Merge "sepolicy: restrict access to uid_cpupower files"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf9d0d3..bb9142d 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -183,6 +183,7 @@
hal_bluetooth_hwservice
hal_bootctl_hwservice
hal_camera_hwservice
+ hal_confirmationui_hwservice
hal_contexthub_hwservice
hal_drm_hwservice
hal_dumpstate_hwservice
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3a906e9..ca26357 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -37,6 +37,7 @@
fs_bpf
hal_broadcastradio_hwservice
hal_cas_hwservice
+ hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_tetheroffload_hwservice
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 661e2ae..38a9af2 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/keystore.te b/private/keystore.te
index a9647c6..90c4727 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -5,6 +5,12 @@
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
# Offer the Wifi Keystore HwBinder service
typeattribute keystore wifi_keystore_service_server;
add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/public/attributes b/public/attributes
index 11ffd2e..66ce7d0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -209,6 +209,7 @@
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(configstore);
+hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(drm);
hal_attribute(cas);
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
new file mode 100644
index 0000000..228e864
--- /dev/null
+++ b/public/hal_confirmationui.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09e3068..f6ab621 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
type hal_contexthub_hwservice, hwservice_manager_type;
type hal_drm_hwservice, hwservice_manager_type;
type hal_cas_hwservice, hwservice_manager_type;
diff --git a/public/su.te b/public/su.te
index 88065f6..edc62c3 100644
--- a/public/su.te
+++ b/public/su.te
@@ -62,6 +62,7 @@
typeattribute su hal_bootctl_client;
typeattribute su hal_camera_client;
typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
typeattribute su hal_contexthub_client;
typeattribute su hal_drm_client;
typeattribute su hal_cas_client;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b1efe1d..c56b45c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -33,127 +33,47 @@
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
-}:dir { create search getattr open read setattr ioctl };
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -system_ndebug_socket
- -unlabeled
- -vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init {
- file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
-runtime_event_log_tags_file
- -exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
+ -core_data_file_type
+ -exec_type
-system_file
-vendor_file_type
- -exec_type
- -vold_data_file
- -keystore_data_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b4961d7..e2d3ef7 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,6 +9,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
diff --git a/vendor/hal_confirmationui_default.te b/vendor/hal_confirmationui_default.te
new file mode 100644
index 0000000..832c687
--- /dev/null
+++ b/vendor/hal_confirmationui_default.te
@@ -0,0 +1,5 @@
+type hal_confirmationui_default, domain;
+hal_server_domain(hal_confirmationui_default, hal_confirmationui)
+
+type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_confirmationui_default)