Merge "Move wpa_supplicant.te to wpa.te."
diff --git a/app.te b/app.te
index 9adb86a..2589f66 100644
--- a/app.te
+++ b/app.te
@@ -42,7 +42,7 @@
allow appdomain appdomain:fifo_file rw_file_perms;
# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
@@ -69,7 +69,7 @@
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };
# Write to /proc/net/xt_qtaguid/ctrl file.
@@ -89,14 +89,11 @@
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
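Review bot: The comment block above the new `allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };` line still describes only the isolated-app/Chrome case, but the rule now applies to every appdomain talking to every other appdomain, and the isolated-app-specific `r_dir_file(appdomain, isolated_app)` is dropped from this hunk without a visible replacement. The comment should say what is actually granted, e.g. `# Use already-connected, unnamed unix stream sockets of any app domain (isolated_app included) that were passed over some other IPC; hence no sock_file or connectto permission.` Since connectto is still not granted here, isolated processes remain reachable only through passed sockets, which is worth stating explicitly so the next widening is deliberate.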
@@ -112,6 +109,10 @@
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };
+# Access SDcard.
+allow appdomain sdcard_type:dir create_dir_perms;
+allow appdomain sdcard_type:file create_file_perms;
+
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
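Review bot: The new `allow appdomain sdcard_type:dir create_dir_perms;` / `allow appdomain sdcard_type:file create_file_perms;` pair is wider than the per-domain rules it consolidates elsewhere in this change (untrusted_app, shelldomain, nfc, bluetooth, platformappdomain), because appdomain presumably also covers isolated_app — the isolated_app.te hunk shows `app_domain(isolated_app)` — and isolated_app had no SD card rules before. Unless isolated processes are meant to gain full SD card read/write, exclude them with the set-subtraction form this change already uses for neverallow: `allow { appdomain -isolated_app } sdcard_type:dir create_dir_perms;` and `allow { appdomain -isolated_app } sdcard_type:file create_file_perms;`. Note also that the system_app rule removed in this change was read-only (`sdcard_type:dir r_dir_perms`), so system_app gains write access through this consolidation; if that is intended, the `# Access SDcard.` comment should say so.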
diff --git a/bluetooth.te b/bluetooth.te
index c63dc02..75b0c97 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -43,10 +43,6 @@
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-# bluetooth file transfers
-allow bluetooth sdcard_internal:dir create_dir_perms;
-allow bluetooth sdcard_internal:file create_file_perms;
-
# Allow write access to bluetooth specific properties
allow bluetooth bluetooth_prop:property_service set;
diff --git a/dnsmasq.te b/dnsmasq.te
index fcf7c6d..61382a2 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -5,7 +5,16 @@
net_domain(dnsmasq)
-allow dnsmasq self:capability { net_bind_service setgid setuid };
+allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
allow dnsmasq dhcp_data_file:dir w_dir_perms;
allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { read write };
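Review bot: The three netlink socket rules are preceded by a TODO saying the inherited sockets should probably be closed on exec, yet they `allow` read/write on them; using `dontaudit` instead of `allow` would let the exec-time descriptor check close the unneeded inherited sockets silently (SELinux revokes inherited descriptors that fail the check at exec) without granting dnsmasq any netlink access, e.g. `dontaudit dnsmasq netd:netlink_route_socket { read write };` and likewise for the uevent and nflog sockets. Separately, the capability line adds `net_admin` and `net_raw` with no comment on why dnsmasq needs them; a one-line justification next to the rule would help later audits, since net_admin is among the broadest capabilities in the set. The `netd:fd use`, fifo and unix_stream_socket rules above them read as genuinely needed and can stay as allows.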
diff --git a/domain.te b/domain.te
index 34af567..e856288 100644
--- a/domain.te
+++ b/domain.te
@@ -61,7 +61,7 @@
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain device:file read;
-allow domain socket_device:dir search;
+allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
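Review bot: Widening `socket_device:dir` from `search` to `r_dir_perms` for every domain lets any process enumerate /dev/socket instead of only resolving a name it already knows, and the hunk gives no reason for the change. If one specific domain needs to list the directory, grant it in that domain's file; otherwise record the need on the line, e.g. `# List /dev/socket; needed by <domain or tool — fill in>.` so the widening is not silently carried forward.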
diff --git a/isolated_app.te b/isolated_app.te
index 7e51d30..4745d7e 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,12 +12,3 @@
type isolated_app, domain;
app_domain(isolated_app)
net_domain(isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-allow isolated_app dalvikcache_data_file:file execute;
-allow isolated_app apk_data_file:dir getattr;
diff --git a/media_app.te b/media_app.te
index 65f3863..099e0a6 100644
--- a/media_app.te
+++ b/media_app.te
@@ -10,20 +10,15 @@
net_domain(media_app)
# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
# Stat /cache/backup
allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir (in particular, file_contexts for restorecon).
-allow media_app rootfs:file r_file_perms;
+# Create download files.
allow media_app download_file:dir rw_dir_perms;
allow media_app download_file:file create_file_perms;
# Allow platform apps to mark platform app data files as download files
relabelto_domain(media_app)
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;
+
+# inherits from platformappdomain.te
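Review bot: The `rootfs:file r_file_perms` rule, whose comment said it was needed to read file_contexts for restorecon, is dropped while `relabelto_domain(media_app)` and the `download_file:dir relabelto` rule on the following lines are kept, so media_app apparently still relabels; if that relabel goes through the file_contexts lookup, the read of that file must now be granted somewhere else (domain.te, perhaps), which is worth confirming before merge. The trailing `# inherits from platformappdomain.te` names a file rather than the mechanism; `# Further rules are inherited via platform_app_domain(); see platformappdomain.te.` reads more precisely, and the same wording applies to the identical comment added in the platform_app, release_app and shared_app hunks.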
diff --git a/mediaserver.te b/mediaserver.te
index ad291b0..1019fc7 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -69,3 +69,6 @@
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+# Connect to tee service.
+allow mediaserver tee:unix_stream_socket connectto;
diff --git a/nfc.te b/nfc.te
index 0522c52..0968c35 100644
--- a/nfc.te
+++ b/nfc.te
@@ -13,6 +13,3 @@
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
-
-allow nfc sdcard_type:dir create_dir_perms;
-allow nfc sdcard_type:file create_file_perms;
diff --git a/platform_app.te b/platform_app.te
index bbbc0f7..ea49c00 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -10,10 +10,7 @@
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
+# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
@@ -26,20 +23,5 @@
allow platform_app asec_apk_file:file create_file_perms;
# Access download files.
allow platform_app download_file:file rw_file_perms;
-# Allow BackupManagerService to backup all app domains
-allow platform_app appdomain:fifo_file write;
-#
-# Rules for all platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/platformappdomain.te b/platformappdomain.te
new file mode 100644
index 0000000..701a636
--- /dev/null
+++ b/platformappdomain.te
@@ -0,0 +1,21 @@
+#
+# Rules for all platform app domains.
+# These rules are inherited by any domain that includes platform_app_domain().
+# Presently this consists of the four app domains corresponding to apps
+# signed by one of the four build keys: platform_app, shared_app, media_app,
+# release_app. These app domains use platform_app_data_file rather
+# than app_data_file for their /data/data directories (as specified via
+# type= in seapp_contexts) and have greater permissions to specific
+# directories owned by groups that are restricted to apps with
+# Android permissions that are signature|system.
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;
+# Write to /cache.
+allow platformappdomain cache_file:dir create_dir_perms;
+allow platformappdomain cache_file:file create_file_perms;
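Review bot: The final `allow platformappdomain cache_file:dir create_dir_perms;` is wider than the per-domain rules it replaces: media_app, platform_app and release_app each had `cache_file:dir rw_dir_perms` in their hunks of this change, and create_dir_perms is presumably a superset of rw_dir_perms in this tree's macros. If the extra directory permissions are not needed for "Write to /cache", keep the original set, `allow platformappdomain cache_file:dir rw_dir_perms;`; otherwise extend the comment to say why the wider set is required. The header lists shared_app among the four domains, and shared_app's hunk only adds a comment, so shared_app gains /cache write here for the first time if it is in the attribute as the header says — worth noting in the header if intentional.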
diff --git a/release_app.te b/release_app.te
index 69cff19..4dc78e7 100644
--- a/release_app.te
+++ b/release_app.te
@@ -11,6 +11,4 @@
# Access bluetooth.
bluetooth_domain(release_app)
-# Write to /cache.
-allow release_app cache_file:dir rw_dir_perms;
-allow release_app cache_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/shared_app.te b/shared_app.te
index 2223882..ef72735 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -10,3 +10,5 @@
net_domain(shared_app)
# Access bluetooth.
bluetooth_domain(shared_app)
+
+# inherits from platformappdomain.te
diff --git a/shelldomain.te b/shelldomain.te
index d4bb019..e894d9d 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -5,10 +5,6 @@
allow shelldomain shell_data_file:file create_file_perms;
allow shelldomain shell_data_file:file rx_file_perms;
-# Access sdcard.
-allow shelldomain sdcard_type:dir create_dir_perms;
-allow shelldomain sdcard_type:file create_file_perms;
-
# adb bugreport
unix_socket_connect(shelldomain, dumpstate, dumpstate)
@@ -29,13 +25,3 @@
allow shelldomain ctl_dumpstate_prop:property_service set;
allow shelldomain debug_prop:property_service set;
allow shelldomain powerctl_prop:property_service set;
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shelldomain, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shelldomain app_data_file:dir search;
-
-# ps and ps -Z output for app processes.
-r_dir_file(shelldomain, appdomain)
-allow shelldomain appdomain:process getattr;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 7d73696..1268247 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -11,11 +11,17 @@
# Perform Binder IPC.
binder_use(surfaceflinger)
-binder_call(surfaceflinger, system_server)
-binder_call(surfaceflinger, nfc)
-binder_call(surfaceflinger, mediaserver)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
binder_service(surfaceflinger)
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
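Review bot: `binder_call(surfaceflinger, adbd)` is justified by "bu, presently runs in adbd domain", which describes a temporary state without marking it for follow-up; `# TODO: drop once bu runs in its own domain.` next to the rule would keep the grant from outliving its reason. Replacing the three named targets with `binderservicedomain` and `appdomain` also lets surfaceflinger call back into every app and service; that is plausible for a display server, but the `# Perform Binder IPC.` comment above should say that the callback targets are intentionally all Binder clients, as the `r_dir_file` comment below already does for /proc.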
@@ -50,3 +56,13 @@
# but seems expected and appropriate for all devices.
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+# TODO: Remove -unconfineddomain when we remove permissive_or_unconfined above.
+neverallow { surfaceflinger -unconfineddomain } sdcard_type:file rw_file_perms;
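Review bot: The neverallow covers only `sdcard_type:file`; if the concern stated in the comment is surfaceflinger holding references on a removable volume at ejection time, an open directory handle on that volume has the same effect, so consider also forbidding `sdcard_type:dir`, e.g. `neverallow { surfaceflinger -unconfineddomain } sdcard_type:dir r_dir_perms;`. The TODO refers to a `permissive_or_unconfined` line "above" that lies outside this hunk, so the reference is unverified from here.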
diff --git a/system_app.te b/system_app.te
index dc02118..60398a2 100644
--- a/system_app.te
+++ b/system_app.te
@@ -20,12 +20,6 @@
# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };
-# Read SELinux enforcing status.
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
diff --git a/untrusted_app.te b/untrusted_app.te
index 85cf79e..e60bfff 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -32,14 +32,6 @@
allow untrusted_app tun_device:chr_file rw_file_perms;
-# Internal SDCard rw access.
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-
-# External SDCard rw access.
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-
# ASEC
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms;
diff --git a/zygote.te b/zygote.te
index c20072d..345b630 100644
--- a/zygote.te
+++ b/zygote.te
@@ -45,7 +45,7 @@
allow zygote labeledfs:filesystem remount;
# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file { execute_no_trans open };
+allow zygote zygote_exec:file rx_file_perms;
# handle bugreports b/10498304
allow zygote ashmem_device:chr_file execute;
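Review bot: `rx_file_perms` replaces `{ execute_no_trans open }` while the comment still only mentions the `--invoke-with` wrapper case; confirm that this tree's `rx_file_perms` macro includes `execute_no_trans`, otherwise the wrapper launch regresses, and if it does, extend the comment so the widening is documented: `# Handle --invoke-with command when launching Zygote with a wrapper command (execute_no_trans, via rx_file_perms).`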