Merge "Label /vendor/priv-app as vendor_app_file"
diff --git a/public/domain.te b/public/domain.te
index f544cd1..0d50c38 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -467,8 +467,8 @@
domain
-adbd
-dumpstate
- -hal_drm
- -hal_cas
+ -hal_drm_server
+ -hal_cas_server
-init
-mediadrmserver
-recovery
@@ -508,7 +508,7 @@
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
- -hal_bootctl
+ -hal_bootctl_server
-init
-uncrypt
-update_engine
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 0665e26..dd7b140 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,11 +23,11 @@
###
# Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
# Should never need network access.
# Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index d0824c3..4265b8a 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -23,10 +23,10 @@
# hal_camera should never execute any executable without a
# domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index b4801c5..7f65358 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -7,7 +7,7 @@
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
# Permit reading device's serial number from system properties
-get_prop(hal_cas, serialno_prop)
+get_prop(hal_cas_server, serialno_prop)
# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };
@@ -29,7 +29,7 @@
# hal_cas should never execute any executable without a
# domain transition
-neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
-neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index fbd90eb..a46dd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -47,7 +47,7 @@
# hal_drm should never execute any executable without a
# domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/te_macros b/public/te_macros
index aad2949..18e5e61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,7 +213,6 @@
attribute hal_$1_server;
expandattribute hal_$1_server false;
-neverallow { hal_$1_client -halclientdomain } domain:process fork;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
')
diff --git a/public/vold.te b/public/vold.te
index b446915..9dbf8dd 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -210,7 +210,7 @@
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
neverallow vold {
domain
- -hal_keymaster
+ -hal_keymaster_server
-healthd
-hwservicemanager
-servicemanager