Add sepolicy for resolver service
Bug: 126141549
Test: built, flashed, booted
Change-Id: I34260e1e5cc238fbe92574f928252680c1e6b417
diff --git a/private/atrace.te b/private/atrace.te
index 9cbe71a..7979fa1 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -40,6 +40,7 @@
-incident_service
-iorapd_service
-netd_service
+ -dnsresolver_service
-stats_service
-dumpstate_service
-installd_service
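Review bot: The `-dnsresolver_service` exclusion added here, like the matching one in private/system_app.te, only removes the type from this one `find` rule. Nothing in the visible hunks stops a later rule or attribute from granting the same lookup to another domain. If the part of the change that declares the type does not already carry one, a rule such as `neverallow { domain -<intended client domains> } dnsresolver_service:service_manager find;` would turn the restriction into a build-time guarantee. The enclosing block starts and ends outside the hunk. Unlike system_app.te, no `dontaudit` entry is added for atrace, so please confirm whether atrace will now log denials for this service.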
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index e0898b2..f8efdb2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -40,6 +40,7 @@
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
+ dnsresolver_service
e2fs
e2fs_exec
exfat
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5d872b9..1129259 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -38,6 +38,7 @@
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
+ dnsresolver_service
exfat
exported2_config_prop
exported2_default_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index fd42fff..8e0a7ab 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -41,6 +41,7 @@
device_config_runtime_native_prop
device_config_media_native_prop
device_config_service
+ dnsresolver_service
dynamic_android_service
face_service
face_vendor_data_file
diff --git a/private/network_stack.te b/private/network_stack.te
index 4b88756..4435a7a 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -21,6 +21,7 @@
allow network_stack self:netlink_route_socket nlmsg_write;
allow network_stack app_api_service:service_manager find;
+allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack radio_service:service_manager find;
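Review bot: The new `allow network_stack dnsresolver_service:service_manager find;` grants only the service-manager lookup, as does the equivalent line in private/system_server.te. The binder `call` permission towards whichever domain registers `dnsresolver` is not part of either hunk. If that domain is the one already serving `netd_service`, the existing binder rules presumably cover it, but that cannot be confirmed from here. A short comment above the rule would help a later least-privilege audit, for example `# network_stack talks to the DNS resolver binder service hosted by <domain>`.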
diff --git a/private/service_contexts b/private/service_contexts
index ecf9199..baead30 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -50,6 +50,7 @@
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
+dnsresolver u:object_r:dnsresolver_service:s0
color_display u:object_r:color_display_service:s0
netd_listener u:object_r:netd_listener_service:s0
network_watchlist u:object_r:network_watchlist_service:s0
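Review bot: The `dnsresolver` name is labelled here, but none of the visible hunks declares `dnsresolver_service` as a `service_manager_type` or grants any domain `add` on it. Those rules may sit in a file outside this view. Please confirm that exactly one domain is allowed to register the name, for example `add_service(<hosting domain>, dnsresolver_service)`, so that the `find` grants in network_stack.te and system_server.te can only resolve to the intended process.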
diff --git a/private/system_app.te b/private/system_app.te
index 3f0d335..27e8ef1 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,6 +74,7 @@
allow system_app {
service_manager_type
-apex_service
+ -dnsresolver_service
-dumpstate_service
-installd_service
-iorapd_service
@@ -85,6 +86,7 @@
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
+ dnsresolver_service
dumpstate_service
installd_service
iorapd_service
diff --git a/private/system_server.te b/private/system_server.te
index 7540d56..db51da3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -692,6 +692,7 @@
allow system_server audioserver_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
+allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;