am 043b9027: Confine watchdogd, but leave it permissive for now.
* commit '043b9027b3cc1c055e4ec5917f5d0d9bdc69005f':
Confine watchdogd, but leave it permissive for now.
diff --git a/installd.te b/installd.te
index 68a0d06..db76531 100644
--- a/installd.te
+++ b/installd.te
@@ -16,7 +16,8 @@
allow installd apk_tmp_file:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
-allow installd download_file:dir { read getattr };
+allow installd download_file:dir { r_dir_perms };
+allow installd download_file:file { r_file_perms };
dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(installd)
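Review bot: The braces around `r_dir_perms` and `r_file_perms` on the two added lines are redundant — those macros already expand to a brace-delimited permission set — and the neighbouring rules (`allow installd apk_tmp_file:file r_file_perms;`) use the bare form, so `allow installd download_file:dir r_dir_perms;` would match the file's style. The replacement also widens the old `{ read getattr }` directory grant and adds read access to every file labelled download_file, while the commit message only talks about watchdogd. A one-line comment above the pair naming the installd operation that needs to read downloaded files (with the bug id, if there is one) would let a later reviewer judge whether the wider grant is still required.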
diff --git a/netd.te b/netd.te
index db2f480..938fc68 100644
--- a/netd.te
+++ b/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
init_daemon_domain(netd)
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:capability { net_admin net_raw kill fsetid };
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
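Review bot: `fsetid` is added to netd's capability set with no comment and no mention in the commit message, so nobody can later tell which denial it resolves or whether it is still needed. CAP_FSETID lets a process keep setuid/setgid bits on files it modifies and set the setgid bit on files whose group it does not belong to, which is unrelated to netd's networking role; if the audit log shows the denial coming from a chmod()/fchmod() that does not actually need those bits preserved, `dontaudit netd self:capability fsetid;` would silence it without granting it. Otherwise add a comment such as `# fsetid: needed for <denial / bug id>` above the line.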
diff --git a/vold.te b/vold.te
index c41cc72..25e586a 100644
--- a/vold.te
+++ b/vold.te
@@ -27,7 +27,7 @@
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace };
+allow vold self:capability { sys_ptrace kill };
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
@@ -57,6 +57,7 @@
# Property Service
allow vold vold_prop:property_service set;
allow vold powerctl_prop:property_service set;
+allow vold ctl_default_prop:property_service set;
# ASEC
allow vold asec_image_file:file create_file_perms;
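Review bot: `allow vold ctl_default_prop:property_service set;` lets vold set any ctl.* property that has no more specific label, which in init's property handling means starting and stopping arbitrary services — a far broader right than the vold_prop and powerctl_prop lines beside it. The hunk gives no hint of which service vold needs to control; at minimum add a comment naming it (`# ctl.* access needed to control <service>, see <bug id>`), and consider giving that ctl.* key its own property type so the rule can be narrowed to it. The `kill` capability added in the earlier hunk of this file complements the existing `allow vold domain:process { signal sigkill };` rule (DAC check vs. SELinux check) and likewise deserves a short comment saying which process vold signals.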
diff --git a/zygote.te b/zygote.te
index 11a767f..5d1f489 100644
--- a/zygote.te
+++ b/zygote.te
@@ -44,3 +44,10 @@
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file { execute_no_trans open };
+
+# handle bugreports b/10498304
+allow zygote ashmem_device:chr_file execute;
+allow zygote init:binder call;
+allow zygote shell_data_file:file { write getattr };
+allow zygote system_server:binder { transfer call };
+allow zygote servicemanager:binder { call };
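Review bot: The single `# handle bugreports b/10498304` comment covers six rules of very different weight, and `allow zygote ashmem_device:chr_file execute;` in particular permits executable mappings of ashmem-backed memory — the kind of grant a later reader will want justified per rule rather than by bug number. Suggest one comment per line, e.g. `# bugreport: executable ashmem mapping needed by <component>` and `# bugreport: write to an inherited shell_data_file fd (no open)`; the absence of `open` on the shell_data_file rule appears deliberate and is worth stating so nobody "fixes" it by adding open. The braces in `allow zygote servicemanager:binder { call };` are redundant for a single permission; the sibling `allow zygote init:binder call;` two lines above shows the bare form.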