Merge "Add hal_contexthub_default to zuma sepolicy; Remove dontaudit rules for chre" into udc-d1-dev am: 2c0e44805a

Original change: https://googleplex-android-review.googlesource.com/c/device/google/zuma-sepolicy/+/22613725 Change-Id: Ia79eb1e60a6fe53a2155874be0f83be644c1d9f6 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-04-13 20:18:36 +00:00 · 2023-04-13 20:18:36 +00:00 · 98bffc0a44
commit 98bffc0a44
parent 44155e103e 2c0e44805a
6 changed files with 3 additions and 14 deletions
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@ -2,7 +2,6 @@
 /vendor/bin/dumpsys                                                         u:object_r:vendor_dumpsys:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty                u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty           u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.contexthub-service\.generic               u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st                           u:object_r:hal_nfc_default_exec:s0

 # Vendor libraries
--- a/tracking_denials/chre.te
+++ b/tracking_denials/chre.te
@ -1,4 +0,0 @@
-# b/261105224
-dontaudit chre hal_system_suspend_service:service_manager { find };
-dontaudit chre servicemanager:binder { call };
-dontaudit chre system_suspend_server:binder { call };
--- a/tracking_denials/hal_contexthub_default.te
+++ b/tracking_denials/hal_contexthub_default.te
@ -1,7 +0,0 @@
-# b/261105182
-dontaudit hal_contexthub_default chre:unix_stream_socket { connectto };
-dontaudit hal_contexthub_default chre_socket:sock_file { write };
-# b/264489794
-userdebug_or_eng(`
-  permissive hal_contexthub_default;
-')
--- a/tracking_denials/system_suspend.te
+++ b/tracking_denials/system_suspend.te
@ -1,2 +0,0 @@
-# b/261105356
-dontaudit system_suspend_server chre:binder { transfer };
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -12,6 +12,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element-service.uicc               u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service                       u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel             u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic               u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service                     u:object_r:mediacodec_google_exec:s0
 /vendor/bin/dump/dump_wlan\.sh                                              u:object_r:dump_wlan_exec:s0
 /vendor/bin/dump/dump_gsa\.sh                                               u:object_r:dump_gsa_exec:s0
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
@ -0,0 +1,2 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)