Merge "Move goldfish-specific rules to their own directory."
diff --git a/file.te b/file.te
index 24420e9..51684f3 100644
--- a/file.te
+++ b/file.te
@@ -49,6 +49,7 @@
 # /data/gps
 type gps_data_file, file_type, data_file_type;
 # /data/misc subdirectories
+type audio_firmware_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 89a8cf7..83226ae 100644
--- a/file_contexts
+++ b/file_contexts
@@ -114,8 +114,6 @@
 # System files
 #
 /system(/.*)?		u:object_r:system_file:s0
-/system/bin/ash		u:object_r:shell_exec:s0
-/system/bin/mksh	u:object_r:shell_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/app_process	u:object_r:zygote_exec:s0
@@ -168,6 +166,7 @@
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 # Misc data
+/data/misc/audio(/.*)?          u:object_r:audio_firmware_file:s0
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/keystore(/.*)?	u:object_r:keystore_data_file:s0
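Review bot: The new `/data/misc/audio(/.*)?` entry is aligned with spaces where every neighbouring entry uses tabs; use a tab separator to match the file. A file_contexts entry only takes effect when the path is labeled, so a `/data/misc/audio` directory that already exists on a device presumably keeps its old label until something runs restorecon on it. It is worth confirming that the init script or an upgrade step relabels it, otherwise the `audio_firmware_file` rules will not match existing files.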
diff --git a/healthd.te b/healthd.te
index 2241f23..53e6e8e 100644
--- a/healthd.te
+++ b/healthd.te
@@ -4,8 +4,15 @@
 type healthd_exec, exec_type, file_type;
 
 init_daemon_domain(healthd)
-unconfined_domain(healthd)
-allow healthd rootfs:file entrypoint;
+allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
 
+allow healthd self:capability { net_admin mknod };
+allow healthd self:capability2 block_suspend;
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
+binder_use(healthd)
+binder_call(healthd, system_server)
 
+# Workaround for 0x10 / block_suspend capability2 denials.
+# Requires a kernel patch to fix properly.
+permissive healthd;
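Review bot: `permissive healthd;` on the last line puts the whole domain in non-enforcing mode, so the allow rules added above are not enforced and any other access by healthd is logged rather than blocked. The commit removes `unconfined_domain(healthd)`, but the practical confinement gain is only audit visibility until this line goes away. The comment should say so and carry a removal condition, for example `# TODO(<tracking-bug>): drop once the kernel fix for block_suspend lands; healthd is NOT enforced until then.` The `net_admin` and `mknod` capabilities would also benefit from a one-line comment each on what healthd needs them for, so they can be re-checked when the domain goes enforcing.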
diff --git a/mediaserver.te b/mediaserver.te
index 1a065b0..6904f82 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -49,6 +49,10 @@
 allow mediaserver camera_calibration_file:dir r_dir_perms;
 allow mediaserver camera_calibration_file:file r_file_perms;
 
+# Grant access to audio firmware files to mediaserver
+allow mediaserver audio_firmware_file:dir ra_dir_perms;
+allow mediaserver audio_firmware_file:file create_file_perms;
+
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
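Review bot: `create_file_perms` together with `ra_dir_perms` lets mediaserver create and modify files under `audio_firmware_file`, and mediaserver is a domain that parses untrusted media. If these files are later loaded as firmware, a compromised mediaserver could tamper with them. The comment only says "Grant access" and does not say why write access is needed. If mediaserver only reads them, `r_dir_perms` and `r_file_perms` (as used for `camera_calibration_file` just above) would be the tighter grant. If it really does write them, state that in the comment and name which component consumes the files.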
diff --git a/system_server.te b/system_server.te
index 53b98ee..1ffa34d 100644
--- a/system_server.te
+++ b/system_server.te
@@ -89,6 +89,7 @@
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
+binder_call(system_server, healthd)
 binder_service(system_server)
 
 # Read /proc/pid files for Binder clients.