Merge "Adding Bluetooth module sysprop"
diff --git a/Android.mk b/Android.mk
index 9ebe603..d700fbf 100644
--- a/Android.mk
+++ b/Android.mk
@@ -81,16 +81,6 @@
 HAS_PRODUCT_SEPOLICY_DIR := true
 endif
 
-# TODO: move to README when doing the README update and finalizing versioning.
-# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
-# version identifier corresponding to the sepolicy on which the non-platform
-# policy is to be based. If unspecified, this will build against the current
-# public platform policy in tree
-ifndef BOARD_SEPOLICY_VERS
-# The default platform policy version.
-BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
-endif
-
 # If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
 # policy files of platform (system, system_ext, product) can't be mixed with
 # policy files of vendor (vendor, odm). If it's the case, platform policies and
@@ -188,7 +178,7 @@
 
 # Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
 
 # Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
 build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
@@ -1230,7 +1220,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
 
 vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
 $(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
@@ -1296,28 +1286,16 @@
 base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
 base_product_pub_policy.cil   := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
 
-version_under_treble_tests := 28.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 29.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 30.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 31.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 32.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
+  $(eval version_under_treble_tests := $(v)) \
+  $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
+)
 endif  # PRODUCT_SEPOLICY_SPLIT
 
-version_under_treble_tests := 28.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 29.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 30.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 31.0
-include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 32.0
-include $(LOCAL_PATH)/compat.mk
+$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
+  $(eval version_under_treble_tests := $(v)) \
+  $(eval include $(LOCAL_PATH)/compat.mk) \
+)
 
 built_plat_sepolicy :=
 built_system_ext_sepolicy :=
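Review bot: Both `$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), …)` loops expand to nothing when that variable is empty or misspelled, so the treble compatibility tests and the compat.mk rules would drop out of the build without any error. The variable's definition is not in this diff, so unless something upstream already guarantees a non-empty list, a guard next to the loops would make the failure loud: `ifeq (,$(strip $(PLATFORM_SEPOLICY_COMPAT_VERSIONS)))`, `$(error PLATFORM_SEPOLICY_COMPAT_VERSIONS is empty)`, `endif`. A one-line comment that `version_under_treble_tests` is the input read by the included file would also help, because the `$(eval …)` form hides that coupling.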
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 0d426af..9dd4bd9 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -137,7 +137,6 @@
 func (fg *fileGroup) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 	fg.systemPublicSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "public"))
 	fg.systemPrivateSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "private"))
-	fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
 	fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
 
 	fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
@@ -146,6 +145,11 @@
 	fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
 	fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
 
+	systemVendorDirs := ctx.DeviceConfig().BoardPlatVendorPolicy()
+	if len(systemVendorDirs) == 0 || ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
+		systemVendorDirs = []string{filepath.Join(ctx.ModuleDir(), "vendor")}
+	}
+	fg.systemVendorSrcs = fg.findSrcsInDirs(ctx, systemVendorDirs)
 	fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
 	fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
 	fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
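Review bot: The fallback at `if len(systemVendorDirs) == 0 || …` also fires when the board and platform sepolicy versions differ but `BoardPlatVendorPolicy()` returns nothing, so a vendor image targeting another policy version would get the current tree's `vendor` directory. The selinux_contexts.go hunk drops the version-equality check and always appends `SystemVendorSrcs()`, so that combination now picks up current-platform vendor contexts where the old code added none. If that is intended, say so above the condition, e.g. `// Same-version builds, and boards with no BoardPlatVendorPolicy, use the in-tree vendor dir.`; otherwise limit the fallback to the equal-version case. GenerateAndroidBuildActions starts and ends outside this hunk.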
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index fefdd45..a40716a 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -162,9 +162,7 @@
 		if ctx.ProductSpecific() {
 			inputs = append(inputs, segroup.ProductPrivateSrcs()...)
 		} else if ctx.SocSpecific() {
-			if ctx.DeviceConfig().BoardSepolicyVers() == ctx.DeviceConfig().PlatformSepolicyVersion() {
-				inputs = append(inputs, segroup.SystemVendorSrcs()...)
-			}
+			inputs = append(inputs, segroup.SystemVendorSrcs()...)
 			inputs = append(inputs, segroup.VendorSrcs()...)
 		} else if ctx.DeviceSpecific() {
 			inputs = append(inputs, segroup.OdmSrcs()...)
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 7827286..7c478b4 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -119,8 +119,8 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
 
 # Build keys.conf
 vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index 0f8b905..221de96 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -23,3 +23,8 @@
 
 # Allow dex2oat to read /apex/apex-info-list.xml
 allow dex2oat apex_info_file:file r_file_perms;
+
+# Don't audit because we don't configure the compiler through system properties
+# in the VM.
+dontaudit dex2oat dalvik_config_prop:file { open read getattr map };
+dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map };
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 18fa8bb..d15f9ba 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -13,3 +13,7 @@
 allow system_data_file tmpfs:filesystem associate;
 
 type authfs_fuse, fs_type, contextmount_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
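Review bot: The added comment reads "property labeled", which looks like a typo for "properly labeled"; the same text is added in private/file.te, and the private/file_contexts hunk has "Apex sepoolicy files." Suggested wording: `# property labeled.` becomes `# properly labeled.` and the header becomes `# Apex sepolicy files.` No file_contexts hunk in this diff adds an entry for `/dev/selinux/test`, so the comment could also say where the `sepolicy_test_file` label is assigned.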
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..258c8d7 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,3 +81,19 @@
 
 #-----------------------------------------
 allow kernel apkdmverity:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+  file_contexts_file
+  hwservice_contexts_file
+  mac_perms_file
+  property_contexts_file
+  seapp_contexts_file
+  sepolicy_test_file
+  service_contexts_file
+}:file relabelto;
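Review bot: These `dontaudit` rules stay in force after the switch to enforcing mode, so any later attempt by the `kernel` domain to relabel the contexts files, or to read and relabel `tmpfs` files and `device` directories, is denied without an audit record. The comment justifies them by the pre-enforcing setup, but once enforcing is on the same denials are a useful tamper signal, and this block hides them. Consider narrowing the targets (`device:dir` and `tmpfs:file` are very general types) or at least recording the trade-off, e.g. `# NOTE: this also hides the same denials after enforcing mode is on.` The identical block is added in private/kernel.te.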
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 799ac3c..c36875c 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,7 @@
+# Declare ART properties for CompOS
+system_public_prop(dalvik_config_prop)
+system_restricted_prop(device_config_runtime_native_prop)
+
 # Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
 # in the audit log
 dontaudit domain {
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index abd14fd..20994e5 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -117,7 +117,9 @@
 ro.revision   u:object_r:bootloader_prop:s0 exact string
 
 ro.build.id                     u:object_r:build_prop:s0 exact string
+ro.build.version.codename       u:object_r:build_prop:s0 exact string
 ro.build.version.release        u:object_r:build_prop:s0 exact string
+ro.build.version.sdk            u:object_r:build_prop:s0 exact int
 ro.build.version.security_patch u:object_r:build_prop:s0 exact string
 ro.debuggable                   u:object_r:build_prop:s0 exact bool
 ro.product.cpu.abilist          u:object_r:build_prop:s0 exact string
@@ -145,8 +147,8 @@
 
 persist.adb.wifi.guid  u:object_r:adbd_prop:s0 exact string
 
-log.tag.         u:object_r:log_tag_prop:s0 prefix
-persist.log.tag. u:object_r:log_tag_prop:s0 prefix
+log.tag          u:object_r:log_tag_prop:s0 prefix
+persist.log.tag  u:object_r:log_tag_prop:s0 prefix
 
 libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
 libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
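Review bot: Dropping the trailing dot from `log.tag.` and `persist.log.tag.` widens both prefix matches, which now label the bare `log.tag` property and any name that merely begins with those characters (a constructed example: `log.tagged`) as `log_tag_prop`. If covering the bare property is the goal, a short comment would stop someone from restoring the dot later, e.g. `# No trailing dot: the bare log.tag property must match too.`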
@@ -159,3 +161,7 @@
 ro.vndk.version  u:object_r:build_prop:s0 exact string
 
 heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
+
+# ART properties for CompOS
+dalvik.vm.                            u:object_r:dalvik_config_prop:s0 prefix
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
diff --git a/private/clatd.te b/private/clatd.te
index dfcaf57..104121e 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -12,6 +12,8 @@
 # Access objects inherited from netd.
 allow clatd netd:fd use;
 allow clatd netd:fifo_file { read write };
+allow clatd netd:packet_socket { read write };
+allow clatd netd:rawip_socket { read write };
 
 allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
 
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index dce2649..4dfb304 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -16,6 +16,7 @@
     diced_exec
     extra_free_kbytes
     extra_free_kbytes_exec
+    gesture_prop
     hal_contexthub_service
     hal_dice_service
     hal_dumpstate_service
@@ -33,6 +34,7 @@
     hal_system_suspend_service
     hal_tv_tuner_service
     hal_uwb_service
+    hal_vehicle_service
     hal_wifi_hostapd_service
     hal_wifi_supplicant_service
     locale_service
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
index 72964c3..a1a8a64 100644
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@@ -4,15 +4,18 @@
 # Allow access to open fds inherited from odrefresh - read inputs, generate outputs
 # TODO(b/209008712): Remove once migration is done.
 allow compos_fd_server odrefresh:fd use;
-allow compos_fd_server apex_art_data_file:file { getattr read };
 
 # Allow access to open fds inherited from composd
 allow compos_fd_server composd:fd use;
 
-# Allow creating new files and directory in the staging directory.
+# Allow creating new files and directories in the staging directory.
 allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
 allow compos_fd_server apex_art_staging_data_file:file create_file_perms;
 
+# Allow creating new files and directories in the artifacts directory.
+allow compos_fd_server apex_art_data_file:dir create_dir_perms;
+allow compos_fd_server apex_art_data_file:file create_file_perms;
+
 # Use a pipe to signal readiness
 # TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
 allow compos_fd_server odrefresh:fifo_file write;
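Review bot: The `apex_art_data_file` grant goes from `{ getattr read }` on files to `create_dir_perms` and `create_file_perms`, which lets `compos_fd_server` create, rename and unlink entries in the artifacts directory rather than only in staging. Judging by the type name these are the ART compilation outputs, so the new rules deserve what the neighbouring ones have: a bug reference and a sentence on why staging is no longer enough, e.g. `# TODO(b/<bug-id>): explain why the fd server writes artifacts directly.` If the server only creates and writes output files, a narrower permission set than the `create_*_perms` macros would also keep the `-compos_fd_server` exemptions added in private/domain.te smaller.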
diff --git a/private/domain.te b/private/domain.te
index 24e05b5..ba26ddf 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -305,6 +305,7 @@
 neverallow {
   domain
   # art processes
+  -compos_fd_server
   -odrefresh
   -odsign
   # others
@@ -316,9 +317,10 @@
 neverallow {
   domain
   # art-related processes
+  -compos_fd_server
   -odrefresh
   -odsign
-  -composd
+  -composd  # TODO: Remove
   # others
   -apexd
   -init
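Review bot: `-composd  # TODO: Remove` carries no bug reference or removal condition, unlike the `TODO(b/…)` comments in private/compos_fd_server.te, so nothing tracks when this exemption goes away. If `compos_fd_server` is meant to take over the access, either drop `-composd` in this change or write `-composd  # TODO(b/<bug-id>): remove once composd no longer needs this access`. Both `neverallow` statements begin and end outside these hunks, so the permissions the exemptions cover cannot be checked from here.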
diff --git a/private/file.te b/private/file.te
index f3e1855..0eb2018 100644
--- a/private/file.te
+++ b/private/file.te
@@ -77,3 +77,7 @@
 
 # /metadata/sepolicy
 type sepolicy_metadata_file, file_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index ea5f66f..895b579 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -196,6 +196,15 @@
 # Linker configuration
 #
 /linkerconfig(/.*)?          u:object_r:linkerconfig_file:s0
+
+# Apex sepoolicy files.
+/dev/selinux/apex_file_contexts                 u:object_r:file_contexts_file:s0
+/dev/selinux/apex_seapp_contexts                u:object_r:seapp_contexts_file:s0
+/dev/selinux/apex_service_contexts              u:object_r:service_contexts_file:s0
+/dev/selinux/apex_property_contexts             u:object_r:property_contexts_file:s0
+/dev/selinux/apex_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
+/dev/selinux/apex_mac_permissions\.xml          u:object_r:mac_perms_file:s0
+
 #############################
 # System files
 #
diff --git a/private/kernel.te b/private/kernel.te
index 5341163..6775b3b 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -31,3 +31,19 @@
 
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+  file_contexts_file
+  hwservice_contexts_file
+  mac_perms_file
+  property_contexts_file
+  seapp_contexts_file
+  sepolicy_test_file
+  service_contexts_file
+}:file relabelto;
diff --git a/private/property_contexts b/private/property_contexts
index c7aaec4..10735a5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -70,6 +70,7 @@
 persist.profcollectd.node_id    u:object_r:profcollectd_node_id_prop:s0     exact   string
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.tap_gesture u:object_r:gesture_prop:s0
 persist.sys.theme       u:object_r:theme_prop:s0
 persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
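Review bot: The new `persist.sys.tap_gesture` line has no match kind or value type, so it acts as a prefix rule and any property whose name starts with that string receives `gesture_prop`, which this commit lets `system_app` set. The `persist.profcollectd.node_id` entry above shows the stricter form; `persist.sys.tap_gesture u:object_r:gesture_prop:s0 exact <type>`, with the property's real type in place of the placeholder, would pin the label to the one name and let the value type be checked.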
diff --git a/private/service_contexts b/private/service_contexts
index c378aec..11e0423 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,5 @@
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 6cf993a..ce76b69 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -42,6 +42,7 @@
 set_prop(system_app, exported_bluetooth_prop)
 set_prop(system_app, exported_system_prop)
 set_prop(system_app, exported3_system_prop)
+set_prop(system_app, gesture_prop)
 set_prop(system_app, logd_prop)
 set_prop(system_app, net_radio_prop)
 set_prop(system_app, usb_control_prop)
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
index 6855d14..c9eff55 100644
--- a/public/hal_vehicle.te
+++ b/public/hal_vehicle.te
@@ -4,3 +4,4 @@
 
 
 hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
+hal_attribute_service(hal_vehicle, hal_vehicle_service)
diff --git a/public/property.te b/public/property.te
index c33d8a6..3a8dcd5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -193,6 +193,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(gesture_prop)
 system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
 system_public_prop(hwservicemanager_prop)
diff --git a/public/service.te b/public/service.te
index e4cdc13..15ba226 100644
--- a/public/service.te
+++ b/public/service.te
@@ -293,6 +293,7 @@
 type hal_system_suspend_service, protected_service, service_manager_type;
 type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
 type hal_uwb_service, vendor_service, protected_service, service_manager_type;
+type hal_vehicle_service, vendor_service, protected_service, service_manager_type;
 type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
 type hal_weaver_service, vendor_service, protected_service, service_manager_type;
 type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
index b33b820..c0c3abb 100644
--- a/seapp_contexts.mk
+++ b/seapp_contexts.mk
@@ -84,7 +84,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_sc_files := $(call build_policy, seapp_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
 plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 1f27727..77945b7 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -113,11 +113,8 @@
 
 # vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
 # nonplat_sepolicy.cil.
-$(version)_nonplat := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
+$(version)_vendor := $($(version)_prebuilts_dir)/vendor_sepolicy.cil \
 $($(version)_prebuilts_dir)/plat_pub_versioned.cil
-ifeq (,$(wildcard $($(version)_nonplat)))
-$(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
-endif
 
 cil_files := $(built_plat_cil)
 ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
@@ -128,7 +125,7 @@
 cil_files += $(built_product_cil)
 endif # (,$(PRODUCT_PREBUILT_POLICY)
 endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-cil_files += $($(version)_mapping.cil) $($(version)_nonplat)
+cil_files += $($(version)_mapping.cil) $($(version)_vendor)
 $($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
 $($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
@@ -188,7 +185,7 @@
 $(version)_mapping.cil :=
 $(version)_mapping.combined.cil :=
 $(version)_mapping.ignore.cil :=
-$(version)_nonplat :=
+$(version)_vendor :=
 $(version)_prebuilts_dir :=
 built_$(version)_plat_sepolicy :=
 version :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6816b97..446f19a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service  u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-default-service u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index 56a47b7..52769dd 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -8,3 +8,6 @@
 
 # communication with CAN bus HAL
 hal_client_domain(hal_vehicle_default, hal_can_bus)
+
+# communicate with servicemanager
+binder_call(hal_vehicle_server, servicemanager)
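Review bot: The new rule names the attribute `hal_vehicle_server`, not the `hal_vehicle_default` domain this file is about, so every domain carrying that attribute gets the grant from a file that reads as per-implementation policy. If only the default service needs it, `binder_use(hal_vehicle_default)` is the usual macro for talking to servicemanager. If all vehicle HAL servers need it, the rule belongs next to `hal_attribute_service(hal_vehicle, hal_vehicle_service)` in public/hal_vehicle.te.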