Merge "Adding permission for traceur to use content provider"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf9d0d3..bb9142d 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -183,6 +183,7 @@
   hal_bluetooth_hwservice
   hal_bootctl_hwservice
   hal_camera_hwservice
+  hal_confirmationui_hwservice
   hal_contexthub_hwservice
   hal_drm_hwservice
   hal_dumpstate_hwservice
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9d173be..9dd2ee7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -466,6 +466,7 @@
     proc_kmsg
     proc_loadavg
     proc_max_map_count
+    proc_min_free_order_shift
     proc_mounts
     proc_page_cluster
     proc_pagetypeinfo
@@ -478,6 +479,7 @@
     proc_uid_time_in_state
     proc_uid_concurrent_active_time
     proc_uid_concurrent_policy_time
+    proc_uid_cpupower
     proc_uptime
     proc_version
     proc_vmallocinfo
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3a906e9..ca26357 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -37,6 +37,7 @@
     fs_bpf
     hal_broadcastradio_hwservice
     hal_cas_hwservice
+    hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
     hal_tetheroffload_hwservice
diff --git a/private/file_contexts b/private/file_contexts
index 9083b0c..b2a22a2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,6 +38,7 @@
 /sdcard             u:object_r:rootfs:s0
 
 # SELinux policy files
+/vendor_file_contexts   u:object_r:file_contexts_file:s0
 /nonplat_file_contexts  u:object_r:file_contexts_file:s0
 /plat_file_contexts     u:object_r:file_contexts_file:s0
 /mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 76f5bdd..8f0d489 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -66,6 +66,7 @@
 genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -77,6 +78,7 @@
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
 genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
 genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 661e2ae..38a9af2 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@
 android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_broadcastradio_hwservice:s0
 android.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
 android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI                u:object_r:hal_confirmationui_hwservice:s0
 android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
 android.hardware.cas::IMediaCasService                          u:object_r:hal_cas_hwservice:s0
 android.hardware.drm::ICryptoFactory                            u:object_r:hal_drm_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index b885263..a887a61 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -99,7 +99,14 @@
 ###
 
 # only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+neverallow {
+  domain
+  -incident
+  -incidentd
+  -statsd
+  -system_app
+  -system_server
+} incident_service:service_manager find;
 
 # only incidentd and the other root services in limited circumstances
 # can get to the files in /data/misc/incidents
diff --git a/private/keystore.te b/private/keystore.te
index a9647c6..90c4727 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -5,6 +5,12 @@
 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)
 
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
 # Offer the Wifi Keystore HwBinder service
 typeattribute keystore wifi_keystore_service_server;
 add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/private/statsd.te b/private/statsd.te
index b04a7da..dad3c6c 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -41,8 +41,9 @@
 
 # Grant statsd with permissions to register the services.
 allow statsd {
-  statscompanion_service
   app_api_service
+  incident_service
+  statscompanion_service
   system_api_service
 }:service_manager find;
 
diff --git a/private/system_server.te b/private/system_server.te
index 6ebcab5..642c8bd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -718,6 +718,7 @@
 }:file r_file_perms;
 
 allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
 
 r_dir_file(system_server, rootfs)
 
diff --git a/public/app.te b/public/app.te
index 582995a..3c29946 100644
--- a/public/app.te
+++ b/public/app.te
@@ -547,3 +547,6 @@
 
 # Apps cannot access proc_uid_concurrent_policy_time
 neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
diff --git a/public/attributes b/public/attributes
index 11ffd2e..66ce7d0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -209,6 +209,7 @@
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(configstore);
+hal_attribute(confirmationui);
 hal_attribute(contexthub);
 hal_attribute(drm);
 hal_attribute(cas);
diff --git a/public/file.te b/public/file.te
index c6b2a79..02a4360 100644
--- a/public/file.te
+++ b/public/file.te
@@ -8,6 +8,7 @@
 type proc_security, fs_type;
 type proc_drop_caches, fs_type;
 type proc_overcommit_memory, fs_type;
+type proc_min_free_order_shift, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -55,6 +56,7 @@
 type proc_uid_time_in_state, fs_type;
 type proc_uid_concurrent_active_time, fs_type;
 type proc_uid_concurrent_policy_time, fs_type;
+type proc_uid_cpupower, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
new file mode 100644
index 0000000..228e864
--- /dev/null
+++ b/public/hal_confirmationui.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09e3068..f6ab621 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
 type hal_drm_hwservice, hwservice_manager_type;
 type hal_cas_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index ddbe323..c3e36ea 100644
--- a/public/init.te
+++ b/public/init.te
@@ -287,6 +287,7 @@
   proc_extra_free_kbytes
   proc_net
   proc_max_map_count
+  proc_min_free_order_shift
   proc_overcommit_memory
   proc_panic
   proc_page_cluster
diff --git a/public/su.te b/public/su.te
index 88065f6..edc62c3 100644
--- a/public/su.te
+++ b/public/su.te
@@ -62,6 +62,7 @@
   typeattribute su hal_bootctl_client;
   typeattribute su hal_camera_client;
   typeattribute su hal_configstore_client;
+  typeattribute su hal_confirmationui_client;
   typeattribute su hal_contexthub_client;
   typeattribute su hal_drm_client;
   typeattribute su hal_cas_client;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b1efe1d..c56b45c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -33,127 +33,47 @@
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
-}:dir { create search getattr open read setattr ioctl };
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_file
-  -system_ndebug_socket
-  -unlabeled
-  -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init {
-  file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
   -runtime_event_log_tags_file
-  -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
+  -core_data_file_type
+  -exec_type
   -system_file
   -vendor_file_type
-  -exec_type
-  -vold_data_file
-  -keystore_data_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index f754db7..a490e06 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -11,7 +11,7 @@
 r_dir_file(vold, proc_net)
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
 allow vold sysfs_dm:file w_file_perms;
 allow vold sysfs_usb:file w_file_perms;
 allow vold sysfs_zram_uevent:file w_file_perms;
@@ -89,9 +89,6 @@
 allow vold domain:process { signal sigkill };
 allow vold self:global_capability_class_set { sys_ptrace kill };
 
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
 allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck in the fsck domain.
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b4961d7..e2d3ef7 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,6 +9,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service            u:object_r:hal_cas_default_exec:s0
diff --git a/vendor/hal_confirmationui_default.te b/vendor/hal_confirmationui_default.te
new file mode 100644
index 0000000..832c687
--- /dev/null
+++ b/vendor/hal_confirmationui_default.te
@@ -0,0 +1,5 @@
+type hal_confirmationui_default, domain;
+hal_server_domain(hal_confirmationui_default, hal_confirmationui)
+
+type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_confirmationui_default)