Merge "ppp: Allow specific ioctls on mtp:socket."
diff --git a/Android.mk b/Android.mk
index 4b3e000..254acd0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -129,6 +129,8 @@
my_target_arch := mips
endif
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
+
##################################
# reqd_policy_mask - a policy.conf file which contains only the bare minimum
# policy necessary to use checkpolicy. This bare-minimum policy needs to be
diff --git a/private/app.te b/private/app.te
index 2eaa8e4..1b1f4ca 100644
--- a/private/app.te
+++ b/private/app.te
@@ -243,7 +243,8 @@
# TODO is write really necessary ?
auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
-allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
+# Allow app to access the graphic allocator HAL
+binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index b2369c1..9c7182e 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -58,6 +58,7 @@
hal_client_domain(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
+hal_client_domain(bluetooth, hal_telephony)
read_runtime_log_tags(bluetooth)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5f7549d..0aff9f5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -10,8 +10,11 @@
# Perform HwBinder IPC.
hwbinder_use(surfaceflinger)
binder_call(surfaceflinger, hal_graphics_allocator)
+hal_client_domain(surfaceflinger, hal_graphics_allocator)
binder_call(surfaceflinger, hal_graphics_composer)
+hal_client_domain(surfaceflinger, hal_graphics_composer)
binder_call(surfaceflinger, hal_configstore)
+hal_client_domain(surfaceflinger, hal_configstore)
# Perform Binder IPC.
binder_use(surfaceflinger)
diff --git a/private/system_server.te b/private/system_server.te
index 516ace4..58a25e2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -176,18 +176,28 @@
hwallocator_use(system_server)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_fingerprint)
binder_call(system_server, hal_gnss)
+hal_client_domain(system_server, hal_gnss)
binder_call(system_server, hal_graphics_allocator)
binder_call(system_server, hal_ir)
+hal_client_domain(system_server, hal_ir)
binder_call(system_server, hal_light)
+hal_client_domain(system_server, hal_light)
binder_call(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_memtrack)
binder_call(system_server, hal_power)
+hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_sensors)
binder_call(system_server, hal_thermal)
+hal_client_domain(system_server, hal_thermal)
binder_call(system_server, hal_usb)
+hal_client_domain(system_server, hal_usb)
binder_call(system_server, hal_vibrator)
+hal_client_domain(system_server, hal_vibrator)
binder_call(system_server, hal_vr)
+hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_supplicant)
diff --git a/public/attributes b/public/attributes
index d26f7ee..a0c1f93 100644
--- a/public/attributes
+++ b/public/attributes
@@ -136,7 +136,11 @@
attribute hal_camera_client;
attribute hal_camera_server;
attribute hal_configstore;
+attribute hal_configstore_client;
+attribute hal_configstore_server;
attribute hal_contexthub;
+attribute hal_contexthub_client;
+attribute hal_contexthub_server;
attribute hal_drm;
attribute hal_drm_client;
attribute hal_drm_server;
@@ -147,26 +151,56 @@
attribute hal_fingerprint_client;
attribute hal_fingerprint_server;
attribute hal_gatekeeper;
+attribute hal_gatekeeper_client;
+attribute hal_gatekeeper_server;
attribute hal_gnss;
+attribute hal_gnss_client;
+attribute hal_gnss_server;
attribute hal_graphics_allocator;
+attribute hal_graphics_allocator_client;
+attribute hal_graphics_allocator_server;
attribute hal_graphics_composer;
+attribute hal_graphics_composer_client;
+attribute hal_graphics_composer_server;
attribute hal_health;
+attribute hal_health_client;
+attribute hal_health_server;
attribute hal_ir;
+attribute hal_ir_client;
+attribute hal_ir_server;
attribute hal_keymaster;
attribute hal_keymaster_client;
attribute hal_keymaster_server;
attribute hal_light;
+attribute hal_light_client;
+attribute hal_light_server;
attribute hal_memtrack;
+attribute hal_memtrack_client;
+attribute hal_memtrack_server;
attribute hal_nfc;
+attribute hal_nfc_client;
+attribute hal_nfc_server;
attribute hal_power;
+attribute hal_power_client;
+attribute hal_power_server;
attribute hal_sensors;
attribute hal_sensors_client;
attribute hal_sensors_server;
attribute hal_telephony;
+attribute hal_telephony_client;
+attribute hal_telephony_server;
attribute hal_thermal;
+attribute hal_thermal_client;
+attribute hal_thermal_server;
attribute hal_usb;
+attribute hal_usb_client;
+attribute hal_usb_server;
attribute hal_vibrator;
+attribute hal_vibrator_client;
+attribute hal_vibrator_server;
attribute hal_vr;
+attribute hal_vr_client;
+attribute hal_vr_server;
attribute hal_wifi;
attribute hal_wifi_client;
attribute hal_wifi_server;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index e547296..6421d93 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -24,7 +24,7 @@
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
-allow dex2oat app_data_file:file { getattr read write };
+allow dex2oat app_data_file:file { getattr read write lock };
##################
# A/B OTA Dexopt #
@@ -34,6 +34,7 @@
allow dex2oat postinstall_dexopt:fd use;
allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:lnk_file read;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 80161de..8e645b9 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -91,6 +91,7 @@
# For binderized mode:
hal_client_domain(dumpstate, hal_dumpstate)
binder_call(dumpstate, hal_vibrator)
+hal_client_domain(dumpstate, hal_vibrator)
# For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 94fb2b9..abecbda 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -16,6 +16,7 @@
### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
### These rules should eventually be granted only when needed.
hwbinder_use(gatekeeperd)
+hal_client_domain(gatekeeperd, hal_gatekeeper)
###
# need to find KeyStore and add self
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index a17dbcd..c428eba 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,4 +1,6 @@
# call into gatekeeperd process (callbacks)
+# TODO: This rules is unlikely to be needed because Gatekeeper HIDL
+# says there are no callbacks
binder_call(hal_gatekeeper, gatekeeperd)
# TEE access.
diff --git a/public/healthd.te b/public/healthd.te
index 2f26b9e..8737dbe 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -26,6 +26,7 @@
binder_call(healthd, system_server)
binder_call(healthd, hwservicemanager)
binder_call(healthd, hal_health)
+hal_client_domain(healthd, hal_health)
# Write to state file.
# TODO: Split into a separate type?
diff --git a/public/nfc.te b/public/nfc.te
index 866180b..cb6a781 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -38,3 +38,4 @@
# allow NFC process to call into the NFC HAL
binder_call(nfc, hal_nfc)
+hal_client_domain(nfc, hal_nfc)
diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te
index 5745ba7..5f037c5 100644
--- a/public/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -10,7 +10,7 @@
# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
# the directory afterwards. For logging of aggregate size, we need getattr.
allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:file { getattr };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
# Delete old content of the dalvik-cache.
allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 5fdc510..76001f7 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -8,6 +8,7 @@
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:lnk_file read;
allow postinstall_dexopt proc:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
diff --git a/public/profman.te b/public/profman.te
index ff81540..a5c18b5 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -14,6 +14,11 @@
allow profman installd:fd use;
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman app_data_file:file { getattr read write lock };
+
###
### neverallow rules
###
diff --git a/public/radio.te b/public/radio.te
index 953b59c..a896659 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -37,4 +37,4 @@
# Perform HwBinder IPC.
hwbinder_use(radio)
binder_call(radio, hal_telephony)
-
+hal_client_domain(radio, hal_telephony)
diff --git a/public/rild.te b/public/rild.te
index fd1ecca..e4b0186 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -1,6 +1,6 @@
# rild - radio interface layer daemon
type rild, domain, domain_deprecated;
-hal_impl_domain(rild, hal_telephony)
+hal_server_domain(rild, hal_telephony)
net_domain(rild)
allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
diff --git a/vendor/hal_configstore_default.te b/vendor/hal_configstore_default.te
index b3ca6c2..e8930ca 100644
--- a/vendor/hal_configstore_default.te
+++ b/vendor/hal_configstore_default.te
@@ -1,5 +1,5 @@
type hal_configstore_default, domain;
-hal_impl_domain(hal_configstore_default, hal_configstore)
+hal_server_domain(hal_configstore_default, hal_configstore)
type hal_configstore_default_exec, exec_type, file_type;
init_daemon_domain(hal_configstore_default)
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
index abf5b0e..67dd530 100644
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
@@ -1,5 +1,5 @@
type hal_contexthub_default, domain;
-hal_impl_domain(hal_contexthub_default, hal_contexthub)
+hal_server_domain(hal_contexthub_default, hal_contexthub)
type hal_contexthub_default_exec, exec_type, file_type;
init_daemon_domain(hal_contexthub_default)
diff --git a/vendor/hal_gatekeeper_default.te b/vendor/hal_gatekeeper_default.te
index 3c84b13..d48af16 100644
--- a/vendor/hal_gatekeeper_default.te
+++ b/vendor/hal_gatekeeper_default.te
@@ -1,5 +1,5 @@
type hal_gatekeeper_default, domain;
-hal_impl_domain(hal_gatekeeper_default, hal_gatekeeper)
+hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)
type hal_gatekeeper_default_exec, exec_type, file_type;
init_daemon_domain(hal_gatekeeper_default);
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
index 78f85bc..18da090 100644
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@@ -1,5 +1,5 @@
type hal_gnss_default, domain;
-hal_impl_domain(hal_gnss_default, hal_gnss)
+hal_server_domain(hal_gnss_default, hal_gnss)
type hal_gnss_default_exec, exec_type, file_type;
init_daemon_domain(hal_gnss_default)
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index 6b3672c..f47a604 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,5 +1,5 @@
type hal_graphics_allocator_default, domain;
-hal_impl_domain(hal_graphics_allocator_default, hal_graphics_allocator)
+hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
type hal_graphics_allocator_default_exec, exec_type, file_type;
init_daemon_domain(hal_graphics_allocator_default)
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 99bf690..b65b8fe 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -1,5 +1,5 @@
type hal_graphics_composer_default, domain;
-hal_impl_domain(hal_graphics_composer_default, hal_graphics_composer)
+hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
type hal_graphics_composer_default_exec, exec_type, file_type;
init_daemon_domain(hal_graphics_composer_default)
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index 0496cdf..3add20b 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -1,6 +1,6 @@
# health info abstraction
type hal_health_default, domain;
-hal_impl_domain(hal_health_default, hal_health)
+hal_server_domain(hal_health_default, hal_health)
type hal_health_default_exec, exec_type, file_type;
init_daemon_domain(hal_health_default)
diff --git a/vendor/hal_ir_default.te b/vendor/hal_ir_default.te
index 2de1b92..e43bf07 100644
--- a/vendor/hal_ir_default.te
+++ b/vendor/hal_ir_default.te
@@ -1,5 +1,5 @@
type hal_ir_default, domain;
-hal_impl_domain(hal_ir_default, hal_ir)
+hal_server_domain(hal_ir_default, hal_ir)
type hal_ir_default_exec, exec_type, file_type;
init_daemon_domain(hal_ir_default)
diff --git a/vendor/hal_light_default.te b/vendor/hal_light_default.te
index bee7c8a..8c1bfb6 100644
--- a/vendor/hal_light_default.te
+++ b/vendor/hal_light_default.te
@@ -1,5 +1,5 @@
type hal_light_default, domain;
-hal_impl_domain(hal_light_default, hal_light)
+hal_server_domain(hal_light_default, hal_light)
type hal_light_default_exec, exec_type, file_type;
init_daemon_domain(hal_light_default)
diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te
index 1c5ca99..0e3ba21 100644
--- a/vendor/hal_memtrack_default.te
+++ b/vendor/hal_memtrack_default.te
@@ -1,5 +1,5 @@
type hal_memtrack_default, domain;
-hal_impl_domain(hal_memtrack_default, hal_memtrack)
+hal_server_domain(hal_memtrack_default, hal_memtrack)
type hal_memtrack_default_exec, exec_type, file_type;
init_daemon_domain(hal_memtrack_default)
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index b6abb19..b155f27 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -1,5 +1,5 @@
type hal_nfc_default, domain;
-hal_impl_domain(hal_nfc_default, hal_nfc)
+hal_server_domain(hal_nfc_default, hal_nfc)
type hal_nfc_default_exec, exec_type, file_type;
init_daemon_domain(hal_nfc_default)
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
index c8977ee..47065ea 100644
--- a/vendor/hal_power_default.te
+++ b/vendor/hal_power_default.te
@@ -1,5 +1,5 @@
type hal_power_default, domain;
-hal_impl_domain(hal_power_default, hal_power)
+hal_server_domain(hal_power_default, hal_power)
type hal_power_default_exec, exec_type, file_type;
init_daemon_domain(hal_power_default)
diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te
index baa3b97..9a777e0 100644
--- a/vendor/hal_thermal_default.te
+++ b/vendor/hal_thermal_default.te
@@ -1,5 +1,5 @@
type hal_thermal_default, domain;
-hal_impl_domain(hal_thermal_default, hal_thermal)
+hal_server_domain(hal_thermal_default, hal_thermal)
type hal_thermal_default_exec, exec_type, file_type;
init_daemon_domain(hal_thermal_default)
diff --git a/vendor/hal_usb_default.te b/vendor/hal_usb_default.te
index 24017f9..cc28a65 100644
--- a/vendor/hal_usb_default.te
+++ b/vendor/hal_usb_default.te
@@ -1,4 +1,5 @@
type hal_usb_default, domain;
-hal_impl_domain(hal_usb_default, hal_usb)
+hal_server_domain(hal_usb_default, hal_usb)
+
type hal_usb_default_exec, exec_type, file_type;
init_daemon_domain(hal_usb_default)
diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
index c185e08..8bc8a72 100644
--- a/vendor/hal_vibrator_default.te
+++ b/vendor/hal_vibrator_default.te
@@ -1,5 +1,5 @@
type hal_vibrator_default, domain;
-hal_impl_domain(hal_vibrator_default, hal_vibrator)
+hal_server_domain(hal_vibrator_default, hal_vibrator)
type hal_vibrator_default_exec, exec_type, file_type;
init_daemon_domain(hal_vibrator_default)
diff --git a/vendor/hal_vr_default.te b/vendor/hal_vr_default.te
index f32c737..7475524 100644
--- a/vendor/hal_vr_default.te
+++ b/vendor/hal_vr_default.te
@@ -1,5 +1,5 @@
type hal_vr_default, domain;
-hal_impl_domain(hal_vr_default, hal_vr)
+hal_server_domain(hal_vr_default, hal_vr)
type hal_vr_default_exec, exec_type, file_type;
init_daemon_domain(hal_vr_default)