commit c3917f0ea96657874a33ebfd0751bc340b5a1472
author Martijn Coenen <maco@google.com> Thu Apr 16 08:06:53 2020 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Apr 16 08:06:53 2020 +0000
tree 858ba314509f88749e3254f9f0eb9028ea9935e9
parent 68598f7ff44051fa262bcc103e60cb71d2c011ad
parent 01234d371edee66ac23d25d96f5a32b013930791

Merge "Add external_storage properties."

private/ephemeral_app.te

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 56d4747..e004891 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -44,10 +44,6 @@
 allow ephemeral_app drmserver_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
-allow ephemeral_app gpu_service:service_manager find;
-
-# Allow ephemeral apps to interact with gpuservice
-binder_call(ephemeral_app, gpuservice)
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.

private/platform_app.te

diff --git a/private/platform_app.te b/private/platform_app.te
index 3beec38..ba6de5b 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -66,12 +66,8 @@
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
-allow platform_app gpu_service:service_manager find;
 allow platform_app stats_service:service_manager find;
 
-# Allow platform apps to interact with gpuservice
-binder_call(platform_app, gpuservice)
-
 # Allow platform apps to log via statsd.
 binder_call(platform_app, statsd)
 

private/priv_app.te

diff --git a/private/priv_app.te b/private/priv_app.te
index db28bec..2325716 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -46,10 +46,6 @@
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;
 
-# Allow privileged apps to interact with gpuservice
-binder_call(priv_app, gpuservice)
-allow priv_app gpu_service:service_manager find;
-
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 2c1ef17..dc4d158 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -760,6 +760,7 @@
 ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
 
 wifi.active.interface     u:object_r:exported_wifi_prop:s0 exact string
+wifi.aware.interface      u:object_r:exported_wifi_prop:s0 exact string
 wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
 wifi.direct.interface     u:object_r:exported_default_prop:s0 exact string
 wifi.interface            u:object_r:exported_default_prop:s0 exact string

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index 0b77bb3..73acb95 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -84,9 +84,6 @@
 # Allow system apps to interact with incidentd
 binder_call(system_app, incidentd)
 
-# Allow system apps to interact with gpuservice
-binder_call(system_app, gpuservice)
-
 # Allow system app to interact with Dumpstate HAL
 hal_client_domain(system_app, hal_dumpstate)
 

private/untrusted_app_all.te

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d9fd5a1..4acc0e8 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -98,10 +98,6 @@
 allow untrusted_app_all radio_service:service_manager find;
 allow untrusted_app_all app_api_service:service_manager find;
 allow untrusted_app_all vr_manager_service:service_manager find;
-allow untrusted_app_all gpu_service:service_manager find;
-
-# Allow untrusted apps to interact with gpuservice
-binder_call(untrusted_app_all, gpuservice)
 
 # gdbserver for ndk-gdb ptrace attaches to app process.
 allow untrusted_app_all self:process ptrace;

public/app.te

diff --git a/public/app.te b/public/app.te
index 5fcdec7..2c8e335 100644
--- a/public/app.te
+++ b/public/app.te
@@ -219,6 +219,8 @@
 binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
 
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;

public/service.te

diff --git a/public/service.te b/public/service.te
index 1dcd0a7..f905698 100644
--- a/public/service.te
+++ b/public/service.te
@@ -11,7 +11,7 @@
 type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
-type gpu_service,               app_api_service, service_manager_type;
+type gpu_service,               app_api_service, ephemeral_app_api_service, service_manager_type;
 type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
 type incident_service,          service_manager_type;