am aeb110ce: am e05487ac: init.te: Don\'t allow mounting on top of /proc
* commit 'aeb110ce39e8aa7917979927fad56b828701e797':
init.te: Don't allow mounting on top of /proc
diff --git a/adbd.te b/adbd.te
index 57b1e48..b640597 100644
--- a/adbd.te
+++ b/adbd.te
@@ -74,10 +74,6 @@
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
-# b/18078338 - allow read access to executable types on /system
-# to assist with debugging OTA issues.
-allow adbd exec_type:file r_file_perms;
-
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
diff --git a/bluetooth.te b/bluetooth.te
index 890c1d9..f30e7ef 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -56,6 +56,9 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+# Bluetooth Sim Access Profile Socket to the RIL
+unix_socket_connect(bluetooth, sap_uim, rild)
+
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
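Review bot: The comment above `unix_socket_connect(bluetooth, sap_uim, rild)` does not say which side owns the socket or where it lives, so a reader has to find the `sap_uim_socket` type in file.te and its path in file_contexts. This rule also makes bluetooth a client of the radio daemon, which is new attack surface between two domains that both handle external input, and that is worth stating. Suggested comment: `# Bluetooth SIM Access Profile: bluetooth connects to rild over /dev/socket/sap_uim_socket[0-9] (type sap_uim_socket).`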
diff --git a/domain.te b/domain.te
index 7bc2292..d033d4e 100644
--- a/domain.te
+++ b/domain.te
@@ -185,7 +185,7 @@
} self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
+neverallow { domain -kernel -init -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
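Review bot: Dropping `-recovery` from the `self:capability mknod` neverallow only holds if recovery no longer has a matching allow rule, and no recovery.te change is visible in this diff. The same applies to the `device:chr_file { open read write }` and `rootfs:file` neverallows in the two later domain.te hunks. neverallow rules are checked when the policy is compiled, so a leftover allow should fail the build rather than slip through, but it is worth confirming recovery.te matches on this branch. The `sys_rawio` rule on the following context line keeps its `-recovery` exemption. If that is intentional, a one-line comment such as `# recovery is still exempt from the sys_rawio restriction` would make the asymmetry explicit.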
@@ -267,7 +267,7 @@
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
@@ -306,7 +306,7 @@
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
diff --git a/file.te b/file.te
index 7bd3843..e6ad9e2 100644
--- a/file.te
+++ b/file.te
@@ -175,7 +175,7 @@
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
-
+type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
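Review bot: `type sap_uim_socket, file_type;` replaces the blank line that separated the socket types from the next section, so `# UART (for GPS) control proc file` now reads as part of the socket list. Keeping an empty line after the new declaration restores the grouping. The new type is also appended after `zygote_socket`, while the visible neighbours (`vold_socket`, `wpa_socket`, `zygote_socket`) are in alphabetical order. Placing it in order would make later audits of the socket types easier.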
diff --git a/file_contexts b/file_contexts
index 0fc096d..a83b290 100644
--- a/file_contexts
+++ b/file_contexts
@@ -80,6 +80,7 @@
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/sap_uim_socket[0-9] u:object_r:sap_uim_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
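Review bot: `/dev/socket/sap_uim_socket[0-9]` matches exactly one trailing digit, so a socket created without a suffix or with two digits would fall through to `/dev/socket(/.*)?` and be labelled `socket_device`. That fails closed, because the bluetooth rule only grants write on `sap_uim_socket`, but it would surface as a denial that is hard to trace back to this pattern. Whether rild can create such names is not visible here. If it can, `/dev/socket/sap_uim_socket[0-9]*` would cover them. The entry is also inserted between `adbd` and `dnsproxyd`, out of the alphabetical order the neighbouring lines follow.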
diff --git a/service_contexts b/service_contexts
index 49773b7..e782c7d 100644
--- a/service_contexts
+++ b/service_contexts
@@ -64,6 +64,8 @@
media.camera u:object_r:mediaserver_service:s0
media.log u:object_r:mediaserver_service:s0
media.player u:object_r:mediaserver_service:s0
+media.resource_manager u:object_r:mediaserver_service:s0
+media.radio u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:mediaserver_service:s0
media_projection u:object_r:media_projection_service:s0
media_router u:object_r:media_router_service:s0
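Review bot: Both new entries reuse `mediaserver_service`, so every domain that already holds `service_manager find` on that type can now look up `media.resource_manager` and `media.radio` without any further policy change. If either service is meant for a narrower set of clients than `media.player` or `media.camera`, it needs its own service type. The intended client set cannot be judged from this hunk. As a style point, `media.radio` sorts before `media.resource_manager`, and the surrounding entries are alphabetical.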
diff --git a/system_server.te b/system_server.te
index d8e5978..9691cfb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -163,7 +163,9 @@
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
-allow system_server audio_device:chr_file r_file_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;
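Review bot: Widening `audio_device:chr_file` from `r_file_perms` to `rw_file_perms` gives system_server write access to every node labelled `audio_device`, not only the MIDI ones. The file_contexts context in this same diff maps all of `/dev/snd(/.*)?` to that type. If only the raw MIDI nodes need writes, a dedicated type for them would keep the remaining sound nodes read-only for system_server. At minimum the comment should state the real scope, e.g. `# MIDI needs write access; audio_device covers all of /dev/snd, so this is broader than MIDI alone`.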