fb6f1 100644
--- a/private/app.te
+++ b/private/app.te
@@ -255,6 +255,12 @@
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };
+use_pdx({ appdomain -isolated_app -ephemeral_app }, surfaceflinger)
+use_pdx({ appdomain -isolated_app -ephemeral_app }, sensord)
+use_pdx({ appdomain -isolated_app -ephemeral_app }, performanced)
+# TODO: apps do not directly open the IPC socket for bufferhubd.
+use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
+
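Review bot: The `use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)` line at the end of the hunk grants exactly the access that the TODO above it says apps do not need directly; granting ahead of need widens the untrusted-app surface on bufferhubd and is harder to remove once apps depend on it. Either leave the bufferhubd line out until a caller actually needs it, or replace the TODO with a comment naming that caller, e.g. `# bufferhubd: opened directly by <client — TODO confirm>; remove once apps go through the library instead`. The same grant list also opens sensord and performanced to every non-isolated, non-ephemeral app; whether each of those daemons needs an app-facing endpoint cannot be judged from this hunk, so a one-line comment per service saying why apps talk to it would make the surface auditable.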
###
### CTS-specific rules
###
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
new file mode 100644
index 0000000..4fa77a5
--- /dev/null
+++ b/private/bufferhubd.te
@@ -0,0 +1 @@
+init_daemon_domain(bufferhubd)
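Review bot: This file only applies `init_daemon_domain(bufferhubd)`; the `type bufferhubd, domain;` and exec-type declarations, and any `pdx_server(bufferhubd)` grant matching the `use_pdx(..., bufferhubd)` clients added in app.te and surfaceflinger.te, are not in this patch, so presumably they live in public/, which is not shown. The same applies to performanced.te, sensord.te and virtual_touchpad.te. A one-line header such as `# bufferhubd: pdx server; type and pdx_server grant declared in public/bufferhubd.te (path assumed — confirm)` would let a reviewer find the declarations and verify that each use_pdx client actually has a matching server.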
diff --git a/private/file_contexts b/private/file_contexts
index 8584758..3378456 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -124,6 +124,7 @@
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
+/dev/socket/pdx(/.*)? u:object_r:pdx_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
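Review bot: The single label `pdx_socket` on `/dev/socket/pdx(/.*)?` gives every pdx server's socket the same file type, so at the file-label level any client granted pdx access for one service can reach the socket nodes of all of them; separation between services then rests entirely on what `use_pdx` grants per server domain, and that macro body is not visible here. If surfaceflinger, bufferhubd, performanced and sensord are meant to be reachable by different client sets, per-service sub-labels (a separate type for each `/dev/socket/pdx/<service>` subtree — paths constructed, confirm against the daemons) would let the policy express that and let a future neverallow pin it. The pattern also labels the `/dev/socket/pdx` directory itself, so whichever domain creates that directory presumably needs `dir` permissions on pdx_socket in addition to `sock_file`; worth checking the first boot denials with `Test: manual`.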
@@ -176,6 +177,9 @@
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
+/system/bin/performanced u:object_r:performanced_exec:s0
+/system/bin/sensord u:object_r:sensord_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
@@ -241,6 +245,7 @@
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
+/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
diff --git a/private/performanced.te b/private/performanced.te
new file mode 100644
index 0000000..9544f66
--- /dev/null
+++ b/private/performanced.te
@@ -0,0 +1 @@
+init_daemon_domain(performanced)
diff --git a/private/sensord.te b/private/sensord.te
new file mode 100644
index 0000000..ef03b09
--- /dev/null
+++ b/private/sensord.te
@@ -0,0 +1 @@
+init_daemon_domain(sensord)
diff --git a/private/service_contexts b/private/service_contexts
index 607d12b..3b01c0b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -152,6 +152,7 @@
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
vibrator u:object_r:vibrator_service:s0
+virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3cf6be3..a400913 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -83,6 +83,13 @@
allow surfaceflinger system_server:fd use;
allow surfaceflinger ion_device:chr_file r_file_perms;
+# pdx IPC
+pdx_server(surfaceflinger)
+
+use_pdx(surfaceflinger, bufferhubd)
+use_pdx(surfaceflinger, performanced)
+use_pdx(surfaceflinger, sensord)
+
###
### Neverallow rules
###
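Review bot: `pdx_server(surfaceflinger)` presumably lets surfaceflinger create sockets under the new `pdx_socket` label, but nothing in the patch restricts which domains may create such sockets, so a mislabelled or over-granted domain could offer a socket under the pdx tree that clients would trust. Since the `### Neverallow rules` section begins right after this hunk, consider pinning the server set there: `neverallow { domain -surfaceflinger -bufferhubd -performanced -sensord } pdx_socket:sock_file create;` (assumes these four are the only intended pdx servers — confirm against every pdx_server user, including any in public/). The `# pdx IPC` comment could also state both roles surfaceflinger takes, e.g. `# pdx IPC: surfaceflinger is itself a pdx server and a client of bufferhubd, performanced and sensord`.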
diff --git a/private/virtual_touchpad.te b/private/virtual_touchpad.te
new file mode 100644
index 0000000..ced556e
--- /dev/null
+++ b/private/virtual_touchpad.te
@@ -0,0 +1 @@
+init_daemon_domain(virtual_touchpad)