Merge "Neverallow coredomain to kernel interface files."
diff --git a/private/su.te b/private/su.te
index d42bf61..6e7fc37 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,7 +13,7 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
-# su is also permissive to permit setenforce.
+ # su is also permissive to permit setenforce.
permissive su;
app_domain(su)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index a814f16..f8ef840 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -263,6 +263,8 @@
# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
###
### neverallow rules
diff --git a/public/hal_health.te b/public/hal_health.te
index c19c5f1..068f23b 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -9,3 +9,19 @@
# /{system,vendor,odm}/lib[64]/hw/ in order
# to be able to open the hal implementation .so files
r_dir_file(hal_health, system_file)
+
+# Common rules for a health service.
+
+# Allow to listen to uevents for updates
+allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Allow to read /sys/class/power_supply directory
+allow hal_health_server sysfs:dir r_dir_perms;
+
+# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
+# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
+# HAL service.
+r_dir_file(hal_health_server, sysfs_batteryinfo)
+
+# Allow to wake up to send periodic events
+wakelock_use(hal_health_server)