Merge "healthd: add sepolicy"
diff --git a/app.te b/app.te
index fb76831..d90185c 100644
--- a/app.te
+++ b/app.te
@@ -1,66 +1,172 @@
-#
-# Domains for apps that do not run with one of the predefined
-# platform UIDs (system, radio, nfc, ...).
-#
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
 
-#
-# Apps signed with the platform key.
-#
-type platform_app, domain;
-permissive platform_app;
-app_domain(platform_app)
-platform_app_domain(platform_app)
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
+# Allow apps to connect to the keystore
+unix_socket_connect(appdomain, keystore, keystore)
 
-# Apps signed with the media key.
-type media_app, domain;
-permissive media_app;
-app_domain(media_app)
-platform_app_domain(media_app)
-# Access the network.
-net_domain(media_app)
-unconfined_domain(media_app)
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
 
-# Apps signed with the shared key.
-type shared_app, domain;
-permissive shared_app;
-app_domain(shared_app)
-platform_app_domain(shared_app)
-# Access the network.
-net_domain(shared_app)
-# Access bluetooth.
-bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
 
-# Apps signed with the release key (testkey in AOSP).
-type release_app, domain;
-permissive release_app;
-app_domain(release_app)
-platform_app_domain(release_app)
-# Access the network.
-net_domain(release_app)
-# Access bluetooth.
-bluetooth_domain(release_app)
-unconfined_domain(release_app)
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
 
-# Services with isolatedProcess=true in their manifest.
-# In order for isolated_apps to interact with apps that have levelFromUid=true
-# set it must be an mlstrustedsubject.
-type isolated_app, domain, mlstrustedsubject;
-permissive isolated_app;
-app_domain(isolated_app)
-unconfined_domain(isolated_app)
+# Communicate with system_server.
+allow appdomain system:fifo_file rw_file_perms;
+allow appdomain system:unix_stream_socket { read write setopt };
+binder_call(appdomain, system)
 
-#
-# Untrusted apps.
-#
-type untrusted_app, domain;
-permissive untrusted_app;
-app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-unconfined_domain(untrusted_app)
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+binder_call(appdomain, surfaceflinger)
+
+# App sandbox file accesses.
+allow appdomain app_data_file:dir create_dir_perms;
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+
+# Read/write data files created by the platform apps if they
+# were passed to the app via binder or local IPC.  Do not allow open.
+allow appdomain platform_app_data_file:file { getattr read write };
+
+# lib subdirectory of /data/data dir is system-owned.
+allow appdomain system_data_file:dir r_dir_perms;
+allow appdomain system_data_file:file { execute open };
+
+# Execute the shell or other system executables.
+allow appdomain shell_exec:file rx_file_perms;
+allow appdomain system_file:file rx_file_perms;
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { read write };
+
+# Write to /data/anr/traces.txt.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain qtaguid_proc:file rw_file_perms;
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow appdomain qtaguid_device:chr_file r_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+
+# Appdomain interaction with isolated apps
+r_dir_file(appdomain, isolated_app)
+binder_call(appdomain, isolated_app)
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain isolated_app:unix_stream_socket { read write };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write };
+allow appdomain  cache_backup_file:file { read write };
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file getattr;
+
+# Allow all applications to read downloaded files
+allow appdomain download_file:file r_file_perms;
+file_type_auto_trans(appdomain, download_file, download_file)
+
+# Allow applications to communicate with netd via /dev/socket/dnsproxyd
+# to do DNS resolution
+unix_socket_connect(appdomain, dnsproxyd, netd)
+
+# Allow applications to communicate with drmserver over binder
+binder_call(appdomain, drmserver)
+
+# Allow applications to communicate with mediaserver over binder
+binder_call(appdomain, mediaserver)
+
+# Allow applications to make outbound tcp connections to any port
+allow appdomain port_type:tcp_socket name_connect;
+
+# Allow apps to see changes to the routing table.
+allow appdomain self:netlink_route_socket {
+    read
+    bind
+    create
+    nlmsg_read
+    ioctl
+    getattr
+    setattr
+    getopt
+    setopt
+    shutdown
+};
+
+# Allow apps to use rawip sockets. This is needed for apps which execute
+# /system/bin/ping, for example.
+allow appdomain self:rawip_socket create_socket_perms;
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# Only exception is sys_nice for binder, might not be necessary.
+neverallow { appdomain -unconfineddomain } self:capability ~sys_nice;
+neverallow { appdomain -unconfineddomain } self:capability2 *;
+
+# Block device access.
+neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
+
+# Kernel memory access.
+neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
+
+# Setting SELinux enforcing status or booleans.
+# Conditionally allowed to system_app for SEAndroidManager.
+neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
+
+# Load security policy.
+neverallow appdomain kernel:security load_policy;
+
+# Privileged netlink socket interfaces.
+neverallow { appdomain -unconfineddomain }
+    self:{
+        netlink_socket
+        netlink_firewall_socket
+        netlink_tcpdiag_socket
+        netlink_nflog_socket
+        netlink_xfrm_socket
+        netlink_selinux_socket
+        netlink_audit_socket
+        netlink_ip6fw_socket
+        netlink_dnrt_socket
+        netlink_kobject_uevent_socket
+    } *;
+
+# ptrace access to non-app domains.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
+
+# Transition to a non-app domain.
+neverallow { appdomain -unconfineddomain } ~appdomain:process { transition dyntransition };
+
+# Write to /system.
+neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set write;
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts.  Define a different type for portions
+# that should be writable by apps.
+# Exception for system_app for Settings.
+neverallow { appdomain -unconfineddomain -system_app } system_data_file:dir_file_class_set write;
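Review bot: `allow appdomain self:rawip_socket create_socket_perms;` sits in the base policy that isolated_app also inherits, so the tightest sandbox in this change is granted raw IP socket creation at the MAC layer, while the stated justification (apps executing /system/bin/ping) only applies to app domains that also get net_domain. Consider moving the rule into untrusted_app.te and the platform-signed app files (or the net_domain macro) and leaving it out of appdomain; whether DAC still blocks isolated processes from raw sockets is not visible in this diff. Also note that every neverallow in this block is written `{ appdomain -unconfineddomain }`, and all app domains here except untrusted_app and isolated_app still call unconfined_domain, so these invariants currently constrain only those two (both permissive). Two comment nits: `# Notify zygote of death;` has a stray semicolon, and `# Only exception is sys_nice for binder, might not be necessary.` would read better as `# The only exception is sys_nice, which domain.te grants to every domain because binder adjusts priorities during IPC.`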
diff --git a/attributes b/attributes
index 7d491e2..6123d6c 100644
--- a/attributes
+++ b/attributes
@@ -64,3 +64,6 @@
 
 # Allow domains used for platform (signed by build key) apps.
 attribute platformappdomain;
+
+# All domains which are allowed the "relabelto" permission
+attribute relabeltodomain;
diff --git a/debuggerd.te b/debuggerd.te
index f78b902..31453c9 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -5,3 +5,5 @@
 
 init_daemon_domain(debuggerd)
 unconfined_domain(debuggerd)
+relabelto_domain(debuggerd)
+allow debuggerd tombstone_data_file:dir relabelto;
diff --git a/dnsmasq.te b/dnsmasq.te
new file mode 100644
index 0000000..ff81367
--- /dev/null
+++ b/dnsmasq.te
@@ -0,0 +1,7 @@
+type dnsmasq, domain;
+permissive dnsmasq;
+type dnsmasq_exec, exec_type, file_type;
+
+init_daemon_domain(dnsmasq)
+net_domain(dnsmasq)
+unconfined_domain(dnsmasq)
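Review bot: dnsmasq is declared `permissive dnsmasq;` and `unconfined_domain(dnsmasq)`, so the new label only serves auditing, and the `domain_auto_trans(netd, dnsmasq_exec, dnsmasq)` added in netd.te moves a child of the newly confined netd into a domain with no MAC restrictions at all. A header comment recording that this is a bootstrap state would stop the next reader from assuming the daemon is confined, e.g. `# TODO: confine dnsmasq. Permissive and unconfined for now so denials are only logged; tighten once the required rules are collected from audit logs.` Whether dnsmasq needs anything beyond net_domain cannot be judged from this hunk.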
diff --git a/domain.te b/domain.te
index e69de29..291c562 100644
--- a/domain.te
+++ b/domain.te
@@ -0,0 +1,144 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file { read getattr };
+
+# Search /storage/emulated tmpfs mount.
+allow domain tmpfs:dir r_dir_perms;
+
+# binder adjusts the nice value during IPC.
+allow domain self:capability sys_nice;
+
+# Intra-domain accesses.
+allow domain self:process ~{ execstack execheap ptrace };
+allow domain self:fd use;
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+allow domain system:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+allow domain adbd:unix_stream_socket connectto;
+allow domain adbd:fd use;
+allow domain adbd:unix_stream_socket { getattr read write shutdown };
+
+###
+### Talk to debuggerd.
+###
+allow domain debuggerd:process sigchld;
+allow domain debuggerd:unix_stream_socket connectto;
+# b/9858255 - debuggerd sockets are not getting properly labeled.
+# TODO: Remove this temporary workaround.
+allow domain init:unix_stream_socket connectto;
+
+# Root fs.
+allow domain rootfs:dir r_dir_perms;
+allow domain rootfs:file r_file_perms;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file read;
+allow domain devpts:dir search;
+allow domain device:file read;
+allow domain socket_device:dir search;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file r_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain powervr_device:chr_file rw_file_perms;
+allow domain log_device:dir search;
+allow domain log_device:chr_file rw_file_perms;
+allow domain nv_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain urandom_device:chr_file r_file_perms;
+allow domain random_device:chr_file r_file_perms;
+allow domain properties_device:file r_file_perms;
+
+# Filesystem accesses.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# System file accesses.
+allow domain system_file:dir r_dir_perms;
+allow domain system_file:file r_file_perms;
+allow domain system_file:file execute;
+allow domain system_file:lnk_file read;
+
+# Read files already opened under /data.
+allow domain system_data_file:dir { search getattr };
+allow domain system_data_file:file { getattr read };
+allow domain system_data_file:lnk_file read;
+
+# Read apk files under /data/app.
+allow domain apk_data_file:dir search;
+allow domain apk_data_file:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow domain dalvikcache_data_file:dir { search getattr };
+allow domain dalvikcache_data_file:file r_file_perms;
+
+# Read already opened /cache files.
+allow domain cache_file:dir r_dir_perms;
+allow domain cache_file:file { getattr read };
+allow domain cache_file:lnk_file read;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
+#Allow access to ion memory allocation device
+allow domain ion_device:chr_file rw_file_perms;
+
+# For /sys/qemu_trace files in the emulator.
+bool in_qemu false;
+if (in_qemu) {
+allow domain sysfs:file rw_file_perms;
+}
+allow domain sysfs_writable:file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(domain, proc)
+r_dir_file(domain, sysfs)
+r_dir_file(domain, inotify)
+r_dir_file(domain, cgroup)
+
+# debugfs access
+allow domain debugfs:dir r_dir_perms;
+allow domain debugfs:file w_file_perms;
+
+# security files
+allow domain security_file:dir { search getattr };
+allow domain security_file:file getattr;
+
+######## Backwards compatibility - Unlabeled files ############
+
+# Revert to DAC rules when looking at unlabeled files. Over time, the number
+# of unlabeled files should decrease.
+# TODO: delete these rules in the future.
+#
+# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
+# capability, it's essentially useless. This is needed to allow an app with
+# relabelto to relabel unlabeled files.
+#
+allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
+allow domain unlabeled:dir { create_dir_perms relabelfrom };
+allow domain unlabeled:lnk_file { create_file_perms };
+neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
+
+###
+### neverallow rules
+###
+
+# Only init should be able to load SELinux policies
+neverallow { domain -init } kernel:security load_policy;
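Review bot: `allow domain debugfs:file w_file_perms;` grants every domain on the device, including untrusted_app and isolated_app via appdomain, write access to any file in debugfs, leaving DAC as the only barrier, and nothing in this diff says which consumer needs it. debugfs typically exposes kernel tuning and tracing knobs, so this is worth scoping to the specific domains that need it or splitting a dedicated type the way `sysfs_writable` is split here, and the `# debugfs access` comment should name the requester. The same shape appears in `allow domain cgroup:file w_file_perms;`, though there the `# For /acct/uid/*/tasks.` comment at least explains the intent.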
diff --git a/file_contexts b/file_contexts
index 766bf59..2161e8e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -18,7 +18,6 @@
 # Empty directories
 /lost\+found		u:object_r:rootfs:s0
 /proc			u:object_r:rootfs:s0
-/sys			u:object_r:rootfs:s0
 
 # SELinux policy files
 /file_contexts		u:object_r:rootfs:s0
@@ -150,6 +149,8 @@
 /system/xbin/su		u:object_r:su_exec:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/ping    u:object_r:ping_exec:s0
+/system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
+/system/bin/hostapd     u:object_r:hostapd_exec:s0
 #############################
 # Vendor files
 #
diff --git a/hostapd.te b/hostapd.te
new file mode 100644
index 0000000..f13b2e0
--- /dev/null
+++ b/hostapd.te
@@ -0,0 +1,7 @@
+type hostapd, domain;
+permissive hostapd;
+type hostapd_exec, exec_type, file_type;
+
+init_daemon_domain(hostapd)
+net_domain(hostapd)
+unconfined_domain(hostapd)
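Review bot: hostapd is introduced permissive and unconfined like dnsmasq, which means the process that consumes the hostapd.conf netd now writes into wifi_data_file runs with no MAC restrictions even though netd itself is being confined in this same change. If that is an interim state, say so in the file: `# TODO: confine hostapd; currently permissive+unconfined so that denials are only logged.` The hunk gives no way to tell what hostapd needs beyond net_domain (wifi_data_file read and the wireless netlink/ioctl surface seem likely, but that is inference).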
diff --git a/init.te b/init.te
index 5b7463e..9be5955 100644
--- a/init.te
+++ b/init.te
@@ -4,5 +4,9 @@
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
+relabelto_domain(init)
 # add a rule to handle unlabelled mounts
 allow init unlabeled:filesystem mount;
+
+allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow init kernel:security load_policy;
diff --git a/installd.te b/installd.te
index 4ad5513..3c43b05 100644
--- a/installd.te
+++ b/installd.te
@@ -1,7 +1,27 @@
 # installer daemon
 type installd, domain;
-permissive installd;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
-unconfined_domain(installd)
+relabelto_domain(installd)
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file create_file_perms;
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd data_file_type:dir create_dir_perms;
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:{ file lnk_file } { getattr unlink };
+allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
+allow installd system_file:file x_file_perms;
+allow installd cgroup:dir create_dir_perms;
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(installd)
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file r_file_perms;
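Review bot: `allow installd data_file_type:dir { relabelfrom relabelto };` lets installd relabel any directory under /data from any data type to any other data type, e.g. a system_data_file directory into app_data_file, which this change makes app-writable; that is far wider than restoring the context of app data directories. If installd's relabel targets are only the per-app directories (I can only infer this from the seapp_contexts types in this diff), the pair `allow installd data_file_type:dir relabelfrom;` and `allow installd { app_data_file platform_app_data_file }:dir relabelto;` bounds the damage a compromised installd can do. Now that installd is no longer permissive, a comment explaining the chown/dac_override/fowner/fsetid/setuid/setgid capability set (presumably chown of app dirs) would also help the next reviewer.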
diff --git a/isolated_app.te b/isolated_app.te
new file mode 100644
index 0000000..77f14d3
--- /dev/null
+++ b/isolated_app.te
@@ -0,0 +1,23 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+### isolated_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type isolated_app, domain;
+permissive isolated_app;
+app_domain(isolated_app)
+
+# Appdomain interaction with isolated apps
+r_dir_file(appdomain, isolated_app)
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow isolated_app appdomain:unix_stream_socket { read write };
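Review bot: `r_dir_file(appdomain, isolated_app)` here duplicates the identical rule in app.te's `# Appdomain interaction with isolated apps` block; the compiled policy does not care, but the rule should have a single home so future tightening is not missed in one copy. More importantly the header says isolated_app "includes all the appdomain rules", which after this change covers keystore connection, `port_type:tcp_socket name_connect` to every port, raw IP socket creation and `shell_exec:file rx_file_perms` for isolatedProcess services. If the network rules are meant to be inert because isolated_app deliberately omits net_domain (and the socket-create permission that untrusted_app grants itself), record that: `# NOTE: no net_domain here; the appdomain network rules are inert without socket creation, except rawip_socket which appdomain grants directly.`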
diff --git a/kernel.te b/kernel.te
index 5502ed8..023e457 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,3 +3,6 @@
 permissive kernel;
 # The kernel is unconfined.
 unconfined_domain(kernel)
+relabelto_domain(kernel)
+
+allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
diff --git a/media_app.te b/media_app.te
new file mode 100644
index 0000000..f0f987f
--- /dev/null
+++ b/media_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the media key.
+###
+
+type media_app, domain;
+permissive media_app;
+app_domain(media_app)
+platform_app_domain(media_app)
+# Access the network.
+net_domain(media_app)
+unconfined_domain(media_app)
+relabelto_domain(media_app)
+allow media_app download_file:dir relabelto;
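Review bot: `allow media_app download_file:dir relabelto;` is combined with media_app remaining `unconfined_domain`, which after the unconfined.te change still carries relabelfrom on every file_type, so media_app may relabel any directory it can reach into download_file, a type every app can read and create files under per app.te. If the intent is only the Downloads directory, a comment naming it (and ideally a type on that path rather than the whole attribute) would make the grant reviewable, e.g. `# Relabel the user Downloads directory only; media_app is unconfined so relabelfrom is unrestricted.` The domain is also still `permissive`, so this rule currently affects only what gets logged.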
diff --git a/netd.te b/netd.te
index 6f294ed..8636af1 100644
--- a/netd.te
+++ b/netd.te
@@ -2,7 +2,79 @@
 type netd, domain;
 type netd_exec, exec_type, file_type;
 
-permissive netd;
-unconfined_domain(netd)
 init_daemon_domain(netd)
+allow netd self:capability { net_admin net_raw kill };
+allow netd self:netlink_kobject_uevent_socket *;
+allow netd self:netlink_route_socket *;
+allow netd self:netlink_nflog_socket *;
+allow netd self:rawip_socket *;
+allow netd self:udp_socket *;
+allow netd node:udp_socket node_bind;
+allow netd port:udp_socket name_bind;
+allow netd self:unix_stream_socket *;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+allow netd devpts:chr_file rw_file_perms;
+
+# For /proc/sys/net/ipv[46]/route/flush.
+# XXX Split /proc/sys/net into its own type.
+allow netd proc:file write;
+
+# For /sys/modules/bcmdhd/parameters/firmware_path
+# XXX Split into its own type.
+allow netd sysfs:file write;
+
+# Set dhcp lease for PAN connection
+unix_socket_connect(netd, property, init)
+allow netd system_prop:property_service set;
+
+# Connect to PAN
 domain_auto_trans(netd, dhcp_exec, dhcp)
+allow netd dhcp:process signal;
+
+# Needed to update /data/misc/wifi/hostapd.conf
+# TODO: See what we can do to reduce the need for
+# these capabilities
+allow netd self:capability { dac_override chown fowner };
+allow netd wifi_data_file:file create_file_perms;
+allow netd wifi_data_file:dir rw_dir_perms;
+
+# Allow netd to spawn hostapd in it's own domain
+domain_auto_trans(netd, hostapd_exec, hostapd)
+allow netd hostapd:process signal;
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+allow netd dnsmasq:process signal;
+
+# Support netd running mdnsd
+# TODO: prune this back further
+allow netd ctl_default_prop:property_service set;
+allow netd device:sock_file write;
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# Kernel memory access.
+neverallow netd kmem_device:chr_file { read write };
+
+# Setting SELinux enforcing status or booleans.
+# Conditionally allowed to system_app for SEAndroidManager.
+neverallow netd kernel:security { setenforce setbool };
+
+# Load security policy.
+neverallow netd kernel:security load_policy;
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
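Review bot: `allow netd ctl_default_prop:property_service set;` gives netd the ability to set any property labeled ctl_default_prop, which by its name appears to cover the ctl.start/ctl.stop family, i.e. starting and stopping arbitrary init services, not just mdnsd; property_contexts is not shown here, so this is inferred. A dedicated type for the single control property netd needs (the way `powerctl_prop` is carved out of `sys.` in this same change) would bound that, and the existing `# TODO: prune this back further` should say which property is required. Also the comment `# Conditionally allowed to system_app for SEAndroidManager.` above the setenforce neverallow was copied from app.te and does not apply to netd; drop it or reword as `# netd has no reason to change enforcement status.`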
diff --git a/platform_app.te b/platform_app.te
new file mode 100644
index 0000000..38d8fcd
--- /dev/null
+++ b/platform_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
+permissive platform_app;
+app_domain(platform_app)
+platform_app_domain(platform_app)
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+unconfined_domain(platform_app)
diff --git a/property.te b/property.te
index 69dff91..d0c77a4 100644
--- a/property.te
+++ b/property.te
@@ -10,3 +10,4 @@
 type audio_prop, property_type;
 type security_prop, property_type;
 type bluetooth_prop, property_type;
+type powerctl_prop, property_type;
diff --git a/property_contexts b/property_contexts
index e32cddd..6c47c9f 100644
--- a/property_contexts
+++ b/property_contexts
@@ -20,6 +20,7 @@
 runtime.                u:object_r:system_prop:s0
 hw.                     u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
+sys.powerctl            u:object_r:powerctl_prop:s0
 service.                u:object_r:system_prop:s0
 wlan.                   u:object_r:system_prop:s0
 dhcp.                   u:object_r:system_prop:s0
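Review bot: `sys.powerctl            u:object_r:powerctl_prop:s0` is placed after the broader `sys.` prefix line, so it only takes effect if the property backend prefers the longest matching prefix rather than the first match; I cannot confirm the lookup order from this diff. Whichever it is, a one-line comment above the entry, e.g. `# More specific than sys.; relies on longest-prefix matching in the property label lookup`, would keep someone from "tidying" the order and silently handing sys.powerctl back to system_prop, which vold is granted to set in vold.te.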
diff --git a/release_app.te b/release_app.te
new file mode 100644
index 0000000..285f483
--- /dev/null
+++ b/release_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the release key (testkey in AOSP).
+###
+
+type release_app, domain;
+permissive release_app;
+app_domain(release_app)
+platform_app_domain(release_app)
+# Access the network.
+net_domain(release_app)
+# Access bluetooth.
+bluetooth_domain(release_app)
+unconfined_domain(release_app)
diff --git a/seapp_contexts b/seapp_contexts
index 491c9fd..41d3dd8 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -43,3 +43,4 @@
 user=_app seinfo=media domain=media_app type=platform_app_data_file
 user=_app seinfo=release domain=release_app type=platform_app_data_file
 user=_isolated domain=isolated_app
+user=shell domain=shell type=shell_data_file
diff --git a/shared_app.te b/shared_app.te
new file mode 100644
index 0000000..b66fbfb
--- /dev/null
+++ b/shared_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the shared key.
+###
+
+type shared_app, domain;
+permissive shared_app;
+app_domain(shared_app)
+platform_app_domain(shared_app)
+# Access the network.
+net_domain(shared_app)
+# Access bluetooth.
+bluetooth_domain(shared_app)
+unconfined_domain(shared_app)
diff --git a/system.te b/system.te
index fc76cd4..24d4a67 100644
--- a/system.te
+++ b/system.te
@@ -6,6 +6,13 @@
 type system, domain;
 permissive system;
 unconfined_domain(system);
+relabelto_domain(system);
 
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
+allow system self:zygote { specifyids specifyrlimits specifyseinfo };
+
+allow system backup_data_file:dir relabelto;
+allow system cache_backup_file:dir relabelto;
+allow system apk_data_file:file relabelto;
+allow system apk_tmp_file:file relabelto;
diff --git a/te_macros b/te_macros
index 1c78c96..310612c 100644
--- a/te_macros
+++ b/te_macros
@@ -109,6 +109,13 @@
 ')
 
 #####################################
+# relabelto_domain(domain)
+# Allows this domain to use the relabelto permission
+define(`relabelto_domain', `
+typeattribute $1 relabeltodomain;
+')
+
+#####################################
 # platform_app_domain(domain)
 # Allow permissions specific to platform apps.
 define(`platform_app_domain', `
diff --git a/unconfined.te b/unconfined.te
index 9f100a3..9b1b992 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -1,5 +1,5 @@
 allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:security ~load_policy;
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
 allow unconfineddomain domain:process *;
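Review bot: Only load_policy is withdrawn by `allow unconfineddomain kernel:security ~load_policy;`, so setenforce and setbool stay in the unconfined set, and because the matching app.te neverallow is written `{ appdomain -unconfineddomain }`, every app domain that still calls unconfined_domain in this change (platform_app, media_app, shared_app, release_app, plus system) keeps the ability to flip enforcement even though app.te says system_app is the only intended exception. If that is a deliberate interim state, record it next to this line: `# TODO: withdraw setenforce/setbool as well once app domains are confined (see the neverallow in app.te).`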
@@ -11,8 +11,8 @@
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
-allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~entrypoint;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
diff --git a/untrusted_app.te b/untrusted_app.te
new file mode 100644
index 0000000..c91543e
--- /dev/null
+++ b/untrusted_app.te
@@ -0,0 +1,48 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps. An "untrusted
+### app" is an APP with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000).
+###
+### untrusted_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type untrusted_app, domain;
+permissive untrusted_app;
+app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
+
+allow untrusted_app tun_device:chr_file rw_file_perms;
+
+# Internal SDCard rw access.
+allow untrusted_app sdcard_internal:dir create_dir_perms;
+allow untrusted_app sdcard_internal:file create_file_perms;
+
+# External SDCard rw access.
+allow untrusted_app sdcard_external:dir create_dir_perms;
+allow untrusted_app sdcard_external:file create_file_perms;
+
+# ASEC
+allow untrusted_app asec_apk_file:dir { getattr };
+allow untrusted_app asec_apk_file:file r_file_perms;
+
+# Create tcp/udp sockets
+allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
+allow untrusted_app self:{ tcp_socket udp_socket } { create_socket_perms accept listen };
+# Bind to a particular hostname/address/interface (e.g., localhost) instead of
+# ANY. Normally, apps should not be listening on all interfaces.
+allow untrusted_app port:{ tcp_socket udp_socket } name_bind;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+allow untrusted_app devpts:chr_file rw_file_perms;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app shell_data_file:file r_file_perms;
+allow untrusted_app shell_data_file:dir r_dir_perms;
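Review bot: The comment above `allow untrusted_app port:{ tcp_socket udp_socket } name_bind;` claims it restricts apps to binding a particular address instead of ANY, but name_bind governs the port number only; the address/interface decision is `node_bind`, and the line two above grants that on all of `node_type`. As written apps may bind any port on any address, so either narrow node_bind to a loopback node type (if one exists in this policy; not visible here) or fix the comment to `# Bind sockets to a port (name_bind) and to any local address (node_bind on node_type above).` Separately, `allow untrusted_app tun_device:chr_file rw_file_perms;` hands every untrusted app /dev/tun with no comment explaining the consumer; a note like `# VPN apps open /dev/tun; the fd is normally passed in by the system, confirm direct open is required` would be worth adding.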
diff --git a/vold.te b/vold.te
index e91d6c3..c41cc72 100644
--- a/vold.te
+++ b/vold.te
@@ -1,7 +1,66 @@
 # volume manager
 type vold, domain;
-permissive vold;
 type vold_exec, exec_type, file_type;
 
 init_daemon_domain(vold)
-unconfined_domain(vold)
+
+typeattribute vold mlstrustedsubject;
+allow vold system_file:file x_file_perms;
+allow vold block_device:dir create_dir_perms;
+allow vold block_device:blk_file create_file_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard_type:dir mounton;
+allow vold sdcard_type:filesystem { mount remount unmount };
+allow vold sdcard_type:dir create_dir_perms;
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket *;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file rw_file_perms;
+allow vold loop_device:blk_file rw_file_perms;
+allow vold dm_device:chr_file rw_file_perms;
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:capability { sys_ptrace };
+
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file rw_file_perms;
+
+write_klog(vold)
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Set property.
+unix_socket_connect(vold, property, init)
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount remount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Create and mount on /data/tmp_mnt.
+allow vold system_data_file:dir { create rw_dir_perms mounton };
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# Property Service
+allow vold vold_prop:property_service set;
+allow vold powerctl_prop:property_service set;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+security_access_policy(vold)
+allow vold asec_apk_file:dir { rw_dir_perms setattr };
+allow vold asec_apk_file:file { r_file_perms setattr };
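Review bot: `allow vold app_data_file:file rw_file_perms;` lets the volume manager read and write any app's private data files, and nothing in the hunk says why; the neighbouring `app_data_file:dir search` is plausibly for path traversal, but rw on the files themselves is not obviously needed for mounting or for `Process::killProcessesWithOpenFiles`. If it is required for ASEC or encryption handling, a comment naming the use case (or a narrower type) should accompany it, e.g. `# TODO: justify; vold should not need write access to app private files.` The `domain:process { signal sigkill }` plus `sys_ptrace` grants are explained, but a short neverallow block like netd's (no write to system_file, no ptrace of other domains) would document what vold must never do now that it is enforcing.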
diff --git a/zygote.te b/zygote.te
index 4603d75..6fb1725 100644
--- a/zygote.te
+++ b/zygote.te
@@ -2,6 +2,42 @@
 type zygote, domain;
 type zygote_exec, exec_type, file_type;
 
-permissive zygote;
 init_daemon_domain(zygote)
-unconfined_domain(zygote)
+typeattribute zygote mlstrustedsubject;
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid };
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow zygote system:process dyntransition;
+allow zygote appdomain:process dyntransition;
+# Move children into the peer process group.
+allow zygote system:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+# Write to system data.
+allow zygote system_data_file:dir rw_dir_perms;
+allow zygote system_data_file:file create_file_perms;
+allow zygote dalvikcache_data_file:dir rw_dir_perms;
+allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };
+# Execute dexopt.
+allow zygote system_file:file x_file_perms;
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(zygote)
+
+# Setting up /storage/emulated.
+allow zygote rootfs:dir mounton;
+allow zygote sdcard_type:dir { write search setattr create add_name mounton };
+dontaudit zygote self:capability fsetid;
+allow zygote tmpfs:dir { write create add_name setattr mounton search };
+allow zygote tmpfs:filesystem mount;
+allow zygote labeledfs:filesystem remount;
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file { execute_no_trans open };
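Review bot: `allow zygote labeledfs:filesystem remount;` under `# Setting up /storage/emulated.` applies to every labeled filesystem, so at the MAC layer zygote may remount /system or /data as well; if the intent is only the per-user emulated storage mount, say so and, if the policy has a type for that mount, use it instead of labeledfs. A comment such as `# remount is needed for the /storage/emulated setup only; labeledfs is broader than required` would at least record the known over-grant. The rest of the confinement looks consistent with the file, though `dontaudit zygote self:capability fsetid;` deserves a one-line reason (it silently hides a denial).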