Merge "Remove selinux denial"
diff --git a/private/app.te b/private/app.te
index e0fb6f1..b009d98 100644
--- a/private/app.te
+++ b/private/app.te
@@ -158,6 +158,11 @@
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
+# hidl access for mediacodec
+# TODO(b/34454312): only allow getting and talking to mediacodec service
+hwbinder_use(appdomain)
+hwallocator_use(appdomain)
+
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
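Review bot: `hwbinder_use(appdomain)` and `hwallocator_use(appdomain)` on the two added lines give every app domain — appdomain presumably includes untrusted and isolated apps — the ability to reach hwservicemanager and any HIDL service it can name, which is far wider than the single mediacodec service the TODO says is the goal. The TODO on the line above records the intent but not the exposure, so a reader skimming app.te sees only a routine macro call. I would extend the comment to state the interim scope explicitly: `# Interim: grants ALL app domains HwBinder + hwallocator access, not only mediacodec; see TODO above`. A neverallow pinning the grant to the intended service would be the stronger fix, but that depends on per-service hwservice types this diff does not show.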
diff --git a/private/file_contexts b/private/file_contexts
index 71f1586..812ae5a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -445,12 +445,39 @@
# debugfs files
#
/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
-/sys/kernel(/debug)?/tracing/(.*)? u:object_r:debugfs_tracing:s0
-/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
+
+#############################
+# tracefs files
+#
+/sys/kernel(/debug)?/tracing/buffer_size_kb u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/options/overwrite u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/options/print-tgid u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_clock u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
#############################
# asec containers
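Review bot: The new `tracing_shell_writable` entries (L35–L63) are a hand-maintained allowlist of event `enable` files and control knobs, and any tracing file not listed keeps its fallback label, so a new atrace category will silently become read-only for shell rather than fail at build time. The removed catch-all `/sys/kernel(/debug)?/tracing/(.*)?` line also means the remaining tracing files now depend on labeling that is not in this diff (presumably a genfs_contexts entry for debugfs — confirm). A header comment above the list would make the maintenance contract explicit: `# Allowlist of tracing control files shell may write for systrace; keep in sync with the events atrace enables. Unlisted files stay read-only to shell.`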
diff --git a/private/shell.te b/private/shell.te
index 333265f..1e77964 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,6 +1,7 @@
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_tracing:file r_file_perms;
+allow shell tracing_shell_writable:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 30fe3e2..cba1ab3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -179,6 +179,7 @@
# Perform HwBinder IPC.
hwbinder_use(system_server)
+hwallocator_use(system_server)
binder_call(system_server, hal_bluetooth)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
diff --git a/public/file.te b/public/file.te
index d279748..cd646f5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -65,6 +65,7 @@
type debugfs_tracing, fs_type, debugfs_type;
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
+type tracing_shell_writable, fs_type, debugfs_type;
type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
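Review bot: The new `tracing_shell_writable` type on the added line is declared without a comment, and its name describes a consumer (shell) rather than the objects it labels, so a reader of file.te cannot tell what belongs in it without cross-referencing file_contexts. Because this lives in public/ and may be referenced by vendor policy, a short comment pinning its meaning would help: `# tracing control files (event enables, buffer size, trace clock, tracing_on) that shell may write for systrace`.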
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index ee12ff1..9ba0bdb 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -14,3 +14,6 @@
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:capability sys_nice;
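Review bot: The comment `# allow self to set SCHED_FIFO` understates what `self:capability sys_nice` grants: CAP_SYS_NICE also lets the process change the scheduling policy, priority and CPU affinity of other processes, not only its own threads. The SELinux capability class cannot narrow this to own-thread use, so the comment should record the wider grant rather than read as a SCHED_FIFO-only permission: `# CAP_SYS_NICE so the composer can put its own threads on SCHED_FIFO; the capability also covers other processes' priority/affinity`.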
diff --git a/public/init.te b/public/init.te
index fe72894..a65bf2c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -184,7 +184,7 @@
allow init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
+allow init tracing_shell_writable:file w_file_perms;
userdebug_or_eng(`
# Setup and control wifi event tracing (see wifi-events.rc)
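Review bot: The replacement `allow init tracing_shell_writable:file w_file_perms;` only works if `tracing_on` already carries the `tracing_shell_writable` label when init writes it; that label comes from file_contexts and is applied by restorecon, whereas the old `debugfs_tracing` target was presumably the mount-time genfs label. If init's write happens before the tracing tree is restorecon'd, the file is still `debugfs_tracing` and the write is denied — worth confirming the ordering in init.rc, which this diff does not show. The comment also names only tracing_on while the rule now covers every tracing_shell_writable file (event enables, buffer size, trace); `# Disable tracing by writing tracing_on (labeled tracing_shell_writable); the rule covers all files of that type` would keep it accurate.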
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 9f07d85..6b4d677 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -18,6 +18,11 @@
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec hal_graphics_allocator:fd use;
+# hidl access
+hwbinder_use(mediacodec)
+hwallocator_use(mediacodec)
+allow mediacodec system_file:dir { open read };
+
###
### neverallow rules
###
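Review bot: `allow mediacodec system_file:dir { open read };` on the fourth added line has no comment explaining why mediacodec needs to open system_file directories, and if domain.te in this tree already grants `system_file:dir r_dir_perms` to every domain (as the AOSP base policy does — confirm) the line is redundant and should be dropped. Separately, the `# hidl access` comment here and in the mediaserver.te hunk says what the macros are, not which HIDL service is being reached; naming the service mediacodec talks to, e.g. `# HwBinder access to the <service> HAL` with the real name filled in, would make the later tightening promised in app.te easier to scope.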
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 16b8013..fa47288 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -132,6 +132,10 @@
allow mediaserver system_server:fd use;
+# hidl access
+hwbinder_use(mediaserver)
+hwallocator_use(mediaserver)
+
###
### neverallow rules
###