Merge "Add label and permission for game_mode_intervention.list"
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index f0888a7..2be7f88 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -11,3 +11,4 @@
# any domain which uses bpf is a bpfdomain
neverallow { domain -bpfdomain } *:bpf *;
+allow bpfdomain fs_bpf:dir search;
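Review bot: The new `allow bpfdomain fs_bpf:dir search;` carries no comment, while the neverallow just above explains its rationale; add `# Every bpfdomain must traverse /sys/fs/bpf to open its pinned maps and programs.` above it. This single rule is what the per-domain `fs_bpf:dir search` deletions elsewhere in this change rely on, so each of those domains (gpuservice, lmkd, mediaprovider_app, netutils_wrapper, system_server, hal_health_server, netd) must actually carry the bpfdomain attribute. The neverallow on the line above implies that for any domain that uses the bpf class, and the hunks for the other domains show `bpfloader:bpf` rules, but netd's bpf-class usage is not visible in this diff, so netd is the one to confirm before merging.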
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 35167d5..76a2370 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -54,7 +54,6 @@
# Needed for interact with bpf fs.
# Write is needed to open read/write bpf maps.
-allow gpuservice fs_bpf:dir search;
allow gpuservice fs_bpf:file { read write };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 0d90756..828ffb1 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
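Review bot: The rewritten allow line is missing the space before the closing brace in `sdk_sandbox_data_file}`; the rest of the file writes type sets as `{ a b }`, so it should read `{ app_data_file privapp_data_file sdk_sandbox_data_file }`. The comment above it still only mentions app data files; since sdk sandbox data files are now covered too, extend it to `# Access already open app data files (including sdk sandbox data files) received over Binder or local socket IPC.`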
@@ -72,7 +72,7 @@
#####
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
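Review bot: Same brace spacing as in the earlier hunk: `sdk_sandbox_data_file}` should be `sdk_sandbox_data_file }` to match the file's `{ ... }` convention. The comment above the neverallow should name the new type as well so the guarantee it documents stays accurate, e.g. `# Isolated apps should not directly open app data files or sdk sandbox data files themselves.`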
diff --git a/private/lmkd.te b/private/lmkd.te
index 13828a4..51d6204 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -12,7 +12,6 @@
# Get persist.device_config.lmk_native.* properties.
get_prop(lmkd, device_config_lmkd_native_prop)
-allow lmkd fs_bpf:dir search;
allow lmkd fs_bpf:file read;
allow lmkd bpfloader:bpf map_read;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index bcbbfcc..630183e 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -65,6 +65,5 @@
dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
# bpfprog access for FUSE BPF
-allow mediaprovider_app fs_bpf:dir search;
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 06aadc2..af0360f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,7 +25,6 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
allow netutils_wrapper fs_bpf:file { read write };
allow netutils_wrapper bpfloader:bpf prog_run;
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 4a7a9bb..b18b7dd 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -21,6 +21,7 @@
auditallow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
allow sdk_sandbox trust_service:service_manager find;
allow sdk_sandbox uimode_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
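Review bot: The added `thermal_service` find rule has no comment saying which sandboxed-SDK code path needs it; a one-line why-comment such as `# thermal_service: presumably for the thermal status/headroom APIs reachable from SDK code -- confirm` would let the next reviewer judge the sandbox's exposure. The audio_service line above is under `auditallow`, which suggests the file tracks service usage from the sandbox; if thermal lookups are expected to be rare, the same `auditallow sdk_sandbox thermal_service:service_manager find;` treatment could be applied here. Whether thermal_service belongs in the set intended for untrusted sandbox code cannot be verified from this diff.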
diff --git a/private/service_contexts b/private/service_contexts
index c7f8811..cac6ea8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,5 @@
+android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 30d261d..7ca6019 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1135,7 +1135,6 @@
# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
-allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
diff --git a/public/hal_audio.te b/public/hal_audio.te
index d1970b9..52caa00 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -7,6 +7,8 @@
allow hal_audio ion_device:chr_file r_file_perms;
+binder_call(hal_audio_server, servicemanager)
+
r_dir_file(hal_audio, proc)
r_dir_file(hal_audio, proc_asound)
allow hal_audio_server audio_device:dir r_dir_perms;
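Review bot: `binder_call(hal_audio_server, servicemanager)` lets the audio HAL talk to servicemanager, but registering the new `android.hardware.audio.core.IConfig`/`IModule` entries added to service_contexts also needs `add_service(hal_audio_server, hal_audio_service)` (or an equivalent `hal_audio_service:service_manager add` rule); if that exists outside this diff, fine, otherwise registration will be denied. The macro line has no comment; add `# Register the AIDL audio HAL (IConfig/IModule) with servicemanager.` above it. Because this is public policy it applies to every hal_audio_server, including HIDL-only implementations that never register with servicemanager; if that broadening is unwanted, the rule could live in the AIDL default domain instead.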
diff --git a/public/hal_health.te b/public/hal_health.te
index a31da4d..5d7aff5 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -28,7 +28,6 @@
allow hal_health_server self:capability2 wake_alarm;
# Use bpf programs
-allow hal_health_server fs_bpf:dir search;
allow hal_health_server fs_bpf_vendor:dir search;
allow hal_health_server fs_bpf_vendor:file read;
allow hal_health_server bpfloader:bpf prog_run;
diff --git a/public/netd.te b/public/netd.te
index 899df88..64b4c7d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,7 +64,6 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
diff --git a/public/te_macros b/public/te_macros
index e70c5d3..58d04b4 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@
type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
# Allow domain to create/use userfaultfd anon_inode.
allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Suppress errors generate during bugreport
+dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
# This domain may not use userfaultfd anon_inodes created by other domains.
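Review bot: The new comment `# Suppress errors generate during bugreport` has a grammar slip and does not say what is suppressed; `# Suppress denials generated when bugreport (running as su) inspects this domain's userfaultfd fds.` is clearer. The `dontaudit su ...` line is also inserted between the allow rule and the comment that introduces the neverallow below it, so the "Other domains may not use" comment now sits under an su-specific rule; moving the dontaudit after the two neverallows keeps the allow/neverallow pair together. A dontaudit does not conflict with the neverallow on the next line, since neverallow only constrains allow rules, so the change is safe; it only has an effect on builds where the su domain is actually used, which is worth stating in the comment. The enclosing macro definition starts and ends outside this hunk.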
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 0cfb7cf..5a8d0aa 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,6 +4,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl.example u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
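Review bot: In the added entry `android\.hardware\.audio\.service-aidl.example` the final `.` is unescaped, so the regex matches any character in that position, while every other dot in the path is written `\.`; use `android\.hardware\.audio\.service-aidl\.example`. The existing `audiocontrol-service.example` line has the same lapse, so the new line is at least consistent with its neighbour, but the escaped form is the one that cannot be over-matched by a differently named binary dropped into vendor/bin/hw.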
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 176d611..59d6c39 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -14,6 +14,10 @@
# allow to use automotive display service
binder_call(hal_evs_default, automotive_display_service_server)
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
+allow hal_evs_default fwk_automotive_display_service:service_manager find;
+
+# allow to use hidl token service to retrieve HGBP object
+allow hal_evs_default hidl_token_hwservice:hwservice_manager find;
# allow to access data from surfaceflinger
allow hal_evs_default surfaceflinger:fd use;
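Review bot: The comment `# allow to use hidl token service to retrieve HGBP object` should spell out the acronym for readers outside the EVS team, e.g. `# Allow use of the HIDL token service to retrieve the HGBP (HIDL graphics buffer producer) handle -- confirm exact interface`. The new `fwk_automotive_display_service:service_manager find` adds an AIDL lookup beside the existing hwservice one, and a find alone is not enough to reach the service: confirm that hal_evs_default already has binder access to servicemanager from its domain macros, and that `automotive_display_service_server` on the `binder_call` line above is also the domain serving the AIDL variant; neither is visible in this diff.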
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index b6b9e09..7c08468 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -30,3 +30,6 @@
# policy. This is dontaudited here to avoid conditional
# device-specific behavior in wpa_supplicant.
dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
+
+# Allow wpa supplicant to access Netlink Interceptor
+hal_client_domain(hal_wifi_supplicant_default, hal_nlinterceptor)
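Review bot: `hal_client_domain(hal_wifi_supplicant_default, hal_nlinterceptor)` attaches the hal_nlinterceptor client attribute to wpa_supplicant, so it inherits every client-side rule written for that HAL, not only service discovery; the comment should say which interceptor feature wpa_supplicant uses so the grant can be judged, e.g. `# Allow wpa_supplicant to find and call the Netlink Interceptor HAL (used for <feature>); no raw netlink permissions are granted here -- confirm against hal_nlinterceptor rules`. The HAL's client-side rules are not in this diff, so the scope of what is inherited cannot be verified from here. This is unconditional vendor policy, so it also applies on devices that do not ship the HAL; harmless for a lookup rule, but worth knowing.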