commit 5064189c231d126d018161f076a0c8318e075a0f
author Ashwini Oruganti <ashfall@google.com> Thu Nov 21 12:26:08 2019 -0800
committer Ashwini Oruganti <ashfall@google.com> Thu Nov 21 12:59:33 2019 -0800
tree 39a4bfa52c70cc621f3e599dc3356ab6e519b63f
parent 82eca37afa8152fe8e511443c06ece23673a7161

Update permissioncontroller_app domain rules

This adds permissions for content_capture_service,
incidentcompanion_service, media_session_service, and telecom_service.
These were observed via sedenials on dogfood builds.

Bug: 142672293
Bug: 144677148
Test: Green builds, no more denials show up for these services.
Change-Id: Ifd93c54fb3ca3f0da781cd2038217a29e812a40f

private/permissioncontroller_app.te

diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 9b09ce3..9d88248 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -1,7 +1,7 @@
 ###
 ### A domain for further sandboxing the GooglePermissionController app.
 ###
-type permissioncontroller_app, domain;
+type permissioncontroller_app, domain, coredomain;
 
 # Allow everything.
 # TODO(b/142672293): remove when no selinux denials are triggered for this
@@ -29,7 +29,11 @@
 allow permissioncontroller_app activity_task_service:service_manager find;
 allow permissioncontroller_app audio_service:service_manager find;
 allow permissioncontroller_app autofill_service:service_manager find;
+allow permissioncontroller_app content_capture_service:service_manager find;
 allow permissioncontroller_app device_policy_service:service_manager find;
+allow permissioncontroller_app incidentcompanion_service:service_manager find;
 allow permissioncontroller_app location_service:service_manager find;
+allow permissioncontroller_app media_session_service:service_manager find;
 allow permissioncontroller_app surfaceflinger_service:service_manager find;
+allow permissioncontroller_app telecom_service:service_manager find;
 allow permissioncontroller_app trust_service:service_manager find;