Merge "system_dlkm: sepolicy: add system_dlkm_file_type"
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4becbc1..390c439 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -200,7 +200,7 @@
 }
 
 func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
-	conf := android.PathForModuleOut(ctx, "conf").OutputPath
+	conf := android.PathForModuleOut(ctx, c.stem()).OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
 
 	srcs := android.PathsForModuleSrc(ctx, c.properties.Srcs)
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 2e8766c..0600207 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -280,3 +280,11 @@
     relative_install_path: "selinux",
     installable: false,
 }
+
+// For CTS
+se_policy_conf {
+    name: "microdroid_general_sepolicy.conf",
+    srcs: system_policy_files,
+    exclude_build_test: true,
+    installable: false,
+}
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 1212840..116c74d 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -48,6 +48,11 @@
 # Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
 set_prop(adbd, adbd_prop)
 
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+
 # adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
 # TODO(b/200902288): patch adb and remove this rule
 dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
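Review bot: The three `allow adbd` rules at the top of the hunk are unconditional, so the loaded policy becomes pullable on user builds too, while the comment only says "for CTS purposes". If that is deliberate because CTS is run against user builds, the comment should say so to stop a later cleanup from wrapping the rules in `userdebug_or_eng`, e.g. `# Allow pulling the SELinux policy for CTS purposes (CTS runs on user builds, so these stay unconditional)`. If it is not deliberate, the `userdebug_or_eng` wrapper is the change to make here.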
diff --git a/prebuilts/api/32.0/private/apexd.te b/prebuilts/api/32.0/private/apexd.te
index 09799bd..d43ed33 100644
--- a/prebuilts/api/32.0/private/apexd.te
+++ b/prebuilts/api/32.0/private/apexd.te
@@ -86,6 +86,7 @@
 allow apexd apex_info_file:file relabelto;
 # apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
 allow apexd apex_info_file:file rw_file_perms;
+allow apexd apex_info_file:file mounton;
 
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
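Review bot: The added `allow apexd apex_info_file:file mounton;` edits `prebuilts/api/32.0`, which is the frozen snapshot of the 32.0 policy; such snapshots are normally touched only to keep them byte-identical with the live policy. The `private/apexd.te` hunk in this diff adds only the `sepolicy_metadata_file` rules, so the matching live `mounton` rule is not visible here — confirm it exists, since a snapshot that diverges from the current policy will presumably be flagged by the freeze check.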
diff --git a/private/apexd.te b/private/apexd.te
index 791a4ff..69645a1 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,6 +13,10 @@
 allow apexd apex_metadata_file:dir create_dir_perms;
 allow apexd apex_metadata_file:file create_file_perms;
 
+# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
+allow apexd sepolicy_metadata_file:dir create_dir_perms;
+allow apexd sepolicy_metadata_file:file create_file_perms;
+
 # Allow reserving space on /data/apex/ota_reserved for apex decompression
 allow apexd apex_ota_reserved_file:dir create_dir_perms;
 allow apexd apex_ota_reserved_file:file create_file_perms;
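Review bot: `create_dir_perms` and `create_file_perms` on `sepolicy_metadata_file` give apexd full create/write/unlink rights over a directory that, going by the type name, holds SELinux policy metadata, which is a wider and more security-relevant grant than the comment "creating and writing APEX files/dirs" conveys. The comment should record what apexd writes there and why the full create set is required rather than a narrower one, e.g. `# apexd stages the SEPolicy APEX contents under the sepolicy metadata dir; needs create/unlink for atomic replacement (see <BUG-ID>)`. That makes the rule auditable later without re-deriving the intent from apexd's source.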
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index c909986..db20696 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -39,3 +39,6 @@
 
 # Allow to add a service to the servicemanager
 add_service(automotive_display_service, fwk_automotive_display_service);
+
+# Allow to communicate with EVS services
+binder_call(automotive_display_service, hal_evs)
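Review bot: The new `binder_call(automotive_display_service, hal_evs)` line has no trailing semicolon while the `add_service(...)` line just above it carries one; macro calls in this file should terminate consistently, so either write `binder_call(automotive_display_service, hal_evs);` or drop the semicolon on both. Both forms compile, so this is style only.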
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
new file mode 100644
index 0000000..f0888a7
--- /dev/null
+++ b/private/bpfdomain.te
@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+  bpfdomain
+  -bpfloader
+  -netd
+  -netutils_wrapper
+  -network_stack
+  -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+
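Review bot: The new file ends with an extra blank line (the final `+` line after the second neverallow); drop it. The comment `# any domain which uses bpf is a bpfdomain` reads as a description, but the rule under it is an enforcement — a domain granted any `bpf` permission without the attribute now fails the neverallow at compile time — so a comment such as `# Every domain granted any bpf permission must carry the bpfdomain attribute (enforced by the neverallow below)` would state the intent. The first neverallow's exemption list would similarly benefit from one line saying why those six domains may hold net_admin/net_raw.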
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 3fbc8dc..7644cac 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,5 +1,7 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 
+typeattribute bpfloader bpfdomain;
+
 # allow bpfloader to write to the kernel log (starts early)
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 8964074..ee7d51e 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -19,12 +19,15 @@
     diced
     diced_exec
     fwk_automotive_display_service
+    evsmanagerd
+    evsmanagerd_service
     extra_free_kbytes
     extra_free_kbytes_exec
     fs_bpf_vendor
     gesture_prop
     hal_contexthub_service
     hal_camera_service
+    hal_evs_service
     hal_dice_service
     hal_drm_service
     hal_dumpstate_service
diff --git a/private/dmesgd.te b/private/dmesgd.te
new file mode 100644
index 0000000..7a12882
--- /dev/null
+++ b/private/dmesgd.te
@@ -0,0 +1,15 @@
+type dmesgd, domain, coredomain;
+type dmesgd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(dmesgd)
+
+allow dmesgd dmesgd_data_file:dir create_dir_perms;
+allow dmesgd dmesgd_data_file:file create_file_perms;
+
+allow dmesgd kernel:system syslog_read;
+allow dmesgd shell_exec:file rx_file_perms;
+allow dmesgd toolbox_exec:file rx_file_perms;
+binder_use(dmesgd)
+binder_call(dmesgd, system_server)
+allow dmesgd dropbox_service:service_manager find;
+allow dmesgd proc_version:file r_file_perms;
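Review bot: The new domain has no header comment explaining what dmesgd is or why it must execute `shell_exec` and `toolbox_exec` (`allow dmesgd shell_exec:file rx_file_perms;` and the following line), which is an unusual grant for a daemon that, judging by `syslog_read` and the `dropbox_service` find, collects kernel log output and hands it to system_server. Add a short header such as `# dmesgd: collects the kernel log and reports it via system_server's dropbox service; presumably started when dmesgd.start is set` and a why-comment on the two exec rules naming the command actually run. Without that, a later reader cannot tell whether the exec rules are needed or left over from prototyping.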
diff --git a/private/evsmanagerd.te b/private/evsmanagerd.te
new file mode 100644
index 0000000..3772628
--- /dev/null
+++ b/private/evsmanagerd.te
@@ -0,0 +1,39 @@
+# evsmanager
+typeattribute evsmanagerd coredomain;
+typeattribute evsmanagerd evsmanager_service_server;
+
+type evsmanagerd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(evsmanagerd);
+
+# Declares as a binder service
+binder_service(evsmanagerd)
+
+# Allows to add a service to service_manager
+add_service(evsmanagerd, evsmanagerd_service)
+
+# Allows to use the binder IPC
+binder_use(evsmanagerd)
+
+# Allows binder IPCs to the various system services
+binder_call(evsmanagerd, system_server)
+
+# Allows to use EVS HAL implementations
+hal_client_domain(evsmanagerd, hal_evs)
+
+# Allows to write messages to the shell
+allow evsmanagerd shell:fd use;
+allow evsmanagerd shell:fifo_file write;
+
+# Allows to use the graphics allocator
+allow evsmanagerd hal_graphics_allocator:fd use;
+
+# Allows to use a bootstrap statsd
+allow evsmanagerd statsbootstrap_service:service_manager find;
+
+# Allows binder IPCs to the CarService
+binder_call(evsmanagerd, appdomain)
+
+# For HIDL evs manager implementation
+allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
+allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
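Review bot: `binder_call(evsmanagerd, appdomain)` grants binder IPC to every app domain, while its comment says the target is the CarService; if CarService runs in a more specific domain, target that instead, and otherwise amend the comment to say the broad target is intentional, e.g. `# CarService may run in any app domain, so allow binder IPC to appdomain`. Also `init_daemon_domain(evsmanagerd);` carries a trailing semicolon while every other macro call in this file has none — drop it for consistency.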
diff --git a/private/file.te b/private/file.te
index 5b6170f..9dd0615 100644
--- a/private/file.te
+++ b/private/file.te
@@ -54,9 +54,19 @@
 # /data/misc/apexdata/com.android.compos
 type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
+# for backward compatibility b/217581286
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # /data/font/files
 type font_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc/dmesgd
+type dmesgd_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/odrefresh
 type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
 
diff --git a/private/file_contexts b/private/file_contexts
index da9215f..d8c6fbf 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -291,6 +291,7 @@
 /system/bin/remount              u:object_r:remount_exec:s0
 /system/bin/dhcpcd      u:object_r:dhcp_exec:s0
 /system/bin/dhcpcd-6\.8\.2	u:object_r:dhcp_exec:s0
+/system/bin/dmesgd	u:object_r:dmesgd_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
 /system/bin/pppd	u:object_r:ppp_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
@@ -377,6 +378,8 @@
 /system/bin/odsign               u:object_r:odsign_exec:s0
 /system/bin/vehicle_binding_util     u:object_r:vehicle_binding_util_exec:s0
 /system/bin/cardisplayproxyd     u:object_r:automotive_display_service_exec:s0
+/system/bin/evsmanagerd          u:object_r:evsmanagerd_exec:s0
+/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
 
 #############################
 # Vendor files
@@ -603,6 +606,7 @@
 /data/misc/carrierid(/.*)?      u:object_r:radio_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/dhcp-6\.8\.2(/.*)?     u:object_r:dhcp_data_file:s0
+/data/misc/dmesgd(/.*)?         u:object_r:dmesgd_data_file:s0
 /data/misc/emergencynumberdb(/.*)?     u:object_r:emergency_data_file:s0
 /data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
 /data/misc/incidents(/.*)?	    u:object_r:incident_data_file:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index f20d932..35167d5 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,7 @@
 # gpuservice - server for gpu stats and other gpu related services
 typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
 type gpuservice_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(gpuservice)
diff --git a/private/lmkd.te b/private/lmkd.te
index aee1b7f..13828a4 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,4 +1,5 @@
 typeattribute lmkd coredomain;
+typeattribute lmkd bpfdomain;
 
 init_daemon_domain(lmkd)
 
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 82dcdb2..bcbbfcc 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -1,7 +1,7 @@
 ###
 ### A domain for further sandboxing the MediaProvider mainline module.
 ###
-type mediaprovider_app, domain, coredomain;
+type mediaprovider_app, domain, coredomain, bpfdomain;
 
 app_domain(mediaprovider_app)
 
diff --git a/private/netd.te b/private/netd.te
index a0c8f8f..10ba20e 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
 typeattribute netd coredomain;
+typeattribute netd bpfdomain;
 
 init_daemon_domain(netd)
 
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index cdc342d..06aadc2 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -1,4 +1,5 @@
 typeattribute netutils_wrapper coredomain;
+typeattribute netutils_wrapper bpfdomain;
 
 r_dir_file(netutils_wrapper, system_file);
 
diff --git a/private/network_stack.te b/private/network_stack.te
index 2546888..b105938 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,7 @@
 # Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
+typeattribute network_stack coredomain;
+typeattribute network_stack mlstrustedsubject;
+typeattribute network_stack bpfdomain;
 
 app_domain(network_stack);
 net_domain(network_stack);
diff --git a/private/property.te b/private/property.te
index c9c811a..3f02c83 100644
--- a/private/property.te
+++ b/private/property.te
@@ -12,6 +12,7 @@
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(device_config_connectivity_prop)
 system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(dmesgd_start_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index b8709e8..dcaa432 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -651,6 +651,8 @@
 apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
 apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
 
+dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
+
 odsign.key.done u:object_r:odsign_prop:s0 exact bool
 odsign.verification.done u:object_r:odsign_prop:s0 exact bool
 odsign.verification.success u:object_r:odsign_prop:s0 exact bool
@@ -708,6 +710,7 @@
 # shell-only props for ARM memory tagging (MTE).
 arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
 persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
+persist.arm64.memtag.app_default u:object_r:arm64_memtag_prop:s0 exact string
 
 net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
 
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d47134b..5cf0711 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -137,7 +137,7 @@
 
 isSystemServer=true domain=system_server_startup
 
-user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
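Review bot: The traceur entry now keys on `seinfo=platform`, i.e. the platform signing key, rather than on priv-app status plus package name alone, but the following `com.android.remoteprovisioner` line still uses only `isPrivApp=true name=...`. If that app is also platform-signed, the same `seinfo=platform` tightening applies to it; if it is not, a short comment saying so would stop the two neighbouring entries from looking inconsistent.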
diff --git a/private/service_contexts b/private/service_contexts
index 7075f4d..4fb4b29 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,6 @@
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/1                  u:object_r:hal_evs_service:s0
 android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
@@ -75,6 +77,7 @@
 aidl_lazy_test_2                          u:object_r:aidl_lazy_test_service:s0
 aidl_lazy_cb_test                         u:object_r:aidl_lazy_test_service:s0
 alarm                                     u:object_r:alarm_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0
 android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.os.UpdateEngineStableService      u:object_r:update_engine_stable_service:s0
 android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 1c7f657..bc7543b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -125,6 +125,9 @@
 # TODO(146461633): remove this once native pullers talk to StatsManagerService
 binder_call(surfaceflinger, statsd);
 
+# Allow to use files supplied by hal_evs
+allow surfaceflinger hal_evs:fd use;
+
 # Allow pushing jank event atoms to statsd
 userdebug_or_eng(`
     unix_socket_send(surfaceflinger, statsdw, statsd)
diff --git a/private/system_server.te b/private/system_server.te
index 79817ef..fa66ff1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -8,6 +8,7 @@
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;
+typeattribute system_server bpfdomain;
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
@@ -698,6 +699,7 @@
 set_prop(system_server, surfaceflinger_color_prop)
 set_prop(system_server, provisioned_prop)
 set_prop(system_server, retaildemo_prop)
+set_prop(system_server, dmesgd_start_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface
@@ -1330,6 +1332,19 @@
 # These are modules where the code runs in system_server, so we need full access.
 allow system_server apex_system_server_data_file:dir create_dir_perms;
 allow system_server apex_system_server_data_file:file create_file_perms;
+# Legacy labels that we still need to support (b/217581286)
+allow system_server {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:dir create_dir_perms;
+allow system_server {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:file create_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index c6d482a..e4004e4 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -48,6 +48,15 @@
 allow vold_prepare_subdirs mnt_expand_file:dir search;
 allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
 allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+
+# Migrate legacy labels to apex_system_server_data_file (b/217581286)
+allow vold_prepare_subdirs {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:dir relabelfrom;
+
 # /data/misc is unlabeled during early boot.
 allow vold_prepare_subdirs unlabeled:dir search;
 
diff --git a/public/attributes b/public/attributes
index 1e6bd6b..e257bba 100644
--- a/public/attributes
+++ b/public/attributes
@@ -222,6 +222,10 @@
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
+# All domains which have BPF access.
+attribute bpfdomain;
+expandattribute bpfdomain false;
+
 # update_engine related domains that need to apply an update and run
 # postinstall. This includes the background daemon and the sideload tool from
 # recovery for A/B devices.
@@ -397,6 +401,7 @@
 attribute automotive_display_service_server;
 attribute camera_service_server;
 attribute display_service_server;
+attribute evsmanager_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/public/domain.te b/public/domain.te
index 72b601b..2be67f5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -100,6 +100,7 @@
 
 # Public readable properties
 get_prop(domain, aaudio_config_prop)
+get_prop(domain, apexd_select_prop)
 get_prop(domain, arm64_memtag_prop)
 get_prop(domain, bluetooth_config_prop)
 get_prop(domain, bootloader_prop)
diff --git a/public/evsmanagerd.te b/public/evsmanagerd.te
new file mode 100644
index 0000000..cde0380
--- /dev/null
+++ b/public/evsmanagerd.te
@@ -0,0 +1,2 @@
+# evsmanager daemon
+type evsmanagerd, domain;
diff --git a/public/hal_evs.te b/public/hal_evs.te
index 789333a..09a40d8 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -1,5 +1,15 @@
 hwbinder_use(hal_evs_client)
 hwbinder_use(hal_evs_server)
+
 binder_call(hal_evs_client, hal_evs_server)
 binder_call(hal_evs_server, hal_evs_client)
-hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+
+# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+# except it allows evsmanagerd to add hal_evs_hwservice.
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
+allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
+allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
+neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
+
+# Allows to add a service
+hal_attribute_service(hal_evs, hal_evs_service)
diff --git a/public/service.te b/public/service.te
index 46eaff1..8c4ae56 100644
--- a/public/service.te
+++ b/public/service.te
@@ -13,6 +13,7 @@
 type dnsresolver_service,       service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
+type evsmanagerd_service,       service_manager_type;
 type fingerprintd_service,      service_manager_type;
 type fwk_automotive_display_service, service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
@@ -273,6 +274,7 @@
 type hal_dice_service, vendor_service, protected_service, service_manager_type;
 type hal_drm_service, vendor_service, service_manager_type;
 type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
+type hal_evs_service, vendor_service, protected_service, service_manager_type;
 type hal_face_service, vendor_service, protected_service, service_manager_type;
 type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
 type hal_gnss_service, vendor_service, protected_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 762cf20..4faa05a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -8,7 +8,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service    u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service  u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)?          u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
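Review bot: The replacement pattern `android\.hardware\.automotive\.evs(.*)?` labels any binary under `bin/hw/` whose name starts with that prefix as `hal_evs_default_exec`, where the old pattern required the `@1\.[0-9]-service` suffix; `(.*)?` is also redundant with `.*`. If the aim is to cover both the HIDL `@1.x-service` and an AIDL `-service` binary, keep a suffix anchor, e.g. `/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs.*-service          u:object_r:hal_evs_default_exec:s0`, so unrelated helpers that share the prefix do not inherit the HAL's exec label.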
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 57a0299..d1d4559 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -6,10 +6,19 @@
 type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_evs_default)
 
-allow hal_evs_default hal_graphics_allocator_server:fd use;
-
-# allow to use surface flinger
-allow hal_evs_default automotive_display_service_server:fd use;
+# allow to use a graphic buffer
+hal_client_domain(hal_evs_default, hal_configstore)
+hal_client_domain(hal_evs_default, hal_graphics_allocator)
+hal_client_domain(hal_evs_default, hal_graphics_composer)
 
 # allow to use automotive display service
+binder_call(hal_evs_default, automotive_display_service_server)
 allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
+
+# allow to access EGL
+allow hal_evs_default gpu_device:chr_file rw_file_perms;
+allow hal_evs_default gpu_device:dir search;
+
+# allow to monitor uevents and access video devices
+allow hal_evs_default device:dir r_dir_perms;
+allow hal_evs_default video_device:chr_file rw_file_perms;
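Review bot: The comment `# allow to monitor uevents and access video devices` is not matched by the rules under it: `device:dir r_dir_perms` and `video_device:chr_file rw_file_perms` cover enumerating /dev and opening video nodes, but receiving uevents needs a `netlink_kobject_uevent_socket` grant, which is not in this hunk (it may exist elsewhere in the file). Either add the socket rule beside these or narrow the comment to `# allow to enumerate /dev and access video devices`. Also `hal_client_domain(hal_evs_default, hal_configstore)` sits under `# allow to use a graphic buffer`, which does not explain it; a one-line reason would help.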