Merge "hal_light: add permission to sys/class/leds."
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 26d884e..3e58ccf 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -22,6 +22,9 @@
 allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
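Review bot: The new allow rule grants `ioctl` on any fd-passed `sdcard_type` or `media_rw_data_file` file with no extended-permission restriction visible in this diff, so an ephemeral app can issue arbitrary ioctls on such descriptors unless an `allowxperm` rule elsewhere narrows the set; if none exists, consider adding one or dropping `ioctl` from the set. The comment also says "if provided fds" but the rule itself cannot express that; the fd-only restriction comes from the `neverallow` on `open`/`create` and dir `search` added later in this same file, so the comment would be clearer as `# Allow ephemeral apps to read/write external-storage files only via fds passed to them (path access is blocked by the neverallow rules below)`. The intent is sound from a least-privilege standpoint, as it keeps ephemeral apps from browsing external storage while still honouring an fd handed over by a trusted process.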
@@ -54,3 +57,7 @@
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
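Review bot: The comment `# Directly access external storage` reads as if it introduced a grant, while the two rules beneath it are `neverallow` constraints; a reader skimming the file could take it for an allow. Suggest `# Never allow direct (path-based) access to external storage; ephemeral apps only get fd-passed access` so the purpose of the assertion is unambiguous. Blocking `search` on the directories is what actually closes path lookup, and `open`/`create` on files is a second fence, so the pair does enforce the fd-only model stated in the first hunk.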
diff --git a/public/app.te b/public/app.te
index 23c5ab8..f16a23e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -197,8 +197,8 @@
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
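Review bot: Excluding `ephemeral_app` here removes all `vfat` access for ephemeral apps, including the fd-based write access that the comment above says is granted for descriptors returned through the Storage Access Framework, whereas the companion change in ephemeral_app.te keeps fd-based read/write for `sdcard_type` and `media_rw_data_file`. If that asymmetry is intentional (ephemeral apps never receive vfat fds), a one-line comment stating so would help, e.g. `# ephemeral_app is excluded entirely: it receives no OBB/vfat fds`; if not, the ephemeral_app.te rule may need `vfat` in its type set. I cannot tell from this diff which is the case.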
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 3d8a78d..db0fc6d 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -18,4 +18,7 @@
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
 
+# Allow fingerprint to find and call keystore binder interfaces
+binder_use(hal_fingerprint);
+
 r_dir_file(hal_fingerprint, cgroup)
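Review bot: The comment says the rule lets fingerprint "find and call keystore binder interfaces", but `binder_use(hal_fingerprint)` only gives the domain basic binder IPC capability; nothing in this diff grants `hal_fingerprint` a `service_manager find` on a keystore service type or a `binder_call` toward the keystore domain, so either those rules live elsewhere or the comment overstates what this line does. Unless they are already present in another file, the comment should be narrowed to `# Allow hal_fingerprint to use binder IPC` or the missing find/call rules added alongside. The related system_server.te hunk adds `binder_call(system_server, hal_fingerprint)`, which this `binder_use` is a prerequisite for, so that direction is covered.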
diff --git a/public/service.te b/public/service.te
index 1b65b5a..858f0b0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -133,7 +133,7 @@
 type wifip2p_service, app_api_service, system_server_service, service_manager_type;
 type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wificond_service, system_server_service, service_manager_type;
+type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
 type wpa_supplicant_service, system_server_service, service_manager_type;
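Review bot: Dropping `system_server_service` from `wificond_service` means system_server is presumably no longer the domain registering this service, but no rule in this diff grants whichever domain now registers it the `service_manager add` permission, and nothing grants clients `find` on it. If the corresponding rules already exist in the registering domain's .te file this is fine; otherwise the service would fail to register after this change. A short comment on the type line naming the owning domain would make the intent self-documenting.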
diff --git a/public/system_server.te b/public/system_server.te
index 2cf511f..6c59e55 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -155,6 +155,7 @@
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
+binder_call(system_server, hal_fingerprint)
 binder_call(system_server, gatekeeperd)
 binder_call(system_server, installd)
 binder_call(system_server, netd)