Merge "Remove access to sock_file for hal_nfc"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6470b0e..dfaee86 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,7 +5,15 @@
# Only allow domains in AOSP to use the untrusted_app_all attribute.
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
-define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app mediaprovider }')
+define(`all_untrusted_apps',`{
+ ephemeral_app
+ isolated_app
+ mediaprovider
+ untrusted_app
+ untrusted_app_25
+ untrusted_app_all
+ untrusted_v2_app
+}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 67e514a..ac2f39b 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -59,6 +59,9 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
hal_client_domain(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
hal_client_domain(bluetooth, hal_telephony)
@@ -72,6 +75,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 4be6401..63f56c8 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -17,6 +17,7 @@
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
allow mediaprovider surfaceflinger_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 549ace6..6a11448 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -101,6 +101,7 @@
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
diff --git a/public/kernel.te b/public/kernel.te
index e705287..75043b8 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -50,6 +50,9 @@
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel sdcard_type:file { read write };
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests: