Merge "Add selinux policy to register remote access HAL."
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 64e14e2..5555469 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -81,6 +81,7 @@
"android.hardware.security.sharedsecret.ISharedSecret/default": []string{},
"android.hardware.sensors.ISensors/default": []string{},
"android.hardware.soundtrigger3.ISoundTriggerHw/default": []string{},
+ "android.hardware.thermal.IThermal/default": []string{},
"android.hardware.tv.input.ITvInput/default": []string{},
"android.hardware.tv.tuner.ITuner/default": []string{},
"android.hardware.usb.IUsb/default": []string{},
diff --git a/build/soong/validate_bindings.go b/build/soong/validate_bindings.go
index 3132453..7ba6453 100644
--- a/build/soong/validate_bindings.go
+++ b/build/soong/validate_bindings.go
@@ -34,7 +34,7 @@
if _, ok := ctx.Module().(*fuzzerBindingsTestModule); ok {
for _, fuzzers := range ServiceFuzzerBindings {
for _, fuzzer := range fuzzers {
- if !ctx.OtherModuleExists(fuzzer) {
+ if !ctx.OtherModuleExists(fuzzer) && !ctx.Config().AllowMissingDependencies() {
panic(fmt.Errorf("Fuzzer doesn't exist : %s", fuzzer))
}
}
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
index b117d0c..8ec131c 100644
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@@ -6,11 +6,10 @@
# Block crash dumps to ensure the secrets are not leaked.
typeattribute compos_key_helper no_crash_dump_domain;
-# Allow using DICE binder service
+# Allow use of vm_payload_binder_service
binder_use(compos_key_helper);
-allow compos_key_helper dice_node_service:service_manager find;
-binder_call(compos_key_helper, dice_service);
-allow compos_key_helper dice_service:diced { get_attestation_chain derive };
+allow compos_key_helper vm_payload_binder_service:service_manager find;
+binder_call(compos_key_helper, microdroid_manager);
# Communicate with compos via stdin/stdout pipes
allow compos_key_helper compos:fd use;
diff --git a/microdroid/system/private/dice_service.te b/microdroid/system/private/dice_service.te
deleted file mode 100644
index 341108c..0000000
--- a/microdroid/system/private/dice_service.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type dice_service, domain, coredomain;
-type dice_service_exec, system_file_type, exec_type, file_type;
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute dice_service no_crash_dump_domain;
-
-# dice_service can be started by init.
-init_daemon_domain(dice_service)
-
-# dice_service hosts AIDL services.
-binder_use(dice_service)
-binder_service(dice_service)
-add_service(dice_service, dice_node_service)
-add_service(dice_service, dice_maintenance_service)
-
-# dice_service can check SELinux permissions.
-selinux_check_access(dice_service)
-
-# dice_service is using bootstrap bionic.
-use_bootstrap_libs(dice_service)
-
-# Read config from the device tree and open-dice driver.
-allow dice_service sysfs_dt_avf:file r_file_perms;
-allow dice_service open_dice_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7b8b037..c3156fb 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -217,9 +217,6 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
-allow domain self:global_capability_class_set audit_control;
-allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-
# globally readable properties
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bootloader_prop)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index a81bdc1..8406e55 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -105,7 +105,6 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/dice-service.microdroid u:object_r:dice_service_exec:s0
/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 708d537..19b7256 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,5 @@
allow init fuse:dir { search getattr };
set_prop(init, property_type)
+
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index d9d533a..d26154a 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -8,10 +8,3 @@
type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
-
-# Talk to binder services (for dice_service)
-binder_use(microdroid_app);
-
-allow microdroid_app dice_node_service:service_manager find;
-binder_call(microdroid_app, dice_service);
-allow microdroid_app dice_service:diced { get_attestation_chain derive };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 06fb979..ac92f38 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -20,6 +20,12 @@
# microdroid_manager can query AVF flags in the device tree
allow microdroid_manager sysfs_dt_avf:file r_file_perms;
+# Read config from the open-dice driver.
+allow microdroid_manager open_dice_device:chr_file rw_file_perms;
+
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute microdroid_manager no_crash_dump_domain;
+
# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
# requires sys_admin cap as well.
allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
@@ -45,11 +51,11 @@
# microdroid_manager is using bootstrap bionic
use_bootstrap_libs(microdroid_manager)
-# microdroid_manager can talk to dice_service over binder
+# microdroid_manager hosts binder services.
binder_use(microdroid_manager)
-binder_call(microdroid_manager, dice_service)
-allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
-allow microdroid_manager dice_service:diced { derive demote_self };
+
+# microdroid_manager can add virtual_machine_payload_service
+add_service(microdroid_manager, vm_payload_binder_service)
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
@@ -70,6 +76,9 @@
# Allow microdroid_manager to wait for linkerconfig to be ready
get_prop(microdroid_manager, apex_config_prop)
+# Allow microdroid_manager to wait for zipfuse to be ready
+get_prop(microdroid_manager, microdroid_manager_zipfuse_prop)
+
# Allow microdroid_manager to pass the roothash to apkdmverity
set_prop(microdroid_manager, microdroid_manager_roothash_prop)
@@ -84,6 +93,18 @@
# or not; if set, it executes kexec to load the crashkernel into memory.
allow microdroid_manager proc_cmdline:file r_file_perms;
+# microdroid_manager needs to read /proc/stat and /proc_meminfo to collect CPU & memory usage
+# for creating atoms used in AVF telemetry metrics
+allow microdroid_manager proc_meminfo:file r_file_perms;
+allow microdroid_manager proc_stat:file r_file_perms;
+
+# Allow microdroid_manager to set up zram-backed swap:
+# - Read & Write zram properties in sysfs to set/get zram disksize
+# - Read & Write to zram block device needed for mkswap and swapon
+allow microdroid_manager sysfs_zram:dir { search };
+allow microdroid_manager sysfs_zram:file rw_file_perms;
+allow microdroid_manager ram_device:blk_file rw_file_perms;
+
# Allow microdroid_manager to read/write failure serial device
allow microdroid_manager serial_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 4ea187b..851a85a 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -47,3 +47,7 @@
# Read and write files authfs-proxied files.
allow microdroid_payload authfs_fuse:dir rw_dir_perms;
allow microdroid_payload authfs_fuse:file create_file_perms;
+
+# Allow use of virtual_machine_payload_service.
+allow microdroid_payload vm_payload_binder_service:service_manager find;
+binder_call(microdroid_payload, microdroid_manager)
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index cade2aa..ff15f5d 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -121,6 +121,7 @@
apex_config.done u:object_r:apex_config_prop:s0 exact bool
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
+microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 76bae22..2abd7e3 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,6 +1,5 @@
adb u:object_r:adb_service:s0
-android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
-android.security.dice.IDiceNode u:object_r:dice_node_service:s0
+virtual_machine_payload_service u:object_r:vm_payload_binder_service:s0
apexservice u:object_r:apex_service:s0
authfs_service u:object_r:authfs_binder_service:s0
manager u:object_r:service_manager_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 91a8ad2..a9d025c 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -28,3 +28,6 @@
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 6652e27..6e0472d 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -43,6 +43,9 @@
# zipfuse is forked from microdroid_manager
allow zipfuse microdroid_manager:fd use;
+# allow signalling when the mount is ready
+set_prop(zipfuse, microdroid_manager_zipfuse_prop)
+
# Only microdroid_manager can run zipfuse
neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index bab49f2..9ec022b 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -40,6 +40,7 @@
type log_prop, property_type;
type log_tag_prop, property_type;
type microdroid_manager_roothash_prop, property_type;
+type microdroid_manager_zipfuse_prop, property_type;
type property_service_version_prop, property_type;
type shell_prop, property_type;
type timezone_prop, property_type;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 60332bd..b274417 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -960,3 +960,11 @@
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+ allow $1 apex_mnt_dir:dir r_dir_perms;
+ allow $1 apex_info_file:file r_file_perms;
+')
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index b4c49c8..dbdafaf 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -3,9 +3,7 @@
type apex_service, service_manager_type;
type authfs_binder_service, service_manager_type;
type default_android_service, service_manager_type;
-type dice_maintenance_service, service_manager_type;
-type dice_node_service, service_manager_type;
-type hal_dice_service, service_manager_type;
+type vm_payload_binder_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
diff --git a/prebuilts/api/33.0/private/kernel.te b/prebuilts/api/33.0/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/prebuilts/api/33.0/private/kernel.te
+++ b/prebuilts/api/33.0/private/kernel.te
@@ -32,6 +32,19 @@
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
# Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 7275954..fa9dd7d 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -22,3 +22,5 @@
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
+# binderservicedomain is using apex_info via libvintf
+use_apex_info(binderservicedomain)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 121daeb..39a4bdc 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -13,6 +13,7 @@
devicelock_service
hal_bootctl_service
hal_remoteaccess_service
+ hal_thermal_service
hal_tv_input_service
healthconnect_service
keystore_config_prop
diff --git a/private/crosvm.te b/private/crosvm.te
index 034107f..c750b50 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -42,7 +42,7 @@
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr };
+allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 5982ecf..ecc8a40 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -10,3 +10,6 @@
# hwservicemanager is using bootstrap bionic
use_bootstrap_libs(hwservicemanager)
+
+# hwservicemanager is using apex_info via libvintf
+use_apex_info(hwservicemanager)
diff --git a/private/kernel.te b/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -32,6 +32,19 @@
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
# Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into
diff --git a/private/keystore.te b/private/keystore.te
index b69477c..cd2ef76 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -40,3 +40,6 @@
# system property, an exception is added for init as well.
set_prop(keystore, keystore_crash_prop)
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+
+# keystore is using apex_info via libvintf
+use_apex_info(keystore)
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d851ab7..12310d2 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,6 +10,131 @@
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
+# TODO(b/252967582): remove this rule if it generates too much logs traffic.
+auditallow sdk_sandbox {
+ property_type
+ # remove expected properties to reduce noise.
+ -servicemanager_prop
+ -hwservicemanager_prop
+ -use_memfd_prop
+ -binder_cache_system_server_prop
+ -graphics_config_prop
+ -persist_wm_debug_prop
+ -aaudio_config_prop
+ -adbd_config_prop
+ -apex_ready_prop
+ -apexd_select_prop
+ -arm64_memtag_prop
+ -audio_prop
+ -binder_cache_bluetooth_server_prop
+ -binder_cache_telephony_server_prop
+ -bluetooth_config_prop
+ -boot_status_prop
+ -bootloader_prop
+ -bq_config_prop
+ -build_odm_prop
+ -build_prop
+ -build_vendor_prop
+ -camera2_extensions_prop
+ -camera_calibration_prop
+ -camera_config_prop
+ -camerax_extensions_prop
+ -codec2_config_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_config_prop
+ -dalvik_prop
+ -dalvik_runtime_prop
+ -dck_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_config_memory_safety_native_prop
+ -device_config_nnapi_native_prop
+ -device_config_runtime_native_boot_prop
+ -device_config_runtime_native_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -exported3_system_prop
+ -exported_config_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_pm_prop
+ -exported_system_prop
+ -ffs_config_prop
+ -fingerprint_prop
+ -framework_status_prop
+ -gwp_asan_prop
+ -hal_instrumentation_prop
+ -hdmi_config_prop
+ -heapprofd_prop
+ -hw_timeout_multiplier_prop
+ -init_service_status_private_prop
+ -init_service_status_prop
+ -libc_debug_prop
+ -lmkd_config_prop
+ -locale_prop
+ -localization_prop
+ -log_file_logger_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -media_config_prop
+ -media_variant_prop
+ -mediadrm_config_prop
+ -module_sdkextensions_prop
+ -net_radio_prop
+ -nfc_prop
+ -nnapi_ext_deny_product_prop
+ -ota_prop
+ -packagemanager_config_prop
+ -pan_result_prop
+ -permissive_mte_prop
+ -persist_debug_prop
+ -pm_prop
+ -powerctl_prop
+ -property_service_version_prop
+ -radio_control_prop
+ -radio_prop
+ -restorecon_prop
+ -rollback_test_prop
+ -sendbug_config_prop
+ -setupwizard_prop
+ -shell_prop
+ -soc_prop
+ -socket_hook_prop
+ -sqlite_log_prop
+ -storagemanager_config_prop
+ -surfaceflinger_color_prop
+ -surfaceflinger_prop
+ -system_prop
+ -system_user_mode_emulation_prop
+ -systemsound_config_prop
+ -telephony_config_prop
+ -telephony_status_prop
+ -test_harness_prop
+ -timezone_prop
+ -usb_config_prop
+ -usb_control_prop
+ -usb_prop
+ -userdebug_or_eng_prop
+ -userspace_reboot_config_prop
+ -userspace_reboot_exported_prop
+ -userspace_reboot_log_prop
+ -userspace_reboot_test_prop
+ -vendor_socket_hook_prop
+ -vndk_prop
+ -vold_config_prop
+ -vold_prop
+ -vold_status_prop
+ -vts_config_prop
+ -vts_status_prop
+ -wifi_log_prop
+ -zygote_config_prop
+ -zygote_wrap_prop
+ -init_service_status_prop
+}:file { getattr open read map };
+
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
diff --git a/private/service_contexts b/private/service_contexts
index fe4e021..7d980f2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
+android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 95a9496..5a69a43 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -9,3 +9,6 @@
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index 2115da1..13fed00 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -3,3 +3,8 @@
binder_call(hal_thermal_server, hal_thermal_client)
hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
+hal_attribute_service(hal_thermal, hal_thermal_service)
+
+add_service(hal_thermal_server, hal_thermal_service)
+binder_call(hal_thermal_server, servicemanager)
+binder_call(hal_thermal_client, servicemanager)
diff --git a/public/service.te b/public/service.te
index 25b0731..70ddf94 100644
--- a/public/service.te
+++ b/public/service.te
@@ -305,6 +305,7 @@
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
+type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 551f4f3..8a8b473 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1036,3 +1036,11 @@
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+ allow $1 apex_mnt_dir:dir r_dir_perms;
+ allow $1 apex_info_file:file r_file_perms;
+')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ceb1492..c214f4e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -92,6 +92,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example u:object_r:hal_tv_input_default_exec:s0