Merge "Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir."
diff --git a/private/file_contexts b/private/file_contexts
index 2b700e5..0546f84 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -285,6 +285,7 @@
# TODO: b/36790901 move this to /vendor/etc
/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
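Review bot: The `.` in `compatibility_matrix.xml` on the added line is an unescaped regex metacharacter, because file_contexts paths are regular expressions; the entry therefore matches any character in that position, not only a literal dot. Writing it as `/(vendor|system/vendor)/compatibility_matrix\.xml` keeps the `vendor_configs_file` label bound to exactly that file name. The existing `manifest.xml` entry above has the same form and could be tightened in the same change. The TODO about moving to /vendor/etc now sits above two entries, so it should say whether it covers both.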
diff --git a/private/system_server.te b/private/system_server.te
index c5185fb..c51c040 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -86,6 +86,9 @@
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
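Review bot: The comment on the new `config_gz` rule names libvintf but does not say that the grant is deliberately limited to `read open`. A comment such as `# libvintf reads the kernel config (config_gz) to verify vendor interface compatibility; read-only, no getattr/ioctl.` would make the intended scope explicit for later audits. The kernel build configuration shows which hardening options are enabled, so the grant should stay as narrow as written. If the library turns out to stat the file, check the audit log for a `getattr` denial and add only that permission instead of switching to a broader read macro.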
@@ -186,6 +189,7 @@
allow system_server hidl_token_hwservice:hwservice_manager find;
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input)
diff --git a/public/attributes b/public/attributes
index b13f75c..90740d4 100644
--- a/public/attributes
+++ b/public/attributes
@@ -234,6 +234,9 @@
attribute hal_telephony;
attribute hal_telephony_client;
attribute hal_telephony_server;
+attribute hal_tetheroffload;
+attribute hal_tetheroffload_client;
+attribute hal_tetheroffload_server;
attribute hal_thermal;
attribute hal_thermal_client;
attribute hal_thermal_server;
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
new file mode 100644
index 0000000..a4c21fcd
--- /dev/null
+++ b/public/hal_tetheroffload.te
@@ -0,0 +1,3 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
+binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
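Review bot: The new file allows binder calls in both directions between `hal_tetheroffload_client` and `hal_tetheroffload_server`, but nothing in this diff controls who may register or look up the service with hwservice_manager. If this tree uses per-HAL hwservice types (the `hidl_token_hwservice` find rule in system_server.te suggests it may), a dedicated type should accompany these rules, with an add rule for the server attribute and a find rule for the client attribute. Otherwise lookup is governed by whatever default label applies. The header comment could also state that the server-to-client direction exists only for callbacks the client has registered.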
diff --git a/public/te_macros b/public/te_macros
index 80b5696..d5f97f2 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -469,6 +469,7 @@
allow $1 su:fifo_file append;
')
allow $1 anr_data_file:file append;
+allow $1 dumpstate:fifo_file append;
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
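Review bot: The added `allow $1 dumpstate:fifo_file append;` sits after the `')` that closes the preceding conditional block, so unlike the `su:fifo_file` rule it appears to apply on every build type and to every domain that invokes this macro. The enclosing macro begins outside the hunk, so which domains that covers cannot be confirmed from here. The rule has no comment; something like `# Append crash output to a pipe passed in by dumpstate (presumably while a bug report is collected).` would record why it is unconditional. Limiting it to `append` is the right shape, and it should stay that way, without `write` or `open`, so the caller can only add to a descriptor it was handed.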