Merge "Remove references to common_time / commontime"
diff --git a/Android.mk b/Android.mk
index e1adea4..729f3b4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -769,6 +769,7 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
 $(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
 $(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
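Review bot: The added `PRIVATE_EXCLUDE_BUILD_TEST := true` carries no comment saying that it strips every `build_test_only()` rule from this policy conf, the one built with `PRIVATE_SEPOLICY_SPLIT := cts`. That narrows the set of neverallow rules the compatibility policy contains, so the reason belongs next to the flag, for example `# Drop build_test_only() neverallows: CTS cannot verify rules on expanded attributes.` The recipe for this target continues outside the hunk.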
diff --git a/definitions.mk b/definitions.mk
index 4b9e098..36b75ac 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -10,6 +10,7 @@
 	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 	-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
 	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
+	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $^ > $@
 endef
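Review bot: Every target that uses this define but never sets `PRIVATE_EXCLUDE_BUILD_TEST` now passes `-D target_exclude_build_test=` with an empty value. That is safe only because `build_test_only` in te_macros compares against the exact string `true`, so anything else keeps the build-time neverallows in. The dependency is implicit; a short comment above the new line would record it, such as `# empty or unset keeps build_test_only() rules; only "true" removes them`. The define itself starts outside the hunk.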
diff --git a/private/storaged.te b/private/storaged.te
index ff5390a..0916adf 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,10 +5,6 @@
 init_daemon_domain(storaged)
 
 # Read access to pseudo filesystems
-r_dir_file(storaged, proc_net_type)
-userdebug_or_eng(`
-  auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
-')
 r_dir_file(storaged, domain)
 
 # Read /proc/uid_io/stats
diff --git a/private/zygote.te b/private/zygote.te
index 2810976..ac1ef00 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -92,12 +92,6 @@
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
 
-# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net_type)
-userdebug_or_eng(`
-  auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
 # Root fs.
 r_dir_file(zygote, rootfs)
 
diff --git a/public/attributes b/public/attributes
index 0ec789c..90e1148 100644
--- a/public/attributes
+++ b/public/attributes
@@ -77,6 +77,11 @@
 # All properties used to configure log filtering.
 attribute log_property_type;
 
+# All properties that are not specific to device but are added from
+# outside of AOSP. (e.g. OEM-specific properties)
+# These properties are not accessible from device-specific domains
+attribute extended_core_property_type;
+
 # All service_manager types created by system_server
 attribute system_server_service;
 
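Review bot: The new comment on `extended_core_property_type` states a guarantee ("not accessible from device-specific domains") that the attribute declaration does not itself provide. Enforcement presumably comes from the type sets edited in public/property.te in this same commit, and it only covers a property whose type is actually tagged with the attribute. I would say so here, e.g. `# Enforced by the rules in public/property.te; a property type must carry this attribute to be covered.`, and end the existing sentence with a period.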
diff --git a/public/hal_audio.te b/public/hal_audio.te
index d979103..9ffb769 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,8 +2,7 @@
 binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 
-add_hwservice(hal_audio_server, hal_audio_hwservice)
-hal_attribute_hwservice_client(hal_audio, hal_audio_hwservice)
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
 
 allow hal_audio ion_device:chr_file r_file_perms;
 
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index dc4aaa0..4a52b89 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -2,5 +2,4 @@
 binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
 binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
 
-add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
-hal_attribute_hwservice_client(hal_audiocontrol, hal_audiocontrol_hwservice)
+hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index f58b8aa..daf8d48 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -1,5 +1,4 @@
 # HwBinder IPC from client to server
 binder_call(hal_authsecret_client, hal_authsecret_server)
 
-add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
-hal_attribute_hwservice_client(hal_authsecret, hal_authsecret_hwservice)
+hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index b0c68bf..09c3ce6 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -2,8 +2,7 @@
 binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 
-add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
-hal_attribute_hwservice_client(hal_bluetooth, hal_bluetooth_hwservice)
+hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
 
 wakelock_use(hal_bluetooth);
 
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index a901cf2..9c13f55 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -2,7 +2,6 @@
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
 
-add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
-hal_attribute_hwservice_client(hal_bootctl, hal_bootctl_hwservice)
+hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
 
 dontaudit hal_bootctl self:capability sys_rawio;
diff --git a/public/hal_broadcastradio.te b/public/hal_broadcastradio.te
index 45adb4a..5653afa 100644
--- a/public/hal_broadcastradio.te
+++ b/public/hal_broadcastradio.te
@@ -1,4 +1,3 @@
 binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
 
-add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
-hal_attribute_hwservice_client(hal_broadcastradio, hal_broadcastradio_hwservice)
+hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 4e80794..77216e4 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,8 +2,7 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 
-add_hwservice(hal_camera_server, hal_camera_hwservice)
-hal_attribute_hwservice_client(hal_camera, hal_camera_hwservice)
+hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
 
 allow hal_camera device:dir r_dir_perms;
 allow hal_camera video_device:dir r_dir_perms;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 0ba39ed..7de6a13 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -2,8 +2,7 @@
 binder_call(hal_cas_client, hal_cas_server)
 binder_call(hal_cas_server, hal_cas_client)
 
-add_hwservice(hal_cas_server, hal_cas_hwservice)
-hal_attribute_hwservice_client(hal_cas, hal_cas_hwservice)
+hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 
 # Permit reading device's serial number from system properties
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index c8051e1..2931cb5 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,12 +1,7 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
 
-allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
-add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
-# As opposed to the rules of most other HALs, the different services exposed by
-# this HAL should be restricted to different clients. Thus, the allow rules for
-# clients are defined in the .te files of the clients.
+hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
 
 # hal_configstore runs with a strict seccomp filter. Use crash_dump's
 # fallback path to collect crash data.
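Review bot: This hunk deletes the comment explaining that configstore services are meant to be restricted to different clients, with client allow rules kept in the clients' own .te files. It replaces the explicit rules with `hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)`, which grants `find` to every `hal_configstore_client`. For the one service shown the grant matches the removed `allow` line, but the design note is lost. A later configstore service added with the same macro would be opened to all clients without anyone noticing the original intent. I would keep a shortened form of the comment above the macro call, stating that new configstore services should not use the attribute-wide macro unless all clients are meant to reach them.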
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
index 9a7e697..5d2e4b7 100644
--- a/public/hal_confirmationui.te
+++ b/public/hal_confirmationui.te
@@ -1,5 +1,4 @@
 # HwBinder IPC from client to server
 binder_call(hal_confirmationui_client, hal_confirmationui_server)
 
-add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
-hal_attribute_hwservice_client(hal_confirmationui, hal_confirmationui_hwservice)
+hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index 0f23ae5..34acb38 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -2,5 +2,4 @@
 binder_call(hal_contexthub_client, hal_contexthub_server)
 binder_call(hal_contexthub_server, hal_contexthub_client)
 
-add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
-hal_attribute_hwservice_client(hal_contexthub, hal_contexthub_hwservice)
+hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 0a03a95..339af52 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -2,8 +2,7 @@
 binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)
 
-add_hwservice(hal_drm_server, hal_drm_hwservice)
-hal_attribute_hwservice_client(hal_drm, hal_drm_hwservice)
+hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
 
 allow hal_drm hidl_memory_hwservice:hwservice_manager find;
 
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 75e59f3..b7676ed 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,8 +2,7 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
-add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
-hal_attribute_hwservice_client(hal_dumpstate, hal_dumpstate_hwservice)
+hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
 
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 240f1dd..b673e29 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -2,8 +2,7 @@
 binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 
-add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
-hal_attribute_hwservice_client(hal_fingerprint, hal_fingerprint_hwservice)
+hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
 
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 0ff8f08..b918f88 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,7 +1,6 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
-add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-hal_attribute_hwservice_client(hal_gatekeeper, hal_gatekeeper_hwservice)
+hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
 
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 7e206a8..9bfc4ec 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -2,5 +2,4 @@
 binder_call(hal_gnss_client, hal_gnss_server)
 binder_call(hal_gnss_server, hal_gnss_client)
 
-add_hwservice(hal_gnss_server, hal_gnss_hwservice)
-hal_attribute_hwservice_client(hal_gnss, hal_gnss_hwservice)
+hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 753b816..41a3249 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,8 +1,7 @@
 # HwBinder IPC from client to server
 binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 
-add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
-hal_attribute_hwservice_client(hal_graphics_allocator, hal_graphics_allocator_hwservice)
+hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
 allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
 
 # GPU device access
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index e6854f6..e10daf9 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -2,8 +2,7 @@
 binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
 binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
 
-add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
-hal_attribute_hwservice_client(hal_graphics_composer, hal_graphics_composer_hwservice)
+hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
 
 # Coordinate with hal_graphics_mapper
 allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/public/hal_health.te b/public/hal_health.te
index f6d5d3b..32afcad 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -2,8 +2,7 @@
 binder_call(hal_health_client, hal_health_server)
 binder_call(hal_health_server, hal_health_client)
 
-add_hwservice(hal_health_server, hal_health_hwservice)
-hal_attribute_hwservice_client(hal_health, hal_health_hwservice)
+hal_attribute_hwservice(hal_health, hal_health_hwservice)
 
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index 022d5ee..29555f7 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -2,5 +2,4 @@
 binder_call(hal_ir_client, hal_ir_server)
 binder_call(hal_ir_server, hal_ir_client)
 
-add_hwservice(hal_ir_server, hal_ir_hwservice)
-hal_attribute_hwservice_client(hal_ir, hal_ir_hwservice)
+hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index 664f277..3e164ad 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,8 +1,7 @@
 # HwBinder IPC from client to server
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
-add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
-hal_attribute_hwservice_client(hal_keymaster, hal_keymaster_hwservice)
+hal_attribute_hwservice(hal_keymaster, hal_keymaster_hwservice)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 841b17a..333fcac 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -2,8 +2,7 @@
 binder_call(hal_light_client, hal_light_server)
 binder_call(hal_light_server, hal_light_client)
 
-add_hwservice(hal_light_server, hal_light_hwservice)
-hal_attribute_hwservice_client(hal_light, hal_light_hwservice)
+hal_attribute_hwservice(hal_light, hal_light_hwservice)
 
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_lowpan.te b/public/hal_lowpan.te
index 5bb36f9..6fb95e9 100644
--- a/public/hal_lowpan.te
+++ b/public/hal_lowpan.te
@@ -2,10 +2,9 @@
 binder_call(hal_lowpan_client, hal_lowpan_server)
 binder_call(hal_lowpan_server, hal_lowpan_client)
 
-add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
 
 # Allow hal_lowpan_client to be able to find the hal_lowpan_server
-hal_attribute_hwservice_client(hal_lowpan, hal_lowpan_hwservice)
+hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)
 
 # hal_lowpan domain can write/read to/from lowpan_prop
 set_prop(hal_lowpan_server, lowpan_prop)
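Review bot: The retained comment "Allow hal_lowpan_client to be able to find the hal_lowpan_server" now sits above `hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)`, which per the te_macros change in this commit also lets the server register the service. The comment therefore describes only half of what the line grants. Suggested wording: `# Let hal_lowpan_server register hal_lowpan_hwservice and hal_lowpan_client find it`. The removal of `add_hwservice` also leaves two consecutive blank lines above the comment.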
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index 8185fd1..ed93a29 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -1,5 +1,4 @@
 # HwBinder IPC from client to server
 binder_call(hal_memtrack_client, hal_memtrack_server)
 
-add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
-hal_attribute_hwservice_client(hal_memtrack, hal_memtrack_hwservice)
+hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 149f768..348fdb8 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -2,7 +2,6 @@
 binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
 binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
 
-add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
-hal_attribute_hwservice_client(hal_neuralnetworks, hal_neuralnetworks_hwservice)
+hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
 allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
 allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index caa4c82..7cef4a1 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -2,8 +2,7 @@
 binder_call(hal_nfc_client, hal_nfc_server)
 binder_call(hal_nfc_server, hal_nfc_client)
 
-add_hwservice(hal_nfc_server, hal_nfc_hwservice)
-hal_attribute_hwservice_client(hal_nfc, hal_nfc_hwservice)
+hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
 
 # Set NFC properties (used by bcm2079x HAL).
 set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index d118f43..26b2b42 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -1,5 +1,4 @@
 # HwBinder IPC from client to server
 binder_call(hal_oemlock_client, hal_oemlock_server)
 
-add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
-hal_attribute_hwservice_client(hal_oemlock, hal_oemlock_hwservice)
+hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 375f386..a477875 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -1,8 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-add_hwservice(hal_omx_server, hal_codec2_hwservice)
-add_hwservice(hal_omx_server, hal_omx_hwservice)
 
 # can route /dev/binder traffic to /dev/vndbinder
 vndbinder_use(hal_omx_server)
@@ -27,8 +25,8 @@
 # via PDX. Thus, there is no need to use pdx_client macro.
 allow hal_omx_server bufferhubd:fd use;
 
-hal_attribute_hwservice_client(hal_omx, hal_omx_hwservice)
-hal_attribute_hwservice_client(hal_omx, hal_codec2_hwservice)
+hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
+hal_attribute_hwservice(hal_omx, hal_codec2_hwservice)
 
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
diff --git a/public/hal_power.te b/public/hal_power.te
index 26fbd4c..028011a 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -2,5 +2,4 @@
 binder_call(hal_power_client, hal_power_server)
 binder_call(hal_power_server, hal_power_client)
 
-add_hwservice(hal_power_server, hal_power_hwservice)
-hal_attribute_hwservice_client(hal_power, hal_power_hwservice)
+hal_attribute_hwservice(hal_power, hal_power_hwservice)
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
index 8410c77..3724d35 100644
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -2,5 +2,4 @@
 binder_call(hal_secure_element_client, hal_secure_element_server)
 binder_call(hal_secure_element_server, hal_secure_element_client)
 
-add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
-hal_attribute_hwservice_client(hal_secure_element, hal_secure_element_hwservice)
+hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 603eead..06e76f1 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,8 +1,7 @@
 # HwBinder IPC from client to server
 binder_call(hal_sensors_client, hal_sensors_server)
 
-add_hwservice(hal_sensors_server, hal_sensors_hwservice)
-hal_attribute_hwservice_client(hal_sensors, hal_sensors_hwservice)
+hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
 
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index a20350b..a7c687d 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -2,8 +2,7 @@
 binder_call(hal_telephony_client, hal_telephony_server)
 binder_call(hal_telephony_server, hal_telephony_client)
 
-add_hwservice(hal_telephony_server, hal_telephony_hwservice)
-hal_attribute_hwservice_client(hal_telephony, hal_telephony_hwservice)
+hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
 
 allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
 
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index d44573a..cf51723 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -2,7 +2,7 @@
 binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
 
-hal_attribute_hwservice_client(hal_tetheroffload, hal_tetheroffload_hwservice)
+hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
 
 # allow the client to pass the server already open netlink sockets
 allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
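Review bot: Unlike the sibling HAL files, the old side of this hunk has no `add_hwservice(hal_tetheroffload_server, ...)` line, so the switch to `hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)` is not a pure rename. The macro as redefined in te_macros in this commit also expands `add_hwservice($1_server, $2)`. Either the server is newly granted registration of the service here, or an `add_hwservice` that exists elsewhere in the file (which continues beyond the hunk) is now redundant. The commit should say which, and remove any leftover duplicate.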
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index 105e882..2115da1 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -2,5 +2,4 @@
 binder_call(hal_thermal_client, hal_thermal_server)
 binder_call(hal_thermal_server, hal_thermal_client)
 
-add_hwservice(hal_thermal_server, hal_thermal_hwservice)
-hal_attribute_hwservice_client(hal_thermal, hal_thermal_hwservice)
+hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
index 9ee2e3e..6584904 100644
--- a/public/hal_tv_cec.te
+++ b/public/hal_tv_cec.te
@@ -2,5 +2,4 @@
 binder_call(hal_tv_cec_client, hal_tv_cec_server)
 binder_call(hal_tv_cec_server, hal_tv_cec_client)
 
-add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
-hal_attribute_hwservice_client(hal_tv_cec, hal_tv_cec_hwservice)
+hal_attribute_hwservice(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index cee55bd..5a5bdda 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -2,5 +2,4 @@
 binder_call(hal_tv_input_client, hal_tv_input_server)
 binder_call(hal_tv_input_server, hal_tv_input_client)
 
-add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
-hal_attribute_hwservice_client(hal_tv_input, hal_tv_input_hwservice)
+hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 52fdce2..b8034b8 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -2,8 +2,7 @@
 binder_call(hal_usb_client, hal_usb_server)
 binder_call(hal_usb_server, hal_usb_client)
 
-add_hwservice(hal_usb_server, hal_usb_hwservice)
-hal_attribute_hwservice_client(hal_usb, hal_usb_hwservice)
+hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
 
 allow hal_usb self:netlink_kobject_uevent_socket create;
 allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index 41683b0..a474652 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -2,8 +2,7 @@
 binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
 binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
 
-add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
-hal_attribute_hwservice_client(hal_usb_gadget, hal_usb_gadget_hwservice)
+hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
 
 # Configuring usb gadget functions
 allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
index d021da3..6855d14 100644
--- a/public/hal_vehicle.te
+++ b/public/hal_vehicle.te
@@ -2,6 +2,5 @@
 binder_call(hal_vehicle_client, hal_vehicle_server)
 binder_call(hal_vehicle_server, hal_vehicle_client)
 
-add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)
 
-hal_attribute_hwservice_client(hal_vehicle, hal_vehicle_hwservice)
+hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index ba6830d..ab6138d 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,8 +1,7 @@
 # HwBinder IPC from client to server
 binder_call(hal_vibrator_client, hal_vibrator_server)
 
-add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
-hal_attribute_hwservice_client(hal_vibrator, hal_vibrator_hwservice)
+hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
 
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 4afe3cd..e52c77f 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -2,5 +2,4 @@
 binder_call(hal_vr_client, hal_vr_server)
 binder_call(hal_vr_server, hal_vr_client)
 
-add_hwservice(hal_vr_server, hal_vr_hwservice)
-hal_attribute_hwservice_client(hal_vr, hal_vr_hwservice)
+hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index 405321d..36d1306 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -1,5 +1,4 @@
 # HwBinder IPC from client to server
 binder_call(hal_weaver_client, hal_weaver_server)
 
-add_hwservice(hal_weaver_server, hal_weaver_hwservice)
-hal_attribute_hwservice_client(hal_weaver, hal_weaver_hwservice)
+hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 45738e2..f735be5 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -2,8 +2,7 @@
 binder_call(hal_wifi_client, hal_wifi_server)
 binder_call(hal_wifi_server, hal_wifi_client)
 
-add_hwservice(hal_wifi_server, hal_wifi_hwservice)
-hal_attribute_hwservice_client(hal_wifi, hal_wifi_hwservice)
+hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
 
 r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index ea84a36..12d72b6 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -2,8 +2,7 @@
 binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
 binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
 
-add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
-hal_attribute_hwservice_client(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
+hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
 
 allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
 
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index 1b75711..765e72a 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -2,8 +2,7 @@
 binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
 binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
 
-add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
-hal_attribute_hwservice_client(hal_wifi_offload, hal_wifi_offload_hwservice)
+hal_attribute_hwservice(hal_wifi_offload, hal_wifi_offload_hwservice)
 
 r_dir_file(hal_wifi_offload, proc_net_type)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 87a061f..6004c33 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -2,8 +2,7 @@
 binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 
-add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
-hal_attribute_hwservice_client(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
 
 # in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/logd.te b/public/logd.te
index 23318b0..2ef257f 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -6,10 +6,6 @@
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net_type)
-userdebug_or_eng(`
-  auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
 
 allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
 allow logd self:global_capability2_class_set syslog;
diff --git a/public/property.te b/public/property.te
index c9bcb86..8113b82 100644
--- a/public/property.te
+++ b/public/property.te
@@ -160,6 +160,7 @@
     -vendor_init
   } {
     core_property_type
+    extended_core_property_type
     exported_config_prop
     exported_dalvik_prop
     exported_default_prop
@@ -256,6 +257,7 @@
     -vendor_init
   } {
     core_property_type
+    extended_core_property_type
     exported_dalvik_prop
     exported_ffs_prop
     exported_system_radio_prop
@@ -369,6 +371,7 @@
     -exported_system_radio_prop
     -exported_vold_prop
     -exported_wifi_prop
+    -extended_core_property_type
     -ffs_prop
     -fingerprint_prop
     -firstboot_prop
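Review bot: The third hunk subtracts `-extended_core_property_type` from a type set while the first two hunks add it to theirs, and none of the enclosing rules is visible, so the net effect on access cannot be read from the diff. If the third rule is a neverallow, the subtraction exempts these externally added properties from it. That is worth confirming against the full rule and recording in a comment next to the entry that names which domains are meant to keep access. All three type sets begin and end outside their hunks.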
diff --git a/public/te_macros b/public/te_macros
index ffb8428..cdfdc89 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,10 +213,15 @@
 attribute hal_$1_server;
 expandattribute hal_$1_server false;
 
-neverallow { hal_$1_server -hal_$1 } domain:process fork;
 neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
 neverallow { hal_$1_client -halclientdomain } domain:process fork;
 ')
+')
 
 #####################################
 # hal_server_domain(domain, hal_type)
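Review bot: The new comment justifies moving the rules into `build_test_only` by naming `hal_*_client` and `halclientdomain`, but the first moved rule, `neverallow { hal_$1_server -hal_$1 } domain:process fork;`, mentions neither. The hunk itself marks `hal_$1_server` as `expandattribute ... false`, so the reason must be `hal_$1`, which the comment should name if that attribute is expanded too. The comment also sits inside the quoted macro body, where m4 does not treat `#` specially: an apostrophe added to it later would close the quote and break the define. Placing the explanation above the `define` that encloses these rules (it starts outside the hunk) avoids that.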
@@ -498,6 +503,12 @@
 #
 define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
 
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
 ####################################
 # Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
 #
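Review bot: The header for `build_test_only` does not say that wrapped rules vanish entirely from any policy built with `target_exclude_build_test` set to `true`, nor that the macro is therefore only safe around neverallow rules. Wrapping an `allow` would make the test policy grant something different from the build policy. "*TS testing" is also opaque shorthand; spelling out the suites that are meant would help. I would extend the header with `# Only wrap neverallow rules: the contents are dropped when target_exclude_build_test is "true" and kept for any other value.`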
@@ -605,13 +616,17 @@
 ')
 
 ###########################################
-# hal_attribute_hwservice_client(attribute, service)
+# hal_attribute_hwservice(attribute, service)
 # Ability for domain to get a service to hwservice_manager
 # and find it. It also creates a neverallow preventing
 # others from adding it.
 #
 # Used to pair hal_foo_client with hal_foo_hwservice
-define(`hal_attribute_hwservice_client', `
+define(`hal_attribute_hwservice', `
   allow $1_client $2:hwservice_manager find;
-  neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+  add_hwservice($1_server, $2)
+
+  build_test_only(`
+    neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+  ')
 ')
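Review bot: The header above `hal_attribute_hwservice` is now stale. It still says the macro "creates a neverallow preventing others from adding it", while the neverallow in the body restricts `find`, and the macro additionally calls `add_hwservice($1_server, $2)`; "Used to pair hal_foo_client with hal_foo_hwservice" omits the server as well. The `find` neverallow is now inside `build_test_only`, so it is checked only at build time and is absent from the policy built with the exclude flag; the header should state that. Finally, `hal_attribute_hwservice_client` is removed with no alias, so any policy outside this diff that still calls it will be left with unexpanded text. If such callers may exist, a one-line forwarding `define` would keep them building.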