authorXin Li <delphij@google.com>2019-07-01 20:59:11 +0000
committerXin Li <delphij@google.com>2019-07-01 20:59:11 +0000
commit7079bb5d75470f5689b889083129a1a3bf9cebbe (patch)
treeab1358bd32decaef2aff49a5693703849df5f235 /sepolicy
parentec2781bb1596145fcdb7ca5e1c6ea0eced778418 (diff)
parentb1f5d957079cc77a7cc7c50f77abee2eb0a156d8 (diff)
DO NOT MERGE - Merge qt-dev-plus-aosp-without-vendor (5699924) into stage-aosp-master
Bug: 134405016 Change-Id: Iabc35a41afa0d200bb126abc10a809f36bd4a46a
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/private/mediaswcodec.te2
-rw-r--r--sepolicy/public/init.te1
-rw-r--r--sepolicy/public/ueventd.te1
-rw-r--r--sepolicy/vendor/cameraserver.te1
-rw-r--r--sepolicy/vendor/con_monitor.te2
-rw-r--r--sepolicy/vendor/file.te1
-rw-r--r--sepolicy/vendor/file_contexts13
-rw-r--r--sepolicy/vendor/genfs_contexts1
-rw-r--r--sepolicy/vendor/hal_drm_clearkey.te2
-rw-r--r--sepolicy/vendor/hal_drm_widevine.te1
-rw-r--r--sepolicy/vendor/hal_dumpstate_impl.te4
-rw-r--r--sepolicy/vendor/hal_graphics_composer_default.te1
-rw-r--r--sepolicy/vendor/hal_power_default.te14
-rw-r--r--sepolicy/vendor/hal_power_stats_default.te1
-rw-r--r--sepolicy/vendor/hal_thermal_default.te7
-rw-r--r--sepolicy/vendor/hal_vr.te6
-rw-r--r--sepolicy/vendor/hal_wifi_default.te5
-rw-r--r--sepolicy/vendor/init-fingerprint.te10
-rw-r--r--sepolicy/vendor/init-wlan-sh.te14
-rw-r--r--sepolicy/vendor/location.te4
-rw-r--r--sepolicy/vendor/netmgrd.te2
-rw-r--r--sepolicy/vendor/property.te3
-rw-r--r--sepolicy/vendor/property_contexts18
-rw-r--r--sepolicy/vendor/ramdump.te2
-rw-r--r--sepolicy/vendor/seapp_contexts4
-rw-r--r--sepolicy/vendor/system_server.te2
-rw-r--r--sepolicy/vendor/thermal-engine.te2
-rw-r--r--sepolicy/vendor/thermalserviced.te1
-rw-r--r--sepolicy/vendor/vendor_init.te7
-rw-r--r--sepolicy/vendor/wcnss_service.te4
30 files changed, 80 insertions, 56 deletions
diff --git a/sepolicy/private/mediaswcodec.te b/sepolicy/private/mediaswcodec.te
new file mode 100644
index 00000000..36907500
--- /dev/null
+++ b/sepolicy/private/mediaswcodec.te
@@ -0,0 +1,2 @@
+allow mediaswcodec gpu_device:chr_file { ioctl open read write };
+
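Review bot: The new rule grants mediaswcodec unrestricted `ioctl` on gpu_device:chr_file, and nothing in the hunk records why a software codec domain needs the GPU device node at all. Device-node ioctl is where most driver attack surface sits, so if the set of request codes is known the usual mitigation is to pair the rule with an `allowxperm mediaswcodec gpu_device:chr_file ioctl { ... }` whitelist; if it is not known, a comment such as `# gpu_device: needed for <reason, bug placeholder>` at least leaves an audit trail. The trailing empty `+` line adds nothing and can be dropped.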
diff --git a/sepolicy/public/init.te b/sepolicy/public/init.te
new file mode 100644
index 00000000..e93b2e89
--- /dev/null
+++ b/sepolicy/public/init.te
@@ -0,0 +1 @@
+allow init vold_data_file:dir { relabelfrom };
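Review bot: `allow init vold_data_file:dir { relabelfrom };` lands in sepolicy/public with no comment saying which directory init relabels or why this device deviates from the platform rule set. Device policy extending init is unusual enough that a one-line justification, e.g. `# init relabels <path placeholder> during <trigger placeholder>`, should accompany it. If the destination type also needs a matching `relabelto`, that companion rule is not in this hunk, so it presumably already exists elsewhere; worth confirming.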
diff --git a/sepolicy/public/ueventd.te b/sepolicy/public/ueventd.te
new file mode 100644
index 00000000..985c8ec4
--- /dev/null
+++ b/sepolicy/public/ueventd.te
@@ -0,0 +1 @@
+allow ueventd metadata_file:dir search;
diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
index 594f22a9..b9adc4c5 100644
--- a/sepolicy/vendor/cameraserver.te
+++ b/sepolicy/vendor/cameraserver.te
@@ -8,5 +8,4 @@ allow cameraserver sysfs_camera:dir search;
allow cameraserver system_server:unix_stream_socket { read write };
-# TODO (b/37688918) Verify that this is actually needed and not a violation of treble
binder_call(cameraserver, mediacodec)
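Review bot: Dropping the TODO comment leaves `binder_call(cameraserver, mediacodec)` with no recorded justification even though the rule itself stays; the same happens in hal_graphics_composer_default.te, where `allow hal_graphics_composer_default video_device:chr_file rw_file_perms;` survives but its tracking comment is removed. If the referenced bugs were resolved and the rules are now accepted, replace the TODOs with a short rationale rather than deleting them, e.g. `# cameraserver calls the vendor mediacodec over binder (accepted exemption, see <bug placeholder>)`. If they were not resolved, the comments should stay so the exemptions remain visible to future audits.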
diff --git a/sepolicy/vendor/con_monitor.te b/sepolicy/vendor/con_monitor.te
index 8730e566..e1ba346c 100644
--- a/sepolicy/vendor/con_monitor.te
+++ b/sepolicy/vendor/con_monitor.te
@@ -9,4 +9,4 @@ allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
allow con_monitor_app radio_vendor_data_file:file create_file_perms;
allow con_monitor_app radio_service:service_manager find;
allow con_monitor_app audioserver_service:service_manager find;
-hal_client_domain(con_monitor_app, hal_power); \ No newline at end of file
+hal_client_domain(con_monitor_app, hal_power_stats); \ No newline at end of file
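Review bot: The new side still ends with `\ No newline at end of file` on the `hal_client_domain(con_monitor_app, hal_power_stats);` line, while this same merge fixes the missing newline in hal_wifi_default.te and location.te. Terminating the file is a one-character change and keeps the next diff clean. The trailing `;` after the macro call is carried over from the old line; none of the other macro invocations in this merge use one, so it is worth dropping for consistency.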
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 6f859044..8e8e364d 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -37,6 +37,7 @@ type debugfs_tzdbg, debugfs_type, fs_type;
# /proc
type proc_wifi_dbg, fs_type, proc_type;
+type proc_swappiness, fs_type, proc_type;
type qmuxd_socket, file_type;
type netmgrd_socket, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 345527ef..b66f65ae 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -167,35 +167,40 @@
/vendor/bin/oemlock_provision u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/oemlock-bridge u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/hw/android\.hardware\.usb@1\.1-service\.wahoo u:object_r:hal_usb_impl_exec:s0
-/vendor/bin/hw/android\.hardware\.power@1\.2-service\.wahoo-libperfmgr u:object_r:hal_power_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power@1\.3-service\.pixel-libperfmgr u:object_r:hal_power_default_exec:s0
/vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel u:object_r:hal_power_stats_default_exec:s0
/vendor/bin/chre u:object_r:chre_exec:s0
/vendor/bin/time_daemon u:object_r:time_daemon_exec:s0
/vendor/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0
/vendor/bin/init\.qcom\.devstart\.sh u:object_r:init-qcom-devstart-sh_exec:s0
/vendor/bin/init\.qcom\.ipastart\.sh u:object_r:init-qcom-ipastart-sh_exec:s0
-/vendor/bin/init\.qcom\.wlan\.sh u:object_r:init-qcom-wlan-sh_exec:s0
/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
/vendor/etc/init\.insmod\.cfg u:object_r:init-insmod-sh_exec:s0
/vendor/bin/init\.power\.sh u:object_r:init_power_exec:s0
/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
/vendor/bin/ramoops u:object_r:ramoops_exec:s0
/vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0
+/vendor/bin/init\.fingerprint\.sh u:object_r:init-fingerprint_exec:s0
/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
-/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0
-/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.2-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.2-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.2-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@1\.2-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0
/vendor/bin/hw/android\.hardware\.vibrator@1\.2-service\.wahoo u:object_r:hal_vibrator_default_exec:s0
/vendor/bin/hw/android\.hardware\.health@2\.0-service\.wahoo u:object_r:hal_health_default_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
/vendor/bin/hw/android\.hardware\.gnss@1\.0-service-qti u:object_r:hal_gnss_qti_exec:s0
+/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0
###############################################
# same-process HAL files and their dependencies
#
+/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/gralloc\.msm8998\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0
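Review bot: The two new `same_process_hal_file` entries (the graphics.mapper@2.0-impl-2.1 library and `lib_aion_buffer.so`) are added without a comment saying which same-process HAL pulls them in. Libraries with this label are loaded into client processes, so every addition widens what runs inside those processes; a short note per entry (constructed example: `# lib_aion_buffer: loaded by the gralloc sphal`) would let a reviewer confirm the list is minimal. Whether lib_aion_buffer is actually required by the gralloc/mapper path cannot be confirmed from this hunk.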
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index 28d1f7a0..46b5afff 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -3,6 +3,7 @@ genfscon proc /debug/fwdump u:object_r:proc_wifi_dbg:s
genfscon proc /debugdriver/driverdump u:object_r:proc_wifi_dbg:s0
genfscon proc /ath_pktlog/cld u:object_r:proc_wifi_dbg:s0
genfscon proc /irq u:object_r:proc_irq:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
genfscon sysfs /devices/soc/soc:qcom,cpubw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/soc/soc:qcom,mincpubw u:object_r:sysfs_msm_subsys:s0
diff --git a/sepolicy/vendor/hal_drm_clearkey.te b/sepolicy/vendor/hal_drm_clearkey.te
index 5632c3b2..6d4a8152 100644
--- a/sepolicy/vendor/hal_drm_clearkey.te
+++ b/sepolicy/vendor/hal_drm_clearkey.te
@@ -1,4 +1,4 @@
-# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
+# policy for /vendor/bin/hw/android.hardware.drm clearkey service
type hal_drm_clearkey, domain;
type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index 8e6eca1b..bfa6a6b2 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -1,4 +1,3 @@
-# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.widevine
type hal_drm_widevine, domain;
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
diff --git a/sepolicy/vendor/hal_dumpstate_impl.te b/sepolicy/vendor/hal_dumpstate_impl.te
index 60c781bd..a2f8ffce 100644
--- a/sepolicy/vendor/hal_dumpstate_impl.te
+++ b/sepolicy/vendor/hal_dumpstate_impl.te
@@ -8,6 +8,10 @@ init_daemon_domain(hal_dumpstate_impl)
allow hal_dumpstate_impl vendor_shell_exec:file rx_file_perms;
allow hal_dumpstate_impl vendor_toolbox_exec:file rx_file_perms;
+# Allow to read pixel-trace trace file
+allow hal_dumpstate_impl debugfs_tracing_instances:dir search;
+allow hal_dumpstate_impl debugfs_tracing_instances:file r_file_perms;
+
userdebug_or_eng(`
# smlog_dump
domain_auto_trans(hal_dumpstate_impl, smlog_dump_exec, smlog_dump)
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index 42aa3935..c5e36687 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -16,7 +16,6 @@ allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_mana
r_dir_file(hal_graphics_composer_default, sysfs_leds)
-# TODO(b/37666508): Remove the following line upon resolution of the bug
allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
# HWC_UeventThread
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
index dce10ed5..7e6f60d3 100644
--- a/sepolicy/vendor/hal_power_default.te
+++ b/sepolicy/vendor/hal_power_default.te
@@ -1,15 +1,6 @@
allow hal_power_default sysfs_graphics:dir search;
allow hal_power_default sysfs_graphics:file r_file_perms;
-allow hal_power_default debugfs_rpm:file r_file_perms;
-
-allow hal_power_default debugfs_wlan:dir r_dir_perms;
-allow hal_power_default debugfs_wlan:file r_file_perms;
-
-allow hal_power_default sysfs_easel:dir search;
-allow hal_power_default sysfs_easel:file r_file_perms;
-
-
# To do powerhint on nodes defined in powerhint.json
allow hal_power_default sysfs_msm_subsys:dir search;
allow hal_power_default sysfs_msm_subsys:file rw_file_perms;
@@ -17,6 +8,11 @@ allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
allow hal_power_default latency_device:chr_file rw_file_perms;
allow hal_power_default cgroup:dir search;
allow hal_power_default cgroup:file rw_file_perms;
+allow hal_power_default sysfs_touch:file w_file_perms;
+allow hal_power_default sysfs_touch:dir search;
# To get/set powerhal state property
set_prop(hal_power_default, power_prop)
+
+# interact with thermal_config
+set_prop(hal_power_default, thermal_prop)
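Review bot: The added `allow hal_power_default sysfs_touch:file w_file_perms;` and `allow hal_power_default sysfs_touch:dir search;` lines have no comment, whereas the equivalent rule this merge removes from hal_vr.te and the one it adds to vendor_init.te both carry `# Write to touch vrmode node`. Copy that comment here so the reason for a power HAL writing to touch sysfs nodes is visible; without it the write grant reads as an unexplained widening. The new grant is narrower than what hal_vr had (write plus dir search instead of rw plus r_dir_perms), which looks intentional and is worth stating in the same comment.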
diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te
index da4c2989..5c773db3 100644
--- a/sepolicy/vendor/hal_power_stats_default.te
+++ b/sepolicy/vendor/hal_power_stats_default.te
@@ -1,6 +1,7 @@
# power.stats HAL needs access to rpm, and wlan sysfs nodes in /d/
r_dir_file(hal_power_stats_default, debugfs_rpm)
r_dir_file(hal_power_stats_default, debugfs_wlan)
+get_prop(hal_power_stats_default, exported_wifi_prop) # Needed to detect wifi on/off
# power.stats HAL needs access to the easel sysfs node
r_dir_file(hal_power_stats_default, sysfs_easel)
diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te
new file mode 100644
index 00000000..13c129f6
--- /dev/null
+++ b/sepolicy/vendor/hal_thermal_default.te
@@ -0,0 +1,7 @@
+allow hal_thermal_default sysfs_thermal:dir r_dir_perms;
+allow hal_thermal_default sysfs_thermal:file r_file_perms;
+allow hal_thermal_default sysfs_thermal:lnk_file read;
+allow hal_thermal_default proc_stat:file r_file_perms;
+
+# read thermal_config
+get_prop(hal_thermal_default, thermal_prop)
diff --git a/sepolicy/vendor/hal_vr.te b/sepolicy/vendor/hal_vr.te
deleted file mode 100644
index a88dcb82..00000000
--- a/sepolicy/vendor/hal_vr.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# interact with thermal_config
-set_prop(hal_vr, thermal_prop)
-
-# Access to touch vrmode node
-allow hal_vr sysfs_touch:dir r_dir_perms;
-allow hal_vr sysfs_touch:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
index a0155584..d6f02d59 100644
--- a/sepolicy/vendor/hal_wifi_default.te
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -11,6 +11,9 @@ allow hal_wifi_default wlan_device:chr_file w_file_perms;
# Allow wifi hal to read debug info from the driver.
r_dir_file(hal_wifi_default, proc_wifi_dbg)
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_default, vendor_wifi_version)
+
dontaudit hal_wifi_default kernel:system module_request;
dontaudit hal_wifi_default self:capability sys_module;
@@ -19,4 +22,4 @@ userdebug_or_eng(`
# Allow wifi hal to access wlan debugfs files and directories
allow hal_wifi_default debugfs_wlan:dir r_dir_perms;
-') \ No newline at end of file
+')
diff --git a/sepolicy/vendor/init-fingerprint.te b/sepolicy/vendor/init-fingerprint.te
new file mode 100644
index 00000000..7053f0da
--- /dev/null
+++ b/sepolicy/vendor/init-fingerprint.te
@@ -0,0 +1,10 @@
+type init-fingerprint, domain;
+type init-fingerprint_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-fingerprint)
+
+allow init-fingerprint vendor_shell_exec:file rx_file_perms;
+allow init-fingerprint vendor_toolbox_exec:file rx_file_perms;
+
+set_prop(init-fingerprint, vendor_fingerprint_prop)
+set_prop(init-fingerprint, ctl_start_prop)
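Review bot: `set_prop(init-fingerprint, ctl_start_prop)` lets the fingerprint init script start any service on the device, not just the fingerprint one, because `ctl_start_prop` labels the whole `ctl.start` namespace. If the script only needs to start a single service, labeling that service's `ctl.start$<service placeholder>` entry in property_contexts with a dedicated property type and granting `set_prop` on that type instead would confine the grant to what the script actually does. A comment naming the service being started would also help; the retry-count property suggests a restart-on-failure loop, but the exact service cannot be determined from this hunk.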
diff --git a/sepolicy/vendor/init-wlan-sh.te b/sepolicy/vendor/init-wlan-sh.te
deleted file mode 100644
index 3380c861..00000000
--- a/sepolicy/vendor/init-wlan-sh.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type init-qcom-wlan-sh, domain;
-type init-qcom-wlan-sh_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init-qcom-wlan-sh)
-
-allow init-qcom-wlan-sh vendor_shell_exec:file rx_file_perms;
-allow init-qcom-wlan-sh vendor_toolbox_exec:file rx_file_perms;
-
-# Set the vendor.wlan.driver.version and vendor.wlan.firmware.version property
-set_prop(init-qcom-wlan-sh, vendor_wifi_version)
-
-# /sys/kernel/wifi/wlan/driver_version and /sys/kernel/wifi/wlan/fw/0/version
-allow init-qcom-wlan-sh sysfs_msm_wlan:dir r_dir_perms;
-allow init-qcom-wlan-sh sysfs_msm_wlan:file r_file_perms;
diff --git a/sepolicy/vendor/location.te b/sepolicy/vendor/location.te
index 67471df6..02f8d4a1 100644
--- a/sepolicy/vendor/location.te
+++ b/sepolicy/vendor/location.te
@@ -35,7 +35,7 @@ r_dir_file(location, sysfs_type)
dontaudit location kernel:system module_request;
-allow location proc_net:file r_file_perms;
+allow location proc_net_type:file r_file_perms;
# execute /vendor/bin/lowi-server
allow location location_exec:file rx_file_perms;
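Review bot: Switching the target from `proc_net` to the `proc_net_type` attribute makes `allow location proc_net_type:file r_file_perms;` apply to every type carrying that attribute, which is broader than the single type it replaces; the same widening appears in netmgrd.te (`rw_file_perms`) and wcnss_service.te (`{ getattr w_file_perms }`). Read access for location is probably harmless, but write access for netmgrd and wcnss_service to all proc_net_type files is worth narrowing to the specific /proc/net types those daemons touch, if the denials that motivated the change identify them. If the platform split of proc_net forces the attribute here, a comment pointing at the specific node would at least document the intent.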
@@ -46,4 +46,4 @@ allow location location_data_file:{ file sock_file } create_file_perms;
userdebug_or_eng(`
allow location diag_device:chr_file rw_file_perms;
-') \ No newline at end of file
+')
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
index 7bbcc592..2dce2413 100644
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -43,7 +43,7 @@ dontaudit netmgrd diag_device:chr_file rw_file_perms;
#Ignore if device loading for private IOCTL failed
dontaudit netmgrd kernel:system { module_request };
-allow netmgrd proc_net:file rw_file_perms;
+allow netmgrd proc_net_type:file rw_file_perms;
allow netmgrd netmgr_data_file:dir rw_dir_perms;
allow netmgrd netmgr_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index 594a4f56..f6628b03 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -25,3 +25,6 @@ type vendor_usb_config_prop, property_type;
type vendor_charge_prop, property_type;
type vendor_nfc_prop, property_type;
type vendor_ramoops_prop, property_type;
+
+# fingerprint
+type vendor_fingerprint_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index a8c28e77..83081751 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -17,15 +17,18 @@ vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0
persist.sys.cnss. u:object_r:cnss_diag_prop:s0
sys.listeners.registered u:object_r:tee_listener_prop:s0
wc_transport. u:object_r:wc_prop:s0
-sys.qcom.thermalcfg u:object_r:thermal_prop:s0
-ctl.vendor.thermal-engine u:object_r:thermal_prop:s0
+vendor.qcom.thermalcfg u:object_r:thermal_prop:s0
+vendor.thermal.config u:object_r:thermal_prop:s0
persist.sys.modem.diag. u:object_r:modem_diag_prop:s0
sys.modem.diag. u:object_r:modem_diag_prop:s0
sys.time.set u:object_r:sys_time_prop:s0
persist.radio.atfwd.start u:object_r:atfwd_start_prop:s0
sys.logger.bluetooth u:object_r:bluetooth_log_prop:s0
-vendor.powerhal.state u:object_r:power_prop:s0
-vendor.powerhal.audio u:object_r:power_prop:s0
+vendor.powerhal.state u:object_r:power_prop:s0
+vendor.powerhal.audio u:object_r:power_prop:s0
+vendor.powerhal.lpm u:object_r:power_prop:s0
+vendor.powerhal.init u:object_r:power_prop:s0
+vendor.powerhal.rendering u:object_r:power_prop:s0
vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
persist.vendor.usb.config u:object_r:vendor_usb_config_prop:s0
@@ -53,6 +56,9 @@ vendor.debug.egl.changepixelformat u:object_r:public_vendor_default_prop:s0
vendor.debug.prerotation.disable u:object_r:public_vendor_default_prop:s0
vendor.debug.rs. u:object_r:public_vendor_default_prop:s0
vendor.debug.egl.swapinterval u:object_r:public_vendor_default_prop:s0
+vendor.gralloc.disable_ubwc u:object_r:public_vendor_default_prop:s0
+vendor.debug.egl.profiler u:object_r:public_vendor_default_prop:s0
+vendor.gralloc.enable_ahardware_buffer u:object_r:public_vendor_default_prop:s0
# public_vendor_system_prop
# They are public_vendor_system_props for vendor-specific extension.
@@ -214,3 +220,7 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
# ramoops
vendor.ramoops. u:object_r:vendor_ramoops_prop:s0
+
+# fingerprint
+vendor.fps.init.succeed u:object_r:vendor_fingerprint_prop:s0
+vendor.fps.init_retry.count u:object_r:vendor_fingerprint_prop:s0
diff --git a/sepolicy/vendor/ramdump.te b/sepolicy/vendor/ramdump.te
index 7514dead..e0592272 100644
--- a/sepolicy/vendor/ramdump.te
+++ b/sepolicy/vendor/ramdump.te
@@ -22,5 +22,7 @@ userdebug_or_eng(`
# read from /fstab.taimen
allow ramdump rootfs:file r_file_perms;
+ dontaudit ramdump metadata_file:dir search;
+
r_dir_file(ramdump, sysfs_type)
')
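Review bot: The added `dontaudit ramdump metadata_file:dir search;` line is indented one space while the neighbouring lines inside the same `userdebug_or_eng(` block (`allow ramdump rootfs:file r_file_perms;` and `r_dir_file(ramdump, sysfs_type)`) start at column 0, so the block's style becomes inconsistent. Remove the leading space. A short comment on why ramdump searches metadata_file would also be useful, since the hunk gives no reason for it.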
diff --git a/sepolicy/vendor/seapp_contexts b/sepolicy/vendor/seapp_contexts
index a4f429ba..e1f512c9 100644
--- a/sepolicy/vendor/seapp_contexts
+++ b/sepolicy/vendor/seapp_contexts
@@ -1,7 +1,7 @@
user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file
user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all
user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-user=_app seinfo=platform name=com.google.mds domain=mds_app type=app_data_file levelFrom=all
+user=_app seinfo=google name=com.google.mds domain=mds_app type=app_data_file levelFrom=all
#TODO Remove user "system" when b/63588267 is resolved
user=system seinfo=platform name=com.qualcomm.telephony domain=qtelephony type=system_app_data_file
@@ -29,4 +29,4 @@ user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app t
user=_app seinfo=easel name=com.google.android.imaging.easel.service domain=easelservice_app type=app_data_file levelFrom=user
#Domain for connectivity monitor
-user=radio seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
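Review bot: Moving com.google.android.connectivitymonitor from `user=radio` to `user=_app isPrivApp=true` changes the uid the app runs under, but con_monitor.te in this same merge still grants `radio_vendor_data_file:dir rw_dir_perms` and `radio_vendor_data_file:file create_file_perms`. Those SELinux rules only help if the DAC permissions on that directory also admit a non-radio uid, which cannot be verified from the policy alone; worth confirming on device before the rules are kept, and if the app no longer needs them they should be removed along with the uid change.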
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index 31c7ff72..d7b84619 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -23,5 +23,3 @@ typeattribute system_server system_writes_vendor_properties_violators;
set_prop(system_server, public_vendor_system_prop)
dontaudit system_server self:capability sys_module;
-
-allow system_server thermal_service:service_manager find;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
index bc1ab540..2bd2bd95 100644
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
@@ -19,8 +19,6 @@ allow thermal-engine sysfs_rmtfs:dir search;
allow thermal-engine sysfs_rmtfs:file r_file_perms;
# to read /proc/stat
allow thermal-engine proc_stat:file { getattr open read };
-# IThermal Thermal HAL
-hal_server_domain(thermal-engine, hal_thermal)
allow thermal-engine thermal_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/thermalserviced.te b/sepolicy/vendor/thermalserviced.te
deleted file mode 100644
index aa6a0857..00000000
--- a/sepolicy/vendor/thermalserviced.te
+++ /dev/null
@@ -1 +0,0 @@
-binder_call(thermalserviced, system_server)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index b74bba47..0953dcb0 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -11,6 +11,7 @@ allow vendor_init {
allow vendor_init debugfs_clk:file w_file_perms;
allow vendor_init proc_uid_cpupower:file write;
+allow vendor_init proc_swappiness:file w_file_perms;
dontaudit vendor_init kernel:system module_request;
# Allow vendor_init to write to /proc/sysrq-trigger on userdebug and eng builds
@@ -29,3 +30,9 @@ set_prop(vendor_init, vendor_charge_prop)
dontaudit vendor_init unlabeled:dir getattr;
dontaudit vendor_init unlabeled:file getattr;
+
+allow vendor_init debugfs_tracing_instances:dir create_dir_perms;
+allow vendor_init debugfs_tracing_instances:file w_file_perms;
+
+# Write to touch vrmode node
+allow vendor_init sysfs_touch:file w_file_perms;
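Review bot: `allow vendor_init debugfs_tracing_instances:dir create_dir_perms;` and the following `file w_file_perms` line have no comment, unlike the `sysfs_touch` rule two lines below and the matching read rule this merge adds to hal_dumpstate_impl.te (`# Allow to read pixel-trace trace file`). `create_dir_perms` also covers rmdir, rename and reparent, which is more than creating a tracing instance needs; if the init script only creates the instance directory and writes its control files, a narrower set such as `{ search write add_name create }` would be tighter, though the exact set depends on what the script does. At minimum add `# Create the trace instance used by dumpstate and configure it` above the two lines.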
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
index a6f143c2..a6123328 100644
--- a/sepolicy/vendor/wcnss_service.te
+++ b/sepolicy/vendor/wcnss_service.te
@@ -12,7 +12,7 @@ allow wcnss_service per_mgr_service:service_manager find;
allow wcnss_service vendor_shell_exec:file rx_file_perms;
allow wcnss_service vendor_toolbox_exec:file rx_file_perms;
-allow wcnss_service proc_net:file w_file_perms;
+allow wcnss_service proc_net_type:file { getattr w_file_perms };
allow wcnss_service self:socket create_socket_perms;
allowxperm wcnss_service self:socket ioctl msm_sock_ipc_ioctls;
@@ -23,8 +23,6 @@ allow wcnss_service self:netlink_socket create_socket_perms_no_ioctl;
allow wcnss_service cnss_vendor_data_file:dir create_dir_perms;
allow wcnss_service cnss_vendor_data_file:file create_file_perms;
-allow wcnss_service proc_net:file getattr;
-
r_dir_file(wcnss_service, sysfs_msm_subsys)
# pkt logging for cnss_diag
userdebug_or_eng(`