Merge "Add permissions for new netd AIDL HAL"
diff --git a/Android.mk b/Android.mk
index c98de45..fae4cba 100644
--- a/Android.mk
+++ b/Android.mk
@@ -54,15 +54,7 @@
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
 
 SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
-  # TODO: Disallow BOARD_PLAT_*
-  SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-endif
 SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
-  # TODO: Disallow BOARD_PLAT_*
-  SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
-endif
 
 PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
 PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
diff --git a/build/soong/policy.go b/build/soong/policy.go
index b1840da..3946a04 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -45,10 +45,9 @@
 	"mls",
 	"policy_capabilities",
 	"te_macros",
-	"attributes",
 	"ioctl_defines",
 	"ioctl_macros",
-	"*.te",
+	"attributes|*.te",
 	"roles_decl",
 	"roles",
 	"users",
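Review bot: The new entry `"attributes|*.te"` reads like a glob alternation, but findPolicyConfOrder in the next hunk compares it by plain string equality, so the literal is a sentinel that has to be kept identical in two places by hand. If the two drift apart, both `attributes` and `*.te` inputs stop matching this slot; what the function returns in that case is outside the hunk, so the effect on policy ordering cannot be judged from here. I would declare it once, `const attributesOrTe = "attributes|*.te"`, and use that name both in the list and in the comparison. The comment `// We could use regexp but it seems like an overkill` would be more useful if it stated the intent, for example `// "attributes" files and *.te files share one position in the ordering`.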
@@ -198,7 +197,10 @@
 
 func findPolicyConfOrder(name string) int {
 	for idx, pattern := range policyConfOrder {
-		if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
+		// We could use regexp but it seems like an overkill
+		if pattern == "attributes|*.te" && (name == "attributes" || strings.HasSuffix(name, ".te")) {
+			return idx
+		} else if pattern == name {
 			return idx
 		}
 	}
diff --git a/private/update_verifier.te b/private/update_verifier.te
index 5e1b27b..a8cef37 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -7,3 +7,10 @@
 
 # Allow to set the OTA related properties e.g. ota.warm_reset.
 set_prop(update_verifier, ota_prop)
+
+# allow update_verifier to connect to snapuserd daemon
+allow update_verifier snapuserd_socket:sock_file write;
+allow update_verifier snapuserd:unix_stream_socket connectto;
+
+# virtual a/b properties
+get_prop(update_verifier, virtual_ab_prop)
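Review bot: The two hand-written allow rules for snapuserd are exactly what the `unix_socket_connect` macro expands to, so `unix_socket_connect(update_verifier, snapuserd, snapuserd)` would express the same grant in one line and keep the socket and peer types paired. The grant itself is narrow (sock_file write plus connectto), which is good. The comment says what is allowed but not why a verifier needs to reach the daemon. A reason, presumably that verified partitions may be backed by snapuserd on Virtual A/B devices, should be confirmed by the author and added so that later audits can tell whether the access is still needed.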
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index 52769dd..8adf8d3 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -11,3 +11,8 @@
 
 # communicate with servicemanager
 binder_call(hal_vehicle_server, servicemanager)
+
+# communicate with statsd
+hwbinder_use(hal_vehicle_default)
+allow hal_vehicle_default fwk_stats_hwservice:hwservice_manager find;
+binder_call(hal_vehicle_default, stats_service_server)
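Review bot: The comment `# communicate with statsd` does not say which interface is used, while the rules grant the hwservice lookup of `fwk_stats_hwservice` plus `binder_call` to `stats_service_server`. A more precise comment, such as `# talk to the stats service over hwbinder (fwk_stats_hwservice)`, would make the intended scope reviewable. The neighbouring context rule is written against the `hal_vehicle_server` attribute, whereas the new lines target the `hal_vehicle_default` domain. If `hwbinder_use` is already granted through the HAL attribute elsewhere in the policy (not visible in this hunk), the explicit `hwbinder_use(hal_vehicle_default)` is redundant and could be dropped.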