Merge tag 'android-9.0.0_r33' of https://android.googlesource.com/device/google/crosshatch-sepolicy into p9xHEADp9.0

Android 9.0.0 Release 33 (PQ2A.190205.003)

Change-Id: Icfdcc1bf2bf6964dfb4599a4df650b12dc25c118

9 files changed, 30 insertions, 9 deletions

diff --git a/OWNERS b/OWNERS
index 9d3f1b1..e6fbbd4 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,9 +1,9 @@
 alanstokes@google.com
 bowgotsai@google.com
-dcashman@google.com
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
+nnk@google.com
 sspatil@google.com
 tomcherry@google.com
 trong@google.com
diff --git a/vendor/google/certs/pulse-release.x509.pem b/vendor/google/certs/pulse-release.x509.pem
new file mode 100644
index 0000000..fb11572
--- /dev/null
+++ b/vendor/google/certs/pulse-release.x509.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n
+bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w
+HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv
+b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93
+bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/
+jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B
+IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe
+tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td
+0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg
+Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b
+aIOMFB0Km9HbEZHLKg33kOoMsS2zpA==
+-----END CERTIFICATE-----
diff --git a/vendor/google/keys.conf b/vendor/google/keys.conf
index 4a78849..b5e23b9 100644
--- a/vendor/google/keys.conf
+++ b/vendor/google/keys.conf
@@ -12,5 +12,8 @@ USER        : device/google/crosshatch-sepolicy/vendor/google/certs/tango_userde
 [@GOOGLE]
 ALL : device/google/crosshatch-sepolicy/vendor/google/certs/app.x509.pem
 
+[@GOOGLEPULSE]
+ALL : device/google/crosshatch-sepolicy/vendor/google/certs/pulse-release.x509.pem
+
 [@EASEL]
 ALL : device/google/crosshatch-sepolicy/vendor/google/certs/easel.x509.pem
diff --git a/vendor/google/mac_permissions.xml b/vendor/google/mac_permissions.xml
index 401dc83..9350761 100644
--- a/vendor/google/mac_permissions.xml
+++ b/vendor/google/mac_permissions.xml
@@ -24,6 +24,9 @@
     <signer signature="@GOOGLE" >
       <seinfo value="google" />
     </signer>
+    <signer signature="@GOOGLEPULSE" >
+      <seinfo value="googlepulse" />
+    </signer>
     <signer signature="@TANGO" >
       <seinfo value="tango" />
     </signer>
diff --git a/vendor/google/system_server.te b/vendor/google/system_server.te
new file mode 100644
index 0000000..581723e
--- /dev/null
+++ b/vendor/google/system_server.te
@@ -0,0 +1 @@
+allow system_server thermal_service:service_manager find;
diff --git a/vendor/google/thermalserviced.te b/vendor/google/thermalserviced.te
new file mode 100644
index 0000000..aa6a085
--- /dev/null
+++ b/vendor/google/thermalserviced.te
@@ -0,0 +1 @@
+binder_call(thermalserviced, system_server)
diff --git a/vendor/qcom/common/hal_thermal_default.te b/vendor/qcom/common/hal_thermal_default.te
index 0d56bc1..608cda0 100644
--- a/vendor/qcom/common/hal_thermal_default.te
+++ b/vendor/qcom/common/hal_thermal_default.te
@@ -2,13 +2,6 @@ allow hal_thermal_default sysfs_thermal:dir { open read search };
 allow hal_thermal_default sysfs_thermal:file { getattr open read };
 allow hal_thermal_default sysfs_thermal:lnk_file read;
 
-allow hal_thermal_default sysfs_batteryinfo:dir search;
-allow hal_thermal_default sysfs_batteryinfo:file r_file_perms;
-allow hal_thermal_default sysfs_batteryinfo:lnk_file read;
-allow hal_thermal_default sysfs_msm_subsys:dir search;
-allow hal_thermal_default sysfs_msm_subsys:file r_file_perms;
-allow hal_thermal_default sysfs_msm_subsys:lnk_file read;
-
 allow hal_thermal_default proc_stat:file { getattr open read };
 # read thermal_config
 get_prop(hal_thermal_default, vendor_thermal_prop)
diff --git a/vendor/qcom/common/hal_tui_comm.te b/vendor/qcom/common/hal_tui_comm.te
index c282127..f3f48ba 100644
--- a/vendor/qcom/common/hal_tui_comm.te
+++ b/vendor/qcom/common/hal_tui_comm.te
@@ -9,5 +9,7 @@ add_hwservice(hal_tui_comm, hal_tui_comm_hwservice)
 hwbinder_use(hal_tui_comm)
 
 binder_call(hal_tui_comm, secure_ui_service_app)
+binder_call(hal_tui_comm, hal_confirmationui_default)
+binder_call(hal_tui_comm, tee)
 
 allow hal_tui_comm hal_graphics_allocator_default:fd use;
diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts
index f5f6dca..070cf7e 100644
--- a/vendor/qcom/common/seapp_contexts
+++ b/vendor/qcom/common/seapp_contexts
@@ -22,7 +22,10 @@ user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_
 user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
 
 # Use a custom domain for GoogleCamera, to allow for Hexagon DSP access
-user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=user
+user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the dogfood beta version, the same access as GoogleCamera
+user=_app seinfo=googlepulse name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
 
 #Needed for time service apk
 user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file