Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 38c47f1bc09d1093157e15fb411477b0fe275bdc^2..38c47f1bc09d1093157e15fb411477b0fe275bdc / .
commit38c47f1bc09d1093157e15fb411477b0fe275bdc[log] [tgz]
authorTreehugger Robot <treehugger-gerrit@google.com>Fri Nov 01 01:34:48 2019 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Fri Nov 01 01:34:48 2019 +0000
tree2062d687fd844055e9c3e89766544124f3c81bbf
parent69e3af2d70d5f05e335ad2a7229783134b21fd3b [diff]
parent91709db3136746ececfcb3740368106e0b68c274 [diff]
Merge "dumpstate: reads ota_metadata_file"
diff --git a/private/domain.te b/private/domain.te
index 3fc55a2..5851d75 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -321,4 +321,5 @@
   -uncrypt
   -tee
   -hal_bootctl_server
+  -fastbootd
 } self:global_capability_class_set sys_rawio;

diff --git a/private/keys.conf b/private/keys.conf
index 362e73d..8c899b6 100644
--- a/private/keys.conf
+++ b/private/keys.conf

@@ -17,6 +17,9 @@
 [@NETWORK_STACK]
 ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
 
+[@PERMISSION_CONTROLLER]
+ALL: $DEFAULT_SYSTEM_DEV_CERTIFICATE/com_google_android_permissioncontroller-container.x509.pem
+
 [@SHARED]
 ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
 

diff --git a/private/keystore.te b/private/keystore.te
index 7f71028..ee6dbdf 100644
--- a/private/keystore.te
+++ b/private/keystore.te

@@ -11,9 +11,5 @@
 # This is used for the ConfirmationUI async callback.
 allow keystore platform_app:binder call;
 
-# Offer the Wifi Keystore HwBinder service
-typeattribute keystore wifi_keystore_service_server;
-add_hwservice(keystore, system_wifi_keystore_hwservice)
-
 # Allow to check whether security logging is enabled.
 get_prop(keystore, device_logging_prop)

diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 7fc37c1..5095a2a 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml

@@ -59,4 +59,10 @@
     <signer signature="@NETWORK_STACK" >
       <seinfo value="network_stack" />
     </signer>
+
+    <signer signature="@PERMISSION_CONTROLLER" >
+        <package name="com.google.android.permissioncontroller">
+            <seinfo value="permission_controller" />
+        </package>
+    </signer>
 </policy>

diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
new file mode 100644
index 0000000..32fa9bd
--- /dev/null
+++ b/private/permissioncontroller_app.te

@@ -0,0 +1,27 @@
+###
+### A domain for further sandboxing the GooglePermissionController app.
+###
+type permissioncontroller_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `permissioncontroller_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive permissioncontroller_app;')
+
+app_domain(permissioncontroller_app)
+
+# Allow interaction with gpuservice
+binder_call(permissioncontroller_app, gpuservice)
+allow permissioncontroller_app gpu_service:service_manager find;
+
+# Allow interaction with role_service
+allow permissioncontroller_app role_service:service_manager find;
+
+# Allow interaction with usagestats_service
+allow permissioncontroller_app usagestats_service:service_manager find;
+
+# Allow interaction with activity_service
+allow permissioncontroller_app activity_service:service_manager find;

diff --git a/private/seapp_contexts b/private/seapp_contexts
index c74bd2c..3651389 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -156,6 +156,7 @@
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app seinfo=permission_controller isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user

diff --git a/public/logpersist.te b/public/logpersist.te
index c7cab80..c8e6af4 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te

@@ -1,6 +1,10 @@
 # android debug logging, logpersist domains
 type logpersist, domain;
 
+# logcatd is a shell script that execs logcat with various parameters.
+allow logpersist shell_exec:file rx_file_perms;
+allow logpersist logcat_exec:file rx_file_perms;
+
 ###
 ### Neverallow rules
 ###

diff --git a/public/wificond.te b/public/wificond.te
index e11d45d..a55872a 100644
--- a/public/wificond.te
+++ b/public/wificond.te

@@ -30,3 +30,14 @@
 # dumpstate support
 allow wificond dumpstate:fd use;
 allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+get_prop(wificond, hwservicemanager_prop)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond keystore:binder call;
+allow wificond keystore:keystore_key get;