Merge "Allow network_stack to use common app api services"
diff --git a/apex/com.android.media.swcodec-file_contexts b/apex/com.android.media.swcodec-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.media.swcodec-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/private/app.te b/private/app.te
index ffe6598..876406f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -23,3 +23,6 @@
{ domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+
+# Disallow apps from using IP memory store
+neverallow { appdomain -shell } ipmemorystore_service:service_manager *;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 91724c0..351ed54 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -102,6 +102,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ ipmemorystore_service
kmsg_debug_device
last_boot_reason_prop
llkd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ff1c857..da1eaa9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -93,6 +93,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ ipmemorystore_service
last_boot_reason_prop
llkd
llkd_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 58e936c..b6b57df 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,6 +47,7 @@
heapprofd_prop
heapprofd_socket
idmap_service
+ ipmemorystore_service
iris_service
iris_vendor_data_file
llkd
diff --git a/private/coredomain.te b/private/coredomain.te
index 7413515..1fc3b8a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -178,7 +178,10 @@
neverallow coredomain {
iio_device
radio_device
- # TODO(b/120243891): HAL permission to tee_device is included into coredomain
- # on non-Treble devices.
- full_treble_only(`tee_device')
}:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+ neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
diff --git a/private/service_contexts b/private/service_contexts
index 51980ad..fe25191 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -82,6 +82,7 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+ipmemorystore u:object_r:ipmemorystore_service:s0
ipsec u:object_r:ipsec_service:s0
iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index ed19b82..39af1e6 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,6 +74,7 @@
-dumpstate_service
-installd_service
-iorapd_service
+ -ipmemorystore_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/service.te b/public/service.te
index cc1bc9f..9ddc7a4 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipmemorystore_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index aea13ef..0bce885 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@
-gatekeeper_service
-incident_service
-installd_service
+ -ipmemorystore_service
-iorapd_service
-netd_service
-virtual_touchpad_service