Merge "Removing unused rules."
diff --git a/private/crash_dump.te b/private/crash_dump.te
new file mode 100644
index 0000000..b3e4d9a
--- /dev/null
+++ b/private/crash_dump.te
@@ -0,0 +1,4 @@
+### HACK: Make crash_dump permissive temporarily to catch denials without breaking backtraces.
+userdebug_or_eng(`
+ permissive crash_dump;
+')
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 23b1e78..3e58ccf 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -12,95 +12,24 @@
### PackageManager flags an app as ephemeral at install time.
net_domain(ephemeral_app)
-
-# Define and allow access to our own type for ashmem regions.
-# Label ashmem objects with our own unique type.
-tmpfs_domain(ephemeral_app)
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Map with PROT_EXEC.
-allow ephemeral_app ephemeral_app_tmpfs:file execute;
-
-# allow JITing
-allow ephemeral_app self:process execmem;
-allow ephemeral_app ashmem_device:chr_file execute;
-
-# Send logcat messages to logd.
-write_logd(ephemeral_app)
-
-# Receive and use open file descriptors inherited from zygote.
-allow ephemeral_app zygote:fd use;
-
-# Notify zygote of death;
-allow ephemeral_app zygote:process sigchld;
-
-# application inherit logd write socket (urge is to deprecate this long term)
-allow ephemeral_app zygote:unix_dgram_socket write;
-
-# Read system properties managed by zygote.
-allow ephemeral_app zygote_tmpfs:file read;
+app_domain(ephemeral_app)
# App sandbox file accesses.
allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
-# Keychain and user-trusted credentials
-r_dir_file(ephemeral_app, keychain_data_file)
-allow ephemeral_app misc_user_data_file:dir r_dir_perms;
-allow ephemeral_app misc_user_data_file:file r_file_perms;
-
# Allow apps to read/execute installed binaries
-allow ephemeral_app ephemeral_apk_data_file:dir search;
+allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
-# For art.
-allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
-allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
-allow ephemeral_app dalvikcache_data_file:dir getattr;
-
-# Grant GPU access. ephemeral_app needs that to render the standard UI.
-allow ephemeral_app gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(ephemeral_app)
-# Perform binder IPC to binder services.
-binder_call(ephemeral_app, surfaceflinger)
-binder_call(ephemeral_app, system_server)
-# Perform binder IPC to apps.
-binder_call(ephemeral_app, appdomain)
-
-# Allow read access to ion memory allocation device
-allow ephemeral_app ion_device:chr_file { read open };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow ephemeral_app system_server:fifo_file rw_file_perms;
-allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Inherit or receive open files from system_server.
-allow ephemeral_app system_server:fd use;
-
-# Communicate with surfaceflinger.
-allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Read files already opened under /data.
-allow ephemeral_app system_data_file:file { getattr read };
-allow ephemeral_app system_data_file:lnk_file read;
-
-# System file accesses. Check for libraries
-allow ephemeral_app system_file:dir getattr;
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
# services
-allow ephemeral_app accessibility_service:service_manager find;
-allow ephemeral_app activity_service:service_manager find;
-allow ephemeral_app assetatlas_service:service_manager find;
-allow ephemeral_app connectivity_service:service_manager find;
-allow ephemeral_app display_service:service_manager find;
-allow ephemeral_app graphicsstats_service:service_manager find;
-allow ephemeral_app input_method_service:service_manager find;
-allow ephemeral_app input_service:service_manager find;
allow ephemeral_app surfaceflinger_service:service_manager find;
-allow ephemeral_app textservices_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+# TODO: Replace app_api_service with a smaller ephemeral_api_service
+allow ephemeral_app app_api_service:service_manager find;
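Review bot: The `app_api_service:service_manager find` grant at the end of this hunk replaces the explicit per-service finds removed above with every service carrying the app_api_service attribute, which is a real widening of the binder surface an ephemeral app can reach, and the TODO does not record which services are newly exposed by it. Until the narrower ephemeral_api_service exists, the comment should state that, e.g. `# TODO: Replace app_api_service with a smaller ephemeral_api_service. Until then this exposes every app_api_service member, not just the services ephemeral apps previously had.` The new `{ sdcard_type media_rw_data_file }:file` rule also includes `ioctl` on inherited fds; if the policy restricts app ioctls with allowxperm elsewhere, confirm ephemeral_app is covered by those xperm rules now that it is under app_domain, since that is not visible in this hunk.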
###
### neverallow rules
@@ -128,3 +57,7 @@
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
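Review bot: The new neverallow rules only lock in half of the storage restriction: they cover `sdcard_type` and `media_rw_data_file`, but the `storage_file` and `mnt_user_file` traversal rights that app.te now subtracts for ephemeral_app are protected only by that subtraction, which a future `allow appdomain ...` rule could silently re-grant. Since the rule set above also still uses `r_dir_perms` on ephemeral_apk_data_file, the intent is clearly fd-only access to external storage, so add `neverallow ephemeral_app { storage_file mnt_user_file }:dir search;` and `neverallow ephemeral_app { storage_file mnt_user_file }:lnk_file read;` next to the two new rules so the build fails if the exclusion is ever dropped.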
diff --git a/private/file_contexts b/private/file_contexts
index 0ca1c58..16ecbf0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -419,6 +419,7 @@
#############################
# sysfs files
#
+/sys/class/leds(/.*)? u:object_r:sysfs_leds:s0
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
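Review bot: The `/sys/class/leds(/.*)?` entry labels the class directory and the entries inside it, but on sysfs those entries are typically symlinks into /sys/devices, and a restorecon walk labels the link itself rather than the target, so the brightness/trigger attribute files hal_light actually writes would keep whatever label their /sys/devices path carries unless a device-specific file_contexts labels them sysfs_leds too. A short comment would save the next integrator a denial hunt, e.g. `# /sys/class/leds holds symlinks; device file_contexts must also label the LED nodes under /sys/devices as sysfs_leds`. This is inferred from the usual sysfs layout, not from anything in the hunk, so confirm against a real device.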
diff --git a/private/haldomain.te b/private/haldomain.te
index 511f78d..a8fa1a2 100644
--- a/private/haldomain.te
+++ b/private/haldomain.te
@@ -1,3 +1,5 @@
###
### Rules for all HAL implementations
###
+
+hwbinder_use(haldomain)
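Review bot: Granting hwbinder_use to the haldomain attribute covers every current and future HAL domain, which is why the per-HAL hwbinder_use lines are deleted throughout this change, but nothing in the file says so, and the next HAL author is likely to add one back. A one-line comment above the macro would prevent that, e.g. `# Every HAL implementation talks over hwbinder; do not add per-HAL hwbinder_use rules.` Whether every haldomain member genuinely needs /dev/hwbinder (passthrough-only implementations, for instance) is not visible here and is worth confirming.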
diff --git a/public/adbd.te b/public/adbd.te
index d60f8f1..f0df8b1 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -84,7 +84,7 @@
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd { app_data_file ephemeral_data_file }:dir search;
allow adbd { app_data_file ephemeral_data_file }:sock_file write;
-allow adbd { appdomain ephemeral_app }:unix_stream_socket connectto;
+allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
diff --git a/public/app.te b/public/app.te
index e350f45..f16a23e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -180,33 +180,33 @@
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app } sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
# Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
# For art.
allow appdomain dalvikcache_data_file:file execute;
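Review bot: The same subtraction set `{ appdomain -isolated_app -ephemeral_app }` is now repeated on fourteen consecutive rules in this hunk, and each one is an independent chance to forget the exclusion the next time a storage or USB rule is added. A single m4 define or a dedicated attribute for "apps that may touch external storage and USB" used by all of these rules would make an omission impossible instead of merely unlikely; at minimum a comment above the block stating that ephemeral apps must be excluded from every external-storage and USB rule would help. The choice of type-level exclusion versus attribute is a policy-style decision, so this is a suggestion rather than a defect.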
@@ -230,9 +230,9 @@
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
-allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-use_keystore({ appdomain -isolated_app })
+use_keystore({ appdomain -isolated_app -ephemeral_app })
allow appdomain console_device:chr_file { read write };
@@ -270,7 +270,7 @@
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
diff --git a/public/audioserver.te b/public/audioserver.te
index 9f390e7..676b04e 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -6,7 +6,7 @@
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, { appdomain ephemeral_app })
+binder_call(audioserver, appdomain)
binder_service(audioserver)
hwbinder_use(audioserver)
diff --git a/public/domain.te b/public/domain.te
index 9151fd3..5c48384 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -297,7 +297,6 @@
neverallow {
domain
-appdomain
- -ephemeral_app
-dumpstate
-shell
userdebug_or_eng(`-su')
diff --git a/public/drmserver.te b/public/drmserver.te
index 790b283..ab42696 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -9,7 +9,7 @@
# Perform Binder IPC to system server.
binder_use(drmserver)
binder_call(drmserver, system_server)
-binder_call(drmserver, { appdomain ephemeral_app })
+binder_call(drmserver, appdomain)
binder_service(drmserver)
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index d64a4b4..a495211 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -49,7 +49,7 @@
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
-allow dumpstate { appdomain ephemeral_app system_server }:process signal;
+allow dumpstate { appdomain system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
@@ -85,7 +85,7 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
+binder_call(dumpstate, { appdomain netd wificond })
# Vibrate the device after we are done collecting the bugreport
# For binderized mode:
diff --git a/public/file.te b/public/file.te
index d1497f5..527e496 100644
--- a/public/file.te
+++ b/public/file.te
@@ -32,6 +32,7 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
@@ -95,7 +96,7 @@
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type;
+type tombstone_data_file, file_type, data_file_type, mlstrustedobject;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
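Review bot: Adding `mlstrustedobject` to tombstone_data_file relaxes the MLS constraints so that processes at any MLS level (apps in different user categories, for example) can reach the directory subject only to type enforcement, and neither the comment nor the commit title explains why that is now needed. If this is to let crash_dump, running at the crashing app's level, write tombstones, say so on the comment line, e.g. `# /data/tombstones - core dumps (mlstrustedobject so crash_dump can write here from any MLS level)`. The reason is inferred from the new crash_dump policy elsewhere in this change, so adjust the wording if the motivation differs.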
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index a312e59..cab0145 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -3,6 +3,3 @@
hal_impl_domain(hal_allocator)
type hal_allocator_exec, exec_type, file_type;
-
-# hwbinder access
-hwbinder_use(hal_allocator)
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 2dcbeb8..15d0e41 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -1,4 +1,3 @@
-hwbinder_use(hal_audio)
binder_use(hal_audio)
binder_call(hal_audio, audioserver)
binder_call(hal_audio, system_server)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index d061471..a3497a7 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_bluetooth)
-
r_dir_file(hal_bluetooth, system_file)
# call into the Bluetooth process (callbacks)
diff --git a/public/hal_boot.te b/public/hal_boot.te
index 6688f7f..4e7ba9e 100644
--- a/public/hal_boot.te
+++ b/public/hal_boot.te
@@ -4,8 +4,5 @@
type hal_boot_exec, exec_type, file_type;
-# hwbinder access
-hwbinder_use(hal_boot)
-
# call into system_server process (callbacks)
binder_call(hal_boot, system_server)
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index 9d3685b..d991e9d 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_contexthub)
-
# call into system_server process (callbacks)
binder_call(hal_contexthub, system_server)
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 7884e38..55e3463 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_dumpstate)
-
# call into dumpstate process (callbacks)
binder_call(hal_dumpstate, dumpstate)
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 426b73a..db0fc6d 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -1,5 +1,3 @@
-hwbinder_use(hal_fingerprint)
-
# Scan through /system/lib64/hw looking for installed HALs
allow hal_fingerprint system_file:dir r_dir_perms;
@@ -20,4 +18,7 @@
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
+# Allow fingerprint to find and call keystore binder interfaces
+binder_use(hal_fingerprint);
+
r_dir_file(hal_fingerprint, cgroup)
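Review bot: The comment on the new lines promises that hal_fingerprint can "find and call keystore binder interfaces", but the hunk only adds `binder_use(hal_fingerprint);` — the `binder_call` to keystore and the `keystore_service:service_manager find` rule are not here, so either they live elsewhere and the comment should say so, or the rule is incomplete and keystore calls will still be denied. The trailing semicolon after the macro call is also out of step with the `binder_call(...)` lines in this file and with every other macro invocation in the change; write it as `binder_use(hal_fingerprint)`. The surrounding rules for hal_fingerprint start outside this hunk, so the missing find/call may simply not be visible.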
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 27912b7..a17dbcd 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_gatekeeper)
-
# call into gatekeeperd process (callbacks)
binder_call(hal_gatekeeper, gatekeeperd)
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index a883e39..753791b 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -1,4 +1 @@
-# hwbinder access
-hwbinder_use(hal_gnss)
-
binder_call(hal_gnss, system_server)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 1c357ed..45999be 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_graphics_allocator)
-
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 3753278..ee12ff1 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,5 +1,3 @@
-# HwBinder access
-hwbinder_use(hal_graphics_composer)
# IComposerCallback
binder_call(hal_graphics_composer, surfaceflinger)
@@ -15,4 +13,4 @@
# Fences
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer {appdomain ephemeral_app}:fd use;
+allow hal_graphics_composer appdomain:fd use;
diff --git a/public/hal_health.te b/public/hal_health.te
index c6391b8..341efdd 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_health)
-
# call into healthd for callbacks
binder_call(hal_health, healthd)
diff --git a/public/hal_ir.te b/public/hal_ir.te
index 3c7b51a..adfb5ae 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_ir)
-
# call into system_server process (callbacks)
binder_call(hal_ir, system_server)
diff --git a/public/hal_light.te b/public/hal_light.te
index af238dd..145b02e 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,5 +1,6 @@
-# hwbinder access
-hwbinder_use(hal_light)
-
# call into system_server process (callbacks)
binder_call(hal_light, system_server)
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
deleted file mode 100644
index 90ecc0a..0000000
--- a/public/hal_memtrack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# hwbinder access
-hwbinder_use(hal_memtrack);
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index a062a78..0c4bd9c 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -1,6 +1,3 @@
-# hwbinder access
-hwbinder_use(hal_nfc)
-
# call into NFC process (callbacks)
binder_call(hal_nfc, nfc)
diff --git a/public/hal_power.te b/public/hal_power.te
deleted file mode 100644
index df4cd4d..0000000
--- a/public/hal_power.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# hwbinder access
-hwbinder_use(hal_power);
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
deleted file mode 100644
index e3e48ab..0000000
--- a/public/hal_sensors.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# hwbinder access
-hwbinder_use(hal_sensors)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 6f3a38f..704adc0 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -1,5 +1,3 @@
# Perform HwBinder IPC.
-hwbinder_use(hal_telephony)
binder_call(hal_telephony, radio)
binder_call(hal_telephony, bluetooth)
-
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index 6edf8c7..a59a978 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_thermal)
-
# call into system_server process (callbacks)
binder_call(hal_thermal, system_server)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 37d015e..0d9d308 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_vibrator)
-
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 4249fdd..08102ad 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -1,5 +1,2 @@
-# hwbinder access
-hwbinder_use(hal_vr)
-
# call into system_server process
binder_call(hal_vr, system_server)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index f13d225..960f1ac 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -1,6 +1,3 @@
-## hwbinder access
-hwbinder_use(hal_wifi)
-
## call into system_server process (for invoking callbacks)
binder_call(hal_wifi, system_server)
diff --git a/public/lmkd.te b/public/lmkd.te
index e25a77f..f4e6c2d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -14,8 +14,6 @@
## TODO: maybe scope this down?
r_dir_file(lmkd, appdomain)
allow lmkd appdomain:file write;
-r_dir_file(lmkd, ephemeral_app)
-allow lmkd ephemeral_app:file write;
r_dir_file(lmkd, system_server)
allow lmkd system_server:file write;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 2acd629..47a7738 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -22,7 +22,7 @@
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, { appdomain ephemeral_app })
+binder_call(mediaserver, appdomain)
binder_service(mediaserver)
allow mediaserver media_data_file:dir create_dir_perms;
@@ -48,7 +48,7 @@
allow mediaserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains.
-allow mediaserver { appdomain ephemeral_app }:fifo_file { getattr read write };
+allow mediaserver appdomain:fifo_file { getattr read write };
allow mediaserver rpmsg_device:chr_file rw_file_perms;
diff --git a/public/rild.te b/public/rild.te
index 3981676..4d9cb21 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -28,10 +28,6 @@
# property service
set_prop(rild, radio_prop)
-set_prop(rild, net_radio_prop)
-set_prop(rild, system_radio_prop)
-auditallow rild net_radio_prop:property_service set;
-auditallow rild system_radio_prop:property_service set;
allow rild tty_device:chr_file rw_file_perms;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 699984f..2b1faec 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -12,7 +12,7 @@
# Perform Binder IPC.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, { appdomain ephemeral_app })
+binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
binder_service(surfaceflinger)
@@ -21,7 +21,7 @@
# Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, { appdomain ephemeral_app })
+r_dir_file(surfaceflinger, appdomain)
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -42,7 +42,7 @@
set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app.
-allow surfaceflinger { appdomain ephemeral_app }:fd use;
+allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write };
# Allow a dumpstate triggered screenshot
diff --git a/public/system_server.te b/public/system_server.te
index 2cf511f..207add7 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -87,10 +87,10 @@
allow system_server self:netlink_route_socket nlmsg_write;
# Kill apps.
-allow system_server { appdomain ephemeral_app }:process { sigkill signal };
+allow system_server appdomain:process { sigkill signal };
# Set scheduling info for apps.
-allow system_server { appdomain ephemeral_app }:process { getsched setsched };
+allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
@@ -151,10 +151,11 @@
# Perform Binder IPC.
binder_use(system_server)
-binder_call(system_server, { appdomain ephemeral_app })
+binder_call(system_server, appdomain)
binder_call(system_server, binderservicedomain)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
+binder_call(system_server, hal_fingerprint)
binder_call(system_server, gatekeeperd)
binder_call(system_server, installd)
binder_call(system_server, netd)
@@ -427,8 +428,8 @@
allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets and pipes.
-allow system_server { appdomain ephemeral_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server { appdomain ephemeral_app }:{ fifo_file unix_stream_socket } { getattr read write };
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;
diff --git a/public/zygote.te b/public/zygote.te
index 385be94..594ac57 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -13,15 +13,15 @@
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
-allow zygote { appdomain ephemeral_app }:process dyntransition;
+allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote { appdomain ephemeral_app }:dir { getattr search };
-allow zygote { appdomain ephemeral_app }:file { r_file_perms };
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
-allow zygote { appdomain ephemeral_app }:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
@@ -116,7 +116,7 @@
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server.
-neverallow zygote ~{ appdomain ephemeral_app system_server }:process dyntransition;
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {