author | Haamed Gheibi <haamed@google.com> | 2022-02-22 14:13:21 -0800 |
---|---|---|
committer | Haamed Gheibi <haamed@google.com> | 2022-02-23 11:16:42 -0800 |
commit | a5f93b24e3fc136b41c60c3b7e726dfa2344caae (patch) | |
tree | 8360f3dceba017c1d6aba28b7839899a5871191b | |
parent | b367d1e628c7a3311fcbd6524bdc1dcabe99e737 (diff) |
Update the API 32 based on system/sepolicy/public
Change-Id: Ieaf3ae511ac33b035d52691f84998ba23f4387d5
-rw-r--r-- | prebuilts/api/32.0/private/domain.te | 5 | ||||
-rw-r--r-- | prebuilts/api/32.0/private/file_contexts | 3 | ||||
-rw-r--r-- | prebuilts/api/32.0/private/mediaserverwrapper.te | 9 | ||||
-rw-r--r-- | prebuilts/api/32.0/private/property.te | 1 | ||||
-rw-r--r-- | prebuilts/api/32.0/private/property_contexts | 3 | ||||
-rw-r--r-- | prebuilts/api/32.0/private/vr_hwc.te | 2 | ||||
-rw-r--r-- | prebuilts/api/32.0/public/fsck_untrusted.te | 1 | ||||
-rw-r--r-- | prebuilts/api/32.0/public/gpuservice.te | 1 | ||||
-rw-r--r-- | prebuilts/api/32.0/public/recovery.te | 4 | ||||
-rw-r--r-- | prebuilts/api/32.0/public/system_server.te | 2 |
10 files changed, 29 insertions, 2 deletions
diff --git a/prebuilts/api/32.0/private/domain.te b/prebuilts/api/32.0/private/domain.te index b91d36d85..78aaf55d6 100644 --- a/prebuilts/api/32.0/private/domain.te +++ b/prebuilts/api/32.0/private/domain.te @@ -539,3 +539,8 @@ enforce_debugfs_restriction(` -tracefs_type }:file no_rw_file_perms; ') + + +###Mediaserverwrapper 64 Bit Property addition +get_prop(domain, vendor_medsrv_set_64b) + diff --git a/prebuilts/api/32.0/private/file_contexts b/prebuilts/api/32.0/private/file_contexts index 0330d888d..d61bf0f44 100644 --- a/prebuilts/api/32.0/private/file_contexts +++ b/prebuilts/api/32.0/private/file_contexts @@ -230,6 +230,7 @@ /system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0 /system/bin/make_f2fs -- u:object_r:e2fs_exec:s0 /system/bin/fsck_msdos -- u:object_r:fsck_exec:s0 +/system/bin/newfs_msdos u:object_r:fsck_exec:s0 /system/bin/tcpdump -- u:object_r:tcpdump_exec:s0 /system/bin/tune2fs -- u:object_r:fsck_exec:s0 /system/bin/resize2fs -- u:object_r:fsck_exec:s0 @@ -263,6 +264,8 @@ /system/bin/audioserver u:object_r:audioserver_exec:s0 /system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0 /system/bin/mediaserver u:object_r:mediaserver_exec:s0 +/system/bin/mediaserverwrapper u:object_r:mediaserverwrapper_exec:s0 +/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0 /system/bin/mediametrics u:object_r:mediametrics_exec:s0 /system/bin/cameraserver u:object_r:cameraserver_exec:s0 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0 diff --git a/prebuilts/api/32.0/private/mediaserverwrapper.te b/prebuilts/api/32.0/private/mediaserverwrapper.te new file mode 100644 index 000000000..354338ee2 --- /dev/null +++ b/prebuilts/api/32.0/private/mediaserverwrapper.te 
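Review bot: `get_prop(domain, vendor_medsrv_set_64b)` at the end of domain.te gives every domain, untrusted app domains included, read access to the new property type, which is broader than the one-line heading above it explains. As far as this diff shows, the only consumer introduced is the wrapper domain, so a narrower grant such as `get_prop(mediaserverwrapper, vendor_medsrv_set_64b)` in mediaserverwrapper.te would keep the rule least-privilege. If the domain-wide grant is intentional, the comment should say so and name the readers, e.g. `# ro.mediaserver.64b.enable is world-readable by design; read by <consumers>`.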
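Review bot: The new `/system/bin/newfs_msdos` entry in the first file_contexts hunk omits the `--` file-type field that the neighbouring `fsck_msdos`, `tune2fs` and `resize2fs` entries carry, so the label is not restricted to a regular file at that path. For consistency with the surrounding block it should read `/system/bin/newfs_msdos -- u:object_r:fsck_exec:s0`. The two entries added in the second hunk follow the style of their own neighbours and need no change.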
@@ -0,0 +1,9 @@
+type mediaserverwrapper, domain, coredomain;
+type mediaserverwrapper_exec, system_file_type, exec_type, file_type;
+type mediaserverwrapper_tmpfs, file_type;
+init_daemon_domain(mediaserverwrapper)
+domain_auto_trans(mediaserverwrapper, mediaserver_exec, mediaserver);
+allow mediaserverwrapper mediaserver_exec:file { execute open read getattr map execute_no_trans };
+allow mediaserver mediaserverwrapper:fd use;
+# Let vendor_init set vendor_medsrv_set_64b.
+set_prop(vendor_init, vendor_medsrv_set_64b)
\ No newline at end of file diff --git a/prebuilts/api/32.0/private/property.te b/prebuilts/api/32.0/private/property.te index 587cf5e2f..fdc320612 100644 --- a/prebuilts/api/32.0/private/property.te +++ b/prebuilts/api/32.0/private/property.te @@ -39,6 +39,7 @@ system_internal_prop(verity_status_prop) system_internal_prop(zygote_wrap_prop) system_internal_prop(ctl_mediatranscoding_prop) system_internal_prop(ctl_odsign_prop) +vendor_restricted_prop(vendor_medsrv_set_64b) ### ### Neverallow rules diff --git a/prebuilts/api/32.0/private/property_contexts b/prebuilts/api/32.0/private/property_contexts index f235b35b7..f8c887a9b 100644 --- a/prebuilts/api/32.0/private/property_contexts +++ b/prebuilts/api/32.0/private/property_contexts @@ -1229,3 +1229,6 @@ ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool # dck properties ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int + +###mediaserver 64 bit enable flag +ro.mediaserver.64b.enable u:object_r:vendor_medsrv_set_64b:s0 exact bool diff --git a/prebuilts/api/32.0/private/vr_hwc.te b/prebuilts/api/32.0/private/vr_hwc.te index 053c03d98..51d242061 100644 --- a/prebuilts/api/32.0/private/vr_hwc.te +++ b/prebuilts/api/32.0/private/vr_hwc.te @@ -2,5 +2,3 @@ typeattribute vr_hwc coredomain; # Daemon started by init. init_daemon_domain(vr_hwc) - -hal_server_domain(vr_hwc, hal_graphics_composer) diff --git a/prebuilts/api/32.0/public/fsck_untrusted.te b/prebuilts/api/32.0/public/fsck_untrusted.te index 8510c9424..149ea6c03 100644 --- a/prebuilts/api/32.0/public/fsck_untrusted.te +++ b/prebuilts/api/32.0/public/fsck_untrusted.te @@ -11,6 +11,7 @@ allow fsck_untrusted vold:fifo_file { read write getattr }; # Run fsck on vold block devices allow fsck_untrusted block_device:dir search; allow fsck_untrusted vold_device:blk_file rw_file_perms; +allowxperm fsck_untrusted vold_device:blk_file ioctl BLKGETSIZE; allow fsck_untrusted proc_mounts:file r_file_perms; 
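Review bot: In the new mediaserverwrapper.te, the explicit `allow mediaserverwrapper mediaserver_exec:file { ... execute_no_trans };` works against the `domain_auto_trans(mediaserverwrapper, mediaserver_exec, mediaserver)` line above it. The macro already grants the read/execute permissions needed for the transition, so the only thing the extra rule adds is `execute_no_trans`, which lets the mediaserver binary run inside the wrapper's own coredomain instead of the `mediaserver` domain. Unless an exec without transition is really required, drop that rule (or at least `execute_no_trans`) so the binary can only run confined. Two smaller points: `mediaserverwrapper_tmpfs` is declared but nothing visible in this file uses it, and `set_prop(vendor_init, vendor_medsrv_set_64b)` grants a vendor_init permission from the wrapper's policy file, where an audit of vendor_init can easily miss it. The file also lacks a trailing newline.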
diff --git a/prebuilts/api/32.0/public/gpuservice.te b/prebuilts/api/32.0/public/gpuservice.te
index c862d0b7f..443cc45a3 100644
--- a/prebuilts/api/32.0/public/gpuservice.te
+++ b/prebuilts/api/32.0/public/gpuservice.te
@@ -1,2 +1,3 @@
 # gpuservice - server for gpu stats and other gpu related services
 type gpuservice, domain;
+get_prop(gpuservice, graphics_config_prop)
\ No newline at end of file diff --git a/prebuilts/api/32.0/public/recovery.te b/prebuilts/api/32.0/public/recovery.te index 364988887..33658e86f 100644 --- a/prebuilts/api/32.0/public/recovery.te +++ b/prebuilts/api/32.0/public/recovery.te @@ -133,6 +133,10 @@ recovery_only(` # Allow mounting /metadata for writing update states allow recovery metadata_file:dir { getattr mounton }; + + # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts. + allow recovery devpts:chr_file rw_file_perms; + allow recovery kmsg_device:chr_file { getattr w_file_perms }; ') ### diff --git a/prebuilts/api/32.0/public/system_server.te b/prebuilts/api/32.0/public/system_server.te index edefadfb0..4016ba398 100644 --- a/prebuilts/api/32.0/public/system_server.te +++ b/prebuilts/api/32.0/public/system_server.te @@ -15,3 +15,5 @@ neverallow { -vendor_init -system_server } power_debug_prop:property_service set; +# Read ro.gfx.* properties +get_prop(system_server, graphics_config_prop) |
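Review bot: `get_prop(gpuservice, graphics_config_prop)` is added to public/gpuservice.te with no comment, in a file that until now held only the type declaration. Rules under public/ become part of the policy exported to vendor builds, so unless this grant has to be exported it is probably better kept with the domain's private policy. At minimum, mirror the comment this same commit uses in system_server.te, `# Read ro.gfx.* properties`, and end the file with a newline, since the diff flags `\ No newline at end of file`.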