Merge "Add bluetooth finder service sepolicy" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9118cba..49481bd 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -120,6 +120,7 @@
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": EXCEPTION_NO_FUZZER,
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
diff --git a/private/app.te b/private/app.te
index 19cb2e0..09f222b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -149,6 +149,9 @@
# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox_all)
+# Allow apps to communicate via binder with virtual camera service.
+binder_call(appdomain, virtual_camera)
+
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
diff --git a/private/service_contexts b/private/service_contexts
index 2209c6a..091ab99 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -125,6 +125,7 @@
android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/default u:object_r:hal_secretkeeper_service:s0
android.hardware.security.secretkeeper.ISecretkeeper/nonsecure u:object_r:hal_secretkeeper_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index d8c5df7..4c4ac7a 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -12,6 +12,10 @@
binder_call(virtual_camera, cameraserver)
binder_call(virtual_camera, system_server)
+
+# Allow virtualCamera to call apps via binder.
+binder_call(virtual_camera, appdomain)
+
# Allow virtual_camera to use fd from apps
allow virtual_camera { appdomain -isolated_app }:fd use;
@@ -28,3 +32,6 @@
# For collecting bugreports.
allow virtual_camera dumpstate:fd use;
allow virtual_camera dumpstate:fifo_file write;
+
+# Needed for permission checks.
+allow virtual_camera permission_service:service_manager find;
diff --git a/public/hal_secretkeeper.te b/public/hal_secretkeeper.te
index 809ed77..359159f 100644
--- a/public/hal_secretkeeper.te
+++ b/public/hal_secretkeeper.te
@@ -6,3 +6,7 @@
binder_use(hal_secretkeeper_server)
binder_use(hal_secretkeeper_client)
+
+# The Secretkeeper HAL service needs to communicate with a trusted application running
+# in the TEE, which is represented by the tee_device permission.
+allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;