Merge "add netutils_wrappers" into oc-dev
diff --git a/Android.mk b/Android.mk
index 03970b7..1281695 100644
--- a/Android.mk
+++ b/Android.mk
@@ -322,7 +322,7 @@
 	# sailfish-eng).
 	grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
 	# Confirm that the resulting policy compiles
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
 
 built_plat_cil := $(LOCAL_BUILT_MODULE)
 plat_policy.conf :=
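Review bot: The `-G` option is added to this secilc call with no comment explaining why, and the identical edit is repeated in the hunks at line 452 and line 515, so three command lines now have to be kept in step by hand. As far as I know `-G` is secilc's `--expand-generated` (expand and remove auto-generated attributes); a comment such as `# -G: expand and remove auto-generated attributes, same as the final policy build` above each call would record the intent. Consider holding the shared options in one variable, for example `secilc_flags = -M true -G -c $(POLICYVERS)`, and using `$(secilc_flags)` in all three recipes so the "confirm that the policy compiles" checks cannot drift from the real build at line 515. The rule this recipe belongs to starts outside the hunk.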
@@ -452,7 +452,7 @@
 	# sailfish-eng).
 	grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
 	# Confirm that the resulting policy compiles combined with platform and mapping policies
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
 		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
 
 built_nonplat_cil := $(LOCAL_BUILT_MODULE)
@@ -515,7 +515,7 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
 	@mkdir -p $(dir $@)
-	$(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+	$(hide) $< -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
 	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
 		echo "==========" 1>&2; \
diff --git a/private/app.te b/private/app.te
index c3f44dd..d6dc48c 100644
--- a/private/app.te
+++ b/private/app.te
@@ -177,6 +177,9 @@
 # TODO(b/34454312): only allow getting and talking to mediacodec service
 hwbinder_use(appdomain)
 
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
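Review bot: `allow appdomain hal_graphics_composer:fd use;` applies to every domain carrying the `appdomain` attribute, which presumably includes untrusted and isolated apps, and the comment "Talk with graphics composer fences" does not say how those domains come to hold such a descriptor. Only `fd use` is granted, which keeps the rule narrow, and the comment should say so, for example `# Use fence fds created by the graphics composer HAL and received over other IPC; no direct access to the HAL is granted.` (if that is the actual path, which the hunk does not show). If only some app domains ever receive these fences, scoping the source to those domains would follow least privilege more closely than the whole attribute. The same short comment accompanies the matching rules in private/system_server.te and public/cameraserver.te and needs the same clarification there.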
diff --git a/private/system_server.te b/private/system_server.te
index 2711a8c..e200bef 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -199,6 +199,9 @@
 
 hal_client_domain(system_server, hal_wifi_supplicant)
 
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 46083f5..2a243cc 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -14,6 +14,9 @@
 
 allow cameraserver ion_device:chr_file rw_file_perms;
 
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
 add_service(cameraserver, cameraserver_service)
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;