Merge "init: Allow SETPCAP for dropping bounding set."
diff --git a/private/file_contexts b/private/file_contexts
index 8c94bfb..76297c3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -225,7 +225,7 @@
/system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_exec:s0
/system/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_exec:s0
/system/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_exec:s0
-/system/bin/hw/wifi_hal_legacy u:object_r:wifi_hal_legacy_exec:s0
+/system/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_exec:s0
#############################
# Vendor files
diff --git a/private/wifi_hal_legacy.te b/private/hal_wifi.te
similarity index 77%
rename from private/wifi_hal_legacy.te
rename to private/hal_wifi.te
index cb2c6da..7c1b7b6 100644
--- a/private/wifi_hal_legacy.te
+++ b/private/hal_wifi.te
@@ -1,3 +1,3 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-init_daemon_domain(wifi_hal_legacy)
+init_daemon_domain(hal_wifi)
diff --git a/public/domain.te b/public/domain.te
index f732676..bbf4d68 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -108,6 +108,7 @@
domain
-appdomain
-dex2oat
+ -dumpstate
-recovery
-zygote
} libart_file:file { execute read open getattr };
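Review bot: The new `-dumpstate` carve-out has no comment recording why a bug-report daemon must read and execute libart_file, and the matching grant in dumpstate.te (hunk at L140) only says `# For art.`; `allow dumpstate libart_file:file { r_file_perms execute }` would be far easier to audit with the reason and a tracking reference beside it, e.g. `# For art: dumpstate runs <tool name> which loads libart — b/<bug-id>`. The statement enclosing these lines begins before the hunk, so its keyword is not visible here; if it is a neverallow, this exemption is the policy-wide permission the dumpstate.te grant depends on and the two should be reviewed together.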
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index b8ad83c..6e3b671 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -62,8 +62,28 @@
# Read /data/dalvik-cache.
allow domain_deprecated dalvikcache_data_file:dir { search getattr };
allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -init -installd -system_server -zygote } dalvikcache_data_file:dir { search getattr };
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -installd -system_server -zygote } dalvikcache_data_file:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -debuggerd
+ -dex2oat
+ -dumpstate
+ -init
+ -installd
+ -system_server
+ -zygote
+} dalvikcache_data_file:dir { search getattr };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -debuggerd
+ -dex2oat
+ -dumpstate
+ -init
+ -installd
+ -system_server
+ -zygote
+} dalvikcache_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
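Review bot: The rewritten `dalvikcache_data_file:file r_file_perms` auditallow now excludes `-init`, which the old one-line form (`auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -installd -system_server -zygote } dalvikcache_data_file:file r_file_perms;`) did not; the dir rule already had it, so this may be an intentional alignment, but it is a second behavioural change that the commit does not mention and it deserves a sentence in the message. If the goal is only to stop auditing dumpstate, the minimal change is the `-dumpstate` line alone. The reflow into one exclusion per line is otherwise welcome, since it is what makes a diff like this reviewable.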
@@ -96,11 +116,52 @@
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow domain_deprecated inotify:dir r_dir_perms;
auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -init
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:dir r_dir_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -init
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -clatd
+ -dumpstate
+ -init
+ -netd
+ -system_server
+ -vold
+ -wpa
+ -zygote
+} proc_net:{ file lnk_file } r_file_perms;
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
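Review bot: `-dumpstate` is added to the `proc_net:{ file lnk_file }` auditallow but not to the `proc_net:dir { open getattr read ioctl lock }` one just above it, while dumpstate.te (hunk at L150) only grants `proc_net:file r_file_perms`. If dumpstate enumerates /proc/net rather than opening known files, directory reads will presumably still be audited and still depend on the domain_deprecated grant; either add the dir permission in dumpstate.te and exclude it here, or add a comment that the file-only grant is deliberate. As a style point, the two proc_meminfo/proc_net:dir lines are now the only one-line exclusion lists left in this block; reflowing them like their neighbours would keep the file consistent.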
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 690e843..57e8703 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -95,6 +95,9 @@
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
@@ -118,7 +121,9 @@
allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
-allow dumpstate dalvikcache_data_file:file execute;
+allow dumpstate libart_file:file { r_file_perms execute };
+allow dumpstate dalvikcache_data_file:dir { search getattr };
+allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
# For Bluetooth
@@ -133,6 +138,9 @@
read_logd(dumpstate)
control_logd(dumpstate)
+# Read /proc/net
+allow dumpstate proc_net:file r_file_perms;
+
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
new file mode 100644
index 0000000..1f117d2
--- /dev/null
+++ b/public/hal_wifi.te
@@ -0,0 +1,22 @@
+# wifi legacy hal
+type hal_wifi, domain;
+type hal_wifi_exec, exec_type, file_type;
+
+## hwbinder access
+hwbinder_use(hal_wifi)
+
+## call into wificond process (callbacks)
+binder_call(hal_wifi, wificond)
+
+r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, sysfs_type)
+
+# allow hal wifi set interfaces up and down
+allow hal_wifi self:udp_socket create_socket_perms;
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
+
+allow hal_wifi self:capability { net_admin net_raw };
+# allow hal_wifi to speak to nl80211 in the kernel
+allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
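Review bot: The header comment `# wifi legacy hal` is stale now that the domain is `hal_wifi` and the binary is `android.hardware.wifi@1.0-service` (file_contexts hunk at L6); suggest `# wifi HAL (android.hardware.wifi@1.0-service)` so the name no longer implies a deprecated path. The new `allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS }` is a worthwhile narrowing versus the deleted wifi_hal_legacy.te, which granted udp_socket ioctl through create_socket_perms with no extended-permission filter in this file, and that intent deserves stating; the comment above it should also read `# allow hal_wifi to set interfaces up and down`.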
diff --git a/public/kernel.te b/public/kernel.te
index 556904c..c404fc0 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -87,9 +87,6 @@
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
# for the program and domain_auto_trans() to it.
-# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
-# program was left in the kernel domain and is now trying to execute
-# some other program. Fix your init.rc file.
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
-neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
+neverallow kernel *:file { entrypoint execute_no_trans };
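Review bot: Dropping the `-rootfs` exemption and widening the target to `*:file` leaves no type the kernel domain may exec, and the reason this is now safe (presumably that init is no longer executed from the kernel domain, given the deleted init.rc bullet) is not recorded anywhere in the file. Suggest a line above the rule such as `# No rootfs exemption: the kernel domain never execs userspace binaries; init is already labelled when it starts.` with the actual justification filled in by the author. The remaining bullet list still reads naturally without the removed item.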
diff --git a/public/system_server.te b/public/system_server.te
index c562b65..f700a77 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -200,7 +200,7 @@
allow system_server sysfs_thermal:file r_file_perms;
# TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file write;
+allow system_server sysfs_vibrator:file { write append };
# TODO: added to match above sysfs rule. Remove me?
allow system_server sysfs_usb:file w_file_perms;
@@ -308,10 +308,10 @@
# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
# Receive and use open /data/media files passed over binder IPC.
-allow system_server media_rw_data_file:file { getattr read write };
+allow system_server media_rw_data_file:file { getattr read write append };
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
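Review bot: `append` is added to the two binder-passed file rules without a comment saying why; since these fds are opened by the sender, the likely reason is descriptors opened with O_APPEND, which the kernel checks against `append` rather than `write`. A one-line comment such as `# append: fds passed over binder may have been opened O_APPEND` beside the first rule would stop a later cleanup from dropping it again; the same applies to the sysfs_vibrator change in the hunk at L206.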
diff --git a/public/wifi_hal_legacy.te b/public/wifi_hal_legacy.te
deleted file mode 100644
index ccdd96c..0000000
--- a/public/wifi_hal_legacy.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# wifi legacy hal
-type wifi_hal_legacy, domain;
-type wifi_hal_legacy_exec, exec_type, file_type;
-
-## hwbinder access
-hwbinder_use(wifi_hal_legacy)
-
-## call into wificond process (callbacks)
-binder_call(wifi_hal_legacy, wificond)
-
-r_dir_file(wifi_hal_legacy, proc_net)
-r_dir_file(wifi_hal_legacy, sysfs_type)
-
-allow wifi_hal_legacy self:udp_socket create_socket_perms;
-allow wifi_hal_legacy self:capability { net_admin net_raw };
-# allow wifi_hal_legacy to speak to nl80211 in the kernel
-allow wifi_hal_legacy self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow wifi_hal_legacy self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/wificond.te b/public/wificond.te
index 82c10c1..c6b85fc 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,10 +4,10 @@
binder_use(wificond)
binder_call(wificond, system_server)
-binder_call(wificond, wpa)
hwbinder_use(wificond)
-binder_call(wificond, wifi_hal_legacy)
+binder_call(wificond, hal_wifi)
+binder_call(wificond, wpa)
allow wificond wificond_service:service_manager { add find };
diff --git a/public/wpa.te b/public/wpa.te
index 3cb042b..863b6b9 100644
--- a/public/wpa.te
+++ b/public/wpa.te
@@ -21,10 +21,9 @@
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system_server)
-# Binder interface exposed by WPA.
-binder_use(wpa)
+# HIDL interface exposed by WPA.
+hwbinder_use(wpa)
binder_call(wpa, wificond)
-allow wpa wpa_supplicant_service:service_manager { add find };
# Create a socket for receiving info from wpa
allow wpa wpa_socket:dir create_dir_perms;