Merge "Allow untrusted apps to access VrManager."
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a400913..5f7549d 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -71,8 +71,10 @@
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
allow surfaceflinger window_service:service_manager find;
+
# allow self to set SCHED_FIFO
allow surfaceflinger self:capability sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index a732332..66acfd6 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -2,97 +2,270 @@
# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -sdcardd
+ -surfaceflinger
+ -system_server
+ -vold
+ -zygote
+} tmpfs:dir r_dir_perms;
+')
# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
+userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
+')
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:fd use;
+userdebug_or_eng(`
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+')
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -fsck
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+')
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
+userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-fingerprintd
- -init
-installd
+ -keystore
-rild
-surfaceflinger
-system_server
+ -update_engine
+ -vold
-zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
auditallow {
domain_deprecated
-appdomain
- -init
-rild
-surfaceflinger
-system_server
-zygote
} system_file:file { ioctl lock }; # read open getattr in domain
+')
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -sdcardd -system_server -tee } system_data_file:file { getattr read };
-auditallow { domain_deprecated -appdomain -init -system_server -tee } system_data_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -sdcardd
+ -system_server
+ -tee
+} system_data_file:file { getattr read };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -system_server
+ -tee
+} system_data_file:lnk_file r_file_perms;
+')
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:dir { getattr search };
-auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:dir { getattr search };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:lnk_file r_file_perms;
+')
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -init -system_server -vold } cache_file:dir { open read search ioctl lock };
-auditallow { domain_deprecated -appdomain -init -system_server -vold } cache_file:dir getattr;
-auditallow { domain_deprecated -init -system_server -vold } cache_file:file { getattr read };
-auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:dir { open read search ioctl lock };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -system_server
+ -vold
+} cache_file:dir getattr;
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:file { getattr read };
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:lnk_file r_file_perms;
+')
-#Allow access to ion memory allocation device
+# Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;
# split this auditallow into read and write perms since most domains seem to
# only require read
-auditallow { domain_deprecated -appdomain -fingerprintd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -fingerprintd
+ -keystore
+ -surfaceflinger
+ -system_server
+ -tee
+ -vold
+ -zygote
+} ion_device:chr_file r_file_perms;
auditallow domain_deprecated ion_device:chr_file { write append };
+')
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
-#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:file r_file_perms;
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -fsck
+ -fsck_untrusted
+ -rild
+ -sdcardd
+ -system_server
+ -update_engine
+ -vold
+} proc:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -fsck
+ -fsck_untrusted
+ -rild
+ -system_server
+ -vold
+} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
- -init
-inputflinger
-installd
-keystore
@@ -108,7 +281,6 @@
-dumpstate
-fingerprintd
-healthd
- -init
-inputflinger
-installd
-keystore
@@ -118,10 +290,41 @@
-system_server
-zygote
} cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -surfaceflinger
+ -system_server
+ -vold
+} proc_meminfo:file r_file_perms;
+')
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+userdebug_or_eng(`
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -keystore
+ -postinstall_dexopt
+ -runas
+ -servicemanager
+ -system_server
+ -ueventd
+ -zygote
+} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -keystore
+ -postinstall_dexopt
+ -runas
+ -servicemanager
+ -system_server
+ -ueventd
+ -zygote
+} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+')
diff --git a/public/fsck.te b/public/fsck.te
index bdbbd33..2f0a838 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -24,6 +24,7 @@
allow fsck swap_block_device:blk_file getattr;
r_dir_file(fsck, proc)
+allow fsck rootfs:dir r_dir_perms;
###
### neverallow rules
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index aa5bf2b..8405a7e 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -19,3 +19,4 @@
binder_use(hal_fingerprint);
r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/init.te b/public/init.te
index 4d64aad..fe72894 100644
--- a/public/init.te
+++ b/public/init.te
@@ -1,5 +1,5 @@
# init is its own domain.
-type init, domain, domain_deprecated, mlstrustedsubject;
+type init, domain, mlstrustedsubject;
# The init domain is entered by execing init.
type init_exec, exec_type, file_type;
@@ -175,6 +175,8 @@
-vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init cache_file:lnk_file r_file_perms;
+
allow init { file_type -system_file -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
diff --git a/public/keystore.te b/public/keystore.te
index 4dd65eb..ec6d192 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -25,6 +25,7 @@
allow keystore ion_device:chr_file r_file_perms;
r_dir_file(keystore, cgroup)
+allow keystore system_file:dir r_dir_perms;
###
### Neverallow rules
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 6813aa6..3cb69be 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -31,6 +31,9 @@
# Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search;
+# access /proc/filesystems
+allow sdcardd proc:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 29581dd..9409947 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -32,3 +32,8 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop };
+# access /proc/misc
+allow update_engine proc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index dc8ca41..0e4eddc 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -27,6 +27,7 @@
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
+allow vold system_file:dir r_dir_perms;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;