Merge "system_server: allow appendable file descriptors"
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index e6e827b..6e3b671 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -79,6 +79,7 @@
-debuggerd
-dex2oat
-dumpstate
+ -init
-installd
-system_server
-zygote
@@ -115,8 +116,38 @@
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow domain_deprecated inotify:dir r_dir_perms;
auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -init
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:dir r_dir_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -init
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
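Review bot: The two new multi-line `auditallow` blocks for `cgroup:dir` and `cgroup:{ file lnk_file }` repeat the same exclusion list, and nothing says the lists must stay identical or why `-dumpstate` was added to both. If a later edit touches only one list, directory reads and file reads would be audited for different domain sets. That would make the audit log unreliable when deciding which cgroup access can be removed from `domain_deprecated`. I would add a comment above the first block, for example `# Keep the two cgroup exclusion lists below in sync; dumpstate reads cgroup via r_dir_file() in dumpstate.te.`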
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 20f8bda..57e8703 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -95,6 +95,9 @@
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
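Review bot: The added comment names `/dev/cpuctl` and `/dev/cpuset`, but `r_dir_file(dumpstate, cgroup)` is granted on the type. It therefore applies to every directory, file and symlink labeled `cgroup`, not only those two mount points. The macro grants read access only, so the exposure is information disclosure to dumpstate, but a reader auditing this domain could take the comment for a path-limited grant. Suggested wording: `# Read everything labeled cgroup (e.g. /dev/cpuctl, /dev/cpuset)`.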
diff --git a/public/kernel.te b/public/kernel.te
index 556904c..c404fc0 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -87,9 +87,6 @@
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
# for the program and domain_auto_trans() to it.
-# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
-# program was left in the kernel domain and is now trying to execute
-# some other program. Fix your init.rc file.
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
-neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
+neverallow kernel *:file { entrypoint execute_no_trans };
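Review bot: The `neverallow` now targets `*:file` and drops the `-rootfs` exemption, but the remaining comment does not say that rootfs is deliberately covered. A vendor policy that still runs something from rootfs in the kernel domain would hit this rule at build time with no explanation of the intent. The comment block starts above the hunk, so part of the explanation may already be there. If it is not, I would add a line directly above the rule such as `# No file, not even one on rootfs, may be an entrypoint for the kernel domain or be executed by it without a domain transition.` Removing the obsolete setcon bullet looks right; this only asks for the new scope to be stated.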