Merge "Update permissioncontroller_app domain rules"
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ffeccdb..06380de 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -16,6 +16,7 @@
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_tv_tuner_hwservice
+ hal_vibrator_service
init_svc_debug_prop
iorap_prefetcherd
iorap_prefetcherd_data_file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index cfa05fc..72e508e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -58,3 +58,5 @@
allow dumpstate gsid_exec:file rx_file_perms;
set_prop(dumpstate, ctl_gsid_prop)
binder_call(dumpstate, gsid)
+
+r_dir_file(dumpstate, ota_metadata_file)
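Review bot: The added `r_dir_file(dumpstate, ota_metadata_file)` has no comment, so an auditor cannot tell why the bug report collector needs to read OTA metadata. The same applies to `hal_client_domain(charger, hal_health)` in the public/charger.te hunk. I would put a line such as `# Allow dumpstate to read OTA snapshot metadata for bug reports.` above it, with the wording confirmed by the author. It is also worth checking that dumpstate has `search` on the parent `metadata_file:dir`, which snapshotctl.te grants explicitly; that is not visible in this hunk, and without it the new rule may have no effect.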
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 635cf4e..bf8be28 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -5,6 +5,7 @@
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
+hal_client_domain(mediaserver, hal_configstore)
hal_client_domain(mediaserver, hal_omx)
hal_client_domain(mediaserver, hal_codec2)
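Review bot: The new `hal_client_domain(mediaserver, hal_configstore)` line sits directly under the existing `# allocate and use graphic buffers` comment, so it reads as if configstore access were part of buffer allocation. It should get its own one-line comment saying which configuration values mediaserver reads from the configstore HAL. Alternatively, move it below the codec rules with a blank line so the existing comment keeps covering only the allocator rule.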
diff --git a/private/perfetto.te b/private/perfetto.te
index 8c7c8af..2183b6d 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -34,9 +34,12 @@
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };
-# Allow adbd to reap perfetto
+# Allow adbd to reap perfetto.
allow perfetto adbd:process { sigchld };
+# Allow perfetto to write to statsd.
+unix_socket_send(perfetto, statsdw, statsd)
+
# Allow to access /dev/pts when launched in an adb shell.
allow perfetto devpts:chr_file rw_file_perms;
diff --git a/private/service_contexts b/private/service_contexts
index defdfa4..4041a60 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,5 @@
+android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 78bf6fd..d07af3b 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -12,10 +12,10 @@
allow snapshotctl gsi_service:service_manager find;
binder_call(snapshotctl, gsid)
-# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
allow snapshotctl metadata_file:dir search;
allow snapshotctl ota_metadata_file:dir rw_dir_perms;
-allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+allow snapshotctl ota_metadata_file:file create_file_perms;
# Allow to get A/B slot suffix from device tree or kernel cmdline.
r_dir_file(snapshotctl, sysfs_dt_firmware_android);
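Review bot: `create_file_perms` grants more than the updated comment documents. In the AOSP global macros it expands to `create rename setattr unlink` plus `rw_file_perms`, so snapshotctl also gains `rename` and `setattr` on `ota_metadata_file:file`. If only file creation was missing, `allow snapshotctl ota_metadata_file:file { rw_file_perms create unlink };` keeps the grant at what the comment says. Otherwise the comment should mention rename and setattr so the extra permissions are visibly intentional.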
diff --git a/public/charger.te b/public/charger.te
index 48d6ad8..4b341ea 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -44,3 +44,5 @@
set_prop(charger, exported3_system_prop)
get_prop(charger, charger_prop)
+
+hal_client_domain(charger, hal_health)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index d4da8df..40d9c6b 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -4,6 +4,11 @@
hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
+add_service(hal_vibrator_server, hal_vibrator_service)
+binder_call(hal_vibrator_server, servicemanager)
+
+allow hal_vibrator_client hal_vibrator_service:service_manager find;
+
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
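Review bot: The three added rules have no comment, although the sysfs rules just below do. The file now registers the HAL with hwservicemanager (`hal_attribute_hwservice`) and also with servicemanager (`add_service`), and nothing explains why both paths exist. A header such as `# Register with and look up the vibrator HAL via servicemanager` above `add_service(...)` would make the split clear. The `find` grant applies to every domain carrying `hal_vibrator_client`, which deserves a mention in that comment. The hunk starts at line 4 of the file, so any earlier client/server binder rules are not visible here.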
diff --git a/public/service.te b/public/service.te
index 624d949..9d4aaeb 100644
--- a/public/service.te
+++ b/public/service.te
@@ -190,6 +190,12 @@
type wpantund_service, system_api_service, service_manager_type;
###
+### HAL Services
+###
+
+type hal_vibrator_service, vendor_service, service_manager_type;
+
+###
### Neverallow rules
###
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2d68011..07aaf5b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -61,6 +61,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service u:object_r:hal_wifi_offload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
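Review bot: In the added vibrator entry the dot before `example` is not escaped, unlike every other dot in this file's patterns. file_contexts paths are regular expressions, so `-service.example` matches any single character in that position and could label an unintended binary as `hal_vibrator_default_exec`. Escape it: `/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service\.example`.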