Merge "Address SELinux denials with clatd."
diff --git a/hostapd.te b/hostapd.te
index a5ed62a..e6e88e9 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -11,6 +11,7 @@
allow hostapd wifi_data_file:file rw_file_perms;
allow hostapd wifi_data_file:dir create_dir_perms;
+type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
allow hostapd wpa_socket:dir create_dir_perms;
allow hostapd wpa_socket:sock_file create_file_perms;
allow hostapd netd:fd use;
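Review bot: The named type_transition on line 9 has no comment, and the same rule is added to wpa_supplicant.te in this commit, so a reader of either file cannot tell that both daemons must produce the same label for the `sockets` directory regardless of which one creates it first. A filename transition only fires when hostapd itself creates a directory literally named `sockets` directly under a wifi_data_file directory; if hostapd creates a sock_file anywhere else under wifi_data_file, nothing visible in this hunk labels it wpa_socket, so it is worth confirming the daemon only uses that directory. Suggested comment above line 9: `# Label the "sockets" dir hostapd creates under wifi_data_file as wpa_socket (kept in sync with wpa_supplicant.te)`. The hunk header counts six old lines but only five are visible, so one context line appears to have been lost in extraction.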
diff --git a/init_shell.te b/init_shell.te
index 8ff5c48..e1ca03a 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,4 +1,6 @@
-# Restricted domain for shell processes spawned by init
+# Restricted domain for shell processes spawned by init.
+# Normally these are shell commands or scripts invoked via sh
+# from an init*.rc file. No service should ever run in this domain.
type init_shell, domain, shelldomain;
domain_auto_trans(init, shell_exec, init_shell)
unconfined_domain(init_shell)
diff --git a/shell.te b/shell.te
index ad30802..b5f0377 100644
--- a/shell.te
+++ b/shell.te
@@ -1,4 +1,4 @@
-# Domain for shell processes spawned by ADB
+# Domain for shell processes spawned by ADB or console service.
type shell, domain, shelldomain, mlstrustedsubject;
type shell_exec, exec_type, file_type;
diff --git a/su.te b/su.te
index 1317fb2..5ba5776 100644
--- a/su.te
+++ b/su.te
@@ -2,6 +2,9 @@
type su_exec, exec_type, file_type;
userdebug_or_eng(`
+ # Domain used for su processes, as well as for adbd and adb shell
+ # after performing an adb root command. The domain definition is
+ # wrapped to ensure that it does not exist at all on -user builds.
type su, domain;
domain_auto_trans(shell, su_exec, su)
diff --git a/system_server.te b/system_server.te
index 945b59b..ca95abf 100644
--- a/system_server.te
+++ b/system_server.te
@@ -255,4 +255,4 @@
# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file w_file_perms;
+allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
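Review bot: The comment on lines 51-53 explains only the write access, while the new rule on line 55 also grants getattr, and the reason for the extra permission is not recorded anywhere in the hunk. Presumably system_server stats the lowmemorykiller parameter files before writing them, but that is an inference from the rule alone; please confirm against the observed denial and extend the comment, e.g. `# getattr is also needed: <reason from the observed denial>`. The hunk is complete as shown.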
diff --git a/untrusted_app.te b/untrusted_app.te
index 96c7009..16499c1 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -1,9 +1,20 @@
###
### Untrusted apps.
###
-### This file defines the rules for untrusted apps. An "untrusted
-### app" is an APP with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000).
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by one of the four platform keys. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
###
### untrusted_app includes all the appdomain rules, plus the
### additional following rules:
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 1ebf556..fd454bf 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -16,8 +16,8 @@
allow wpa random_device:chr_file r_file_perms;
# Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:sock_file wpa_socket;
-allow wpa wpa_socket:dir { rw_dir_perms setattr };
+type_transition wpa wifi_data_file:dir wpa_socket "sockets";
+allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms;
# Allow wpa_cli to work. wpa_cli creates a socket in