Merge "Add sepolicy for the Thread Network property" into main
diff --git a/Android.mk b/Android.mk
index 63b74aa..2e327c2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -445,15 +445,13 @@
# The file_contexts.bin is built in the following way:
# 1. Collect all file_contexts files in THIS repository and process them with
# m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
-# modules with m4 with a tmp file called file_contexts.modules.tmp.
-# 3. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all device specific file_contexts files and process them with m4
# into a tmp file called file_contexts.device.tmp.
-# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
-# file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
-# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 4. Concatenate file_contexts.local.tmp and file_contexts.device.sorted.tmp
+# into file_contexts.concat.tmp.
+# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
# Note: That a newline file is placed between each file_context file found to
@@ -489,10 +487,6 @@
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
-# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
-# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
-file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
-
device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -516,8 +510,7 @@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
$(call merge-fc-files,\
- $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
- $(file_contexts.concat.tmp))
+ $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp),$(file_contexts.concat.tmp))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
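Review bot: Dropping file_contexts.modules.tmp from the merge-fc-files call means a module that still sets LOCAL_FILE_CONTEXTS now contributes no labels at all, and its files silently fall through to whatever broader file_contexts entry matches next. The build/make side that used to gather LOCAL_FILE_CONTEXTS from product_MODULES is not in this diff, so I cannot tell whether it now fails the build when the variable is still set; if it does not, labels can disappear without any error. At minimum the step-list comment in the earlier hunk should state it, e.g. `# Note: LOCAL_FILE_CONTEXTS is no longer consumed; module labels must live in a file_contexts file under a sepolicy directory.`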
@@ -531,7 +524,6 @@
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
file_contexts.local.tmp :=
-file_contexts.modules.tmp :=
##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9e84fd0..d32cc2c 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -263,6 +263,7 @@
"dumpstate": EXCEPTION_NO_FUZZER,
"dynamic_system": EXCEPTION_NO_FUZZER,
"econtroller": EXCEPTION_NO_FUZZER,
+ "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
"emergency_affordance": EXCEPTION_NO_FUZZER,
"euicc_card_controller": EXCEPTION_NO_FUZZER,
"external_vibrator_service": EXCEPTION_NO_FUZZER,
@@ -418,7 +419,7 @@
"slice": EXCEPTION_NO_FUZZER,
"smartspace": EXCEPTION_NO_FUZZER,
"speech_recognition": EXCEPTION_NO_FUZZER,
- "stats": EXCEPTION_NO_FUZZER,
+ "stats": []string{"statsd_service_fuzzer"},
"statsbootstrap": EXCEPTION_NO_FUZZER,
"statscompanion": EXCEPTION_NO_FUZZER,
"statsmanager": EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 64b2f2d..20df3b1 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -200,6 +200,9 @@
/dev/socket/mdns mdns_socket
/dev/socket/mdnsd mdnsd_socket
/dev/socket/mtpd mtpd_socket
+/dev/socket/ot-daemon/ ot_daemon_socket
+/dev/socket/ot-daemon/thread-wpan ot_daemon_socket
+/dev/socket/ot-daemon/100 ot_daemon_socket
/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
/dev/socket/pdx/system/performance pdx_performance_dir
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 0ad2c6b..be6f77c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -41,7 +41,7 @@
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
-neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobe_private:file { getattr read };
+neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
@@ -68,7 +68,7 @@
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
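Review bot: The widened exemption on the fs_bpf_vendor neverallow lifts every file permission, including write, for netd and netutils_wrapper, while the allow rules this change adds for them (netd.te and netutils_wrapper.te in this same diff) grant only dir search and file { getattr read }. Because the write neverallow a few lines above already carves fs_bpf_vendor out (`{ bpffs_type -fs_bpf_vendor }`), after this hunk no neverallow stops a future allow rule from letting core code overwrite vendor-pinned programs. Keep the neverallow as tight as the actual grant by adding `neverallow { netd netutils_wrapper } fs_bpf_vendor:file ~{ getattr read };` right after the relaxed line.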
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 1d953eb..c1cd3ee 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -10,6 +10,7 @@
ota_build_prop
snapuserd_log_data_file
fwk_vibrator_control_service
+ ecm_enhanced_confirmation_service
hal_authgraph_service
hal_secretkeeper_service
hal_codec2_service
@@ -20,6 +21,7 @@
hidraw_device
virtual_camera_service
ot_daemon_service
+ ot_daemon_socket
pm_archiving_enabled_prop
remote_auth_service
security_state_service
diff --git a/private/file.te b/private/file.te
index d289f43..b652ccb 100644
--- a/private/file.te
+++ b/private/file.te
@@ -8,7 +8,7 @@
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
-type fs_bpf_uprobe_private, fs_type, bpffs_type;
+type fs_bpf_uprobestats, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 7fbc580..e58b433 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -167,6 +167,7 @@
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/ot-daemon(/.*)? u:object_r:ot_daemon_socket:s0
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 41c60df..b5f07ec 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -419,4 +419,4 @@
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
-genfscon bpf /uprobe_private u:object_r:fs_bpf_uprobe_private:s0
+genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
diff --git a/private/keys.conf b/private/keys.conf
index 18c1a8c..fc50ef3 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -23,6 +23,9 @@
[@NETWORK_STACK]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+[@NFC]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem
+
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index c9a9aca..fa8ffcf 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -69,4 +69,9 @@
<signer signature="@NETWORK_STACK" >
<seinfo value="network_stack" />
</signer>
+
+ <!-- NFC key in AOSP -->
+ <signer signature="@NFC" >
+ <seinfo value="nfc" />
+ </signer>
</policy>
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 92ec40d..5fc13a8 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -29,3 +29,7 @@
allow mediaserver stats_service:service_manager find;
allow mediaserver statsmanager_service:service_manager find;
binder_call(mediaserver, statsd)
+
+# Allow mediaserver to communicate with Surface provided
+# by virtual camera.
+binder_call(mediaserver, virtual_camera)
diff --git a/private/netd.te b/private/netd.te
index 8be8212..6d1c10c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,9 +6,9 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
-allow netd { fs_bpf fs_bpf_netd_shared }:file write;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netd { fs_bpf fs_bpf_netd_shared }:file write;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
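Review bot: The new fs_bpf_vendor search/read grant for netd carries no comment saying why core netd needs to reach vendor-pinned BPF objects, unlike the netutils_wrapper rule in this same change, which explains the xt_bpf rule-reload case. Presumably it is the same reason (netd reloads iptables chains that reference vendor programs), but that is inferred rather than visible here. A one-line why-comment such as `# netd reloads iptables chains that may reference vendor-pinned xt_bpf programs (read-only access)` would make the read-only intent explicit for whoever next touches the bpfloader neverallows.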
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 01f1915..a26181f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,9 +25,9 @@
# For vendor code that update the iptables rules at runtime. They need to reload
# the whole chain including the xt_bpf rules. They need to access to the pinned
# program when reloading the rule.
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
-allow netutils_wrapper { fs_bpf }:file write;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netutils_wrapper { fs_bpf }:file write;
allow netutils_wrapper bpfloader:bpf prog_run;
# For /data/misc/net access to ndc and ip
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 495947f..341fa9c 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -19,7 +19,6 @@
# /data/misc/apexdata/com\.android\.tethering
allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
allow ot_daemon apex_tethering_data_file:file create_file_perms;
-allow ot_daemon apex_tethering_data_file:sock_file {create unlink};
# Allow OT daemon to read/write the Thread tunnel interface
allow ot_daemon tun_device:chr_file {read write};
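Review bot: Removing the apex_tethering_data_file:sock_file { create unlink } rule moves the socket out of /data/misc/apexdata, but nothing in this change grants ot_daemon matching permissions on the new ot_daemon_socket label under /dev/socket/ot-daemon. The entries added to plat_file_contexts_test (`thread-wpan`, `100`) suggest ot_daemon creates sockets at runtime rather than inheriting one init-created socket, which would need `allow ot_daemon ot_daemon_socket:sock_file create_file_perms;` and `allow ot_daemon ot_daemon_socket:dir rw_dir_perms;` (or an init-side socket declaration); if those rules already sit elsewhere in ot_daemon.te outside this hunk, ignore this. The connecting domain likewise needs `sock_file write` on ot_daemon_socket and `unix_stream_socket connectto` on ot_daemon, which I could not find in the diff.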
diff --git a/private/property.te b/private/property.te
index 87b0446..a098d05 100644
--- a/private/property.te
+++ b/private/property.te
@@ -61,6 +61,7 @@
system_internal_prop(hypervisor_virtualizationmanager_prop)
system_internal_prop(game_manager_config_prop)
system_internal_prop(hidl_memory_prop)
+system_internal_prop(suspend_debug_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -342,8 +343,26 @@
} {
suspend_prop
}:property_service set;
+
+ neverallow {
+ domain
+ -init
+ } {
+ suspend_debug_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-system_suspend')
+ } {
+ suspend_debug_prop
+ }:file no_rw_file_perms;
')
+dontaudit system_suspend suspend_debug_prop:file r_file_perms;
+
compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {
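Review bot: The new `set` neverallow on suspend_debug_prop exempts only init, so on userdebug/eng builds even shell cannot flip suspend.debug.wakestats_log.enabled with setprop; if the property is meant to be toggled at runtime while debugging, the neverallow needs a `userdebug_or_eng(`-shell')` exemption plus a matching `set_prop(shell, suspend_debug_prop)` rule, otherwise it can only come from init .rc files. If init-only is the intent, a short comment above the neverallow saying so, e.g. `# suspend_debug_prop is set by init only; consumers read it on debuggable builds`, would stop the next person from "fixing" it. The macro enclosing these neverallows opens before this hunk, so I could not confirm the build condition they apply under; the trailing `dontaudit` sits after its closing `')`, which reads as deliberate for silencing reads on user builds where the get_prop in system_suspend.te is userdebug_or_eng-gated.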
diff --git a/private/property_contexts b/private/property_contexts
index 9031b28..be72223 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -119,6 +119,9 @@
suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
suspend.disable_sync_on_suspend u:object_r:suspend_prop:s0 exact bool
+# Suspend service debug properties
+suspend.debug.wakestats_log.enabled u:object_r:suspend_debug_prop:s0 exact bool
+
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
@@ -538,6 +541,7 @@
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.leaudio_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
persist.bluetooth.btsnoopdefaultmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
@@ -1557,7 +1561,6 @@
persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_hal_prop:s0 exact int
vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
@@ -1565,8 +1568,9 @@
vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
-vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact int
-vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.operation_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact string
vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
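Review bot: Changing the three latency properties from `exact int` to `exact string` removes the value validation property_service performed, so a malformed value now reaches the virtual face HAL's parser instead of being rejected at setprop time. For a vendor.* test HAL that is probably acceptable, but the accepted format is no longer discoverable from this file. A comment above the three lines describing it (for instance a comma-separated list of millisecond values, if that is what the HAL parses) would document the contract.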
# properties for the virtual Fingerprint HAL
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 957d005..2219631 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -184,7 +184,9 @@
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+# NFC stack signed with platform cert needed for maintaining backwards comptibility for -next release config.
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=nfc seinfo=nfc domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro levelFrom=all
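Review bot: The retained `user=nfc seinfo=platform` line means any platform-signed APK sharing the nfc UID still lands in the nfc domain alongside the new nfc-key rule, so the backwards-compatibility fallback doubles the set of signers that reach that domain. The comment explains why, but it is open-ended; add a removal marker so it does not outlive the -next transition, e.g. `# TODO: remove the platform-signed entry once the NFC module is signed with the nfc key on every release config.` Also fix the typo "comptibility" → "compatibility" in that comment.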
diff --git a/private/service_contexts b/private/service_contexts
index 5d3aaa7..66215bc 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -242,6 +242,7 @@
dumpstate u:object_r:dumpstate_service:s0
dynamic_system u:object_r:dynamic_system_service:s0
econtroller u:object_r:radio_service:s0
+ecm_enhanced_confirmation u:object_r:ecm_enhanced_confirmation_service:s0
emergency_affordance u:object_r:emergency_affordance_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index e08941d..338d852 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,6 +83,12 @@
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
+# Allow system apps (Settings) to call into update_engine
+# in order to apply update to switch from 4k kernel to 16K and vice-versa
+binder_use(system_app)
+allow system_app update_engine_stable_service:service_manager find;
+binder_call(system_app, update_engine)
+
# Allow system app to interact with Dumpstate HAL
hal_client_domain(system_app, hal_dumpstate)
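Review bot: The comment scopes the grant to Settings, but system_app is the domain for every platform-signed app running as the system UID, so each of them can now find update_engine_stable_service and call update_engine; once that binder channel is open, update_engine's own caller checks (outside this diff) are the only thing deciding who may apply a payload. If only Settings needs the 16K toggle, consider a narrower route than opening the service to the whole domain; if the broad grant is intended, state it, e.g. `# NOTE: this applies to every system_app, not only Settings; update_engine must enforce its own caller checks.` `binder_use(system_app)` also appears to duplicate what appdomain already provides (presumably via app.te), so that line is likely redundant, harmless but worth dropping for clarity.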
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 683d913..a525866 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -22,6 +22,11 @@
# Access to suspend_hal system properties
get_prop(system_suspend, suspend_prop)
+# Access to system_suspend debug system properties
+userdebug_or_eng(`
+ get_prop(system_suspend, suspend_debug_prop)
+')
+
# To call BTAA registered callbacks
allow system_suspend bluetooth:binder call;
diff --git a/private/update_engine.te b/private/update_engine.te
index c9511f7..862a62a 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -22,6 +22,10 @@
# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)
+# Allow update_engine to call the callback function by settings app
+# for the kernel update triggered using 16k developer option
+binder_call(update_engine, system_app)
+
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
diff --git a/private/uprobestats.te b/private/uprobestats.te
index 78595f6..f6dd906 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -7,8 +7,8 @@
# Allow init to start uprobestats.
init_daemon_domain(uprobestats)
-allow uprobestats fs_bpf_uprobe_private:file { read write };
-allow uprobestats fs_bpf_uprobe_private:dir search;
+allow uprobestats fs_bpf_uprobestats:file { read write };
+allow uprobestats fs_bpf_uprobestats:dir search;
allow uprobestats bpfloader:bpf { map_read map_write prog_run };
allow uprobestats self:capability2 perfmon;
allow uprobestats self:perf_event { cpu open write };
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 4c4ac7a..dde98c0 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -12,6 +12,15 @@
binder_call(virtual_camera, cameraserver)
binder_call(virtual_camera, system_server)
+# Allow virtual_camera to communicate with
+# mediaserver (required for using Surface originating
+# from virtual camera in mediaserver).
+binder_call(virtual_camera, mediaserver)
+
+# Required for the codecs to be able to decode
+# video into surface provided by virtual camera.
+hal_client_domain(virtual_camera, hal_codec2)
+hal_client_domain(virtual_camera, hal_omx)
# Allow virtualCamera to call apps via binder.
binder_call(virtual_camera, appdomain)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4d8ac6b..972f376 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -29,6 +29,10 @@
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
+binder_call(virtualizationservice, remote_provisioning_service)
+allow virtualizationservice remote_provisioning_service:service_manager find;
+
# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
diff --git a/public/file.te b/public/file.te
index 01143f7..2a84dd0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -539,6 +539,7 @@
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
+type ot_daemon_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index 60cda48..0bdcc23 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -29,4 +29,4 @@
# codec2 aidl graphic buffer allocation waitable object
allow hal_codec2_server su:fifo_file read;
allow hal_codec2_server mediaserver:fifo_file read;
-allow hal_codec2_server untrusted_app_all:fifo_file read;
+allow hal_codec2_server { appdomain -isolated_app_all }:fifo_file read;
diff --git a/public/service.te b/public/service.te
index 1c7605e..5c63e9e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -118,6 +118,7 @@
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type domain_verification_service, app_api_service, system_server_service, service_manager_type;
type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type ecm_enhanced_confirmation_service, app_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
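Review bot: ecm_enhanced_confirmation_service is declared as app_api_service, which lets every app domain, including untrusted_app, find it via servicemanager, so the permission checks inside system_server become the only guard on what Enhanced Confirmation exposes. That matches the neighbouring services and is fine if third-party apps are expected callers, but if only system UI/Settings need it, `system_api_service` (as used for color_display_service one line above) would be the narrower choice. A one-line comment stating who the intended callers are would settle it.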