Merge "Add sepolicy for graphics IAllocator AIDL based HAL"
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index a636e9c..61dfa0b 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -57,6 +57,7 @@
-init
-kernel
-logd
+ -no_crash_dump_domain
-ueventd
-vendor_init
}:process { ptrace signal sigchld sigstop sigkill };
@@ -67,3 +68,5 @@
logd
}:process { ptrace signal sigchld sigstop sigkill };
')
+
+neverallow crash_dump no_crash_dump_domain:process ptrace;
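Review bot: The new `neverallow crash_dump no_crash_dump_domain:process ptrace;` is placed after the `')` that closes the surrounding macro block, so it applies to every build variant, yet the allow inside that block (context `logd }:process { ptrace signal sigchld sigstop sigkill };`) did not receive the `-no_crash_dump_domain` exclusion that the first hunk adds to the other list. If that inner allow's source set can contain a domain carrying the attribute, policy compilation fails on the builds where the macro expands; add the same exclusion there or confirm the sets are disjoint. The attribute's declaration is not part of this diff, and the allow statement the first hunk edits begins before its hunk. The neverallow guards only ptrace while the exclusion also withholds the signal permissions; if that asymmetry is intended, a comment above the neverallow such as `# ptrace is the sensitive permission; signals to these domains are deliberately not neverallowed` would keep a later reader from "fixing" it.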
diff --git a/private/domain.te b/private/domain.te
index 988bd56..acf5f55 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -245,6 +245,7 @@
-installd
-iorap_inode2filename
-priv_app
+ -shell
-virtualizationservice
-crosvm
} staging_data_file:file *;
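Review bot: Adding `-shell` to this exclusion set drops shell from the neverallow entirely, so the rule no longer bounds anything shell may do to staging_data_file, even though the matching grant in private/shell.te is only `r_file_perms`. A narrower carve-out preserves the write/create guarantee: keep the exclusion and add `neverallow shell staging_data_file:file ~r_file_perms;` beside it. The neverallow this set belongs to starts before the hunk; its leading comment, if it lists the permitted writers, should say shell is read-only.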
diff --git a/private/shell.te b/private/shell.te
index 63746f6..32819ac 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -130,6 +130,10 @@
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
+# Allow shell to read updated APEXes under /data/apex
+allow shell apex_data_file:dir search;
+allow shell staging_data_file:file r_file_perms;
+
# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
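Review bot: The comment says "read updated APEXes under /data/apex", but the file grant is on the staging_data_file type, whose name suggests it also labels other staged data; if it does, shell gains read on those files too, which the comment should state or the grant should target a narrower type. Granting `apex_data_file:dir search` without `read` looks like a deliberate minimum (path lookup, no listing), so record that so it is not later widened to r_dir_perms. Suggested comment: `# Allow shell to look up (not list) /data/apex and read staged/updated APEX files; staging_data_file is read-only for shell by design.`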
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 18f481b..871403a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -157,6 +157,7 @@
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_contexthub)
+dump_hal(hal_drm)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
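Review bot: `dump_hal(hal_drm)` routes the DRM HAL's debug output into bugreports, which users routinely share; if that HAL's dump includes license or key-session state, this becomes a disclosure path, so confirm the HAL's dump implementation emits only non-sensitive status before this lands. A short comment on the line naming what the DRM dump is expected to contain would help the next reviewer judge the change.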