Merge changes I4b2a7e0e,Id72e1a2c into qt-dev

* changes:
  Move shared sepolicy for carservice_app
  Fix selinux neverallow build errors
diff --git a/car_product/sepolicy/private/carservice_app.te b/car_product/sepolicy/private/carservice_app.te
index 3c72a79..d8ed7db 100644
--- a/car_product/sepolicy/private/carservice_app.te
+++ b/car_product/sepolicy/private/carservice_app.te
@@ -3,6 +3,7 @@
 
 # Allow Car Service to be the client of Vehicle and Audio Control HALs
 hal_client_domain(carservice_app, hal_audiocontrol)
+hal_client_domain(carservice_app, hal_health)
 hal_client_domain(carservice_app, hal_vehicle)
 
 # Allow to set boot.car_service_created property
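Review bot: The comment above the `hal_client_domain` lines still names only the Vehicle and Audio Control HALs, so the added `hal_health` client line is undocumented. Update the comment to `# Allow Car Service to be the client of Vehicle, Audio Control and Health HALs`. A later audit of which HALs Car Service can reach should not have to rely on the macro list alone.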
@@ -11,6 +12,8 @@
 # Allow Car Service to register itself with ServiceManager
 allow carservice_app carservice_service:service_manager add;
 
+allow carservice_app wifi_service:service_manager find;
+
 # Allow Car Service to access certain system services.
 # Keep alphabetically sorted.
 allow carservice_app {
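Review bot: The `wifi_service` find rule is added as a stand-alone `allow` with no comment, directly above the block documented as the alphabetically sorted list of system services Car Service may access. Unless there is a reason to keep it separate, add `wifi_service` to that list in sorted position. Otherwise put a comment on the new line, such as `# Allow Car Service to look up the Wi-Fi service`. The list body continues outside this hunk, so its current entries cannot be checked here.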
@@ -46,6 +49,8 @@
 allow carservice_app system_car_data_file:dir create_dir_perms;
 allow carservice_app system_car_data_file:{ file lnk_file } create_file_perms;
 
+allow carservice_app cgroup:file rw_file_perms;
+
 # For I/O stats tracker
 allow carservice_app proc_uid_io_stats:file { read open getattr };
 
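Review bot: `allow carservice_app cgroup:file rw_file_perms;` has no comment and grants write as well as read access to every file labelled `cgroup`. The rule directly below it, by contrast, is tied to a named purpose and limited to `{ read open getattr }`. Write access to cgroup files lets the domain change task grouping and resource-control settings, so the rule should say what Car Service needs it for, e.g. `# Needed by Car Service to <purpose> via cgroup files`. If only reads are required, narrow it to `r_file_perms`. The merge message mentions moving shared policy, so the rule may have been carried over from another file; the original justification is worth copying along with it.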
diff --git a/car_product/sepolicy/private/system_app.te b/car_product/sepolicy/private/system_app.te
new file mode 100644
index 0000000..232b117
--- /dev/null
+++ b/car_product/sepolicy/private/system_app.te
@@ -0,0 +1 @@
+hal_client_domain(system_app, hal_vehicle)
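Review bot: The new file is a single uncommented rule that makes the whole `system_app` domain a client of the Vehicle HAL. That domain is shared by every app that runs in it, not by one car component. Add a comment naming the consumer, e.g. `# <app name> runs as system_app and needs the Vehicle HAL`. Also consider whether that app could run in a narrower domain, so the Vehicle HAL is not reachable from unrelated system apps. Which app needs the access is not visible in this diff.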
diff --git a/evs/sepolicy/evs_app.te b/evs/sepolicy/evs_app.te
index b5e3c95..8c036b3 100644
--- a/evs/sepolicy/evs_app.te
+++ b/evs/sepolicy/evs_app.te
@@ -6,11 +6,11 @@
 hal_client_domain(evs_app, hal_graphics_allocator)
 
 # allow init to launch processes in this context
-type evs_app_exec, exec_type, file_type;
+type evs_app_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(evs_app)
 
 # gets access to its own files on disk
-type evs_app_files, file_type;
+type evs_app_files, file_type, system_file_type;
 allow evs_app evs_app_files:file { getattr open read };
 allow evs_app evs_app_files:dir search;
 
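Review bot: Adding `system_file_type` to `evs_app_exec` and `evs_app_files` asserts that everything carrying these labels is installed on the system partition, but the matching `file_contexts` entries are not part of this diff. Confirm the labelled paths are under `/system`, since a path on another partition would now be misclassified. A short comment such as `# system_file_type: installed under /system` on each `type` line would record the assumption. The same applies to `hal_evs_driver_exec` in evs_driver.te and `evs_manager_exec` in evs_manager.te.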
diff --git a/evs/sepolicy/evs_driver.te b/evs/sepolicy/evs_driver.te
index 3d5263e..f1f31e9 100644
--- a/evs/sepolicy/evs_driver.te
+++ b/evs/sepolicy/evs_driver.te
@@ -1,9 +1,10 @@
 # evs_mock mock hardware driver service
 type hal_evs_driver, domain, coredomain;
 hal_server_domain(hal_evs_driver, hal_evs)
+hal_client_domain(hal_evs_driver, hal_evs)
 
 # allow init to launch processes in this context
-type hal_evs_driver_exec, exec_type, file_type;
+type hal_evs_driver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(hal_evs_driver)
 binder_use(hal_evs_driver)
 
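Review bot: `hal_client_domain(hal_evs_driver, hal_evs)` makes the mock driver a client of the same HAL it serves, and nothing in the file says why. Add a comment above the new line stating what the driver looks up or calls as a client, e.g. `# The driver also acts as a hal_evs client to <reason>`. If the line exists only to resolve a build error, say so in the comment so the grant can be revisited later.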
diff --git a/evs/sepolicy/evs_manager.te b/evs/sepolicy/evs_manager.te
index 58ea6aa..51acac1 100644
--- a/evs/sepolicy/evs_manager.te
+++ b/evs/sepolicy/evs_manager.te
@@ -2,10 +2,9 @@
 type evs_manager, domain, coredomain;
 hal_server_domain(evs_manager, hal_evs)
 hal_client_domain(evs_manager, hal_evs)
-add_hwservice(hal_evs, hal_evs_hwservice)
 
 # allow init to launch processes in this context
-type evs_manager_exec, exec_type, file_type;
+type evs_manager_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(evs_manager)
 
 # allow use of hwservices