Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev
diff --git a/bluetooth.te b/bluetooth.te
index a79023d..f77bd0d 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -70,4 +70,4 @@
 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm.
 neverallow bluetooth self:capability ~net_admin;
-neverallow bluetooth self:capability2 ~wake_alarm;
+neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
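Review bot: The comment at the top of this hunk still reads "bluetooth requires net_admin and wake_alarm", which no longer matches the capability2 neverallow now that block_suspend is also excepted. I would update it to `# bluetooth requires net_admin, wake_alarm and block_suspend.` and add a short reason for block_suspend (presumably holding wakelocks) so the exception stays auditable. Widening a neverallow grants nothing by itself. The corresponding allow rule for block_suspend is not visible in this hunk, so it is worth confirming that it exists and is the only new capability2 grant for this domain.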
diff --git a/system_server.te b/system_server.te
index 0b18eb4..c9d8f3b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -101,9 +101,13 @@
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
-# WifiWatchdog uses a packet_socket
+# The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms;
 
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms;
 
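Review bot: The new `allow system_server node:rawip_socket node_bind;` is justified by NetworkDiagnostics ping sockets, but as the comment itself admits, the class cannot tell ping sockets from raw sockets. The rule therefore covers any rawip_socket that system_server is otherwise able to create, bound to any address labelled `node`. The comment should state that scope explicitly rather than only the intended use. "Doesn't yet distinguish" also implies the grant is temporary, so I would add `# TODO: narrow or remove once ping sockets get their own class/label.` to keep it from silently outliving its reason.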
diff --git a/untrusted_app.te b/untrusted_app.te
index 94396cf..fb76317 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -80,6 +80,9 @@
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
 
+# allow cts to query all services
+allow untrusted_app servicemanager:service_manager list;
+
 allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
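Review bot: The comment `# allow cts to query all services` understates what `allow untrusted_app servicemanager:service_manager list;` does. The rule is on the untrusted_app domain, so every third-party app, not only CTS, can enumerate the names of all registered services. That discloses which services a device runs, even though `find` stays gated per service by the rules below. I would reword the comment to something like `# Lets any untrusted app list registered service names (needed by CTS); find is still restricted per service.` If only the test suite needs this, it is worth considering whether the grant can be scoped more narrowly.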