Merge "added new seandroid rule to location domain"
diff --git a/common/fingerprintd.te b/common/fingerprintd.te
new file mode 100644
index 0000000..f0fe878
--- /dev/null
+++ b/common/fingerprintd.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#==========================fingerprintd================================
+allow fingerprintd iqfp_service:service_manager find;
+binder_call(fingerprintd, qfp-daemon);
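Review bot: The macro call on the last line of the new file ends in a semicolon, while the calls visible in common/qfp-daemon.te and common/system_app.te in this same commit do not. If `binder_call` expands to complete `allow` statements, as the other call sites suggest, the extra `;` leaves a stray empty statement after expansion. Writing `binder_call(fingerprintd, qfp-daemon)` keeps the file consistent with the rest of the policy. The two rules would also benefit from a comment on what `iqfp_service` is and why fingerprintd needs it, for example `# fingerprintd looks up the QFP service and calls into qfp-daemon for sensor operations`, worded to match the real data flow.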
diff --git a/common/mediaserver.te b/common/mediaserver.te
index 21c8f3d..06980d7 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -68,4 +68,5 @@
 allow mediaserver system_app:unix_stream_socket { connectto read write setopt };
 
 #Allow mediaserver to access service manager STAProxyService
-allow mediaserver STAProxyService:service_manager find;
+#Allow mediaserver to access service manager wfdservice
+allow mediaserver { STAProxyService wfdservice_service }:service_manager find;
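Review bot: The two stacked comments above the merged rule say which services mediaserver may look up but not why a media-parsing domain needs to find `wfdservice_service`. One comment that names the feature would make the grant easier to audit later, for example `# mediaserver looks up STAProxyService and wfdservice (Wi-Fi Display session setup)`, adjusted to the real use case. The `find` permission only covers the service_manager lookup. Any matching `binder_call` rule between mediaserver and wfdservice is not visible in this hunk and should be checked to confirm the access is complete and intended.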
diff --git a/common/qfp-daemon.te b/common/qfp-daemon.te
index b04508f..3147958 100644
--- a/common/qfp-daemon.te
+++ b/common/qfp-daemon.te
@@ -34,6 +34,7 @@
 
 binder_call(qfp-daemon, servicemanager)
 binder_call(qfp-daemon, system_app)
+binder_call(qfp-daemon, fingerprintd)
 binder_use(qfp-daemon)
 
 allow qfp-daemon qfp-daemon_data_file:dir { rw_dir_perms setattr };
diff --git a/common/qseecomd.te b/common/qseecomd.te
index 6b8fd44..f97849d 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -71,6 +71,10 @@
 allow tee qfp-daemon_data_file:dir create_dir_perms;
 allow tee qfp-daemon_data_file:file create_file_perms;
 
+#allow access to fingerprintd data file
+allow tee fingerprintd_data_file:dir create_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
+
 # Provide access to block devices for MDTP
 allow tee mdtp_device:blk_file rw_file_perms;
 allow tee dip_device:blk_file rw_file_perms;
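Review bot: The two added rules give `tee` `create_dir_perms` and `create_file_perms` on `fingerprintd_data_file`, which likely covers creating, renaming and removing entries rather than only reading and writing existing ones. If the trusted-execution daemon only updates templates that fingerprintd has already created, `rw_dir_perms` and `rw_file_perms` would be the narrower fit, e.g. `allow tee fingerprintd_data_file:file rw_file_perms;`. The same macros are granted to `system_app` on `qfp-daemon_data_file` in the common/system_app.te hunk, and the same question applies there. The comment `#allow access to fingerprintd data file` should also say which operation needs create access.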
diff --git a/common/service.te b/common/service.te
index e51acae..da26d7f 100644
--- a/common/service.te
+++ b/common/service.te
@@ -8,7 +8,7 @@
 type wbc_service,               service_manager_type;
 type STAProxyService,           service_manager_type;
 type dun_service,               service_manager_type;
-type imscm_service,             service_manager_type;
+type imscm_service,             system_api_service, service_manager_type;
 type color_service,             service_manager_type;
 type wfdservice_service,        service_manager_type;
 type usf_service,               service_manager_type;
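Review bot: Adding `system_api_service` to `imscm_service` grants access through an attribute, so every domain that is allowed `find` on that attribute elsewhere in the policy gains lookup of this service, not just the one client that prompted the change. Those attribute rules are outside this hunk, so the resulting set of clients cannot be confirmed from here. If a single domain needs the service, a targeted rule such as `allow <client_domain> imscm_service:service_manager find;` in that domain's .te file is narrower and easier to audit. If the attribute is intended, a short comment on the type line naming the intended clients would record that decision.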
diff --git a/common/system_app.te b/common/system_app.te
index 86ca2be..54cf2b5 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -73,6 +73,8 @@
 binder_call(system_app, seempd)
 
 #allow access to qfp-daemon
+allow system_app qfp-daemon_data_file:dir create_dir_perms;
+allow system_app qfp-daemon_data_file:file create_file_perms;
 binder_call(system_app, qfp-daemon)
 
 # allow system_app to interact with fido daemon
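Review bot: The two added `allow` lines give the whole `system_app` domain direct create access to `qfp-daemon_data_file` directories and files, although the `binder_call(system_app, qfp-daemon)` rule already provides a mediated path to the daemon. Because `system_app` is shared by every app running in that domain, any of them could create or replace files in the fingerprint daemon's data directory without going through the daemon's own checks. If direct file access is really required, it would be worth narrowing it to the operations actually needed and stating the reason in the comment. The existing `#allow access to qfp-daemon` comment no longer describes the file rules placed beneath it.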
diff --git a/common/wfdservice.te b/common/wfdservice.te
index cf5bcd2..35e4791 100644
--- a/common/wfdservice.te
+++ b/common/wfdservice.te
@@ -86,3 +86,6 @@
 # Allow access to mediaserver, surfaceflinger and permissionmanager
 # for interaction of wfdservice
 allow wfdservice {mediaserver_service permission_service surfaceflinger_service wfdservice_service}: service_manager find;
+
+#Allow setting of net_admin capability so that libnl API's can be used
+allow wfdservice self:capability net_admin;
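Review bot: The new rule grants `net_admin` to wfdservice, a broad capability that covers interface configuration, routing and firewall changes, while the comment justifies it only as "so that libnl API's can be used". libnl calls that merely query state over netlink generally do not need this capability, so the comment should name the specific privileged operation, for example `# net_admin: required for <operation> on the WFD interface via libnl`. If the requirement came from an audit denial, recording the denied operation would let a later reviewer confirm the grant is still needed. Any netlink socket class rules that wfdservice needs alongside the capability are not visible in this hunk.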