Merge "Move allow rules of sdk_sandbox to apex policy"
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
index 3a35814..401f78c 100644
--- a/mac_permissions/Android.bp
+++ b/mac_permissions/Android.bp
@@ -14,6 +14,15 @@
 
 // This file contains module definitions for mac_permissions.xml files.
 
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "system_sepolicy_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_sepolicy_license"],
+}
+
 se_build_files {
     name: "keys.conf",
     srcs: ["keys.conf"],
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 4b296c9..163a300 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -10,9 +10,13 @@
 (type iorapd_exec)
 (type iorapd_service)
 (type iorapd_tmpfs)
+(type lowpan_service)
 (type timezone_service)
 (type tzdatacheck)
 (type tzdatacheck_exec)
+(type wpantund)
+(type wpantund_exec)
+(type wpantund_service)
 (type zoneinfo_data_file)
 
 (expandtypeattribute (DockObserver_service_33_0) true)
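Review bot: The four declarations added in this hunk (`lowpan_service`, `wpantund`, `wpantund_exec`, `wpantund_service`) have no comment explaining why types the platform no longer labels or grants rules to are still declared. A short line above them would help, for example `;; wpantund/lowpan removed from platform policy; declared only so 33.0 vendor policy still resolves these names`. The versioned mapping entries for these types are presumably elsewhere in 33.0.cil and are not visible in the hunk, so confirm that each of the four has one. The deleted public/wpantund.te was a `hal_lowpan` client, and no visible hunk touches `hal_lowpan`; check whether that attribute and any rules attached to it still have a user, so that unused allow rules do not linger in the policy.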
diff --git a/private/file_contexts b/private/file_contexts
index de2c898..fedea70 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -333,7 +333,6 @@
 /system/bin/profcollectd         u:object_r:profcollectd_exec:s0
 /system/bin/profcollectctl       u:object_r:profcollectd_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
-/system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
diff --git a/private/service_contexts b/private/service_contexts
index 0e9d4e8..4a4eef4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -178,7 +178,6 @@
 emergency_affordance                      u:object_r:emergency_affordance_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
-lowpan                                    u:object_r:lowpan_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 face                                      u:object_r:face_service:s0
 file_integrity                            u:object_r:file_integrity_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index b783446..aa674d0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -300,7 +300,6 @@
 binder_call(system_server, vold)
 binder_call(system_server, logd)
 binder_call(system_server, wificond)
-binder_call(system_server, wpantund)
 binder_service(system_server)
 
 # Use HALs
diff --git a/private/wpantund.te b/private/wpantund.te
deleted file mode 100644
index e91662c..0000000
--- a/private/wpantund.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute wpantund coredomain;
-
-init_daemon_domain(wpantund)
diff --git a/public/service.te b/public/service.te
index b8a628c..a75d6a3 100644
--- a/public/service.te
+++ b/public/service.te
@@ -122,7 +122,6 @@
 type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lowpan_service, system_api_service, system_server_service, service_manager_type;
 type ethernet_service, app_api_service, system_server_service, service_manager_type;
 type biometric_service, app_api_service, system_server_service, service_manager_type;
 type bugreport_service, app_api_service, system_server_service, service_manager_type;
@@ -258,7 +257,6 @@
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
 type inputflinger_service, system_api_service, system_server_service, service_manager_type;
-type wpantund_service, system_api_service, service_manager_type;
 type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type emergency_affordance_service, system_server_service, service_manager_type;
 
diff --git a/public/wpantund.te b/public/wpantund.te
deleted file mode 100644
index 8ddd693..0000000
--- a/public/wpantund.te
+++ /dev/null
@@ -1,29 +0,0 @@
-type wpantund, domain;
-type wpantund_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(wpantund, hal_lowpan)
-net_domain(wpantund)
-
-binder_use(wpantund)
-binder_call(wpantund, system_server)
-
-# wpantund needs to be able to check in with the lowpan_service
-allow wpantund lowpan_service:service_manager find;
-
-# Allow wpantund to call any callbacks that have been registered with it.
-# Generally, only privileged apps are able to register callbacks with
-# wpantund, so we are limiting the scope for callbacks to only privileged
-# apps. We also add shell to allow the command-line utility `lowpanctl`
-# to work properly from `adb shell`.
-allow wpantund {priv_app shell}:binder call;
-
-# create sockets to set interfaces up and down, add multicast groups, etc.
-allow wpantund self:udp_socket create_socket_perms;
-
-# setting interface state up/down and changing MTU are privileged ioctls
-allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
-
-# Allow us to bring up a TUN network interface.
-allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:global_capability_class_set { net_admin net_raw };
-allow wpantund self:tun_socket create;