Merge "Allow access to the daydream ("dreams") service." into nyc-dev
diff --git a/app.te b/app.te
index 438e01f..5927eb9 100644
--- a/app.te
+++ b/app.te
@@ -212,7 +212,8 @@
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
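Review bot: The comment on the line above the rewritten allowxperm rule still reads `# only allow unprivileged socket ioctl commands`, but the new rule also grants unpriv_tty_ioctls, so the comment no longer describes what is permitted; suggest `# only allow unprivileged socket and TTY/file ioctl commands`. The same stale comment precedes the identical rewrites in audioserver.te, mediadrmserver.te and mediaserver.te. Since the new set is applied to the rawip/tcp/udp socket classes rather than a tty device, a reader would also benefit from a short note that TIOCOUTQ and FIOCLEX are being permitted on sockets here.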
diff --git a/audioserver.te b/audioserver.te
index eeed985..f53b824 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -113,7 +113,8 @@
};
# only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/bluetooth.te b/bluetooth.te
index 6a329b7..1817820 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -24,6 +24,8 @@
allow bluetooth self:capability2 wake_alarm;
# tethering
+allow bluetooth self:packet_socket create_socket_perms;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms;
allow bluetooth efs_file:dir search;
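Review bot: The two added lines grant packet_socket creation together with net_admin, net_raw and net_bind_service under the single `# tethering` comment, which does not say which tethering step needs each new capability; net_raw plus a packet socket is enough to read and inject link-layer frames, so the rationale is worth recording next to the grant. A comment of the form `# tethering: packet_socket/net_raw needed for <step>, net_bind_service for <step>` filled in by the author would let a later reviewer judge whether the set can be narrowed. The neverallow in the second hunk of this file is updated consistently with these additions, so no further policy change is needed for it to build.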
@@ -59,6 +61,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin, wake_alarm and block_suspend
-neverallow bluetooth self:capability ~net_admin;
+# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/ioctl_macros b/ioctl_macros
index 7345879..466870e 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -8,8 +8,6 @@
SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-# commonly used TTY ioctls
-TIOCOUTQ FIOCLEX
}')
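Review bot: Removing TIOCOUTQ and FIOCLEX from unpriv_sock_ioctls silently drops them for every domain that references this macro and is not rewritten in this diff to also use unpriv_tty_ioctls; only appdomain, audioserver, mediadrmserver and mediaserver are updated here. Please confirm no other .te file uses `ioctl unpriv_sock_ioctls` on its own, or that losing those two ioctls there is intended. The opening line of the unpriv_sock_ioctls definition is above this hunk, so the full list could not be checked from the diff alone.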
# socket ioctls never allowed to unprivileged apps
@@ -41,3 +39,6 @@
# Dev private ioctl i.e. hardware specific ioctls
SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
}')
+
+# commonly used TTY ioctls
+define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
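Review bot: The comment `# commonly used TTY ioctls` is slightly misleading because FIOCLEX is the generic set-close-on-exec file ioctl rather than a terminal ioctl, and the callers in this diff apply the macro to socket classes; suggest `# commonly used TTY/file ioctls (TIOCOUTQ, FIOCLEX), also issued on sockets`. It would also help to state that the macro is meant to be granted alongside unpriv_sock_ioctls, as every caller in this diff does, so the split is not mistaken for a tightening of the socket set.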
diff --git a/logd.te b/logd.te
index aa24c05..95a30ef 100644
--- a/logd.te
+++ b/logd.te
@@ -22,6 +22,10 @@
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
+# Set persist.sys. and sys.powerctl
+set_prop(logd, safemode_prop)
+set_prop(logd, powerctl_prop)
+
# Access device logging gating property
get_prop(logd, device_logging_prop)
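Review bot: The comment `# Set persist.sys. and sys.powerctl` overstates the first grant: safemode_prop covers only persist.sys.safemode and persist.sys.audit_safemode (per the property_contexts change in this diff), not the whole persist.sys. prefix, which stays system_prop. Suggest `# Set persist.sys.safemode / persist.sys.audit_safemode (safemode_prop) and sys.powerctl (powerctl_prop)`. Because sys.powerctl is the property init reads to trigger reboot/shutdown, a one-line why-comment saying what logd needs it for would help a later reviewer judge the grant; powerctl_prop is not declared in this diff and is presumably pre-existing.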
diff --git a/mediadrmserver.te b/mediadrmserver.te
index f4b5ecc..bd2264d 100644
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -49,7 +49,8 @@
allow mediadrmserver mediaserver_service:service_manager { add find };
# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/mediaserver.te b/mediaserver.te
index a305060..7aa6ec7 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -120,7 +120,8 @@
};
# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/netd.te b/netd.te
index 2c0fb15..98a1a2a 100644
--- a/netd.te
+++ b/netd.te
@@ -30,15 +30,6 @@
# XXX Split into its own type.
allow netd sysfs:file write;
-# Set dhcp lease for PAN connection
-set_prop(netd, dhcp_prop)
-set_prop(netd, system_prop)
-auditallow netd system_prop:property_service set;
-
-# Connect to PAN
-domain_auto_trans(netd, dhcp_exec, dhcp)
-allow netd dhcp:process signal;
-
# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
@@ -64,10 +55,19 @@
set_prop(netd, ctl_mdnsd_prop)
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+binder_service(netd)
+allow netd netd_service:service_manager add;
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;
+
###
### Neverallow rules
###
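Review bot: `allow netd system_server:binder call;` is written as a raw allow while the reverse direction in system_server.te uses the `binder_call(system_server, netd)` macro; as far as I recall the macro also grants transfer, so if that is acceptable here `binder_call(netd, system_server)` would keep the two sides symmetric, and if transfer is deliberately withheld the comment above the rule should say so. The comment `# Allow netd to call into the system server so it can check permissions.` could name which permission checks are meant, since netd_service is now reachable only by domains given an explicit find (system_server in this diff).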
diff --git a/priv_app.te b/priv_app.te
index 275020f..79e9e96 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -31,6 +31,7 @@
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app recovery_service:service_manager find;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
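Review bot: The added `allow priv_app recovery_service:service_manager find;` is the only rule exposing recovery_service to apps, since service.te declares it as a system_server_service but not an app_api_service or system_api_service, and the line carries no comment naming the privileged app that needs it. Following the pattern of the /mnt/media_rw rule just below, a comment such as `# <app name> needs the recovery service; TODO: narrow to that app` would give a future reviewer a basis for tightening it.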
diff --git a/property.te b/property.te
index c649a90..26d15ff 100644
--- a/property.te
+++ b/property.te
@@ -33,5 +33,6 @@
type dalvik_prop, property_type, core_property_type;
type config_prop, property_type, core_property_type;
type device_logging_prop, property_type;
+type safemode_prop, property_type;
allow property_type tmpfs:filesystem associate;
diff --git a/property_contexts b/property_contexts
index 9e936ca..fed44df 100644
--- a/property_contexts
+++ b/property_contexts
@@ -43,6 +43,8 @@
persist.log.tag u:object_r:logd_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
+persist.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
diff --git a/service.te b/service.te
index 80e6142..e33fd7a 100644
--- a/service.te
+++ b/service.te
@@ -12,6 +12,7 @@
type mediaextractor_service, service_manager_type;
type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
+type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
@@ -82,6 +83,7 @@
type print_service, app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 1d18a60..d3c7d72 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,6 +2,7 @@
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
alarm u:object_r:alarm_service:s0
+android.net.INetd u:object_r:netd_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
@@ -102,6 +103,7 @@
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
+recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
rttmanager u:object_r:rttmanager_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
diff --git a/system_server.te b/system_server.te
index 2e131b3..fc36949 100644
--- a/system_server.te
+++ b/system_server.te
@@ -136,6 +136,7 @@
binder_call(system_server, fingerprintd)
binder_call(system_server, { appdomain autoplay_app })
binder_call(system_server, dumpstate)
+binder_call(system_server, netd)
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
@@ -295,6 +296,7 @@
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, safemode_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, system_radio_prop)
@@ -396,6 +398,7 @@
allow system_server mediaextractor_service:service_manager find;
allow system_server mediacodec_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };