Merge "Add sepolicy for default Context Hub HAL access to stats service"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 5555469..9e81f1d 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -43,7 +43,7 @@
"android.hardware.graphics.allocator.IAllocator/default": []string{},
"android.hardware.graphics.composer3.IComposer/default": []string{},
"android.hardware.health.storage.IStorage/default": []string{},
- "android.hardware.health.IHealth/default": []string{},
+ "android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
"android.hardware.identity.IIdentityCredentialStore/default": []string{},
"android.hardware.input.processor.IInputProcessor/default": []string{},
"android.hardware.ir.IConsumerIr/default": []string{},
@@ -58,6 +58,10 @@
"android.hardware.radio.data.IRadioData/slot1": []string{},
"android.hardware.radio.data.IRadioData/slot2": []string{},
"android.hardware.radio.data.IRadioData/slot3": []string{},
+ "android.hardware.radio.ims.IRadioIms/slot1": []string{},
+ "android.hardware.radio.ims.IRadioIms/slot2": []string{},
+ "android.hardware.radio.ims.IRadioIms/slot3": []string{},
+ "android.hardware.radio.ims.media.IImsMedia/default": []string{},
"android.hardware.radio.messaging.IRadioMessaging/slot1": []string{},
"android.hardware.radio.messaging.IRadioMessaging/slot2": []string{},
"android.hardware.radio.messaging.IRadioMessaging/slot3": []string{},
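Review bot: The four new radio entries (`IRadioIms/slot1` to `slot3` and `IImsMedia/default`) are registered with an empty fuzzer list and nothing records why, so the binding check passes while these AIDL HALs have no fuzzer bound to them. The same applies to `IHdmiCec/default` and `IHdmi/default` in the next hunk. I would add a tracking comment above each group, for example `// TODO(b/<bug-id>): bind an AIDL fuzzer for IRadioIms and IImsMedia`, so the gap stays visible to whoever next edits the map. The map literal starts and ends outside this hunk.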
@@ -82,12 +86,14 @@
"android.hardware.sensors.ISensors/default": []string{},
"android.hardware.soundtrigger3.ISoundTriggerHw/default": []string{},
"android.hardware.thermal.IThermal/default": []string{},
+ "android.hardware.tv.cec.IHdmiCec/default": []string{},
+ "android.hardware.tv.hdmi.IHdmi/default": []string{},
"android.hardware.tv.input.ITvInput/default": []string{},
"android.hardware.tv.tuner.ITuner/default": []string{},
"android.hardware.usb.IUsb/default": []string{},
"android.hardware.uwb.IUwb/default": []string{},
"android.hardware.vibrator.IVibrator/default": []string{},
- "android.hardware.vibrator.IVibratorManager/default": []string{},
+ "android.hardware.vibrator.IVibratorManager/default": []string{"android.hardware.vibrator-service.example_fuzzer"},
"android.hardware.weaver.IWeaver/default": []string{},
"android.hardware.wifi.hostapd.IHostapd/default": []string{},
"android.hardware.wifi.supplicant.ISupplicant/default": []string{},
@@ -337,7 +343,7 @@
"sensor_privacy": []string{},
"serial": []string{},
"servicediscovery": []string{},
- "manager": []string{},
+ "manager": []string{"servicemanager_fuzzer"},
"settings": []string{},
"shortcut": []string{},
"simphonebook_msim": []string{},
diff --git a/build/soong/validate_bindings.go b/build/soong/validate_bindings.go
index 3132453..7ba6453 100644
--- a/build/soong/validate_bindings.go
+++ b/build/soong/validate_bindings.go
@@ -34,7 +34,7 @@
if _, ok := ctx.Module().(*fuzzerBindingsTestModule); ok {
for _, fuzzers := range ServiceFuzzerBindings {
for _, fuzzer := range fuzzers {
- if !ctx.OtherModuleExists(fuzzer) {
+ if !ctx.OtherModuleExists(fuzzer) && !ctx.Config().AllowMissingDependencies() {
panic(fmt.Errorf("Fuzzer doesn't exist : %s", fuzzer))
}
}
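Review bot: With `AllowMissingDependencies()` set, a binding that names a fuzzer module which does not exist now passes silently, so a misspelled name in `ServiceFuzzerBindings` is caught only by builds that run without that option. That is presumably intended for partial checkouts, but the condition gives no hint of it. I would add a comment above the `if`, such as `// Partial builds may not contain the fuzzer modules; the existence check is enforced only when missing dependencies are disallowed.` The enclosing function and both loops start and end outside the hunk.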
diff --git a/compat/Android.bp b/compat/Android.bp
index 895b5e7..61acd40 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -188,7 +188,6 @@
name: "plat_33.0.cil",
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.plat_private}"],
- // top_half: "plat_34.0.cil",
}
se_cil_compat_map {
@@ -235,7 +234,6 @@
name: "system_ext_33.0.cil",
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
- // top_half: "system_ext_34.0.cil",
system_ext_specific: true,
}
@@ -283,7 +281,6 @@
name: "product_33.0.cil",
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.product_private}"],
- // top_half: "product_34.0.cil",
product_specific: true,
}
@@ -320,7 +317,6 @@
se_cil_compat_map {
name: "33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.plat_private}"],
- // top_half: "34.0.ignore.cil",
}
se_cil_compat_map {
@@ -347,7 +343,6 @@
se_cil_compat_map {
name: "system_ext_33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
- // top_half: "system_ext_34.0.ignore.cil",
system_ext_specific: true,
}
@@ -375,7 +370,6 @@
se_cil_compat_map {
name: "product_33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.product_private}"],
- // top_half: "product_34.0.ignore.cil",
product_specific: true,
}
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 91a8ad2..a9d025c 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -28,3 +28,6 @@
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 60332bd..b274417 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -960,3 +960,11 @@
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+ allow $1 apex_mnt_dir:dir r_dir_perms;
+ allow $1 apex_info_file:file r_file_perms;
+')
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 7275954..fa9dd7d 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -22,3 +22,5 @@
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
+# binderservicedomain is using apex_info via libvintf
+use_apex_info(binderservicedomain)
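Review bot: `use_apex_info(binderservicedomain)` gives the apex_mnt_dir and apex_info_file read access to every domain that carries the attribute, which is wider than the comment "is using apex_info via libvintf" justifies unless every binder service really loads libvintf. If only some do, call the macro in their own .te files, as this commit already does for servicemanager, hwservicemanager and keystore. If the attribute-wide grant is intended, say so in the comment, for example `# Granted on the attribute because <reason>; narrow to individual domains if that changes.`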
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 39a4bdc..97a1c91 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -15,6 +15,8 @@
hal_remoteaccess_service
hal_thermal_service
hal_tv_input_service
+ hal_tv_hdmi_service
+ hal_tv_hdmi_cec_service
healthconnect_service
keystore_config_prop
permissive_mte_prop
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 5982ecf..ecc8a40 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -10,3 +10,6 @@
# hwservicemanager is using bootstrap bionic
use_bootstrap_libs(hwservicemanager)
+
+# hwservicemanager is using apex_info via libvintf
+use_apex_info(hwservicemanager)
diff --git a/private/keystore.te b/private/keystore.te
index b69477c..cd2ef76 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -40,3 +40,6 @@
# system property, an exception is added for init as well.
set_prop(keystore, keystore_crash_prop)
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+
+# keystore is using apex_info via libvintf
+use_apex_info(keystore)
diff --git a/private/service_contexts b/private/service_contexts
index 7d980f2..beeabbd 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -42,6 +42,10 @@
android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.media.IImsMedia/default u:object_r:hal_radio_service:s0
android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
@@ -67,6 +71,8 @@
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
+android.hardware.tv.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
+android.hardware.tv.hdmi.IHdmi/default u:object_r:hal_tv_hdmi_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 95a9496..5a69a43 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -9,3 +9,6 @@
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/private/system_server.te b/private/system_server.te
index 375158f..aedebaf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -330,6 +330,8 @@
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_hdmi)
+hal_client_domain(system_server, hal_tv_hdmi_cec)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
diff --git a/public/attributes b/public/attributes
index f431725..121adc0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -369,6 +369,8 @@
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(tv_cec);
+hal_attribute(tv_hdmi);
+hal_attribute(tv_hdmi_cec);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
diff --git a/public/hal_tv_hdmi.te b/public/hal_tv_hdmi.te
new file mode 100644
index 0000000..8e91aa2
--- /dev/null
+++ b/public/hal_tv_hdmi.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_client, hal_tv_hdmi_server)
+binder_call(hal_tv_hdmi_server, hal_tv_hdmi_client)
+binder_call(hal_tv_hdmi_client, servicemanager)
+binder_call(hal_tv_hdmi_server, servicemanager)
+
+hal_attribute_service(hal_tv_hdmi, hal_tv_hdmi_service)
diff --git a/public/hal_tv_hdmi_cec.te b/public/hal_tv_hdmi_cec.te
new file mode 100644
index 0000000..1b75676
--- /dev/null
+++ b/public/hal_tv_hdmi_cec.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_cec_client, hal_tv_hdmi_cec_server)
+binder_call(hal_tv_hdmi_cec_server, hal_tv_hdmi_cec_client)
+binder_call(hal_tv_hdmi_cec_client, servicemanager)
+binder_call(hal_tv_hdmi_cec_server, servicemanager)
+
+hal_attribute_service(hal_tv_hdmi_cec, hal_tv_hdmi_cec_service)
diff --git a/public/service.te b/public/service.te
index 70ddf94..7e40b27 100644
--- a/public/service.te
+++ b/public/service.te
@@ -306,6 +306,8 @@
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index a812338..58153f7 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -31,10 +31,9 @@
# Check SELinux permissions.
selinux_check_access(servicemanager)
-recovery_only(`
- # In recovery, log to kmsg.
- allow servicemanager kmsg_device:chr_file rw_file_perms;
+allow servicemanager kmsg_device:chr_file rw_file_perms;
+recovery_only(`
# Read VINTF files.
r_dir_file(servicemanager, rootfs)
')
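Review bot: Moving the kmsg rule out of `recovery_only` gives servicemanager `rw_file_perms` on `kmsg_device` on every boot, while logging needs only write access, and read access to the kernel log is more than this domain appears to need. If the logger opens the device write-only, I would narrow the rule to `allow servicemanager kmsg_device:chr_file w_file_perms;` and put a comment above it such as `# Log to kmsg.`, since the old comment was dropped with the move. The same `rw_file_perms` grant is added for vndservicemanager in vendor/vndservicemanager.te, where the new comment also misspells kmsg as `kmesg`.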
diff --git a/public/su.te b/public/su.te
index 8328140..730c1e0 100644
--- a/public/su.te
+++ b/public/su.te
@@ -97,6 +97,8 @@
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
typeattribute su hal_tv_cec_client;
+ typeattribute su hal_tv_hdmi_client;
+ typeattribute su hal_tv_hdmi_cec_client;
typeattribute su hal_tv_input_client;
typeattribute su hal_tv_tuner_client;
typeattribute su hal_usb_client;
diff --git a/public/te_macros b/public/te_macros
index 551f4f3..8a8b473 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1036,3 +1036,11 @@
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+ allow $1 apex_mnt_dir:dir r_dir_perms;
+ allow $1 apex_info_file:file r_file_perms;
+')
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index 17a4d75..ca5ae91 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -14,8 +14,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+from pathlib import Path
import argparse
-import distutils.ccompiler
import glob
import logging
import mini_parser
@@ -41,6 +41,7 @@
))
"""
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
def check_run(cmd, cwd=None):
if cwd:
@@ -105,7 +106,7 @@
path = os.path.join(destination, '%s.cil' % ver)
with open(path, 'wb') as f:
logging.debug('Extracting %s.cil to %s' % (ver, destination))
- f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0'))
+ f.write(check_output(cmd).stdout.replace(b'10000_0', ver.replace('.', '_').encode()))
return path
@@ -190,6 +191,122 @@
return versioned_type.removesuffix(old_suffix) + new_suffix
+def create_target_compat_modules(bp_path, target_ver):
+ """ Creates compat modules to Android.bp.
+
+ Args:
+ bp_path: string, path to Android.bp
+ target_ver: string, api version to generate
+ """
+
+ module_template = """
+se_build_files {{
+ name: "{ver}.board.compat.map",
+ srcs: ["compat/{ver}/{ver}.cil"],
+}}
+
+se_build_files {{
+ name: "{ver}.board.compat.cil",
+ srcs: ["compat/{ver}/{ver}.compat.cil"],
+}}
+
+se_build_files {{
+ name: "{ver}.board.ignore.map",
+ srcs: ["compat/{ver}/{ver}.ignore.cil"],
+}}
+
+se_cil_compat_map {{
+ name: "plat_{ver}.cil",
+ stem: "{ver}.cil",
+ bottom_half: [":{ver}.board.compat.map{{.plat_private}}"],
+}}
+
+se_cil_compat_map {{
+ name: "system_ext_{ver}.cil",
+ stem: "{ver}.cil",
+ bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"],
+ system_ext_specific: true,
+}}
+
+se_cil_compat_map {{
+ name: "product_{ver}.cil",
+ stem: "{ver}.cil",
+ bottom_half: [":{ver}.board.compat.map{{.product_private}}"],
+ product_specific: true,
+}}
+
+se_cil_compat_map {{
+ name: "{ver}.ignore.cil",
+ bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"],
+}}
+
+se_cil_compat_map {{
+ name: "system_ext_{ver}.ignore.cil",
+ stem: "{ver}.ignore.cil",
+ bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"],
+ system_ext_specific: true,
+}}
+
+se_cil_compat_map {{
+ name: "product_{ver}.ignore.cil",
+ stem: "{ver}.ignore.cil",
+ bottom_half: [":{ver}.board.ignore.map{{.product_private}}"],
+ product_specific: true,
+}}
+
+se_compat_cil {{
+ name: "{ver}.compat.cil",
+ srcs: [":{ver}.board.compat.cil{{.plat_private}}"],
+}}
+
+se_compat_cil {{
+ name: "system_ext_{ver}.compat.cil",
+ stem: "{ver}.compat.cil",
+ srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"],
+ system_ext_specific: true,
+}}
+"""
+
+ with open(bp_path, 'a') as f:
+ f.write(module_template.format(ver=target_ver))
+
+
+def patch_top_half_of_latest_compat_modules(bp_path, latest_ver, target_ver):
+ """ Adds top_half property to latest compat modules in Android.bp.
+
+ Args:
+ bp_path: string, path to Android.bp
+ latest_ver: string, previous api version
+ target_ver: string, api version to generate
+ """
+
+ modules_to_patch = [
+ "plat_{ver}.cil",
+ "system_ext_{ver}.cil",
+ "product_{ver}.cil",
+ "{ver}.ignore.cil",
+ "system_ext_{ver}.ignore.cil",
+ "product_{ver}.ignore.cil",
+ ]
+
+ for module in modules_to_patch:
+ # set latest_ver module's top_half property to target_ver
+ # e.g.
+ #
+ # se_cil_compat_map {
+ # name: "plat_33.0.cil",
+ # top_half: "plat_34.0.cil", <== this
+ # ...
+ # }
+ check_run([
+ "bpmodify",
+ "-m", module.format(ver=latest_ver),
+ "-property", "top_half",
+ "-str", module.format(ver=target_ver),
+ "-w",
+ bp_path
+ ])
+
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument(
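Review bot: `create_target_compat_modules` opens Android.bp in append mode and writes the template unconditionally, so running the tool twice for the same target version leaves duplicate module definitions in the file. I would check for one of the generated module names before writing and return early when it is already there, as sketched below. `target_ver` is also formatted into the Blueprint text as given on the command line, so a malformed value produces a malformed Android.bp. Rejecting values that do not look like a version before any file is touched would be cheap.

```python
def create_target_compat_modules(bp_path, target_ver):
    # … unchanged: docstring and module_template …
    with open(bp_path, 'r+') as f:
        # Skip the append when the modules are already present, so a re-run is harmless.
        if 'name: "plat_%s.cil"' % target_ver in f.read():
            logging.info('compat modules for %s already in %s' % (target_ver, bp_path))
            return
        f.write(module_template.format(ver=target_ver))
```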
@@ -227,8 +344,7 @@
try:
libpath = os.path.join(
- os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' +
- distutils.ccompiler.new_compiler().shared_lib_extension)
+ os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' + SHARED_LIB_EXTENSION)
if not os.path.exists(libpath):
sys.exit(
'Error: libsepolwrap does not exist. Is this binary corrupted?\n'
@@ -237,6 +353,26 @@
build_top = get_android_build_top()
sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
+ # Step 0. Create a placeholder files and compat modules
+ # These are needed to build base policy files below.
+ compat_bp_path = os.path.join(sepolicy_path, 'compat', 'Android.bp')
+ create_target_compat_modules(compat_bp_path, args.target_version)
+ patch_top_half_of_latest_compat_modules(compat_bp_path, args.latest_version,
+ args.target_version)
+
+ target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.target_version)
+ target_mapping_file = os.path.join(target_compat_path,
+ args.target_version + '.cil')
+ target_compat_file = os.path.join(target_compat_path,
+ args.target_version + '.compat.cil')
+ target_ignore_file = os.path.join(target_compat_path,
+ args.target_version + '.ignore.cil')
+ Path(target_compat_path).mkdir(parents=True, exist_ok=True)
+ Path(target_mapping_file).touch()
+ Path(target_compat_file).touch()
+ Path(target_ignore_file).touch()
+
# Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
mapping_file = download_mapping_file(
args.branch, args.build, args.target_version, destination=temp_dir)
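Review bot: Step 0 edits compat/Android.bp and creates three empty .cil files in the source tree before the download in Step 1 and the later checks, so any failure after this point leaves the tree with patched `top_half` properties, appended modules and empty placeholder policy files. I would at least record that above the step, for example `# NOTE: Step 0 modifies compat/Android.bp and creates empty .cil files; revert them if a later step fails.`, or wrap the later steps so the placeholders are removed on error. The heading also reads "Create a placeholder files"; `# Step 0. Create placeholder files and compat modules` is the corrected form. The enclosing function starts and ends outside the hunk.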
@@ -342,15 +478,6 @@
sys.exit(error_msg)
# Step 5. Write to system/sepolicy/private/compat
- target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
- args.target_version)
- target_mapping_file = os.path.join(target_compat_path,
- args.target_version + '.cil')
- target_compat_file = os.path.join(target_compat_path,
- args.target_version + '.compat.cil')
- target_ignore_file = os.path.join(target_compat_path,
- args.target_version + '.ignore.cil')
-
with open(target_mapping_file, 'w') as f:
logging.info('writing %s' % target_mapping_file)
if removed_types:
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c214f4e..d6dc9bc 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -94,6 +94,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi-service u:object_r:hal_tv_hdmi_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
diff --git a/vendor/hal_remoteaccess_default.te b/vendor/hal_remoteaccess_default.te
index 571b827..475c2e8 100644
--- a/vendor/hal_remoteaccess_default.te
+++ b/vendor/hal_remoteaccess_default.te
@@ -1,6 +1,9 @@
type hal_remoteaccess_default, domain;
hal_server_domain(hal_remoteaccess_default, hal_remoteaccess)
-# may be started by init
+# May be started by init
type hal_remoteaccess_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_remoteaccess_default)
+
+# Allow registering with service manager.
+binder_call(hal_remoteaccess_default, servicemanager)
diff --git a/vendor/hal_tv_hdmi_cec_default.te b/vendor/hal_tv_hdmi_cec_default.te
new file mode 100644
index 0000000..2f06c34
--- /dev/null
+++ b/vendor/hal_tv_hdmi_cec_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_cec_default, domain;
+hal_server_domain(hal_tv_hdmi_cec_default, hal_tv_hdmi_cec)
+
+type hal_tv_hdmi_cec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_cec_default)
diff --git a/vendor/hal_tv_hdmi_default.te b/vendor/hal_tv_hdmi_default.te
new file mode 100644
index 0000000..e974fd8
--- /dev/null
+++ b/vendor/hal_tv_hdmi_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_default, domain;
+hal_server_domain(hal_tv_hdmi_default, hal_tv_hdmi)
+
+type hal_tv_hdmi_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_default)
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index 497e027..2ad0502 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -20,3 +20,6 @@
# Check SELinux permissions.
selinux_check_access(vndservicemanager)
+
+# Log to kmesg
+allow vndservicemanager kmsg_device:chr_file rw_file_perms;