Merge "Allows init to send signals."
diff --git a/app.te b/app.te
index 7364d24..9a86d1c 100644
--- a/app.te
+++ b/app.te
@@ -123,8 +123,7 @@
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
-auditallow { appdomain -isolated_app } gpu_device:chr_file execute;
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
# Use the Binder.
binder_use(appdomain)
@@ -220,8 +219,8 @@
selinux_check_context(appdomain)
# appdomain should not be accessing information on /sys
-auditallow appdomain sysfs:dir { open getattr read ioctl };
-auditallow appdomain sysfs:file r_file_perms;
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
###
### Neverallow rules
diff --git a/domain.te b/domain.te
index 98edece..fb672ad 100644
--- a/domain.te
+++ b/domain.te
@@ -96,6 +96,9 @@
allow domain system_file:file { execute read open getattr };
allow domain system_file:lnk_file read;
+# read any sysfs symlinks
+allow domain sysfs:lnk_file read;
+
# libc references /data/misc/zoneinfo for timezone related information
r_dir_file(domain, zoneinfo_data_file)
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 36f8d99..5bc8bda 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -51,12 +51,11 @@
# Read already opened /cache files.
allow domain_deprecated { cache_file cache_recovery_file }:dir r_dir_perms;
allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read };
-allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
+allow domain_deprecated cache_file:lnk_file r_file_perms;
# Likely not needed. auditallow to be sure
auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:dir r_dir_perms;
auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt -recovery } cache_recovery_file:file { getattr read };
-auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
# For /acct/uid/*/tasks.
allow domain_deprecated cgroup:dir { search write };
diff --git a/priv_app.te b/priv_app.te
index 7099044..bd98ab7 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -36,8 +36,8 @@
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-auditallow priv_app cache_recovery_file:dir create_dir_perms;
-auditallow priv_app cache_recovery_file:file create_file_perms;
+auditallow priv_app cache_recovery_file:dir no_w_dir_perms;
+auditallow priv_app cache_recovery_file:file no_w_file_perms;
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
diff --git a/su.te b/su.te
index f263821..f58f7a3 100644
--- a/su.te
+++ b/su.te
@@ -5,7 +5,7 @@
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
- type su, domain, domain_deprecated, mlstrustedsubject;
+ type su, domain, mlstrustedsubject;
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect