Merge "allow wcnss_filter CAP_SYS_NICE, Bluetooth HAL binder to system_server"

android_filesystem_config.h

@@ -36,6 +36,7 @@ static const struct fs_path_config android_device_files[] = {
     { 00755, AID_SYSTEM,    AID_SYSTEM,    (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/cnss-daemon"},
     { 00755, AID_SYSTEM,    AID_SYSTEM,    (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/imsdatadaemon" },
     { 00755, AID_SYSTEM,    AID_RADIO,     (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/ims_rtp_daemon" },
+    { 00755, AID_SYSTEM,    AID_SYSTEM,    (1ULL << CAP_SYS_NICE), "vendor/bin/wcnss_filter" },
 #ifdef NO_ANDROID_FILESYSTEM_CONFIG_DEVICE_DIRS
     { 00000, AID_ROOT,      AID_ROOT,      0, "system/etc/fs_config_dirs" },
 #endif

sepolicy/hal_bluetooth_default.te

@@ -2,4 +2,8 @@ allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
 
 allow hal_bluetooth_default wcnss_filter:unix_stream_socket connectto;
 
+# talk to system_server to set priority
+allow hal_bluetooth fwk_scheduler_hwservice:hwservice_manager find;
+allow hal_bluetooth system_server:binder call;
+
 set_prop(hal_bluetooth_default, wc_prop)

sepolicy/wcnss_filter.te

@@ -12,6 +12,9 @@ userdebug_or_eng(`
 permissive wcnss_filter;
 ')
 
+# allow wcnss to set threads to RT priority
+allow wcnss_filter self:capability sys_nice;
+
 # TODO(b/34274385): Remove this once Bluetooh HAL is guaranteed to not be run in passthrough mode
 # What's going on here is that Bluetooth HAL is talking over sockets to wcnss_filter, which is
 # permitted. However, those rules target hal_bluetooth rather than hal_bluetooth_server and thus