authorNicholas Sauer <nicksauer@google.com>2017-08-06 20:10:32 -0700
committerNicholas Sauer <nicksauer@google.com>2017-08-08 14:40:58 -0700
commitac142f75cdc84c8fa0a4e225e3e38abd12374f71 (patch)
tree3c640f73b044f7ef71feebb6d06ad6f813c2d080 /common
parent3a810ad3c74306f13b092fcff2dd2dd22d8cc166 (diff)
downloadcar-ac142f75cdc84c8fa0a4e225e3e38abd12374f71.tar.gz
Fix the Car emulator.
-Sync up device/generic/car/common/product to build/make/target/product. Many files had been copied years ago and did not contain many more recent changes. -Consolidate car related configs in device/generic/car/common/ product/car.mk. Remove any car related configs from the other nearby mk files so they are more similar to mk files under build/make/target/product. -Sync up device/generic/car/sepolicy to build/target/board/generic/sepolicy. Some auto related sepolicy remains here, but could be refactored out in the future. -Remove unused car_emu* targets. -Consolidate AndroidProducts.mk and vendorsetup.sh -Update manifest.xml using device/generic/goldfish and move it to device/generic/car bug: 64302465 Test: lunch aosp_car_emu_x86-userdebug;make;emulator Change-Id: I6fd4ef83590b3eb05af422dbbc8c39b8132cb971
Diffstat (limited to 'common')
-rw-r--r--common/init.car-emulator.rc87
-rw-r--r--common/product/aosp_x86.mk33
-rw-r--r--common/product/car.mk40
-rw-r--r--common/product/core.mk10
-rw-r--r--common/product/emulator.mk64
-rw-r--r--common/product/full_base.mk7
-rw-r--r--common/product/full_x86.mk44
-rw-r--r--common/product/generic_no_telephony.mk2
-rw-r--r--common/product/manifest.xml20
-rw-r--r--common/sepolicy/bootanim.te3
-rw-r--r--common/sepolicy/domain.te5
-rw-r--r--common/sepolicy/file.te2
-rw-r--r--common/sepolicy/fsck.te1
-rw-r--r--common/sepolicy/goldfish_setup.te29
-rw-r--r--common/sepolicy/hal_gnss_default.te3
-rw-r--r--common/sepolicy/hal_graphics_composer_default.te3
-rw-r--r--common/sepolicy/hal_vehicle_hwservice.te2
-rw-r--r--common/sepolicy/init.te1
-rw-r--r--common/sepolicy/logd.te11
-rw-r--r--common/sepolicy/logpersist.te13
-rw-r--r--common/sepolicy/netd.te1
-rw-r--r--common/sepolicy/property.te7
-rw-r--r--common/sepolicy/property_contexts4
-rw-r--r--common/sepolicy/qemu_props.te12
-rw-r--r--common/sepolicy/qemud.te1
-rw-r--r--common/sepolicy/surfaceflinger.te3
-rw-r--r--common/sepolicy/system_server.te5
27 files changed, 235 insertions, 178 deletions
diff --git a/common/init.car-emulator.rc b/common/init.car-emulator.rc
deleted file mode 100644
index 34db798..0000000
--- a/common/init.car-emulator.rc
+++ /dev/null
@@ -1,87 +0,0 @@
-import init.car.rc
-
-on early-init
- mount debugfs debugfs /sys/kernel/debug
-
-on init
-
-on boot
- setprop ARGH ARGH
- setprop net.eth0.gw 10.0.2.2
- setprop net.eth0.dns1 10.0.2.3
- setprop net.dns1 10.0.2.3
- setprop net.gprs.local-ip 10.0.2.15
- setprop ro.radio.use-ppp no
- setprop ro.build.product generic
- setprop ro.product.device generic
-
-# fake some battery state
- setprop status.battery.state Slow
- setprop status.battery.level 5
- setprop status.battery.level_raw 50
- setprop status.battery.level_scale 9
-
-# disable some daemons the emulator doesn't want
- stop dund
- stop akmd
-
-# start essential services
- start qemud
- start goldfish-logcat
- start goldfish-setup
-
- setprop ro.setupwizard.mode EMULATOR
-
-# enable Google-specific location features,
-# like NetworkLocationProvider and LocationCollector
- setprop ro.com.google.locationfeatures 1
-
-# For the emulator, which bypasses Setup Wizard, you can specify
-# account info for the device via these two properties. Google
-# Login Service will insert these accounts into the database when
-# it is created (ie, after a data wipe).
-#
-# setprop ro.config.hosted_account username@hosteddomain.org:password
-# setprop ro.config.google_account username@gmail.com:password
-#
-# You MUST have a Google account on the device, and you MAY
-# additionally have a hosted account. No other configuration is
-# supported, and arbitrary breakage may result if you specify
-# something else.
-
-on fs
- mount_all /fstab.goldfish
-
-service goldfish-setup /system/etc/init.goldfish.sh
- user root
- group root
- oneshot
-
-# The qemu-props program is used to set various system
-# properties on boot. It must be run early during the boot
-# process to avoid race conditions with other daemons that
-# might read them (e.g. surface flinger), so define it in
-# class 'core'
-#
-service qemu-props /system/bin/qemu-props
- class core
- user root
- group root
- oneshot
-
-service qemud /system/bin/qemud
- socket qemud stream 666
- oneshot
-
-# -Q is a special logcat option that forces the
-# program to check wether it runs on the emulator
-# if it does, it redirects its output to the device
-# named by the androidboot.console kernel option
-# if not, is simply exits immediately
-
-service goldfish-logcat /system/bin/logcat -Q
- oneshot
-
-service fingerprintd /system/bin/fingerprintd
- class late_start
- user system
diff --git a/common/product/aosp_x86.mk b/common/product/aosp_x86.mk
index be0585a..376d072 100644
--- a/common/product/aosp_x86.mk
+++ b/common/product/aosp_x86.mk
@@ -13,37 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+include device/generic/car/common/product/full_x86.mk
-# This is a build configuration for a full-featured build of the
-# Open-Source part of the tree. It's geared toward a US-centric
-# build quite specifically for the emulator, and might not be
-# entirely appropriate to inherit from for on-device configurations.
-
-# If running on an emulator or some other device that has a LAN connection
-# that isn't a wifi connection. This will instruct init.rc to enable the
-# network connection so that you can use it with ADB
-
-# This is for enabling ethernet support for ranchu.
-# Consider removing this after RIL support is provided in ranchu.
-PRODUCT_COPY_FILES += frameworks/native/data/etc/android.hardware.ethernet.xml:system/etc/permissions/android.hardware.ethernet.xml
-
-$(call inherit-product, $(SRC_TARGET_DIR)/product/core.mk)
-$(call inherit-product, device/generic/car/common/product/aosp_base_telephony.mk)
-$(call inherit-product, $(SRC_TARGET_DIR)/board/generic_x86/device.mk)
-
-include device/generic/car/common/product/emulator.mk
-
-ifdef NET_ETH0_STARTONBOOT
- PRODUCT_PROPERTY_OVERRIDES += net.eth0.startonboot=1
-endif
-
-# Ensure we package the BIOS files too.
-PRODUCT_PACKAGES += \
- bios.bin \
- vgabios-cirrus.bin \
-
-# Overrides
PRODUCT_NAME := aosp_x86
-PRODUCT_DEVICE := generic_x86
-PRODUCT_BRAND := Android
-PRODUCT_MODEL := AOSP on IA x86 Emulator
diff --git a/common/product/car.mk b/common/product/car.mk
new file mode 100644
index 0000000..a683ac8
--- /dev/null
+++ b/common/product/car.mk
@@ -0,0 +1,40 @@
+#
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Common Car
+PRODUCT_RESTRICT_VENDOR_FILES := false
+
+# Auto modules
+PRODUCT_PACKAGES += \
+ android.hardware.automotive.vehicle@2.1-service
+
+# Replace framework versions with dummy one, which is essentially
+# the same as removing the xml. Needs this as there is no easy
+# way to remove PRODUCT_COPY_FILES from inherited products.
+PRODUCT_COPY_FILES += \
+ device/generic/car/common/android.hardware.dummy.xml:system/etc/permissions/handheld_core_hardware.xml \
+ device/generic/car/common/bootanimations/bootanimation-832.zip:system/media/bootanimation.zip \
+ frameworks/native/data/etc/android.hardware.screen.landscape.xml:system/etc/permissions/android.hardware.screen.landscape.xml \
+ packages/services/Car/car_product/init/init.bootstat.rc:root/init.bootstat.rc \
+ packages/services/Car/car_product/init/init.car.rc:root/init.car.rc \
+
+PRODUCT_PROPERTY_OVERRIDES += \
+ android.car.drawer.unlimited=true \
+ android.car.hvac.demo=true \
+ com.android.car.radio.demo=true \
+ com.android.car.radio.demo.dual=true
+
+$(call inherit-product, packages/services/Car/car_product/build/car.mk)
diff --git a/common/product/core.mk b/common/product/core.mk
index 8280c2c..748ae7e 100644
--- a/common/product/core.mk
+++ b/common/product/core.mk
@@ -50,4 +50,14 @@ PRODUCT_PACKAGES += \
VpnDialogs \
MmsService
+# The set of packages whose code can be loaded by the system server.
+PRODUCT_SYSTEM_SERVER_APPS += \
+ FusedLocation \
+ InputDevices \
+ KeyChain \
+ Telecom \
+
+# The set of packages we want to force 'speed' compilation on.
+PRODUCT_DEXPREOPT_SPEED_APPS += \
+
$(call inherit-product, $(SRC_TARGET_DIR)/product/core_base.mk)
diff --git a/common/product/emulator.mk b/common/product/emulator.mk
index fe9a2f3..8309a1a 100644
--- a/common/product/emulator.mk
+++ b/common/product/emulator.mk
@@ -1,5 +1,5 @@
#
-# Copyright (C) 2016 The Android Open Source Project
+# Copyright (C) 2012 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -37,42 +37,76 @@ PRODUCT_PACKAGES += \
libGLESv1_enc \
qemu-props \
qemud \
+ camera.goldfish \
camera.goldfish.jpeg \
+ camera.ranchu \
camera.ranchu.jpeg \
lights.goldfish \
gps.goldfish \
gps.ranchu \
+ fingerprint.goldfish \
sensors.goldfish \
- sensors.ranchu \
+ audio.primary.goldfish \
+ audio.primary.goldfish_legacy \
+ android.hardware.audio@2.0-service \
+ vibrator.goldfish \
power.goldfish \
- audio.primary.goldfish
+ power.ranchu \
+ fingerprint.ranchu \
+ android.hardware.biometrics.fingerprint@2.1-service \
+ sensors.ranchu \
+ android.hardware.graphics.composer@2.1-impl \
+ android.hardware.graphics.composer@2.1-service \
+ android.hardware.graphics.allocator@2.0-service \
+ android.hardware.graphics.allocator@2.0-impl \
+ android.hardware.graphics.mapper@2.0-impl \
+ hwcomposer.goldfish \
+ hwcomposer.ranchu \
+ vintf \
+ CarrierConfig
-# Keymaster HAL
PRODUCT_PACKAGES += \
android.hardware.audio@2.0-impl \
android.hardware.audio.effect@2.0-impl \
- android.hardware.keymaster@3.0-impl
+ android.hardware.broadcastradio@1.0-impl \
+ android.hardware.soundtrigger@2.0-impl
+
+PRODUCT_PACKAGES += \
+ android.hardware.keymaster@3.0-impl \
+ android.hardware.keymaster@3.0-service
+
+PRODUCT_PACKAGES += \
+ android.hardware.gnss@1.0-service \
+ android.hardware.gnss@1.0-impl
+
+PRODUCT_PACKAGES += \
+ android.hardware.sensors@1.0-impl \
+ android.hardware.sensors@1.0-service
+PRODUCT_PACKAGES += \
+ android.hardware.power@1.0-service \
+ android.hardware.power@1.0-impl
+
+# camera service treble disable until all backwards compat is complete
+PRODUCT_PROPERTY_OVERRIDES += \
+ camera.disable_treble=1
+
+# Changed manifest to use device/generic/car/common/product/manifest.xml
PRODUCT_COPY_FILES += \
device/generic/goldfish/fstab.goldfish:root/fstab.goldfish \
device/generic/goldfish/init.goldfish.rc:root/init.goldfish.rc \
device/generic/goldfish/init.goldfish.sh:system/etc/init.goldfish.sh \
+ device/generic/goldfish/init.ranchu-core.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.ranchu-core.sh \
+ device/generic/goldfish/init.ranchu-net.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.ranchu-net.sh \
+ device/generic/goldfish/init.ranchu.rc:root/init.ranchu.rc \
device/generic/goldfish/ueventd.goldfish.rc:root/ueventd.goldfish.rc \
device/generic/goldfish/init.ranchu.rc:root/init.ranchu.rc \
device/generic/goldfish/fstab.ranchu:root/fstab.ranchu \
device/generic/goldfish/ueventd.ranchu.rc:root/ueventd.ranchu.rc \
+ device/generic/car/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml \
+ device/generic/goldfish/input/goldfish_rotary.idc:system/usr/idc/goldfish_rotary.idc \
frameworks/native/data/etc/android.hardware.usb.accessory.xml:system/etc/permissions/android.hardware.usb.accessory.xml
PRODUCT_PACKAGE_OVERLAYS := device/generic/goldfish/overlay
-# Vendor Interface Manifest
-PRODUCT_COPY_FILES += \
- device/generic/car/common/product/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml
-
-# Graphics HAL
-PRODUCT_PACKAGES += \
- android.hardware.graphics.allocator@2.0-impl \
- android.hardware.graphics.allocator@2.0-service \
- android.hardware.graphics.mapper@2.0-impl
-
PRODUCT_CHARACTERISTICS := emulator
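Review bot: The added entry `device/generic/goldfish/init.ranchu.rc:root/init.ranchu.rc \` duplicates the unchanged entry two lines below it in the same PRODUCT_COPY_FILES list, so the added copy should be dropped. The new comment `# Changed manifest to use device/generic/car/common/product/manifest.xml` also names the file this commit deletes, while the list actually copies `device/generic/car/manifest.xml`. I would reword it to `# Vendor interface manifest: device/generic/car/manifest.xml` so the next reader looks in the right place when checking which HALs are declared.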
diff --git a/common/product/full_base.mk b/common/product/full_base.mk
index 929e5d8..b8b5976 100644
--- a/common/product/full_base.mk
+++ b/common/product/full_base.mk
@@ -21,6 +21,10 @@
PRODUCT_PACKAGES := \
libfwdlockengine \
+ OpenWnn \
+ libWnnEngDic \
+ libWnnJpnDic \
+ libwnndict \
WAPPushManager
PRODUCT_PACKAGES += \
@@ -30,7 +34,8 @@ PRODUCT_PACKAGES += \
LiveWallpapersPicker \
MagicSmokeWallpapers \
NoiseField \
- PhaseBeam
+ PhaseBeam \
+ PhotoTable
# Additional settings used in all AOSP builds
PRODUCT_PROPERTY_OVERRIDES := \
diff --git a/common/product/full_x86.mk b/common/product/full_x86.mk
new file mode 100644
index 0000000..4c21816
--- /dev/null
+++ b/common/product/full_x86.mk
@@ -0,0 +1,44 @@
+#
+# Copyright (C) 2009 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This is a build configuration for a full-featured build of the
+# Open-Source part of the tree. It's geared toward a US-centric
+# build quite specifically for the emulator, and might not be
+# entirely appropriate to inherit from for on-device configurations.
+
+# If running on an emulator or some other device that has a LAN connection
+# that isn't a wifi connection. This will instruct init.rc to enable the
+# network connection so that you can use it with ADB
+
+$(call inherit-product, device/generic/car/common/product/aosp_base_telephony.mk)
+$(call inherit-product, $(SRC_TARGET_DIR)/board/generic_x86/device.mk)
+
+include device/generic/car/common/product/emulator.mk
+
+ifdef NET_ETH0_STARTONBOOT
+ PRODUCT_PROPERTY_OVERRIDES += net.eth0.startonboot=1
+endif
+
+# Ensure we package the BIOS files too.
+PRODUCT_PACKAGES += \
+ bios.bin \
+ vgabios-cirrus.bin \
+
+# Overrides
+PRODUCT_NAME := full_x86
+PRODUCT_DEVICE := generic_x86
+PRODUCT_BRAND := Android
+PRODUCT_MODEL := AOSP on IA Emulator
diff --git a/common/product/generic_no_telephony.mk b/common/product/generic_no_telephony.mk
index 4d37fe9..3e2bcf6 100644
--- a/common/product/generic_no_telephony.mk
+++ b/common/product/generic_no_telephony.mk
@@ -41,7 +41,6 @@ PRODUCT_PACKAGES += \
PRODUCT_PACKAGES += \
audio.primary.default \
- audio_policy.default \
local_time.default \
vibrator.default \
power.default
@@ -58,7 +57,6 @@ $(call inherit-product-if-exists, external/google-fonts/carrois-gothic-sc/fonts.
$(call inherit-product-if-exists, external/google-fonts/coming-soon/fonts.mk)
$(call inherit-product-if-exists, external/google-fonts/cutive-mono/fonts.mk)
$(call inherit-product-if-exists, external/noto-fonts/fonts.mk)
-$(call inherit-product-if-exists, external/naver-fonts/fonts.mk)
$(call inherit-product-if-exists, external/roboto-fonts/fonts.mk)
$(call inherit-product-if-exists, external/hyphenation-patterns/patterns.mk)
$(call inherit-product-if-exists, frameworks/base/data/keyboards/keyboards.mk)
diff --git a/common/product/manifest.xml b/common/product/manifest.xml
deleted file mode 100644
index e108de6..0000000
--- a/common/product/manifest.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<manifest version="1.0" type="device">
- <hal format="hidl">
- <name>android.hardware.graphics.allocator</name>
- <transport>hwbinder</transport>
- <version>2.0</version>
- <interface>
- <name>IAllocator</name>
- <instance>default</instance>
- </interface>
- </hal>
- <hal format="hidl">
- <name>android.hardware.graphics.mapper</name>
- <transport arch="32+64">passthrough</transport>
- <version>2.0</version>
- <interface>
- <name>IMapper</name>
- <instance>default</instance>
- </interface>
- </hal>
-</manifest>
diff --git a/common/sepolicy/bootanim.te b/common/sepolicy/bootanim.te
index a46e5c3..b4b1eef 100644
--- a/common/sepolicy/bootanim.te
+++ b/common/sepolicy/bootanim.te
@@ -1 +1,4 @@
+allow bootanim self:process execmem;
+allow bootanim ashmem_device:chr_file execute;
+
set_prop(bootanim, qemu_prop)
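Review bot: The two added rules give bootanim `execmem` and execute on `ashmem_device` with no comment explaining why, and the same pair is added to surfaceflinger in common/sepolicy/surfaceflinger.te. Both permissions relax the restriction on memory that is writable and executable, so anyone auditing this policy needs to see that they are an emulator-only concession and what requires them. I would add a comment above each pair, for example `# Emulator only: needed by the software GL renderer; do not copy into device policy.`, after confirming that this is the actual reason, which the diff does not show.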
diff --git a/common/sepolicy/domain.te b/common/sepolicy/domain.te
index 24a2920..c5bb959 100644
--- a/common/sepolicy/domain.te
+++ b/common/sepolicy/domain.te
@@ -2,9 +2,8 @@
dontaudit domain kernel:system module_request;
# For /sys/qemu_trace files in the emulator.
-allow domain sysfs_qemu_trace:dir search;
-allow domain sysfs_qemu_trace:file rw_file_perms;
+allow domain sysfs_writable:dir search;
+allow domain sysfs_writable:file rw_file_perms;
allow domain qemu_device:chr_file rw_file_perms;
get_prop(domain, qemu_prop)
-
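Review bot: The comment `# For /sys/qemu_trace files in the emulator.` stays in place while the rules under it now grant every domain search and `rw_file_perms` on `sysfs_writable`, a type whose name no longer says what it covers. Because the subject is `domain`, any sysfs path that receives this label becomes readable and writable by all processes, and the labeling rules (file_contexts or genfs_contexts) are not part of this diff. Either make the comment list the labeled paths, e.g. `# sysfs_writable labels only /sys/qemu_trace; writable by all domains on the emulator.`, or narrow the rule to the domains that need it. The matching type rename is in common/sepolicy/file.te.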
diff --git a/common/sepolicy/file.te b/common/sepolicy/file.te
index f1ab099..9227f80 100644
--- a/common/sepolicy/file.te
+++ b/common/sepolicy/file.te
@@ -1,2 +1,2 @@
-type sysfs_qemu_trace, fs_type, sysfs_type, mlstrustedobject;
type qemud_socket, file_type;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
diff --git a/common/sepolicy/fsck.te b/common/sepolicy/fsck.te
deleted file mode 100644
index 1500b5f..0000000
--- a/common/sepolicy/fsck.te
+++ /dev/null
@@ -1 +0,0 @@
-allow fsck persist_block_device:blk_file rw_file_perms;
diff --git a/common/sepolicy/goldfish_setup.te b/common/sepolicy/goldfish_setup.te
new file mode 100644
index 0000000..78d20fc
--- /dev/null
+++ b/common/sepolicy/goldfish_setup.te
@@ -0,0 +1,29 @@
+# goldfish-setup service: runs init.goldfish.sh script
+type goldfish_setup, domain;
+type goldfish_setup_exec, exec_type, file_type;
+
+init_daemon_domain(goldfish_setup)
+
+# Inherit open file to shell (interpreter) for script.
+allow goldfish_setup shell_exec:file rx_file_perms;
+
+# Run ifconfig, route commands to configure interfaces and routes.
+allow goldfish_setup system_file:file execute_no_trans;
+allow goldfish_setup toolbox_exec:file rx_file_perms;
+allow goldfish_setup self:capability { net_admin net_raw };
+allow goldfish_setup self:udp_socket create_socket_perms;
+allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(goldfish_setup)
+net_domain(goldfish_setup)
+
+# Set net.eth0.dns*, debug.sf.nobootanimation
+set_prop(goldfish_setup, system_prop)
+set_prop(goldfish_setup, debug_prop)
+
+# Set ro.radio.noril
+set_prop(goldfish_setup, radio_noril_prop)
+
+# Stop ril-daemon service (by setting ctl.stop to ril-daemon, which
+# transforms to a permission check on ctl.ril-daemon).
+set_prop(goldfish_setup, ctl_rildaemon_prop)
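Review bot: `set_prop(goldfish_setup, system_prop)` and `set_prop(goldfish_setup, debug_prop)` grant more than the comment `# Set net.eth0.dns*, debug.sf.nobootanimation` describes: the domain may set every property labeled system_prop or debug_prop, and it also holds net_admin and net_raw. The comment should say that the grant is type-wide, e.g. `# Grants all of system_prop/debug_prop; only net.eth0.dns* and debug.sf.nobootanimation are used.`, or the two properties should get a dedicated type as was done for `radio_noril_prop`. common/sepolicy/qemu_props.te has the same pattern with dalvik_prop and config_prop. The file_contexts entry that labels the script as goldfish_setup_exec is not in this diff, so it is worth confirming the init_daemon_domain transition actually applies.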
diff --git a/common/sepolicy/hal_gnss_default.te b/common/sepolicy/hal_gnss_default.te
new file mode 100644
index 0000000..0dd3d03
--- /dev/null
+++ b/common/sepolicy/hal_gnss_default.te
@@ -0,0 +1,3 @@
+#============= hal_gnss_default ==============
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/common/sepolicy/hal_graphics_composer_default.te b/common/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..034bdef
--- /dev/null
+++ b/common/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,3 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/common/sepolicy/hal_vehicle_hwservice.te b/common/sepolicy/hal_vehicle_hwservice.te
index 0622fe8..836d21f 100644
--- a/common/sepolicy/hal_vehicle_hwservice.te
+++ b/common/sepolicy/hal_vehicle_hwservice.te
@@ -1 +1 @@
-add_hwservice(hal_vehicle_default, hal_vehicle_hwservice)
+add_hwservice(hal_vehicle_default, hal_vehicle_hwservice)
\ No newline at end of file
diff --git a/common/sepolicy/init.te b/common/sepolicy/init.te
new file mode 100644
index 0000000..3aa81d1
--- /dev/null
+++ b/common/sepolicy/init.te
@@ -0,0 +1 @@
+allow init tmpfs:lnk_file create_file_perms;
diff --git a/common/sepolicy/logd.te b/common/sepolicy/logd.te
deleted file mode 100644
index b8b50e5..0000000
--- a/common/sepolicy/logd.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# goldfish logcat service: runs logcat -Q in logd domain
-
-# See global logd.te, these only set for eng & userdebug, allow for all builds
-
-#domain_auto_trans(init, logcat_exec, logd)
-
-# Read from logd.
-read_logd(logd)
-
-# Write to /dev/ttyS2 and /dev/ttyGF2.
-allow logd serial_device:chr_file { write open };
diff --git a/common/sepolicy/logpersist.te b/common/sepolicy/logpersist.te
new file mode 100644
index 0000000..3fc0250
--- /dev/null
+++ b/common/sepolicy/logpersist.te
@@ -0,0 +1,13 @@
+# goldfish logcat service: runs logcat -Q in logpersist domain
+
+# See global logcat.te/logpersist.te, only set for eng & userdebug,
+# allow for all builds in a non-conflicting manner.
+
+domain_auto_trans(init, logcat_exec, logpersist)
+
+# Read from logd.
+unix_socket_connect(logpersist, logdr, logd)
+
+# Write to /dev/ttyS2 and /dev/ttyGF2.
+allow logpersist serial_device:chr_file { write open };
+get_prop(logpersist, qemu_cmdline)
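Review bot: `domain_auto_trans(init, logcat_exec, logpersist)` is not limited to the goldfish-logcat service named in the header: any init service that executes a file labeled logcat_exec enters logpersist, on every build variant, and that domain may then write to `serial_device`. The header says the global policy keeps this to eng and userdebug builds, so the widening looks deliberate, but the file does not say why it is acceptable. I would add `# Emulator only: forwards the log stream to the virtual serial console on user builds too; do not inherit this directory on real devices.` above the transition.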
diff --git a/common/sepolicy/netd.te b/common/sepolicy/netd.te
new file mode 100644
index 0000000..2b002ec
--- /dev/null
+++ b/common/sepolicy/netd.te
@@ -0,0 +1 @@
+dontaudit netd self:capability sys_module;
diff --git a/common/sepolicy/property.te b/common/sepolicy/property.te
index 059a5c8..04c5bc1 100644
--- a/common/sepolicy/property.te
+++ b/common/sepolicy/property.te
@@ -1,3 +1,8 @@
-
type qemu_prop, property_type;
+type qemu_cmdline, property_type;
+type radio_noril_prop, property_type;
+# opengles_prop is removed because it conflicts with car_product
+# TODO If this is resolved, then most of the copied sepolicy can be removed
+# in favor of using device/goldfish/sepolicy.
+# type opengles_prop, property_type;
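Review bot: `opengles_prop` is left undeclared here (`# type opengles_prop, property_type;`) yet the new lines in common/sepolicy/property_contexts, qemu_props.te and system_server.te still reference it, so this directory only compiles when another policy directory declares the type. The comment says the type conflicts with car_product, which suggests the declaration lives there, but the diff does not show it. I would state the dependency outright, e.g. `# opengles_prop is declared by the car_product sepolicy; this directory must be built together with it.`, and attach a bug number to the TODO so the cleanup can be tracked.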
diff --git a/common/sepolicy/property_contexts b/common/sepolicy/property_contexts
index 36b8ec1..c66a85f 100644
--- a/common/sepolicy/property_contexts
+++ b/common/sepolicy/property_contexts
@@ -1,4 +1,6 @@
-
qemu. u:object_r:qemu_prop:s0
+qemu.cmdline u:object_r:qemu_cmdline:s0
ro.emu. u:object_r:qemu_prop:s0
ro.emulator. u:object_r:qemu_prop:s0
+ro.radio.noril u:object_r:radio_noril_prop:s0
+ro.opengles. u:object_r:opengles_prop:s0
diff --git a/common/sepolicy/qemu_props.te b/common/sepolicy/qemu_props.te
new file mode 100644
index 0000000..d5571fd
--- /dev/null
+++ b/common/sepolicy/qemu_props.te
@@ -0,0 +1,12 @@
+# qemu-props service: Sets system properties on boot.
+type qemu_props, domain;
+type qemu_props_exec, exec_type, file_type;
+
+init_daemon_domain(qemu_props)
+
+# Set properties.
+set_prop(qemu_props, qemu_prop)
+set_prop(qemu_props, dalvik_prop)
+set_prop(qemu_props, config_prop)
+set_prop(qemu_props, opengles_prop)
+set_prop(qemu_props, qemu_cmdline)
diff --git a/common/sepolicy/qemud.te b/common/sepolicy/qemud.te
index a774ba1..eee21c4 100644
--- a/common/sepolicy/qemud.te
+++ b/common/sepolicy/qemud.te
@@ -6,4 +6,3 @@ init_daemon_domain(qemud)
# Access /dev/ttyS1 and /dev/ttyGF1.
allow qemud serial_device:chr_file rw_file_perms;
-allow qemud proc:file r_file_perms;
diff --git a/common/sepolicy/surfaceflinger.te b/common/sepolicy/surfaceflinger.te
index 6285794..e03d07e 100644
--- a/common/sepolicy/surfaceflinger.te
+++ b/common/sepolicy/surfaceflinger.te
@@ -1 +1,4 @@
+allow surfaceflinger self:process execmem;
+allow surfaceflinger ashmem_device:chr_file execute;
+
set_prop(surfaceflinger, qemu_prop)
diff --git a/common/sepolicy/system_server.te b/common/sepolicy/system_server.te
index 3af4b4d..7aab33e 100644
--- a/common/sepolicy/system_server.te
+++ b/common/sepolicy/system_server.te
@@ -1,3 +1,6 @@
+unix_socket_connect(system_server, qemud, qemud)
+get_prop(system_server, opengles_prop)
+get_prop(system_server, radio_noril_prop)
+
# For gss
allow system_server gss_device:chr_file rw_file_perms;
-