Merge "Allow netd to write to statsd"
diff --git a/private/domain.te b/private/domain.te
index bc1defb..e33a9cd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -143,7 +143,7 @@
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
neverallow { domain -init -system_server } staging_data_file:file
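Review bot: The `-kernel` exclusion on the `staging_data_file:file *` neverallow exempts the kernel domain from every file permission, although the only grant this commit adds for it in public/kernel.te is `read`. The last neverallow in this hunk excludes only init and system_server, so it presumably still denies the kernel write access, but its permission list lies outside the hunk and cannot be confirmed here. To keep the assertion as narrow as the grant, consider adding `neverallow kernel staging_data_file:file ~{ read };` after the changed line, provided no other rule gives the kernel more than `read` on this type. A comment such as `# kernel: loop driver threads read staged APEX files, see kernel.te` would also record why the exception exists.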
diff --git a/private/rs.te b/private/rs.te
index f0c9409..5aa2d54 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -28,15 +28,3 @@
# File descriptors passed from app to renderscript
allow rs untrusted_app_all:fd use;
-
-# TODO: Explain why these dontaudits are needed. Most likely
-# these are file descriptors leaking across an exec() boundary
-# due to a missing O_CLOEXEC / SOCK_CLOEXEC
-dontaudit rs untrusted_app_all:unix_stream_socket { read write };
-dontaudit rs untrusted_app_all:fifo_file { read write };
-
-# TODO: Explain why this is necessary. I think this is a zygote
-# created logging socket and system server parceled file descriptor
-# which is not using the O_CLOEXEC flag.
-dontaudit rs zygote:fd use;
-dontaudit rs system_server:fd use;
diff --git a/public/app.te b/public/app.te
index 0a5f0b4..6e760d1 100644
--- a/public/app.te
+++ b/public/app.te
@@ -404,7 +404,6 @@
# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain zygote_socket:sock_file write;
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
diff --git a/public/kernel.te b/public/kernel.te
index d3a6079..50e72c2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,11 +81,12 @@
# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };
-# Allow the kernel to read APEX file descriptors and data files;
+# Allow the kernel to read APEX file descriptors and (staged) data files;
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
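Review bot: The new `allow kernel staging_data_file:file read;` applies to everything labeled `kernel`, and the comment directly below it says first-stage init also runs in that domain, so the grant reaches further than the loopback kernel threads the block comment describes. The comment also ties the need to "earlier kernel version" without naming one, while the rule itself is unconditional. I would extend the comment to say which component opens the staged files and when the rule can be dropped, for example `# TODO(<bug-id>): remove once loop I/O no longer runs in a kernel thread on supported kernels.`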