Merge "Switch DRM HAL policy to _client/_server"
diff --git a/private/file_contexts b/private/file_contexts
index 31e813e..1754ffe 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -247,7 +247,7 @@
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
-/system/bin/hw/android\.hidl\.memory@1\.0-service             u:object_r:hal_allocator_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_exec:s0
 
 #############################
 # Vendor files
diff --git a/public/bootanim.te b/public/bootanim.te
index 71f9280..9c5702d 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -6,6 +6,8 @@
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)
 
+hwbinder_use(bootanim)
+
 allow bootanim gpu_device:chr_file rw_file_perms;
 
 # /oem access
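Review bot: The added `hwbinder_use(bootanim)` carries no comment saying which hardware service bootanim needs to reach, and no matching client rule for a specific HAL server domain is visible in this hunk. From the policy alone a reader cannot tell whether this grant is the minimum required or a leftover from bring-up. The commit title refers to the DRM HAL, so the link to bootanim is not obvious either. I would add a one-line rationale above the macro, for example `# bootanim talks to <HAL_NAME placeholder> over hwbinder`, and confirm that the rule for the specific HAL lives next to it. The rest of bootanim.te is outside the hunk, so the matching rule may already exist there.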
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2ba0e58..ac81ccc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -195,6 +195,10 @@
 ### neverallow rules
 ###
 
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
 # only system_server, dumpstate and shell can find the dumpstate service
 neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;