Address various denials introduced by JB/4.1.
diff --git a/app.te b/app.te
index 2ea00f1..c55f4e0 100644
--- a/app.te
+++ b/app.te
@@ -40,8 +40,8 @@
allow media_app cache_file:dir rw_dir_perms;
allow media_app cache_file:file create_file_perms;
# Access sdcard.
-allow media_app sdcard:dir rw_dir_perms;
-allow media_app sdcard:file rw_file_perms;
+allow media_app sdcard:dir create_dir_perms;
+allow media_app sdcard:file create_file_perms;
# Apps signed with the shared key.
type shared_app, domain;
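Review bot: The `# Access sdcard.` comment at the top of the hunk no longer describes the rules beneath it, which now grant media_app the create_*_perms sets on sdcard directories and files; with the usual macro definitions those add create, rename, setattr and unlink/rmdir on top of the earlier read/write. Suggest `# Create, modify and remove files and directories on the sdcard.` so a later reader knows the widening was deliberate. The commit does not say which access was denied; recording it in the comment would make the grant easier to revisit later.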
@@ -119,8 +119,12 @@
# Notify zygote of death;
allow appdomain zygote:process sigchld;
-# Communicate over a FIFO to system processes.
+# Communicate over a FIFO or socket created by the system_server.
allow appdomain system:fifo_file rw_file_perms;
+allow appdomain system:unix_stream_socket { read write };
+
+# Communicate over a socket created by surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
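Review bot: The new comment on the FIFO line says `system_server` while the domain in the rule is `system`; if `system` is the system_server domain, say so, e.g. `# Use a FIFO or unix_stream_socket created by the system domain (system_server) and handed to the app.` These rules give every app domain, untrusted apps included, read/write (and setopt on surfaceflinger's sockets) on the peer's socket objects; since no connectto or accept is granted, the socket can presumably only be a descriptor the app already received, and stating that in the comment keeps the rule from being mistaken for a connect permission. The same surfaceflinger grant appears again in the system.te hunk below and could carry the same comment.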
diff --git a/sdcardd.te b/sdcardd.te
index 21b8673..84471d7 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -7,7 +7,7 @@
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton;
allow sdcardd sdcard:filesystem mount;
-allow sdcardd self:capability { setuid setgid };
+allow sdcardd self:capability { setuid setgid dac_override };
allow sdcardd system_data_file:dir create_dir_perms;
allow sdcardd system_data_file:file create_file_perms;
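Review bot: `dac_override` added to sdcardd's self:capability set lets the daemon bypass every file-mode check, which is a large grant for a FUSE helper, and the commit does not record which access was denied. If the denials were only read or search of directories owned by another uid, `dac_read_search` is the narrower capability to try first. Whichever is kept, add a comment naming the path and access that needs it, e.g. `# dac_override: needed to access [PATH FROM DENIAL] owned by another uid — confirm`, with the placeholder filled from the logged denial.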
diff --git a/surfaceflinger.te b/surfaceflinger.te
index bbefa14..10a57ee 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -23,5 +23,7 @@
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket *;
-# ctl interface
+# Set properties.
+allow surfaceflinger system_prop:property_service set;
allow surfaceflinger ctl_default_prop:property_service set;
+
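Review bot: `# Set properties.` does not say which property surfaceflinger now writes, and system_prop covers every property carrying that label rather than one key; the comment should name the property that triggered the denial, e.g. `# Set [PROPERTY NAME FROM DENIAL] (labelled system_prop).` Whether a narrower property type exists for that key is worth checking before accepting the broad system_prop grant. The hunk also appends an empty line after the last rule, which leaves trailing whitespace at end of file and can be dropped.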
diff --git a/system.te b/system.te
index 1a94c75..04ff84c 100644
--- a/system.te
+++ b/system.te
@@ -107,6 +107,9 @@
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_send(system, wpa, wpa)
+# Communicate over a socket created by surfaceflinger.
+allow system surfaceflinger:unix_stream_socket { read write setopt };
+
# Perform Binder IPC.
tmpfs_domain(system)
binder_use(system)
diff --git a/vold.te b/vold.te
index 403771f..86dbbb7 100644
--- a/vold.te
+++ b/vold.te
@@ -53,7 +53,7 @@
allow vold proc:file write;
# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { write create add_name mounton };
+allow vold system_data_file:dir { open read write create add_name mounton };
# Property Service
allow vold vold_prop:property_service set;
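Review bot: The comment `# Create and mount on /data/tmp_mnt.` does not account for the added `open read`, which on the dir class is the pair needed to list a directory's entries; presumably vold now enumerates that directory, though the denial itself is not shown. Suggest `# Create, list and mount on /data/tmp_mnt.` so the comment keeps pace with the rule. The rule is written against the whole system_data_file type rather than a type specific to /data/tmp_mnt, so listing access now extends to every directory with that label; noting that in the comment, or labelling the mount point separately, would narrow it.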