Merge "Allow keystore to access KeyAttestationApplicationIDProviderService"
diff --git a/nfc.te b/nfc.te
index 05dabaa..a4383bb 100644
--- a/nfc.te
+++ b/nfc.te
@@ -24,10 +24,11 @@
allow nfc sysfs_usb:file write;
# SoundPool loading and playback
-allow nfc mediaserver_service:service_manager find;
allow nfc audioserver_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
+allow nfc drmserver_service:service_manager find;
allow nfc mediacodec_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 0d3bdba..d4a27ad 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -45,6 +45,7 @@
allow platform_app mediaserver_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
allow platform_app mediacodec_service:service_manager find;
+allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
diff --git a/update_verifier.te b/update_verifier.te
index 65438d3..09d5fc4 100644
--- a/update_verifier.te
+++ b/update_verifier.te
@@ -5,4 +5,13 @@
init_daemon_domain(update_verifier)
-# TODO: Add rules to allow update_verifier to read system_block_device.
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read all blocks in system partition.
+allow update_verifier system_block_device:blk_file r_file_perms;
+