Merge "hal_audio: remove access to audiohal_data_file"
diff --git a/private/file_contexts b/private/file_contexts
index d87d9bf..03bd889 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -376,7 +376,6 @@
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
-/data/misc/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
@@ -396,6 +395,9 @@
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+# storaged proto files
+/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
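Review bot: The new `/data/misc_ce/[0-9]+/storaged(/.*)?` entry replaces the `/data/misc/storaged` entry removed in the previous hunk, but nothing visible here covers data that already sits at the old path on an upgraded device. Once the old entry is gone, a later restorecon would presumably relabel that directory with whatever broader `/data/misc` entry matches, so it is worth confirming that the old directory is migrated or deleted. The comment could also record the availability change, for example `# storaged proto files (per-user, credential-encrypted; only available after the user unlocks)`, since storaged can no longer rely on this data at early boot.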
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1f451be..dc7e389 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -91,10 +91,6 @@
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
-# only the package named com.android.shell can run in the shell domain
-neverallow domain=shell name=((?!com\.android\.shell).)*
-neverallow user=shell name=((?!com\.android\.shell).)*
-
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
@@ -104,7 +100,7 @@
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
+user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
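Review bot: With `name=com.android.shell` dropped from the `user=shell seinfo=platform domain=shell` entry, and the two `name=` neverallows removed in the preceding hunk, the only selectors left for the shell domain are the shell uid and `seinfo=platform`. Any platform-signed package that runs under the shell uid is therefore labelled `shell` with `shell_data_file`, and no build-time check remains to catch a later entry that widens this. If that is the intent, a comment above the entry should say so, for example `# every platform-signed package sharing the shell uid runs in the shell domain`. The remaining `neverallow user=shell domain=((?!shell).)*` pins only the uid-to-domain direction, not which packages may enter the domain.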
diff --git a/private/system_server.te b/private/system_server.te
index 3510686..9879913 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -178,6 +178,7 @@
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
+binder_call(system_server, storaged)
binder_call(system_server, vold)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
@@ -585,6 +586,7 @@
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
+allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wificond_service:service_manager find;
diff --git a/public/shell.te b/public/shell.te
index 44d8121..3ef1486 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -115,6 +115,7 @@
allow shell proc_modules:file r_file_perms;
allow shell proc_stat:file r_file_perms;
allow shell proc_timer:file r_file_perms;
+allow shell proc_version:file r_file_perms;
allow shell proc_zoneinfo:file r_file_perms;
r_dir_file(shell, cgroup)
allow shell domain:dir { search open read getattr };
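Review bot: The added `allow shell proc_version:file r_file_perms;` carries no comment naming what needs it, and the file has its own type rather than the generic proc label, which suggests reads are meant to be granted deliberately. The shell domain is what an adb session runs in, so the kernel version and build string become readable to anyone with adb access, which is low-impact but useful for fingerprinting a device's patch level. A one-line justification above the rule would let a later audit judge whether the grant is still needed, e.g. `# <consumer> reads the kernel version string`, where `<consumer>` is a placeholder for the real tool or test.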
diff --git a/public/vold.te b/public/vold.te
index 197eead..2c2f147 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -199,10 +199,10 @@
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
-neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
# Only system_server and vdc can interact with vold over binder
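Review bot: After this change `vold_prepare_subdirs` is exempt from all four `vold_data_file` neverallows, so the build no longer bounds what that domain may be granted on vold's data. The wildcard `notdevfile_class_set *` rule matters most, because a later rule giving it `read` or `write` on those files would pass unnoticed. The rules added in vold_prepare_subdirs.te need only directory management plus `getattr unlink` on files, so a dedicated guard would keep the exemption as narrow as the grant, for example `neverallow vold_prepare_subdirs vold_data_file:notdevfile_class_set ~{ getattr unlink };`. This matters most if `vold_data_file` holds key material, as the tight existing rules suggest. Check the proposed rule against any grants outside this diff before adding it.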
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
index ddb5882..cc4cdae 100644
--- a/public/vold_prepare_subdirs.te
+++ b/public/vold_prepare_subdirs.te
@@ -14,5 +14,6 @@
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:capability dac_override;
allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { add_name write };
-allow vold_prepare_subdirs vold_data_file:dir { create getattr setattr };
+allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
+allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
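Review bot: The widened rules add `remove_name` on `system_data_file:dir` and `rmdir`/`unlink` on `vold_data_file`, with no comment saying which operation needs them. Together with the existing `self:capability dac_override`, the domain can now remove entries from any directory labelled `system_data_file` regardless of DAC ownership, limited only by the target's type. Grouping the rules under short comments would make it clear that the delete permissions serve teardown rather than setup, e.g. `# create per-user vold subdirectories` and `# remove them again when the user's storage is destroyed`. That wording is inferred from the domain name and should be confirmed against the binary.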