Sync with device/google/zuma-sepolicy cfa00dfc881e3

Bug: 272725898
Change-Id: I9125ed760c0b4c688cf37720f5d4a744f2484be7

vendor/file_contexts

@@ -163,5 +163,5 @@
 /dev/dma_heap/farawimg-secure                                               u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/vframe-secure                                                 u:object_r:video_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure                                                u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vstream-secure                                                u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vstream-secure                                                u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci                                                                    u:object_r:uci_device:s0

vendor/google_camera_app.te

@@ -6,3 +6,10 @@ allow google_camera_app gxp_device:chr_file rw_file_perms;
 
 # Allows camera app to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
+
+# Allow camera app to access the a subset of app services.
+allow google_camera_app app_api_service:service_manager find;
+
+# Allows GCA to access the EdgeTPU device.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };

vendor/hal_bootctl_default.te

@@ -1,3 +1,4 @@
 allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sysfs_ota:file rw_file_perms;
+allow hal_bootctl_default tee_device:chr_file rw_file_perms;

vendor/hal_camera_default.te

@@ -14,6 +14,10 @@ allow hal_camera_default lwis_device:chr_file rw_file_perms;
 allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
 allow hal_camera_default edgetpu_vendor_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_vendor_server)
+# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
+# library has a dependency on edgetpu_app_service, see b/275016466.
+allow hal_camera_default edgetpu_app_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_app_server)
 
 # Allow access to data files used by the camera HAL
 allow hal_camera_default mnt_vendor_file:dir search;

vendor/logd.te

@@ -0,0 +1,4 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
+allow logd trusty_log_device:chr_file r_file_perms;
+

vendor/property.te

@@ -10,3 +10,4 @@ vendor_internal_prop(vendor_usb_config_prop)
 
 # Dynamic sensor
 vendor_internal_prop(vendor_dynamic_sensor_prop)
+

vendor/property_contexts

@@ -17,3 +17,4 @@ vendor.usb.                                u:object_r:vendor_usb_config_prop:s0
 
 # Dynamic sensor
 vendor.dynamic_sensor.                     u:object_r:vendor_dynamic_sensor_prop:s0
+

vendor/twoshay.te

@@ -1,2 +1,4 @@
 # Allow ITouchContextService callback
 binder_call(twoshay, systemui_app)
+
+binder_call(twoshay, hal_radioext_default)