Merge "dmesgd: sepolicies"
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index c909986..db20696 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -39,3 +39,6 @@
# Allow to add a service to the servicemanager
add_service(automotive_display_service, fwk_automotive_display_service);
+
+# Allow to communicate with EVS services
+binder_call(automotive_display_service, hal_evs)
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index f1307ad..d146ae3 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -19,12 +19,15 @@
diced
diced_exec
fwk_automotive_display_service
+ evsmanagerd
+ evsmanagerd_service
extra_free_kbytes
extra_free_kbytes_exec
fs_bpf_vendor
gesture_prop
hal_contexthub_service
hal_camera_service
+ hal_evs_service
hal_dice_service
hal_drm_service
hal_dumpstate_service
diff --git a/private/evsmanagerd.te b/private/evsmanagerd.te
new file mode 100644
index 0000000..3772628
--- /dev/null
+++ b/private/evsmanagerd.te
@@ -0,0 +1,39 @@
+# evsmanager
+typeattribute evsmanagerd coredomain;
+typeattribute evsmanagerd evsmanager_service_server;
+
+type evsmanagerd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(evsmanagerd);
+
+# Declares as a binder service
+binder_service(evsmanagerd)
+
+# Allows to add a service to service_manager
+add_service(evsmanagerd, evsmanagerd_service)
+
+# Allows to use the binder IPC
+binder_use(evsmanagerd)
+
+# Allows binder IPCs to the various system services
+binder_call(evsmanagerd, system_server)
+
+# Allows to use EVS HAL implementations
+hal_client_domain(evsmanagerd, hal_evs)
+
+# Allows to write messages to the shell
+allow evsmanagerd shell:fd use;
+allow evsmanagerd shell:fifo_file write;
+
+# Allows to use the graphics allocator
+allow evsmanagerd hal_graphics_allocator:fd use;
+
+# Allows to use a bootstrap statsd
+allow evsmanagerd statsbootstrap_service:service_manager find;
+
+# Allows binder IPCs to the CarService
+binder_call(evsmanagerd, appdomain)
+
+# For HIDL evs manager implementation
+allow evsmanagerd hal_evs_hwservice:hwservice_manager add;
+allow evsmanagerd hidl_base_hwservice:hwservice_manager add;
diff --git a/private/file_contexts b/private/file_contexts
index ac79859..16569ba 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -378,6 +378,8 @@
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
+/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
+/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
#############################
# Vendor files
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d47134b..5cf0711 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -137,7 +137,7 @@
isSystemServer=true domain=system_server_startup
-user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
diff --git a/private/service_contexts b/private/service_contexts
index 7075f4d..4fb4b29 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,6 @@
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
@@ -75,6 +77,7 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
+android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_automotive_display_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 1c7f657..bc7543b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -125,6 +125,9 @@
# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
+# Allow to use files supplied by hal_evs
+allow surfaceflinger hal_evs:fd use;
+
# Allow pushing jank event atoms to statsd
userdebug_or_eng(`
unix_socket_send(surfaceflinger, statsdw, statsd)
diff --git a/public/attributes b/public/attributes
index 73861bd..4db8ba1 100644
--- a/public/attributes
+++ b/public/attributes
@@ -398,6 +398,7 @@
attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
+attribute evsmanager_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/public/evsmanagerd.te b/public/evsmanagerd.te
new file mode 100644
index 0000000..cde0380
--- /dev/null
+++ b/public/evsmanagerd.te
@@ -0,0 +1,2 @@
+# evsmanager daemon
+type evsmanagerd, domain;
diff --git a/public/hal_evs.te b/public/hal_evs.te
index 789333a..09a40d8 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -1,5 +1,15 @@
hwbinder_use(hal_evs_client)
hwbinder_use(hal_evs_server)
+
binder_call(hal_evs_client, hal_evs_server)
binder_call(hal_evs_server, hal_evs_client)
-hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+
+# Below lines are equivalent to hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
+# except it allows evsmanagerd to add hal_evs_hwservice.
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
+allow hal_evs_server hal_evs_hwservice:hwservice_manager { add find };
+allow hal_evs_server hidl_base_hwservice:hwservice_manager add;
+neverallow { domain -hal_evs_server -evsmanagerd } hal_evs_hwservice:hwservice_manager add;
+
+# Allows to add a service
+hal_attribute_service(hal_evs, hal_evs_service)
diff --git a/public/service.te b/public/service.te
index 46eaff1..8c4ae56 100644
--- a/public/service.te
+++ b/public/service.te
@@ -13,6 +13,7 @@
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
+type evsmanagerd_service, service_manager_type;
type fingerprintd_service, service_manager_type;
type fwk_automotive_display_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
@@ -273,6 +274,7 @@
type hal_dice_service, vendor_service, protected_service, service_manager_type;
type hal_drm_service, vendor_service, service_manager_type;
type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
+type hal_evs_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 762cf20..4faa05a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -8,7 +8,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 57a0299..d1d4559 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -6,10 +6,19 @@
type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_evs_default)
-allow hal_evs_default hal_graphics_allocator_server:fd use;
-
-# allow to use surface flinger
-allow hal_evs_default automotive_display_service_server:fd use;
+# allow to use a graphic buffer
+hal_client_domain(hal_evs_default, hal_configstore)
+hal_client_domain(hal_evs_default, hal_graphics_allocator)
+hal_client_domain(hal_evs_default, hal_graphics_composer)
# allow to use automotive display service
+binder_call(hal_evs_default, automotive_display_service_server)
allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
+
+# allow to access EGL
+allow hal_evs_default gpu_device:chr_file rw_file_perms;
+allow hal_evs_default gpu_device:dir search;
+
+# allow to monitor uevents and access video devices
+allow hal_evs_default device:dir r_dir_perms;
+allow hal_evs_default video_device:chr_file rw_file_perms;
