Merge "Add audit_read permission to capability2"

commit: 331c2e9602be6039640f3a5c0138406dbf849528 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu Oct 01 12:59:41 2015 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Oct 01 12:59:41 2015 +0000
tree: 50304461452f3e056248fa0b3dabc28059ecea22
parent: 226caf49e0f913a723ec6c707f9abf5516c6f906 [diff]
parent: 3198cb5100e1431808897eaa060ed8813001e2c5 [diff]
diff --git a/Android.mk b/Android.mk
index 0b9af0a..1199d14 100644
--- a/Android.mk
+++ b/Android.mk

@@ -162,16 +162,16 @@
 all_fc_files := $(call build_policy, $(all_fc_files))
 
 file_contexts.tmp := $(intermediates)/file_contexts.tmp
-$(file_contexts.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(file_contexts.tmp): PRIVATE_FC_FILES := $(all_fc_files)
 $(file_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(file_contexts.tmp): $(all_fc_files) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+$(file_contexts.tmp): $(all_fc_files)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@
 
-$(LOCAL_BUILT_MODULE): $(file_contexts.tmp) $(HOST_OUT_EXECUTABLES)/sefcontext_compile
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(file_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
 
 built_fc := $(LOCAL_BUILT_MODULE)
@@ -188,14 +188,14 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_file_contexts.tmp := $(intermediates)/general_file_contexts.tmp
-$(general_file_contexts.tmp): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(general_file_contexts.tmp): $(addprefix $(LOCAL_PATH)/, file_contexts) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+$(general_file_contexts.tmp): $(addprefix $(LOCAL_PATH)/, file_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@
 
-$(LOCAL_BUILT_MODULE): $(general_file_contexts.tmp) $(HOST_OUT_EXECUTABLES)/sefcontext_compile
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
+$(LOCAL_BUILT_MODULE): $(general_file_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
 
 general_file_contexts.tmp :=

diff --git a/mediaserver.te b/mediaserver.te
index 65438ba..d335ae8 100644
--- a/mediaserver.te
+++ b/mediaserver.te

@@ -35,8 +35,7 @@
 allow mediaserver audio_device:chr_file rw_file_perms;
 
 # XXX Label with a specific type?
-allow mediaserver sysfs:file rw_file_perms;
-auditallow mediaserver sysfs:file { write append };
+allow mediaserver sysfs:file r_file_perms;
 
 # Read resources from open apk files passed over Binder.
 allow mediaserver apk_data_file:file { read getattr };
commit	331c2e9602be6039640f3a5c0138406dbf849528	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Oct 01 12:59:41 2015 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Oct 01 12:59:41 2015 +0000
tree	50304461452f3e056248fa0b3dabc28059ecea22
parent	226caf49e0f913a723ec6c707f9abf5516c6f906 [diff]
parent	3198cb5100e1431808897eaa060ed8813001e2c5 [diff]