Merge "adbd/shell: grant access to sepolicy for cts" into oc-dev
am: bab5872cb1
Change-Id: I0341e66bd3a8fcbddf9daf7da84187430b5747d6
diff --git a/private/service_contexts b/private/service_contexts
index a65cb01..943cdee 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+ipsec u:object_r:ipsec_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
diff --git a/public/netd.te b/public/netd.te
index 81f4af4..35d9b7c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -80,6 +80,9 @@
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
###
### Neverallow rules
###
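Review bot: The new comment `# give netd permission to read and write netlink xfrm` describes only part of the rule: the added allow also grants `create_socket_perms_no_ioctl`, i.e. netd may open netlink_xfrm sockets, not just send and receive messages on one already open. A comment that records the consumer helps the next reviewer judge whether the grant is still needed; presumably this backs the ipsec_service added in service.te in this same change, so something like `# netd owns IPsec SA/policy management over netlink xfrm (used by ipsec_service)` would carry that context. If the intent is read/write only, the socket-creation permission could be narrowed to what netd actually exercises, but that cannot be decided from this hunk.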
diff --git a/public/service.te b/public/service.te
index 9172353..96a692a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -81,6 +81,7 @@
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
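Review bot: The new `type ipsec_service, app_api_service, ephemeral_app_api_service, ...` line exposes the ipsec service to every untrusted app and to ephemeral apps, the broadest audience a system_server service can have here. Neighbouring services carry the same attributes, so this may well be deliberate, but an IPsec management surface reachable from ephemeral apps is worth an explicit confirmation rather than inheritance by pattern; dropping `ephemeral_app_api_service` is a one-token change if that caller set is not required. The binder-level permission checks inside the service are outside this policy and cannot be assessed from the hunk.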
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
index d18609a..fdee588 100644
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -65,6 +65,10 @@
Displays the types associated with the specified attribute name.
+ sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -r <name>
+
+ Displays the attributes associated with the specified type name.
+
NEVERALLOW CHECKING (neverallow)
sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
[-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
index 474bda2..ae98aa9 100644
--- a/tools/sepolicy-analyze/attribute.c
+++ b/tools/sepolicy-analyze/attribute.c
@@ -1,39 +1,81 @@
+#include <getopt.h>
+
#include "attribute.h"
void attribute_usage() {
- fprintf(stderr, "\tattribute <attribute-name>\n");
+ fprintf(stderr, "\tattribute <name> [-r|--reverse]\n");
}
-static int list_attribute(policydb_t * policydb, char *name)
-{
- struct type_datum *attr;
+static void retrieve_mapping(policydb_t *policydb, struct type_datum *dat, char *name, int reverse) {
struct ebitmap_node *n;
unsigned int bit;
- attr = hashtab_search(policydb->p_types.table, name);
- if (!attr) {
+ if (reverse) {
+ ebitmap_for_each_bit(&policydb->type_attr_map[dat->s.value - 1], n, bit) {
+ if (!ebitmap_node_get_bit(n, bit))
+ continue;
+ if (!strcmp(policydb->p_type_val_to_name[bit], name))
+ continue;
+ printf("%s\n", policydb->p_type_val_to_name[bit]);
+ }
+ } else {
+ ebitmap_for_each_bit(&policydb->attr_type_map[dat->s.value - 1], n, bit) {
+ if (!ebitmap_node_get_bit(n, bit))
+ continue;
+ printf("%s\n", policydb->p_type_val_to_name[bit]);
+ }
+ }
+}
+
+static int list_attribute(policydb_t *policydb, char *name, int reverse)
+{
+ struct type_datum *dat;
+
+ dat = hashtab_search(policydb->p_types.table, name);
+ if (!dat) {
fprintf(stderr, "%s is not defined in this policy.\n", name);
return -1;
}
- if (attr->flavor != TYPE_ATTRIB) {
- fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
- return -1;
+ if (reverse) {
+ if (dat->flavor != TYPE_TYPE) {
+ fprintf(stderr, "%s is an attribute not a type in this policy.\n", name);
+ return -1;
+ }
+ } else {
+ if (dat->flavor != TYPE_ATTRIB) {
+ fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
+ return -1;
+ }
}
-
- ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
- if (!ebitmap_node_get_bit(n, bit))
- continue;
- printf("%s\n", policydb->p_type_val_to_name[bit]);
- }
+ retrieve_mapping(policydb, dat, name, reverse);
return 0;
}
int attribute_func (int argc, char **argv, policydb_t *policydb) {
- if (argc != 2) {
+ int reverse = 0;
+ char ch;
+
+ struct option attribute_options[] = {
+ {"reverse", no_argument, NULL, 'r'},
+ {NULL, 0, NULL, 0}
+ };
+
+ while ((ch = getopt_long(argc, argv, "r", attribute_options, NULL)) != -1) {
+ switch (ch) {
+ case 'r':
+ reverse = 1;
+ break;
+ default:
+ USAGE_ERROR = true;
+ return -1;
+ }
+ }
+
+ if (argc != 2 && !(reverse && argc == 3)) {
USAGE_ERROR = true;
return -1;
}
- return list_attribute(policydb, argv[1]);
+ return list_attribute(policydb, argv[optind], reverse);
}
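Review bot: `char ch;` in attribute_func stores the result of getopt_long, which returns an int; on targets where char is unsigned the `!= -1` comparison can never hold and the option loop never terminates, and even a signed char cannot tell -1 from a 0xFF option byte, so it should be `int ch;`. The operand check `if (argc != 2 && !(reverse && argc == 3))` also admits `attribute -r` with no name (argc == 2 and reverse set), after which `argv[optind]` is the element one past the last operand and list_attribute passes it to hashtab_search and strcmp; counting the remaining operands directly, `if (optind != argc - 1) {`, covers both the plain and the reverse form. getopt_long permutes argv and keeps its position in the global optind, so if other subcommands of this tool also parse options, optind may need resetting before this loop; the dispatcher is not visible from the hunk.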