Merge "Allow incidentd to attach perfetto traces on user." into rvc-dev
diff --git a/private/app.te b/private/app.te
index 5590ca5..a03bcb0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -19,6 +19,8 @@
# Attempting to do so will be blocked by both selinux and unix
# permissions.
dontaudit appdomain system_data_file:dir write;
+# Apps should not be reading vendor-defined properties.
+dontaudit appdomain vendor_default_prop:file read;
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
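Review bot: The added `dontaudit appdomain vendor_default_prop:file read;` silences the denial for every app domain at once, so logs no longer show which apps attempt to read unlabeled vendor properties, and the comment gives no reason the denial is expected and no tracking bug. I would extend the comment to state that access is still denied and only the avc record is hidden, for example `# Access remains denied; this only suppresses the avc log. See b/<BUG_ID placeholder>.` The same applies to the matching rules added in private/bootanim.te and private/surfaceflinger.te. The comment here says "vendor-defined properties" while those two say "default vendor-defined properties"; since the rule covers only `vendor_default_prop`, the latter wording is the accurate one. The neverallow rule that follows continues outside the hunk.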
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 69dd7e6..51310d1 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -4,5 +4,3 @@
init_daemon_domain(blank_screen)
hal_client_domain(blank_screen, hal_light)
-
-allow blank_screen hal_light_service:service_manager find;
diff --git a/private/bootanim.te b/private/bootanim.te
index 20ff193..4740560 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -4,3 +4,6 @@
# b/68864350
dontaudit bootanim unlabeled:dir search;
+
+# Bootanim should not be reading default vendor-defined properties.
+dontaudit bootanim vendor_default_prop:file read;
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 1a8fa0b..1192ba6 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -25,3 +25,7 @@
# Allow running the cp command using cppreopts permissions. Needed so we can
# write into dalvik-cache
allow cppreopts toolbox_exec:file rx_file_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but cppreopts.sh still runs.
+dontaudit cppreopts postinstall_mnt_dir:dir search;
diff --git a/private/preloads_copy.te b/private/preloads_copy.te
index 7177839..ba54b70 100644
--- a/private/preloads_copy.te
+++ b/private/preloads_copy.te
@@ -12,3 +12,7 @@
# Allow to copy from /postinstall
allow preloads_copy system_file:dir r_dir_perms;
+
+# Silence the denial when /postinstall cannot be mounted, e.g., system_other
+# is wiped, but preloads_copy.sh still runs.
+dontaudit preloads_copy postinstall_mnt_dir:dir search;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 97203ba..cf709df 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -126,6 +126,9 @@
unix_socket_send(surfaceflinger, statsdw, statsd)
')
+# Surfaceflinger should not be reading default vendor-defined properties.
+dontaudit surfaceflinger vendor_default_prop:file read;
+
###
### Neverallow rules
###
diff --git a/public/hal_light.te b/public/hal_light.te
index 1e70b74..7054d7b 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,11 +4,14 @@
hal_attribute_hwservice(hal_light, hal_light_hwservice)
+# client finds and uses server via service_manager
+allow hal_light_client hal_light_service:service_manager find;
+binder_use(hal_light_client)
+
+# server adds itself via service_manager
add_service(hal_light_server, hal_light_service)
binder_call(hal_light_server, servicemanager)
-allow hal_light_client hal_light_service:service_manager find;
-
allow hal_light_server dumpstate:fifo_file write;
allow hal_light sysfs_leds:lnk_file read;
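Review bot: The new `binder_use(hal_light_client)` is granted through the attribute, so every domain marked as a light HAL client gains binder access to servicemanager, not only blank_screen, whose own `find` rule this commit removes. The comment "client finds and uses server via service_manager" does not make that scope clear; something like `# All hal_light clients may look up the service and use binder` would be more precise. The hunk also shows no `binder_call(hal_light_client, hal_light_server)`. It may sit in the lines above the hunk, but if it does not, the lookup would succeed and the actual transaction would still be denied. Worth confirming against the start of the file, which is outside this view.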