Merge "Add sepolicy to access ion dev from Tuner service" into rvc-dev
diff --git a/private/system_server.te b/private/system_server.te
index 5533d42..344055e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -301,9 +301,11 @@
hal_codec2_server
hal_face_server
hal_fingerprint_server
+ hal_gnss_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_neuralnetworks_server
hal_omx_server
hal_power_stats_server
hal_sensors_server
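Review bot: hal_gnss_server and hal_neuralnetworks_server are added to a set whose enclosing statement, and its keyword, begins before the hunk, so from here it is not visible whether the addition widens an allow for system_server or narrows a neverallow, and neither addition carries a comment saying why these two HAL servers are now needed. A short why-comment above each added line, e.g. `# system_server needs the gnss HAL for <reason — placeholder>`, would let a later reader judge the grant without digging through history. The hunk header's counts (9 old, 11 new) do not match the nine lines shown, so trailing context appears to have been lost in extraction.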
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9823f4a..55705a9 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -231,7 +231,6 @@
-apex_service
-dumpstate_service
-gatekeeper_service
- -iorapd_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
@@ -242,7 +241,6 @@
apex_service
dumpstate_service
gatekeeper_service
- iorapd_service
virtual_touchpad_service
vold_service
vr_hwc_service
@@ -289,6 +287,9 @@
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
+# Allow dumpstate to talk to iorapd over binder.
+binder_call(dumpstate, iorapd)
+
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
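Review bot: The added `binder_call(dumpstate, iorapd)` omits the trailing semicolon that the neighbouring `binder_call(dumpstate, installd);` uses; the tree already mixes both forms (this file's installd line versus iorapd.te's `binder_call(iorapd, healthd)`), so it compiles either way, but adjacent lines in one file should agree. The new comment could also say what the call is for, since iorapd.te in this same commit attributes the grant to bugreports: `# Allow dumpstate (bugreport) to talk to iorapd over binder.` This call pairs with the two earlier hunks of this file, which drop `-iorapd_service` from the exclusion set and `iorapd_service` from the neverallow list so that dumpstate may find the service; the enclosing statements of both lists begin outside their hunks.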
diff --git a/public/iorapd.te b/public/iorapd.te
index 4c08c72..426ecca 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -23,6 +23,9 @@
allow iorapd user_service:service_manager find;
# IPackageManagerNative
allow iorapd package_native_service:service_manager find;
+# Allow dumpstate (bugreport) to call into iorapd.
+allow iorapd dumpstate:fd use;
+allow iorapd dumpstate:fifo_file write;
# talk to batteryservice
binder_call(iorapd, healthd)
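Review bot: The comment on the two added rules says dumpstate is allowed to call into iorapd, but `allow iorapd dumpstate:fd use;` and `allow iorapd dumpstate:fifo_file write;` grant the opposite direction — iorapd using a descriptor dumpstate owns and writing to a dumpstate-labelled pipe — while the binder_call grant itself sits in dumpstate.te in this commit. Presumably this is iorapd writing its dump output into a pipe that dumpstate hands over; if so, a comment such as `# dumpstate (bugreport) hands iorapd a pipe for its dump output; the binder_call grant is in dumpstate.te.` would save the next reader the cross-file lookup. The hunk header's 9-line new count suggests one trailing context line is missing from what is shown.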
@@ -68,8 +71,8 @@
-iorapd
} { iorapd_data_file }:notdevfile_class_set *;
-# Only system_server can interact with iorapd over binder
-neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
+# Only system_server and shell (for dumpsys) can interact with iorapd over binder
+neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
neverallow iorapd {
domain
-healthd
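Review bot: The rewritten comment says `system_server and shell (for dumpsys)` but the neverallow it describes now excludes `-dumpstate`, not shell, so the comment no longer matches the rule; the earlier hunk in this file describes the same grant as `dumpstate (bugreport)`. Suggest `# Only system_server and dumpstate (for bugreports) can interact with iorapd over binder`. If shell is genuinely expected to reach iorapd_service for dumpsys, this change does not grant it and the neverallow would still forbid it. The trailing `neverallow iorapd { domain -healthd` statement continues outside the hunk, and the header's 8-line count indicates a context line is missing after it.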
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 06df70d..1b2bc23 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,6 +4,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
@@ -44,6 +45,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0