Merge "Dist userdebug_plat_sepolicy.cil to facilitate VTS testing"
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index bf67e4c..5ec418c 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -16,8 +16,9 @@
BLKFLSBUF
LOOP_CONFIGURE
};
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
@@ -56,6 +57,9 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
diff --git a/private/app.te b/private/app.te
index 2b3554f..8477133 100644
--- a/private/app.te
+++ b/private/app.te
@@ -103,3 +103,7 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
+
+# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
+neverallow { appdomain -gmscore_app } checkin_data_file:file *;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 692d739..22f6cd8 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -12,6 +12,7 @@
extra_free_kbytes
extra_free_kbytes_exec
hal_contexthub_service
+ hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
hal_uwb_service
diff --git a/private/file.te b/private/file.te
index 7e0bdd2..f2d3f56 100644
--- a/private/file.te
+++ b/private/file.te
@@ -30,6 +30,9 @@
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_ce/checkin for checkin apps.
+type checkin_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index bc75fd3..55b9e41 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -658,6 +658,9 @@
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+# checkin data files
+/data/misc_ce/[0-9]+/checkin(/.*)? u:object_r:checkin_data_file:s0
+
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 571d155..799d7ff 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -121,6 +121,10 @@
allow gmscore_app ota_package_file:dir rw_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
+# Write the checkin metadata to /data/misc_ce/<userid>/checkin
+allow gmscore_app checkin_data_file:dir rw_dir_perms;
+allow gmscore_app checkin_data_file:file create_file_perms;
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 5f14ba4..f370025 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -24,6 +24,9 @@
# Talk to the AudioServer service
allow mediaprovider_app audioserver_service:service_manager find;
+# Talk to the MediaCodec APIs that log media metrics
+allow mediaprovider_app mediametrics_service:service_manager find;
+
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index 805c6b3..1b28ca9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -16,6 +16,7 @@
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index ad7e6bb..c6d482a 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -20,6 +20,7 @@
apex_module_data_file
apex_rollback_data_file
backup_data_file
+ checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
@@ -34,6 +35,7 @@
apex_module_data_file
apex_rollback_data_file
backup_data_file
+ checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 06e76f1..f25a2ea 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -12,3 +12,8 @@
# allow to run with real-time scheduling policy
allow hal_sensors self:global_capability_class_set sys_nice;
+
+add_service(hal_sensors_server, hal_sensors_service)
+binder_call(hal_sensors_server, servicemanager)
+
+allow hal_sensors_client hal_sensors_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index 9fcf4d3..d333175 100644
--- a/public/service.te
+++ b/public/service.te
@@ -270,6 +270,7 @@
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
+type hal_sensors_service, vendor_service, protected_service, service_manager_type;
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7c57618..5f8d0cd 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -70,6 +70,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0