Merge "Permit bluetooth to run DhcpClient" into nyc-dev
diff --git a/app.te b/app.te
index b89d4e1..5927eb9 100644
--- a/app.te
+++ b/app.te
@@ -110,6 +110,10 @@
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
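Review bot: The new `user_profile_data_file` grant is on all of `appdomain`, so isolated_app gets create/write access to a directory that installd, profman and dex2oat consume, and the hunk gives no reason isolated processes need to write profiles; unless they do, the two rules should be `allow { appdomain -isolated_app } user_profile_data_file:dir { search write add_name };` and `allow { appdomain -isolated_app } user_profile_data_file:file create_file_perms;`. Note also that file_contexts in this same change labels both `/data/misc/profiles/cur` and `/data/misc/profiles/ref` with this type, so the grant appears to reach the reference profiles as well as the current ones, subject only to DAC. The comment should also say what is being written and where: `# Write ART profiles to /data/misc/profiles (user_profile_data_file)`.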
@@ -208,7 +212,8 @@
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
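Review bot: The comment `# only allow unprivileged socket ioctl commands` above the rule is now stale, since the permission set also carries `unpriv_tty_ioctls`, which ioctl_macros in this change defines as `TIOCOUTQ FIOCLEX`. Suggest `# only allow unprivileged socket ioctls, plus the TTY-range ioctls (TIOCOUTQ, FIOCLEX) that are valid on sockets` so a reader does not assume TTY ioctls were granted by mistake. The same stale comment precedes the identical rules in audioserver.te, mediaserver.te and mediadrmserver.te.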
diff --git a/audioserver.te b/audioserver.te
index eeed985..f53b824 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -113,7 +113,8 @@
};
# only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/dex2oat.te b/dex2oat.te
index df3cc42..58fcef8 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -1,5 +1,5 @@
# dex2oat
-type dex2oat, domain, mlstrustedsubject, domain_deprecated;
+type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type;
allow dex2oat dalvikcache_data_file:file write;
@@ -15,7 +15,7 @@
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
allow dex2oat apk_tmp_file:file read;
-allow dex2oat app_data_file:file {read write lock};
+allow dex2oat user_profile_data_file:file {read lock};
##################
# A/B OTA Dexopt #
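Review bot: dex2oat keeps `read lock` on `user_profile_data_file`, which apps write under the app.te rules in this change, so dex2oat is a consumer of app-controlled profile data too, even though the domain.te neverallow comment attributes the parsing solely to profman. If dex2oat itself parses the profile format, a comment here should say so, e.g. `# Profiles are written by apps; read via fds passed from installd and treated as untrusted input`. The lack of `open` looks intentional (fd passing from installd), but that is inferred, not visible in this hunk; the mlstrustedsubject removal in the first hunk is presumably sound because this type is declared mlstrustedobject in file.te.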
diff --git a/domain.te b/domain.te
index e24036b..9d377e5 100644
--- a/domain.te
+++ b/domain.te
@@ -551,3 +551,11 @@
-ueventd
-vold
} fuse_device:chr_file *;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
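Review bot: The comment has a typo (`run in from installd`) and does not explain why `-profman` is excluded, which matters because it is the only other domain allowed to execute profman_exec. Suggest `# Profiles contain untrusted, app-written data that profman parses, so profman` / `# may only be started by installd (domain_auto_trans); profman itself is excluded` / `# so the domain can execute its own binary.` Whether profman actually re-execs is not visible here, so confirm that the exclusion is needed rather than carried over from the dex2oat pattern.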
diff --git a/file.te b/file.te
index 685cfe0..ff60c04 100644
--- a/file.te
+++ b/file.te
@@ -85,6 +85,8 @@
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
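Review bot: `user_profile_data_file` is the only type in this hunk that is also `mlstrustedobject`, and nothing says why; that attribute lets subjects at any MLS level access the files, which is a security-relevant exception worth a sentence. Presumably it is because apps of every user (different MLS categories) write into /data/misc/profiles and installd/profman/dex2oat read them back; if so, write `# /data/misc/profiles - written by apps of all users, read by installd/profman/dex2oat, hence mlstrustedobject`. If the reason is different, document that instead.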
diff --git a/file_contexts b/file_contexts
index 9222324..ed8e30e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -203,6 +203,7 @@
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat u:object_r:dex2oat_exec:s0
+/system/bin/profman u:object_r:profman_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -289,6 +290,10 @@
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
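Review bot: Because `cur` and `ref` share one label, every `user_profile_data_file` write grant in this change (app.te gives it to all of appdomain) appears to cover the reference profiles that dex2oat reads at dexopt, limited only by DAC; the TODO should state that consequence rather than just "label differently". Suggest `# TODO(calin): give /data/misc/profiles/ref its own type so that only profman (spawned by installd) can write reference profiles; with the shared label, app write access to cur also applies to ref.` Confirm against the directory ownership set up by installd/vold, which is not visible here.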
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 81d7fdf..051daca 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -24,4 +24,7 @@
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+# For hardware properties retrieval
+allow gatekeeperd hardwareproperties_service:service_manager find;
+
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/installd.te b/installd.te
index f685a48..688a7e6 100644
--- a/installd.te
+++ b/installd.te
@@ -66,6 +66,9 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
@@ -109,6 +112,10 @@
autoplay_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
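Review bot: The comment `# Similar for the files under /data/misc/profiles/` undersells a difference: the preceding rule grants `relabelfrom relabelto` while this one does not, so a reader cannot tell whether the omission is deliberate. If profile files simply inherit the directory label and never need relabeling, say so: `# Create/read/write/delete profile files and directories under /data/misc/profiles (no relabel; they inherit the directory label)`. If installd does relabel them during migration, the rule is missing those permissions.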
diff --git a/ioctl_macros b/ioctl_macros
index 7345879..466870e 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -8,8 +8,6 @@
SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-# commonly used TTY ioctls
-TIOCOUTQ FIOCLEX
}')
# socket ioctls never allowed to unprivileged apps
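Review bot: Dropping `TIOCOUTQ FIOCLEX` from `unpriv_sock_ioctls` silently removes those two ioctls from any domain that uses the macro on its own; this change only adds the new macro to appdomain, audioserver, mediaserver and mediadrmserver, so any other `allowxperm ... unpriv_sock_ioctls` user in the tree loses them. Worth grepping for all consumers and either updating them or recording the split in the macro's comment, e.g. `# Socket ioctls unprivileged domains may use; TTY-range ioctls are in unpriv_tty_ioctls`.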
@@ -41,3 +39,6 @@
# Dev private ioctl i.e. hardware specific ioctls
SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
}')
+
+# commonly used TTY ioctls
+define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
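Review bot: The comment `# commonly used TTY ioctls` does not explain why these two show up on sockets, which is the only class they are granted on in this change. TIOCOUTQ is the same number as SIOCOUTQ (bytes not yet sent) and FIOCLEX is a generic close-on-exec fd ioctl rather than a terminal one, so `# TTY-range ioctls that are also valid on sockets: TIOCOUTQ (== SIOCOUTQ, unsent bytes) and FIOCLEX (set close-on-exec)` would make the grant self-explanatory.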
diff --git a/logd.te b/logd.te
index aa24c05..95a30ef 100644
--- a/logd.te
+++ b/logd.te
@@ -22,6 +22,10 @@
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
+# Set persist.sys. and sys.powerctl
+set_prop(logd, safemode_prop)
+set_prop(logd, powerctl_prop)
+
# Access device logging gating property
get_prop(logd, device_logging_prop)
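Review bot: The comment `# Set persist.sys. and sys.powerctl` overstates the first grant and understates the second: `safemode_prop` covers only `persist.sys.safemode` and `persist.sys.audit_safemode` per property_contexts in this change, not all of `persist.sys.`, while `powerctl_prop` lets logd reboot the device. The comment should name the trigger, something like `# Flip persist.sys.safemode / persist.sys.audit_safemode and reboot via sys.powerctl` followed by the condition; it is presumably the audit rate-limit handling in logd, but that is not visible here and should be confirmed before writing it down.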
diff --git a/mediadrmserver.te b/mediadrmserver.te
index f4b5ecc..bd2264d 100644
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -49,7 +49,8 @@
allow mediadrmserver mediaserver_service:service_manager { add find };
# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/mediaserver.te b/mediaserver.te
index a305060..7aa6ec7 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -120,7 +120,8 @@
};
# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/priv_app.te b/priv_app.te
index 275020f..79e9e96 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -31,6 +31,7 @@
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app recovery_service:service_manager find;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
diff --git a/profman.te b/profman.te
new file mode 100644
index 0000000..ac34e89
--- /dev/null
+++ b/profman.te
@@ -0,0 +1,9 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { read write lock };
+
+allow profman installd:fd use;
+
+neverallow profman app_data_file:notdevfile_class_set open;
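Review bot: The new domain has no comment explaining its access model, which is unusual: it gets `read write lock` on profile files but not `open`, and `installd:fd use`, which together read as "profman only works on descriptors installd opened and passed to it". If that is the intent, say so at the top: `# profman operates only on profile fds opened by installd (no open permission on purpose)`, and annotate the neverallow with `# must never open app data directly`. If profman does need to open profiles itself, the `open` permission is missing.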
diff --git a/property.te b/property.te
index c649a90..26d15ff 100644
--- a/property.te
+++ b/property.te
@@ -33,5 +33,6 @@
type dalvik_prop, property_type, core_property_type;
type config_prop, property_type, core_property_type;
type device_logging_prop, property_type;
+type safemode_prop, property_type;
allow property_type tmpfs:filesystem associate;
diff --git a/property_contexts b/property_contexts
index 9e936ca..fed44df 100644
--- a/property_contexts
+++ b/property_contexts
@@ -43,6 +43,8 @@
persist.log.tag u:object_r:logd_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
+persist.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
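Review bot: The two new entries need a comment saying they are carved out of `persist.sys.` so that logd can set safe mode without being granted `system_prop`, and that property_contexts entries are prefixes, so any longer key starting with `persist.sys.safemode` also becomes `safemode_prop`. Suggest `# Carved out of persist.sys. so logd can set safe mode without system_prop (prefix match)`. Placing them after `persist.sys.` is presumably fine because libselinux orders property specs by prefix length, but confirm that the init in this branch does the same.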
diff --git a/service.te b/service.te
index 34bd50a..63636f6 100644
--- a/service.te
+++ b/service.te
@@ -54,6 +54,7 @@
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
+type hardwareproperties_service, app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, system_server_service, service_manager_type;
@@ -81,6 +82,7 @@
type print_service, app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 39e004c..e23f72b 100644
--- a/service_contexts
+++ b/service_contexts
@@ -44,6 +44,7 @@
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
hardware u:object_r:hardware_service:s0
+hardwareproperties u:object_r:hardwareproperties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
@@ -101,6 +102,7 @@
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
+recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
rttmanager u:object_r:rttmanager_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
diff --git a/system_server.te b/system_server.te
index 2e131b3..1bbe9ef 100644
--- a/system_server.te
+++ b/system_server.te
@@ -295,6 +295,7 @@
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, safemode_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, system_radio_prop)
diff --git a/untrusted_app.te b/untrusted_app.te
index 30364b0..189f3c5 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -171,6 +171,7 @@
-app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
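Review bot: `# Access to profile files` does not say why an untrusted app needs write access to a directory that installd, profman and dex2oat later consume; the sibling entries each state what the exclusion is for. Suggest `-user_profile_data_file # /data/misc/profiles: the ART runtime writes the app's own profile here`, hedged on the runtime being the writer. The neverallow this list belongs to starts and ends outside the hunk, so which permissions the exclusion releases is not visible here.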
diff --git a/vold.te b/vold.te
index 9a1ccfe..fb3673c 100644
--- a/vold.te
+++ b/vold.te
@@ -185,6 +185,9 @@
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
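Review bot: Both vold (here) and installd (installd.te in this change) receive `create_dir_perms` on `user_profile_data_file`, and `# Prepare profile dir for users.` does not say which level each creates, so the overlap cannot be checked. If vold creates the per-user `cur/<user>` directories during user setup and installd the per-package ones underneath, write `# Create the per-user /data/misc/profiles/cur/<user> directories at user setup; installd creates the per-package subdirs`; if only one of them needs the permission, drop it from the other.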