Merge "dontaudit clatd self:capability ipc_lock"
diff --git a/domain.te b/domain.te
index bc55237..d835ee9 100644
--- a/domain.te
+++ b/domain.te
@@ -180,7 +180,7 @@
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
 
 # Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
 
 # Limit raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
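Review bot: The `-slideshow` exemption added to the mknod neverallow has no recorded justification, and the matching `allow slideshow self:capability { mknod sys_tty_config };` in slideshow.te is equally uncommented. The likely consumer is the device node created through `write_klog(slideshow)`, but the macro expansion is not visible here, so that should be confirmed rather than assumed. If that is the only use, a comment next to the allow rule such as `# mknod: only for the kernel-log node created via write_klog()` would let a later reviewer check that the exemption is still needed. If the capability check is merely triggered incidentally, `dontaudit slideshow self:capability mknod;` would avoid widening this neverallow at all.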
diff --git a/init.te b/init.te
index 8b0ab42..14e9f80 100644
--- a/init.te
+++ b/init.te
@@ -140,6 +140,7 @@
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
 domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
 recovery_only(`
   domain_trans(init, rootfs, recovery)
 ')
diff --git a/kernel.te b/kernel.te
index fa8ccd5..ff34ece 100644
--- a/kernel.te
+++ b/kernel.te
@@ -45,7 +45,7 @@
 
 # MTP sync (b/15835289)
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel vold:fd use;
+allow kernel untrusted_app:fd use;
 allow kernel sdcard_type:file { read write };
 
 # Allow the kernel to read OBB files from app directories. (b/17428116)
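Review bot: The new `allow kernel untrusted_app:fd use;` lets kernel threads use descriptors opened by the third-party app domain, and the two comment lines above it name only MTP sync and the loop0 thread without saying why an app-supplied descriptor reaches the kernel. The adjacent `allow kernel sdcard_type:file { read write };` appears to be what bounds the file access reachable through those descriptors, so that pairing deserves a comment, for example `# fds are passed in by apps; file access is limited to sdcard_type below`. The `allow kernel vold:fd use;` line added in the second kernel.te hunk sits under comment lines that, as far as this hunk shows, list only CTS tests, so a short note there on which vold operation hands over the descriptor would help as well.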
@@ -53,6 +53,7 @@
 # Fixes CTS tests:
 #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
 #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
 allow kernel app_data_file:file read;
 
 ###
diff --git a/slideshow.te b/slideshow.te
new file mode 100644
index 0000000..1a22fb5
--- /dev/null
+++ b/slideshow.te
@@ -0,0 +1,13 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+write_klog(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
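Review bot: The rules in this new domain carry no rationale beyond the two-line header, which makes the tty grant hard to audit later. `tty_device:chr_file rw_file_perms` combined with `sys_tty_config` gives the domain both write access to ttys and the ability to reconfigure them. A one-line comment above that pair stating what it is for, e.g. `# console mode switching for on-screen drawing (assumed; confirm)`, would record the intent, with similar comments for the graphics_device and input_device groups. Input devices are read-only here (`r_file_perms`), and a comment saying that this is deliberate would help keep it from being widened to rw later.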