Merge "Revert "Ensure only com.android.shell can run in the shell domain.""
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a791009..2a32f14 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -569,6 +569,7 @@
sysfs_android_usb
sysfs_dm
sysfs_ipv4
+ sysfs_net
sysfs_power
sysfs_rtc
sysfs_switch
diff --git a/private/file_contexts b/private/file_contexts
index d87d9bf..03bd889 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -376,7 +376,6 @@
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
-/data/misc/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
@@ -396,6 +395,9 @@
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+# storaged proto files
+/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2cc6f70..7bf252d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,8 +2,7 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
-genfscon proc /asound/cards u:object_r:proc_asound:s0
-genfscon proc /asound/devices u:object_r:proc_asound:s0
+genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
@@ -72,6 +71,7 @@
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
diff --git a/private/priv_app.te b/private/priv_app.te
index 60fb411..f4cfc17 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -114,6 +114,9 @@
# suppress denials when safetynet scans /system
dontaudit priv_app exec_type:file getattr;
+dontaudit priv_app device:dir read;
+dontaudit priv_app proc_interrupts:file read;
+dontaudit priv_app proc_modules:file read;
###
### neverallow rules
diff --git a/private/system_server.te b/private/system_server.te
index 44b3b0c..9879913 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -178,6 +178,7 @@
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
+binder_call(system_server, storaged)
binder_call(system_server, vold)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
@@ -585,6 +586,7 @@
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
+allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wificond_service:service_manager find;
@@ -758,11 +760,8 @@
neverallow system_server dex2oat_exec:file no_x_file_perms;
# system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
- data_file_type
- -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
+# in /data
+neverallow system_server data_file_type:file no_x_file_perms;
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 42d9290..a814f16 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@
read_runtime_log_tags(dumpstate)
# Read files in /proc
+allow dumpstate proc_cmdline:file r_file_perms;
allow dumpstate proc_meminfo:file r_file_perms;
allow dumpstate proc_net:file r_file_perms;
allow dumpstate proc_pagetypeinfo:file r_file_perms;
@@ -198,6 +199,16 @@
-vold_service
-vr_hwc_service
}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ dumpstate_service
+ gatekeeper_service
+ incident_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
diff --git a/public/file.te b/public/file.te
index 435b852..323198a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -55,6 +55,7 @@
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
diff --git a/public/netd.te b/public/netd.te
index aa99da2..a1917b3 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -38,9 +38,11 @@
allow netd proc_net:file rw_file_perms;
# Enables PppController and interface enumeration (among others)
-r_dir_file(netd, sysfs_type)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
# Allows setting interface MTU
-allow netd sysfs:file write;
+allow netd sysfs_net:file w_file_perms;
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
diff --git a/public/shell.te b/public/shell.te
index fb650bf..3ef1486 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -106,14 +106,16 @@
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;
-# allow shell to look through /proc/ for ps, top, netstat
+# allow shell to look through /proc/ for lsmod, ps, top, netstat.
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
allow shell proc_filesystems:file r_file_perms;
allow shell proc_interrupts:file r_file_perms;
allow shell proc_meminfo:file r_file_perms;
+allow shell proc_modules:file r_file_perms;
allow shell proc_stat:file r_file_perms;
allow shell proc_timer:file r_file_perms;
+allow shell proc_version:file r_file_perms;
allow shell proc_zoneinfo:file r_file_perms;
r_dir_file(shell, cgroup)
allow shell domain:dir { search open read getattr };
diff --git a/public/vold.te b/public/vold.te
index 197eead..2c2f147 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -199,10 +199,10 @@
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
-neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
# Only system_server and vdc can interact with vold over binder
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
index ddb5882..cc4cdae 100644
--- a/public/vold_prepare_subdirs.te
+++ b/public/vold_prepare_subdirs.te
@@ -14,5 +14,6 @@
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:capability dac_override;
allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { add_name write };
-allow vold_prepare_subdirs vold_data_file:dir { create getattr setattr };
+allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
+allow vold_prepare_subdirs vold_data_file:file { getattr unlink };