Merge "wificond_service: drop system_service typeattribute"
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 26d884e..3e58ccf 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -22,6 +22,9 @@
allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
# services
allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
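Review bot: The comment on the new `allow` rule says access works "if provided fds" but does not say that `open` is deliberately absent from the permission set, which is what makes the grant fd-only. I would spell that out, e.g. `# No open/create on purpose: ephemeral apps may only use fds handed to them; see the neverallow rules at the end of this file`. The set also includes `ioctl` with no command filtering visible in this hunk, so it is worth confirming that this is intended for an fd-only grant.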
@@ -54,3 +57,7 @@
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
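Review bot: The two neverallow rules assert only `open`/`create` on files and `search` on directories, so a later rule granting `execute` on a passed fd, or permissions such as `unlink`, `rename` or `setattr`, would not trip them. Denying `search` probably blocks most path-based operations in practice, but the assertion could state the intent explicitly, for example `neverallow ephemeral_app { sdcard_type media_rw_data_file }:file { open create execute execute_no_trans };`. The header `# Directly access external storage` also reads like a grant; `# Ephemeral apps must not access external storage directly, only through fds passed to them` says what the rules enforce.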
diff --git a/private/haldomain.te b/private/haldomain.te
index 511f78d..a8fa1a2 100644
--- a/private/haldomain.te
+++ b/private/haldomain.te
@@ -1,3 +1,5 @@
###
### Rules for all HAL implementations
###
+
+hwbinder_use(haldomain)
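Review bot: `hwbinder_use(haldomain)` is added without a comment, and it grants hwbinder access to every domain carrying the `haldomain` attribute, not only to the HALs whose per-file `hwbinder_use` lines this commit removes. Any HAL domain that had no `hwbinder_use` line of its own would gain the access silently; whether such domains exist cannot be seen from this diff. A comment such as `# Every HAL implementation is expected to serve its interface over hwbinder` would record that the blanket grant is deliberate.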
diff --git a/public/app.te b/public/app.te
index 23c5ab8..f16a23e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -197,8 +197,8 @@
# Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
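Review bot: The `-ephemeral_app` exclusion on the two vfat rules is not explained, and the comment above them still describes Storage Access Framework fds for apps in general. If `vfat` is covered by `sdcard_type`, ephemeral apps presumably keep fd-only read/write through the rule added in private/ephemeral_app.te. A line such as `# ephemeral_app is excluded: it may only use already-open fds, see private/ephemeral_app.te` would make that link visible. The surrounding section of app.te extends beyond this hunk.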
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index a312e59..cab0145 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -3,6 +3,3 @@
hal_impl_domain(hal_allocator)
type hal_allocator_exec, exec_type, file_type;
-
-# hwbinder access
-hwbinder_use(hal_allocator)
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 2dcbeb8..15d0e41 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -1,4 +1,3 @@
-hwbinder_use(hal_audio)
binder_use(hal_audio)
binder_call(hal_audio, audioserver)
binder_call(hal_audio, system_server)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index d061471..a3497a7 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_bluetooth)
-
r_dir_file(hal_bluetooth, system_file)
# call into the Bluetooth process (callbacks)
diff --git a/public/hal_boot.te b/public/hal_boot.te
index 6688f7f..4e7ba9e 100644
--- a/public/hal_boot.te
+++ b/public/hal_boot.te
@@ -4,8 +4,5 @@
type hal_boot_exec, exec_type, file_type;
-# hwbinder access
-hwbinder_use(hal_boot)
-
# call into system_server process (callbacks)
binder_call(hal_boot, system_server)
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index 9d3685b..d991e9d 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_contexthub)
-
# call into system_server process (callbacks)
binder_call(hal_contexthub, system_server)
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 7884e38..55e3463 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_dumpstate)
-
# call into dumpstate process (callbacks)
binder_call(hal_dumpstate, dumpstate)
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 426b73a..db0fc6d 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -1,5 +1,3 @@
-hwbinder_use(hal_fingerprint)
-
# Scan through /system/lib64/hw looking for installed HALs
allow hal_fingerprint system_file:dir r_dir_perms;
@@ -20,4 +18,7 @@
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
+# Allow fingerprint to find and call keystore binder interfaces
+binder_use(hal_fingerprint);
+
r_dir_file(hal_fingerprint, cgroup)
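Review bot: The comment above `binder_use(hal_fingerprint);` promises more than the macro appears to grant. As far as I know `binder_use` only permits talking to servicemanager, so finding and calling keystore would also need a `find` on the keystore service and `binder_call(hal_fingerprint, keystore)`. Neither is in this hunk, though they may sit in the part of the file not shown. If they do, the comment would be more accurate as `# Allow fingerprint to use binder (servicemanager); needed to look up keystore`. The trailing `;` is also inconsistent with the other macro calls in this file, such as `r_dir_file(hal_fingerprint, cgroup)`.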
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 27912b7..a17dbcd 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_gatekeeper)
-
# call into gatekeeperd process (callbacks)
binder_call(hal_gatekeeper, gatekeeperd)
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index a883e39..753791b 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -1,4 +1 @@
-# hwbinder access
-hwbinder_use(hal_gnss)
-
binder_call(hal_gnss, system_server)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 1c357ed..45999be 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_graphics_allocator)
-
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 3753278..f875935 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,5 +1,3 @@
-# HwBinder access
-hwbinder_use(hal_graphics_composer)
# IComposerCallback
binder_call(hal_graphics_composer, surfaceflinger)
diff --git a/public/hal_health.te b/public/hal_health.te
index c6391b8..341efdd 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_health)
-
# call into healthd for callbacks
binder_call(hal_health, healthd)
diff --git a/public/hal_ir.te b/public/hal_ir.te
index 3c7b51a..adfb5ae 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_ir)
-
# call into system_server process (callbacks)
binder_call(hal_ir, system_server)
diff --git a/public/hal_light.te b/public/hal_light.te
index af238dd..4fb38b8 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_light)
-
# call into system_server process (callbacks)
binder_call(hal_light, system_server)
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
deleted file mode 100644
index 90ecc0a..0000000
--- a/public/hal_memtrack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# hwbinder access
-hwbinder_use(hal_memtrack);
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index a062a78..0c4bd9c 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_nfc)
-
# call into NFC process (callbacks)
binder_call(hal_nfc, nfc)
diff --git a/public/hal_power.te b/public/hal_power.te
deleted file mode 100644
index df4cd4d..0000000
--- a/public/hal_power.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# hwbinder access
-hwbinder_use(hal_power);
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
deleted file mode 100644
index e3e48ab..0000000
--- a/public/hal_sensors.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# hwbinder access
-hwbinder_use(hal_sensors)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 6f3a38f..704adc0 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -1,5 +1,3 @@
# Perform HwBinder IPC.
-hwbinder_use(hal_telephony)
binder_call(hal_telephony, radio)
binder_call(hal_telephony, bluetooth)
-
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index 6edf8c7..a59a978 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_thermal)
-
# call into system_server process (callbacks)
binder_call(hal_thermal, system_server)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 37d015e..0d9d308 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_vibrator)
-
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 4249fdd..08102ad 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_vr)
-
# call into system_server process
binder_call(hal_vr, system_server)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index f13d225..960f1ac 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -1,6 +1,3 @@
-## hwbinder access
-hwbinder_use(hal_wifi)
-
## call into system_server process (for invoking callbacks)
binder_call(hal_wifi, system_server)
diff --git a/public/system_server.te b/public/system_server.te
index 2cf511f..6c59e55 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -155,6 +155,7 @@
binder_call(system_server, binderservicedomain)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
+binder_call(system_server, hal_fingerprint)
binder_call(system_server, gatekeeperd)
binder_call(system_server, installd)
binder_call(system_server, netd)