Merge "Allow the microdroid app to use diced"
diff --git a/Android.mk b/Android.mk
index 361c7c4..2e74b25 100644
--- a/Android.mk
+++ b/Android.mk
@@ -482,6 +482,7 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 119e477..98dd3cf 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -152,10 +152,11 @@
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", binaryPolicy).
Input(checkpolicyConfPath)
+ rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
// Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
// file from Step 1
-
+ rule = android.NewRuleBuilder(pctx, ctx)
msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
`of an expanded attribute in a neverallow assertion. Please fix\n` +
`the policy.`
@@ -170,9 +171,8 @@
Text(`"` + msg + `"`).
Text("; exit 1)")
- rule.Temporary(binaryPolicy)
rule.Command().Text("touch").Output(n.testTimestamp)
- rule.Build("neverallow", "Neverallow check: "+ctx.ModuleName())
+ rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
}
func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index d757a52..c909986 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -4,7 +4,7 @@
typeattribute automotive_display_service automotive_display_service_server;
-# Allow to add a display service to the manager
+# Allow to add a display service to the hwservicemanager
add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
# Allow init to launch automotive display service
@@ -36,3 +36,6 @@
# Allow to access EGL files
allow automotive_display_service gpu_device:chr_file rw_file_perms;
allow automotive_display_service gpu_device:dir search;
+
+# Allow to add a service to the servicemanager
+add_service(automotive_display_service, fwk_automotive_display_service);
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index fdb9b0d..4d55168 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
dice_node_service
diced
diced_exec
+ fwk_automotive_display_service
extra_free_kbytes
extra_free_kbytes_exec
gesture_prop
diff --git a/private/file_contexts b/private/file_contexts
index 422d83a..ba50376 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -376,6 +376,7 @@
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
+/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
#############################
# Vendor files
diff --git a/private/service_contexts b/private/service_contexts
index 95da67d..982eae7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -74,6 +74,7 @@
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 86d7fd8..7024c5a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -97,7 +97,7 @@
crash_dump
webview_zygote
zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 297e47a..b7d700b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -14,6 +14,7 @@
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
type fingerprintd_service, service_manager_type;
+type fwk_automotive_display_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;