From f3564e9b91c423a5ecd65ef15076b5750dccceea Mon Sep 17 00:00:00 2001
From: Bowen Lai
Date: Wed, 25 Dec 2024 07:18:45 +0000
Subject: [PATCH] Set up access control rule for aocxd

Test: make -j64
Bug: 385663354
Flag: EXEMPT bugfix
Change-Id: I1b6584a0643085e9d69c85b27a0ba3667aacf1cf
---
 aoc/aoc.mk                                 | 6 ++++++
 aoc/sepolicy/allowlist/aocxd_neverallow.te | 2 ++
 2 files changed, 8 insertions(+)
 create mode 100644 aoc/sepolicy/allowlist/aocxd_neverallow.te

diff --git a/aoc/aoc.mk b/aoc/aoc.mk
index 13d849c..8ef4e26 100644
--- a/aoc/aoc.mk
+++ b/aoc/aoc.mk
@@ -1,5 +1,11 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
 
+# Skip aosp_ build due to dcservice_app is not available
+ifeq (,$(filter aosp_%, $(TARGET_PRODUCT)))
+BOARD_VENDOR_SEPOLICY_DIRS += \
+	device/google/gs-common/aoc/sepolicy/allowlist
+endif
+
 PRODUCT_PACKAGES += dump_aoc \
 	aocd \
 	aocxd
diff --git a/aoc/sepolicy/allowlist/aocxd_neverallow.te b/aoc/sepolicy/allowlist/aocxd_neverallow.te
new file mode 100644
index 0000000..72b7b1a
--- /dev/null
+++ b/aoc/sepolicy/allowlist/aocxd_neverallow.te
@@ -0,0 +1,2 @@
+# set up rule to control the access to aocxd
+neverallow { domain -hwservicemanager -servicemanager -vndservicemanager -system_suspend_server -dumpstate -hal_audio_default -dcservice_app } aocxd:binder { call transfer };
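Review bot: The comment on the new ifeq explains why the directory is skipped but not what the skip costs: on aosp_ products the allowlist directory is never appended to BOARD_VENDOR_SEPOLICY_DIRS, so the aocxd neverallow it contains is not part of their policy at all, and nothing else in this hunk constrains who may bind to aocxd on those builds. I would make that trade-off explicit, e.g. `# aosp_ products do not ship dcservice_app, so the allowlist neverallow (which names that type) would fail to compile; those products build without the aocxd binder restriction`. The filter call also carries a leading space in its second argument (`aosp_%, $(TARGET_PRODUCT)`), which $(filter) tolerates but which reads as a typo; `ifeq (,$(filter aosp_%,$(TARGET_PRODUCT)))` is the conventional form.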
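Review bot: The header comment describes the neverallow as a rule that controls access, but a neverallow grants nothing and changes no runtime decision; it is a policy-compile-time assertion that fails the build if any allow rule gives binder call/transfer on aocxd to a domain outside the listed exceptions. Stating that avoids a later reader expecting it to block anything on its own, e.g. `# Compile-time assertion: only the listed domains may be granted binder call/transfer to aocxd; any other allow rule fails the policy build.` Every exception is a type subtracted from `domain`, so each name here (dcservice_app included) must exist in every policy that includes this file, which is exactly what the aosp_ gating in aoc.mk guards; any exception added later needs the same consideration. The broad `domain` base with an explicit exception list is the right shape, since granting a new client means editing this list under review.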