Merge "Remove bug_map entry for system_server"
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 3547ebb..ceb54b1 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -25,6 +25,7 @@
     extra_free_kbytes
     extra_free_kbytes_exec
     fs_bpf_vendor
+    game_mode_intervention_list_file
     gesture_prop
     hal_contexthub_service
     hal_camera_service
diff --git a/private/file_contexts b/private/file_contexts
index e2ffbc0..b075839 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -527,6 +527,7 @@
 /data/(.*)?		u:object_r:system_data_file:s0
 /data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
 /data/system/packages\.list u:object_r:packages_list_file:s0
+/data/system/game_mode_intervention\.list u:object_r:game_mode_intervention_list_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
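Review bot: The new `/data/system/game_mode_intervention\.list` entry only labels the file when something relabels it, and no hunk in this diff adds a type transition for system_server. A file created under /data/system would presumably start out as system_data_file, so the dedicated type and the matching allow rule in private/system_server.te would go unused unless the writer calls restorecon after creating it. Please confirm the writer does that, or add a named transition such as `type_transition system_server system_data_file:file game_mode_intervention_list_file "game_mode_intervention.list";`. A name-based transition will not match if the file is written under a temporary name and then renamed.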
diff --git a/private/system_server.te b/private/system_server.te
index d2bc3ae..7ca6019 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -472,6 +472,7 @@
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
 allow system_server packages_list_file:file create_file_perms;
+allow system_server game_mode_intervention_list_file:file create_file_perms;
 allow system_server keychain_data_file:dir create_dir_perms;
 allow system_server keychain_data_file:file create_file_perms;
 allow system_server keychain_data_file:lnk_file create_file_perms;
diff --git a/public/file.te b/public/file.te
index 3c8fcc7..55f65b6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -301,6 +301,7 @@
 # TODO(b/129332765): Narrow down permissions to this.
 # Find out users of system_data_file that should be granted only this.
 type packages_list_file, file_type, data_file_type, core_data_file_type;
+type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
 # Default type for anything under /data/vendor{_ce,_de}.
 type vendor_data_file, file_type, data_file_type;
 # Unencrypted data
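Review bot: The new `type game_mode_intervention_list_file` line has no comment of its own and sits directly under the TODO(b/129332765) comment that was written for packages_list_file, so it now reads as if that TODO covers both types. A one-line comment above the new type would separate them, e.g. `# /data/system/game_mode_intervention.list, created and written by system_server.` If read access is later granted to other domains, that comment is also the natural place to name the intended readers.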
diff --git a/public/te_macros b/public/te_macros
index e70c5d3..58d04b4 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@
 type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
 # Allow domain to create/use userfaultfd anon_inode.
 allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Suppress errors generate during bugreport
+dontaudit su $1_userfaultfd:anon_inode *;
 # Other domains may not use userfaultfd anon_inodes created by this domain.
 neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
 # This domain may not use userfaultfd anon_inodes created by other domains.
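Review bot: The added `dontaudit su $1_userfaultfd:anon_inode *;` uses the `*` wildcard, so it hides every denial su triggers on these inodes rather than only the ones seen during a bugreport. The comment above it does not say which access is expected. No allow rule is added for su, so the change affects logging only and the neverallow lines that follow are untouched. If the permissions a bugreport actually hits are known, listing them instead of `*` keeps other denials visible. I would also reword the comment to `# Suppress denials generated during bugreport; su is not granted any access here.` The enclosing macro definition begins and ends outside this hunk.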
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 176d611..59d6c39 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -14,6 +14,10 @@
 # allow to use automotive display service
 binder_call(hal_evs_default, automotive_display_service_server)
 allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
+allow hal_evs_default fwk_automotive_display_service:service_manager find;
+
+# allow to use hidl token service to retrieve HGBP object
+allow hal_evs_default hidl_token_hwservice:hwservice_manager find;
 
 # allow to access data from surfaceflinger
 allow hal_evs_default surfaceflinger:fd use;
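Review bot: The added `fwk_automotive_display_service:service_manager find` rule is placed under the existing comment with no note that it is the service_manager counterpart of the hwservice_manager lookup on the line before it. A reader cannot tell whether both lookups are required or whether the older one is transitional. A short comment would settle that, e.g. `# service_manager lookup for the automotive display service; the hwservice_manager rule above is kept for <reason>`. The hunk does not show whether hal_evs_default already has `binder_use`, which a service_manager lookup presumably needs, so that is worth checking in the rest of the file.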
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index b6b9e09..7c08468 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -30,3 +30,6 @@
 # policy.  This is dontaudited here to avoid conditional
 # device-specific behavior in wpa_supplicant.
 dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
+
+# Allow wpa supplicant to access Netlink Interceptor
+hal_client_domain(hal_wifi_supplicant_default, hal_nlinterceptor)
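Review bot: The `hal_client_domain(hal_wifi_supplicant_default, hal_nlinterceptor)` line applies to every device that uses this default supplicant policy, and the comment above it only restates the rule. wpa_supplicant handles input from the network, so a new HAL client relationship should be justified in place, e.g. `# wpa_supplicant reaches netlink through the Netlink Interceptor HAL when <configuration>; needs client access only.` If only some targets ship that HAL, consider whether the grant belongs in the policy for those targets rather than in the shared vendor file.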