Merge "dontaudit su"
diff --git a/app.te b/app.te
index 7e53724..296a536 100644
--- a/app.te
+++ b/app.te
@@ -133,6 +133,10 @@
# /data/dalvik-cache/profiles
allow appdomain dalvikcache_profiles_data_file:file write;
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
###
### CTS-specific rules
###
@@ -314,7 +318,9 @@
# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
- kernel:system { syslog_read syslog_mod syslog_console };
+ kernel:system { syslog_mod syslog_console };
+neverallow { appdomain -system_app -unconfineddomain -shelldomain }
+ kernel:system syslog_read;
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
diff --git a/file.te b/file.te
index 00f1589..874f45f 100644
--- a/file.te
+++ b/file.te
@@ -75,6 +75,7 @@
type media_rw_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type;
+type shared_relro_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index b7d3cb1..c871d95 100644
--- a/file_contexts
+++ b/file_contexts
@@ -196,6 +196,7 @@
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
+/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
diff --git a/seapp_contexts b/seapp_contexts
index 91cfe72..57b443f 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,6 +39,7 @@
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro
user=shell domain=shell type=shell_data_file
user=_isolated domain=isolated_app
user=_app seinfo=platform domain=platform_app type=app_data_file
diff --git a/shared_relro.te b/shared_relro.te
new file mode 100644
index 0000000..54bdbb9
--- /dev/null
+++ b/shared_relro.te
@@ -0,0 +1,10 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
+
+# Grant write access to the shared relro files/directory.
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
diff --git a/shelldomain.te b/shelldomain.te
index 0a86426..3dd0941 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -32,3 +32,6 @@
# Directory read access and file write access is already granted
# in domain.te.
allow shelldomain debugfs:file r_file_perms;
+
+# allow shell to run dmesg
+allow shelldomain kernel:system syslog_read;