Merge "SEPolicy changes to allow kcov access in userdebug."
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index cf72e37..fa7cd58 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -23,6 +23,7 @@
     device_config_reset_performed_prop
     device_config_flags_health_check_prop
     face_service
+    face_vendor_data_file
     fastbootd
     flags_health_check
     flags_health_check_exec
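Review bot: Only the 28.0 compat ignore list receives face_vendor_data_file here (and iris_vendor_data_file in the next hunk of this file); if this tree also carries the 26.0 and 27.0 ignore lists under private/compat/, the same two entries presumably belong there as well, otherwise the older-version compatibility mapping check may flag the new types as unmapped. The two entries themselves keep the list's alphabetical order, and the types they name are declared in the public/file.te hunk of this same commit.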
@@ -41,6 +42,7 @@
     idmap_service
     intelligence_service
     iris_service
+    iris_vendor_data_file
     llkd
     llkd_exec
     llkd_prop
diff --git a/private/coredomain.te b/private/coredomain.te
index 5650247..04f7a46 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -169,12 +169,12 @@
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
 
-# Following /dev nodes must not be directly accessed by coredomain after Treble,
-# but should instead be wrapped by HALs.
-full_treble_only(`
-  neverallow coredomain {
-    iio_device
-    radio_device
-    tee_device
-  }:chr_file { open read append write ioctl };
-')
+# Following /dev nodes must not be directly accessed by coredomain, but should
+# instead be wrapped by HALs.
+neverallow coredomain {
+  iio_device
+  radio_device
+  # TODO(b/120243891): HAL permission to tee_device is included into coredomain
+  # on non-Treble devices.
+  full_treble_only(`tee_device')
+}:chr_file { open read append write ioctl };
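Review bot: The rewritten neverallow widens the restriction: iio_device and radio_device are now denied to coredomain unconditionally, whereas the removed rule wrapped all three types in full_treble_only and so presumably applied only on full-Treble builds; only tee_device keeps the conditional. If that widening is intended it should be stated in the comment, since a neverallow is checked at policy compile time and any non-Treble device policy that still grants coredomain one of these nodes will now fail to build rather than merely log a denial. Suggested wording: `# iio_device and radio_device are denied on all devices; tee_device only on full-Treble builds (b/120243891).`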
diff --git a/private/file_contexts b/private/file_contexts
index acd5df9..493d782 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -484,6 +484,12 @@
 # Fingerprint vendor data file
 /data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
 
+# Face vendor data file
+/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+
+# Iris vendor data file
+/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
+
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 035d240..9733994 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -37,6 +37,7 @@
 android.hardware.lowpan::ILowpanDevice                          u:object_r:hal_lowpan_hwservice:s0
 android.hardware.media.omx::IOmx                                u:object_r:hal_omx_hwservice:s0
 android.hardware.media.omx::IOmxStore                           u:object_r:hal_omx_hwservice:s0
+android.hardware.media.c2::IComponentStore                      u:object_r:hal_codec2_hwservice:s0
 android.hardware.memtrack::IMemtrack                            u:object_r:hal_memtrack_hwservice:s0
 android.hardware.neuralnetworks::IDevice                        u:object_r:hal_neuralnetworks_hwservice:s0
 android.hardware.nfc::INfc                                      u:object_r:hal_nfc_hwservice:s0
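Review bot: The new IComponentStore entry is placed after the two media.omx lines, but the surrounding entries (lowpan, media.omx, memtrack, neuralnetworks, nfc) are sorted by interface name and `android.hardware.media.c2` sorts before `android.hardware.media.omx`; moving the line directly above `android.hardware.media.omx::IOmx` keeps the file ordered. The hal_codec2_hwservice type is not declared anywhere in this diff, so it is presumably defined in the hwservice type declarations elsewhere in the tree — worth confirming, since the contexts file is rejected at build time if the type is unknown.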
diff --git a/private/system_server.te b/private/system_server.te
index 1466e6c..5098760 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,6 +186,7 @@
 binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
+binder_call(system_server, iorapd)
 binder_call(system_server, netd)
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
@@ -676,6 +677,7 @@
 allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
+allow system_server iorapd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 0d062e9..e93e1e5 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,12 +14,16 @@
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
+    face_vendor_data_file
     fingerprint_vendor_data_file
+    iris_vendor_data_file
     storaged_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
+    face_vendor_data_file
     fingerprint_vendor_data_file
+    iris_vendor_data_file
     storaged_data_file
     system_data_file
     vold_data_file
diff --git a/public/file.te b/public/file.te
index 3d09537..cb0c543 100644
--- a/public/file.te
+++ b/public/file.te
@@ -358,6 +358,10 @@
 type fingerprint_vendor_data_file, file_type, data_file_type;
 # Type for appfuse file.
 type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for face template file
+type face_vendor_data_file, file_type, data_file_type;
+# Type for iris template file
+type iris_vendor_data_file, file_type, data_file_type;
 
 # Socket types
 type adbd_socket, file_type, coredomain_socket;