commit 0fa3fb0257b7535127a45b58a273336d132111bf
author Jeff Sharkey <jsharkey@android.com> Wed Sep 06 11:17:32 2017 -0600
committer Jeff Sharkey <jsharkey@android.com> Wed Sep 06 16:16:20 2017 -0600
tree f45e56079a44c36b7d1affc490df746c36f5cc53
parent 2075d32edf5f3a3eeb633be75b9d4959136858eb

Start paving the way for vold calls over Binder.

This change is the bare minimum needed to publish a new vold
Binder service and move the simple "reset" call over to go through
the new interface.

The new rules here are mirrored on the existing installd rules, but
with a handful of neverallow rules relaxed due to funky interactions
with hal_client_domain().

Test: builds, boots
Bug: 13758960
Change-Id: Ia9522ea7a68698cb0edce7879abfbf22b9d67c76

private/compat/26.0/26.0.ignore.cil

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9d5ce54..e2b5825 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -28,7 +28,8 @@
     thermalserviced_exec
     thermalserviced_tmpfs
     timezone_service
-    tombstoned_java_trace_socket))
+    tombstoned_java_trace_socket
+    vold_service))
 
 ;; private_objects - a collection of types that were labeled differently in
 ;;     older policy, but that should not remain accessible to vendor policy.

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index d967bd2..215174f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -160,6 +160,7 @@
 vibrator                                  u:object_r:vibrator_service:s0
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
+vold                                      u:object_r:vold_service:s0
 vr_hwc                                    u:object_r:vr_hwc_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index c6fcf8e..9d2ee28 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -58,7 +58,15 @@
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow system_app {
+  service_manager_type
+  -dumpstate_service
+  -installd_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 
 allow system_app keystore:keystore_key {
     get_state

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 1bf28b6..109587e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -178,6 +178,7 @@
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
+binder_call(system_server, vold)
 binder_call(system_server, wificond)
 binder_service(system_server)
 
@@ -574,6 +575,7 @@
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
+allow system_server vold_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 
 allow system_server keystore:keystore_key {