Merge "Fix selinux denials during bugreport" into oc-mr1-dev
diff --git a/prebuilts/api/26.0/26.0.ignore.cil b/prebuilts/api/26.0/26.0.ignore.cil
index 874f710..6c2da16 100644
--- a/prebuilts/api/26.0/26.0.ignore.cil
+++ b/prebuilts/api/26.0/26.0.ignore.cil
@@ -7,6 +7,7 @@
e2fs
e2fs_exec
hal_cas_hwservice
+ hal_neuralnetworks_hwservice
hal_tetheroffload_hwservice
kmsg_debug_device
netd_stable_secret_prop
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 702795d..3f3454f 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -26,6 +26,7 @@
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
diff --git a/private/system_server.te b/private/system_server.te
index fddfe2d..e61b303 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -194,6 +194,7 @@
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
allow system_server hal_omx_hwservice:hwservice_manager find;
allow system_server hidl_token_hwservice:hwservice_manager find;
diff --git a/public/attributes b/public/attributes
index cd4b820..7ee7daf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -289,6 +289,12 @@
expandattribute hal_memtrack_client true;
attribute hal_memtrack_server;
expandattribute hal_memtrack_server false;
+attribute hal_neuralnetworks;
+expandattribute hal_neuralnetworks true;
+attribute hal_neuralnetworks_client;
+expandattribute hal_neuralnetworks_client true;
+attribute hal_neuralnetworks_server;
+expandattribute hal_neuralnetworks_server false;
attribute hal_nfc;
expandattribute hal_nfc true;
attribute hal_nfc_client;
diff --git a/public/bootanim.te b/public/bootanim.te
index e2584c3..1a265f9 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -2,6 +2,7 @@
type bootanim, domain;
type bootanim_exec, exec_type, file_type;
+hal_client_domain(bootanim, hal_configstore)
hal_client_domain(bootanim, hal_graphics_allocator)
hal_client_domain(bootanim, hal_graphics_composer)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
new file mode 100644
index 0000000..c697ac2
--- /dev/null
+++ b/public/hal_neuralnetworks.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
+binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
+
+add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
+allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/public/hwservice.te b/public/hwservice.te
index 815221d..ce27f21 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -22,6 +22,7 @@
type hal_keymaster_hwservice, hwservice_manager_type;
type hal_light_hwservice, hwservice_manager_type;
type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
type hal_nfc_hwservice, hwservice_manager_type;
type hal_oemlock_hwservice, hwservice_manager_type;
type hal_omx_hwservice, hwservice_manager_type;
diff --git a/public/netd.te b/public/netd.te
index 6cd4f94..11e0e5c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -108,10 +108,12 @@
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
-# only system_server, dumpstate and netd may interact with netd over binder
+# only system_server and dumpstate may find netd service
neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } netd:binder call;
-neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+
+# apps may not interact with netd over binder.
+neverallow appdomain netd:binder call;
+neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/te_macros b/public/te_macros
index 48eb366..c7802d5 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -474,8 +474,9 @@
')
allow $1 anr_data_file:file append;
allow $1 dumpstate:fd use;
-# TODO: Figure out why write is needed and remove.
+# TODO: Figure out why write is needed.
allow $1 dumpstate:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;