Merge "Create surfaceflinger_prop and migrate props"
diff --git a/private/app.te b/private/app.te
index 5590ca5..a03bcb0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -19,6 +19,8 @@
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
+# Apps should not be reading vendor-defined properties.
+dontaudit appdomain vendor_default_prop:file read;
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 69dd7e6..20d50cc 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -3,6 +3,5 @@
init_daemon_domain(blank_screen)
+# hal_light_client has access to hal_light_server
hal_client_domain(blank_screen, hal_light)
-
-allow blank_screen hal_light_service:service_manager find;
diff --git a/private/bootanim.te b/private/bootanim.te
index fd95e41..41c9179 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -5,5 +5,8 @@
# b/68864350
dontaudit bootanim unlabeled:dir search;
+# Bootanim should not be reading default vendor-defined properties.
+dontaudit bootanim vendor_default_prop:file read;
+
# Read ro.boot.bootreason b/30654343
get_prop(bootanim, bootloader_boot_reason_prop)
diff --git a/private/bug_map b/private/bug_map
index 60c2f15..43a77aa 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -23,6 +23,7 @@
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 7e6eaed..373889c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -130,6 +130,9 @@
unix_socket_send(surfaceflinger, statsdw, statsd)
')
+# Surfaceflinger should not be reading default vendor-defined properties.
+dontaudit surfaceflinger vendor_default_prop:file read;
+
###
### Neverallow rules
###
diff --git a/public/hal_light.te b/public/hal_light.te
index 1e70b74..4aa824a 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,10 +4,13 @@
hal_attribute_hwservice(hal_light, hal_light_hwservice)
+# server adds itself via service_manager
add_service(hal_light_server, hal_light_service)
binder_call(hal_light_server, servicemanager)
+# client finds and uses server via service_manager
allow hal_light_client hal_light_service:service_manager find;
+binder_use(hal_light_client)
allow hal_light_server dumpstate:fifo_file write;