Merge "Revert "Strip exec* permissions from unconfined domains.""
diff --git a/Android.mk b/Android.mk
index a3cd385..fa6cd78 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,14 +10,6 @@
MLS_SENS=1
MLS_CATS=1024
-ifeq ($(TARGET_BUILD_VARIANT),user)
- BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell.te
- BOARD_SEPOLICY_IGNORE+=external/sepolicy/su.te
-else
- BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell_user.te
- BOARD_SEPOLICY_IGNORE+=external/sepolicy/su_user.te
-endif
-
# Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
# Builds the singular path for each replace file.
sepolicy_replace_paths :=
@@ -77,7 +69,7 @@
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
@mkdir -p $(dir $@)
- $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
+ $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
$(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
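Review bot: The new `-D target_build_variant=$(TARGET_BUILD_VARIANT)` on the m4 line is passed through unvalidated, so an empty or misspelt TARGET_BUILD_VARIANT makes `userdebug_or_eng` expand to nothing and the `su` domain quietly disappears from policy.conf with no build error. That presumably fails safe, but it also hides a misconfigured build, and the removed ifeq block in the first hunk used to make the user/non-user split explicit at Makefile level. A parse-time guard next to the MLS variables would surface it: `$(if $(filter user userdebug eng,$(TARGET_BUILD_VARIANT)),,$(error TARGET_BUILD_VARIANT must be user, userdebug or eng))`.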
diff --git a/app.te b/app.te
index 7d4acfb..00af7e7 100644
--- a/app.te
+++ b/app.te
@@ -158,6 +158,10 @@
# For art.
allow appdomain dalvikcache_data_file:file execute;
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+allow appdomain unlabeled:file x_file_perms;
+
###
### CTS-specific rules
###
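Review bot: `allow appdomain unlabeled:file x_file_perms;` grants every app domain execute and, if x_file_perms is defined as in global_macros, execute_no_trans on unlabeled files, while the domain.te hunk in this merge still leaves all domains create_file_perms (which presumably includes write) on the same objects, so untrusted apps can both write and execute unlabeled files. The parallel rules added for system_server and zygote here grant only `execute` and explain it as dalvikcache mmap/mprotect PROT_EXEC; if that is also the app-side need, `allow appdomain unlabeled:file execute;` is the narrower rule. If apps genuinely must exec unlabeled binaries, the comment should name the legacy layout that requires it so the rule can be retired once userdata is labeled.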
diff --git a/bluetooth.te b/bluetooth.te
index a391ef7..a6e0c4e 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,6 @@
# bluetooth subsystem
type bluetooth, domain;
+permissive bluetooth;
app_domain(bluetooth)
# Data file accesses.
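Review bot: `permissive bluetooth;` is added unconditionally and without a comment, whereas the shell.te hunk in the same merge moves its permissive declaration under the new `userdebug_or_eng` macro so user builds stay enforcing. In a permissive domain denials are only logged, so this line disables every bluetooth rule in this file on shipping builds until someone remembers to remove it. At minimum document intent and exit condition, e.g. `# TODO: temporary while bluetooth policy is being developed; remove once denials are resolved.`, and if it is only needed on debug builds wrap it in userdebug_or_eng as shell.te does.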
diff --git a/dhcp.te b/dhcp.te
index e710360..2baca81 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -2,7 +2,6 @@
permissive dhcp;
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;
-type dhcp_system_file, file_type, data_file_type;
init_daemon_domain(dhcp)
net_domain(dhcp)
@@ -16,8 +15,6 @@
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
allow dhcp system_prop:property_service set ;
-allow dhcp dhcp_system_file:file rx_file_perms;
-allow dhcp dhcp_system_file:dir r_dir_perms;
unix_socket_connect(dhcp, property, init)
allow dhcp owntty_device:chr_file rw_file_perms;
diff --git a/domain.te b/domain.te
index 653a507..75dbe7c 100644
--- a/domain.te
+++ b/domain.te
@@ -33,9 +33,6 @@
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
-# b/9858255 - debuggerd sockets are not getting properly labeled.
-# TODO: Remove this temporary workaround.
-allow domain init:unix_stream_socket connectto;
# Root fs.
allow domain rootfs:dir r_dir_perms;
@@ -129,9 +126,8 @@
# capability, it's essentially useless. This is needed to allow an app with
# relabelto to relabel unlabeled files.
#
-allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
+allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
allow domain unlabeled:dir { create_dir_perms relabelfrom };
-allow domain unlabeled:lnk_file { create_file_perms };
neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
###
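Review bot: Replacing `unlabeled:file` and `unlabeled:lnk_file` with `unlabeled:notdevfile_class_set` drops the execute bits as intended but also widens the rule, since notdevfile_class_set (as defined in refpolicy-style global_macros) covers sock_file and fifo_file, which no domain previously had on unlabeled objects. If that is deliberate, the comment block above the rule, which starts before this hunk and speaks only of relabeling files, should say so; otherwise `allow domain unlabeled:{ file lnk_file } { create_file_perms relabelfrom };` preserves the old scope. Either way every domain still keeps write on unlabeled files while this merge separately re-adds execute for appdomain, system_server and zygote, which deserves a sentence in that comment.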
diff --git a/file_contexts b/file_contexts
index 6c530a6..42b783f 100644
--- a/file_contexts
+++ b/file_contexts
@@ -138,8 +138,6 @@
/system/bin/pppd u:object_r:ppp_exec:s0
/system/bin/tf_daemon u:object_r:tee_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
-/system/etc/ppp(/.*)? u:object_r:ppp_system_file:s0
-/system/etc/dhcpcd(/.*)? u:object_r:dhcp_system_file:s0
/system/xbin/su u:object_r:su_exec:s0
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
@@ -170,6 +168,7 @@
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
+/data/mediadrm(/.*)? u:object_r:media_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
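Review bot: `/data/mediadrm(/.*)?` is labeled with the existing media_data_file type rather than a dedicated one, so every domain already permitted on media_data_file presumably gains the same access to DRM state under this directory. If that sharing is intended, a one-line comment saying so would stop the next reader from splitting it; otherwise a distinct type (something like `mediadrm_data_file`) with rules only for the DRM consumer is the least-privilege choice. I cannot see the other media_data_file entries from this hunk, so treat this as a question to confirm.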
diff --git a/isolated_app.te b/isolated_app.te
index 07b9b44..f1ddb37 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -20,6 +20,3 @@
allow isolated_app dalvikcache_data_file:file execute;
allow isolated_app apk_data_file:dir getattr;
-
-allow isolated_app init:unix_stream_socket { read write getattr getopt };
-allow isolated_app init_tmpfs:file read;
diff --git a/keystore.te b/keystore.te
index 3b5ac3f..f89504f 100644
--- a/keystore.te
+++ b/keystore.te
@@ -10,3 +10,4 @@
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file rw_file_perms;
+allow keystore tee:unix_stream_socket connectto;
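Review bot: `allow keystore tee:unix_stream_socket connectto;` is added with no comment, unlike the equivalent surfaceflinger.te rule, and connectto alone is only enough if the tee daemon listens on an abstract socket. If it listens on a filesystem socket, keystore also needs `sock_file write` on that socket's type, which is what the `unix_socket_connect(client, socket, server)` macro used in mediaserver.te bundles; worth confirming which kind of socket the tee daemon uses before this lands. Suggested comment: `# Connect to the TEE daemon over its unix socket.`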
diff --git a/mediaserver.te b/mediaserver.te
index 6097ccb..f84a424 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -62,3 +62,7 @@
# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket { connectto read write setopt };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
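Review bot: The rationale comment above `unix_socket_connect(mediaserver, drmserver, drmserver)` hedges ("seems expected and appropriate for all devices"), which leaves the next reader unsure whether the rule is a device-specific workaround or a platform requirement. Policy comments should state the concrete reason; if the DRM plugins loaded into mediaserver talk to drmserver on every device, say so, e.g. `# DRM plugins in mediaserver connect to the drmserver socket to play protected content.` The same wording is duplicated in surfaceflinger.te and should be tightened there too.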
diff --git a/ppp.te b/ppp.te
index bc1bafc..1f61fdd 100644
--- a/ppp.te
+++ b/ppp.te
@@ -2,6 +2,5 @@
type ppp, domain;
type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;
-type ppp_system_file, file_type;
unconfined_domain(ppp)
domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/shell.te b/shell.te
index 18c1dfc..6b9f996 100644
--- a/shell.te
+++ b/shell.te
@@ -9,7 +9,9 @@
# XXX Transition into its own domain?
app_domain(shell)
-# userdebug/eng shell is also permissive to permit setenforce.
-permissive shell;
+userdebug_or_eng(`
+ # userdebug/eng shell is also permissive to permit setenforce.
+ permissive shell;
+')
# inherits from shelldomain.te
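Review bot: The comment moved inside the userdebug_or_eng(...) argument is now part of an m4 quoted string, so any apostrophe in it (a possessive or a contraction) would close the quote and break policy.conf generation in a way that is hard to trace; the current text has none, but nothing warns future editors. The same applies to the comments wrapped in the su.te hunk. A one-line caveat on the macro definition in te_macros, such as `# Argument is an m4 quoted string: comments inside it must not contain a single quote.`, would prevent this.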
diff --git a/shell_user.te b/shell_user.te
deleted file mode 100644
index ad30802..0000000
--- a/shell_user.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# Domain for shell processes spawned by ADB
-type shell, domain, shelldomain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# inherits from shelldomain.te
diff --git a/su.te b/su.te
index 2a3d007..b4b9f6d 100644
--- a/su.te
+++ b/su.te
@@ -1,13 +1,17 @@
-type su, domain;
+# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;
-domain_auto_trans(shell, su_exec, su)
-# Allow dumpstate to call su on userdebug / eng builds to collect
-# additional information.
-domain_auto_trans(dumpstate, su_exec, su)
+userdebug_or_eng(`
+ type su, domain;
+ domain_auto_trans(shell, su_exec, su)
-# su is unconfined.
-unconfined_domain(su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
-# su is also permissive to permit setenforce.
-permissive su;
+ # su is unconfined.
+ unconfined_domain(su)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+')
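Review bot: On user builds `type su, domain;` is no longer declared, so any other policy file that names the `su` domain (in an allow, neverallow or domain_auto_trans) will fail in checkpolicy with an undefined type, and nothing in this hunk guards against that. If such references exist they need the same `userdebug_or_eng` wrapping; if none exist, a comment next to `type su_exec, exec_type, file_type;` noting that `su` is undefined on user builds and must not be referenced elsewhere would keep it that way. I cannot see the other policy files from here, so this is something to verify with a user-variant build.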
diff --git a/su_user.te b/su_user.te
deleted file mode 100644
index 6f936a0..0000000
--- a/su_user.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-# No allow rules
diff --git a/surfaceflinger.te b/surfaceflinger.te
index e926bc8..39781fc 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -44,3 +44,8 @@
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
allow surfaceflinger shell_data_file:file write;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee:unix_stream_socket connectto;
+allow surfaceflinger tee_device:chr_file rw_file_perms;
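Review bot: `allow surfaceflinger tee_device:chr_file rw_file_perms;` hands the compositor read/write access to the TEE device node on every device, justified by a comment that admits it is only needed "on some devices". If the need is device-specific, a BOARD_SEPOLICY device overlay would keep it off platforms without that DRM path; if it really is universal, the comment should name the component that requires it so the rule can be reviewed against that use. The `tee:unix_stream_socket connectto` line shares the socket-file question raised on keystore.te.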
diff --git a/system_server.te b/system_server.te
index 09e6ec5..22d739b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -174,6 +174,9 @@
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
allow system_server system_wpa_socket:sock_file create_file_perms;
+# Remove sockets created by wpa_supplicant
+allow system_server wpa_socket:sock_file unlink;
+
# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;
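Review bot: `allow system_server wpa_socket:sock_file unlink;` is not sufficient on its own to remove a socket, since unlinking also requires `remove_name` on the parent directory (wifi_data_file:dir, judging by the type_transition in the context above). If system_server already holds rw_dir_perms or remove_name on wifi_data_file elsewhere in this file it is fine; otherwise the unlink will still be denied, so it is worth confirming rather than assuming. A short addition to the comment naming the directory rule it depends on would make the pairing visible.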
@@ -236,3 +239,8 @@
# For SELinuxPolicyInstallReceiver
selinux_manage_policy(system_server)
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow system_server unlabeled:file execute;
diff --git a/te_macros b/te_macros
index a05b7ac..9396e4f 100644
--- a/te_macros
+++ b/te_macros
@@ -321,3 +321,9 @@
# Non system_app application set
#
define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
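Review bot: The body of the new `userdebug_or_eng` define is not quoted, so the ifelse is evaluated once while te_macros is being read and the macro is defined as either the literal text $1 or an empty string, depending on target_build_variant at that moment. That works because target_build_variant is fixed by -D on the m4 command line before this file is read, but it reads as a per-call check and it silently defines an empty macro if the variable is undefined or misspelt. Quoting the body and using the chained form of ifelse makes the intent explicit, with $1 quoted so commas in the wrapped rules do not split the arguments: define(`userdebug_or_eng', `ifelse(target_build_variant, `eng', `$1', target_build_variant, `userdebug', `$1')'). A comment noting that the argument is an m4 quoted string and must not contain a single quote would also help, since callers in shell.te and su.te now place comments inside it.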
diff --git a/zygote.te b/zygote.te
index 9092457..b6a527c 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,7 +21,9 @@
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:dir rw_dir_perms;
-allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };
+allow zygote dalvikcache_data_file:file create_file_perms;
+# For art.
+allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
allow zygote system_file:file x_file_perms;
# Control cgroups.
@@ -50,3 +52,8 @@
allow zygote shell_data_file:file { write getattr };
allow zygote system_server:binder { transfer call };
allow zygote servicemanager:binder { call };
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow zygote unlabeled:file execute;