Merge "Track removal of tz data files from runtime module"
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 5f472a1..86ea9ab 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -17,7 +17,7 @@
 all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
 
 # Should be synced with keys.conf.
-all_plat_keys := platform media shared testkey
+all_plat_keys := platform media networkstack shared testkey
 all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
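Review bot: The added `networkstack` entry in `all_plat_keys` is expanded on the next line into `networkstack.x509.pem` beside `DEFAULT_SYSTEM_DEV_CERTIFICATE`, but nothing in this diff shows the matching `keys.conf` entry that the comment above says must stay in sync. Before merge, confirm that keys.conf carries the corresponding tag and that product certificate directories actually ship a networkstack certificate; otherwise the key mapping for that signer is presumably missing or the build fails on the absent file. The comment could spell out the requirement, e.g. `# Should be synced with keys.conf; every name here needs a <name>.x509.pem in the dev certificate directory.`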
diff --git a/private/gsid.te b/private/gsid.te
index 1a35a4b..73b93fc 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -20,7 +20,7 @@
 # libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
 # This requires traversing /sys/block/dm-N/slaves/* and reading the list of
 # file names.
-allow gsid sysfs_dm:dir r_dir_perms;
+r_dir_file(gsid, sysfs_dm)
 
 # Needed to read fstab, which is used to validate that system verity does not
 # use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
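Review bot: `r_dir_file(gsid, sysfs_dm)` grants more than the comment above it justifies. The macro allows reading regular files and symlinks labelled `sysfs_dm` in addition to the directory permissions, while the comment still describes only traversing `/sys/block/dm-N/slaves/*` and reading the list of file names. If the real need is resolving the symlinks under `slaves/`, keeping the original dir rule and adding `allow gsid sysfs_dm:lnk_file r_file_perms;` would be the least-privilege form. If file contents are read as well, the comment should be updated to say which ones and why.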
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bfee2d3..d86edaf 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -31,6 +31,8 @@
 
 allow hal_drm tee_device:chr_file rw_file_perms;
 
+allow hal_drm_server { appdomain -isolated_app }:fd use;
+
 # only allow unprivileged socket ioctl commands
 allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
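Review bot: The new `allow hal_drm_server { appdomain -isolated_app }:fd use;` has no comment, and because it sits on the `hal_drm_server` attribute in public policy it now applies to every DRM HAL implementation rather than only `hal_drm_default`, where the same rule is deleted later in this diff. A rule that accepts file descriptors from almost every app domain should state why it is needed, e.g. `# Allow DRM HAL servers to use fds passed in by apps (isolated_app excluded).` It is also worth confirming that `fd use` alone is intended, since access to the object behind each descriptor still needs its own rule, and the comment could name the object types expected.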
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 5bcbe9a..874e813 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -5,6 +5,5 @@
 init_daemon_domain(hal_drm_default)
 
 allow hal_drm_default hal_omx_server:fd use;
-allow hal_drm_default { appdomain -isolated_app }:fd use;
 
 allow hal_drm_default hal_allocator_server:fd use;