Merge "Restrict HAL network access to HALS that manage network hardware"
diff --git a/Android.mk b/Android.mk
index 38da65b..3b40be0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -840,8 +840,12 @@
LOCAL_MODULE := plat_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
+
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -871,8 +875,12 @@
LOCAL_MODULE := nonplat_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
+
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
include $(BUILD_SYSTEM)/base_rules.mk
diff --git a/public/hal_audio.te b/public/hal_audio.te
index f620562..a195c93 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -38,3 +38,6 @@
# Should never need network access.
# Disallow network sockets.
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index df445fa..6ed06b7 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -28,3 +28,7 @@
# hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera and video hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
+neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;