Merge "add /odm to file_contexts"
diff --git a/domain.te b/domain.te
index 32aa900..12633c8 100644
--- a/domain.te
+++ b/domain.te
@@ -381,3 +381,18 @@
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow domain {
+ file_type
+ -system_data_file
+ -apk_data_file
+ -app_data_file
+ -asec_public_file
+}:file execmod;
+
+neverallow { domain -appdomain } file_type:file execmod;
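Review bot: The comment above the first `neverallow` says the only exceptions are NDK text relocations, but that rule exempts the four data file types for every domain. Only the second rule, `neverallow { domain -appdomain } file_type:file execmod;`, narrows the exemption to app domains. I would state the combined effect in the comment, e.g. `# Combined effect: only appdomain may be granted execmod, and only on the four data file types excluded above.` Both rules match only `file_type` targets of class `file`, so an execmod grant on a type without that attribute would not trip them; worth confirming that is intended.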
diff --git a/fsck.te b/fsck.te
index 22ff7b1..ab4ee31 100644
--- a/fsck.te
+++ b/fsck.te
@@ -16,6 +16,21 @@
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+}:blk_file no_rw_file_perms;
+
# Only allow entry from init via the e2fsck binary.
neverallow { domain -init } fsck:process transition;
neverallow domain fsck:process dyntransition;
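Review bot: The new `neverallow fsck { ... }:blk_file no_rw_file_perms;` is a denylist of seven named block device types, so a block device type introduced later is not covered until someone adds it here. An inverted form that names what fsck may touch would fail closed, for example `neverallow fsck { dev_type -userdata_block_device -cache_block_device }:blk_file no_rw_file_perms;`. The exclusion list would need to match whatever the allow rules earlier in fsck.te grant, and those are outside the hunk. If the explicit list is kept, a comment such as `# Add every new non-fsck'able partition type to this list.` would help.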
diff --git a/gpsd.te b/gpsd.te
index 33b1df6..2e05092 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -18,3 +18,11 @@
# Execute the shell or system commands.
allow gpsd shell_exec:file rx_file_perms;
allow gpsd system_file:file rx_file_perms;
+
+###
+### neverallow
+###
+
+# gpsd can never have capabilities other than block_suspend
+neverallow gpsd self:capability *;
+neverallow gpsd self:capability2 ~block_suspend;
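Review bot: The comment `# gpsd can never have capabilities other than block_suspend` does not say that `block_suspend` belongs to the `capability2` class, which is why the first rule can be a bare `*`, nor why gpsd needs it. A fuller comment would save the next reader a lookup, e.g. `# No capability at all; in capability2 only block_suspend may be granted (presumably for wakelocks, confirm).` The context lines also let gpsd execute `shell_exec` and `system_file` with `rx_file_perms`. If those commands run without a domain transition, they stay in the gpsd domain and are bound by these rules too, which is worth stating in the comment.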
diff --git a/procrank.te b/procrank.te
index 06b33f8..680d549 100644
--- a/procrank.te
+++ b/procrank.te
@@ -5,9 +5,11 @@
type procrank, domain, mlstrustedsubject;
domain_auto_trans(shell, procrank_exec, procrank)
+ domain_auto_trans(dumpstate, procrank_exec, procrank)
allow procrank self:capability sys_ptrace;
allow procrank devpts:chr_file { read write getattr ioctl };
+ allow procrank dumpstate:unix_stream_socket { read write getattr };
r_dir_file(procrank, domain)
- allow procrank shell:fd use;
+ allow procrank { shell dumpstate }:fd use;
allow procrank adbd:process sigchld;
')
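Review bot: The added `domain_auto_trans(dumpstate, procrank_exec, procrank)` gives dumpstate an entry into a domain that holds `sys_ptrace` and `r_dir_file(procrank, domain)`, and nothing in the hunk records why. The closing `')` suggests the block is wrapped in a build-variant macro, but its opening line is outside the hunk, so confirm the new rules remain limited to debug builds. I would add a comment above the new lines, such as `# dumpstate runs procrank for bug reports and reads its output over an inherited socket.`, adjusted to the actual reason.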