am f7e98fe2: Merge "recovery.te: add /data neverallow rules"
* commit 'f7e98fe2c988d88a4a98a1fdfd07561cef013e5c':
recovery.te: add /data neverallow rules
diff --git a/Android.mk b/Android.mk
index eae860b..1535b56 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,7 +11,7 @@
# is frozen, we should flip this to true. This forces any currently
# permissive domains into unconfined+enforcing.
#
-FORCE_PERMISSIVE_TO_UNCONFINED:=false
+FORCE_PERMISSIVE_TO_UNCONFINED:=true
ifeq ($(TARGET_BUILD_VARIANT),user)
# User builds are always forced unconfined+enforcing
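Review bot: The comment above the flag still reads as a pending TODO ("we should flip this to true") while this hunk flips it, so it now documents the wrong state; reword it to describe what the build does today, e.g. `# Policy is frozen: FORCE_PERMISSIVE_TO_UNCONFINED is true, so any domain` / `# still declared permissive is built as unconfined+enforcing.` The sentence the comment belongs to starts before the hunk and the `ifeq` on user builds continues past it, so adjust the surrounding lines to match. It is also worth a one-line reminder in that comment that unconfined is presumably still a very broad domain, so this changes how permissive domains are built rather than how tightly they are confined.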
diff --git a/app.te b/app.te
index ea74cb0..2e0a9ee 100644
--- a/app.te
+++ b/app.te
@@ -53,6 +53,12 @@
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };
+# Keychain and user-trusted credentials
+allow appdomain keychain_data_file:dir r_dir_perms;
+allow appdomain keychain_data_file:file r_file_perms;
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
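Review bot: Every app domain now gets read access to both new types, and since the hunk grants only read here while write on keychain_data_file goes to system_server and installd elsewhere in this change, that read-only property should be locked in with a neverallow rather than left implicit, e.g. `neverallow appdomain keychain_data_file:file { write append create unlink link rename setattr };` (or the file's `no_w_file_perms` macro if it has one), unless some app domain in the rest of the policy genuinely needs write. The comment "Keychain and user-trusted credentials" should also say what lives under /data/misc/user so a reader can judge whether read by untrusted and isolated app domains is intended; from the name alone that is not obvious. The neverallow section of this file, if any, is outside the hunk.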
diff --git a/bootanim.te b/bootanim.te
index 7592295..e0e25b9 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -11,6 +11,10 @@
# /oem access
allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
# Audited locally.
service_manager_local_audit_domain(bootanim)
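Review bot: The two audio_device rules are added without a comment, and `rw_file_perms` on every audio chr_file is a broader grant than the oemfs read above it, so the intent should be stated inline, e.g. `# Play the boot sound (presumably shipped under /oem); needs read/write on the audio devices.` If only playback is needed, check whether write alone on the device node would do and trim `rw_file_perms` accordingly. The rest of bootanim's rules are outside the hunk.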
diff --git a/drmserver.te b/drmserver.te
index 2a146b6..ba7e62f 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -47,6 +47,10 @@
allow drmserver drmserver_service:service_manager add;
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
# Audited locally.
service_manager_local_audit_domain(drmserver)
auditallow drmserver {
diff --git a/file.te b/file.te
index 9b7564f..e1de664 100644
--- a/file.te
+++ b/file.te
@@ -84,9 +84,11 @@
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
+type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 038c8b6..2c5c265 100644
--- a/file_contexts
+++ b/file_contexts
@@ -210,12 +210,14 @@
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
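Review bot: Both new entries relabel paths that on an existing device were created under the old label (system_data_file, per the comment this change drops from system_app.te), and the new allow rules only apply once the on-disk labels are updated; nothing in this diff shows the corresponding `restorecon_recursive` or upgrade step, so confirm that init's /data relabeling covers /data/misc/keychain and /data/misc/user on OTA. Without it, existing keychain files stay system_data_file and the read rules for keychain_data_file added elsewhere in this change never apply to them. A short comment on the new lines noting that these paths moved out of system_data_file would help the next person who hits such a denial.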
diff --git a/installd.te b/installd.te
index 6257ede..6b1b2b8 100644
--- a/installd.te
+++ b/installd.te
@@ -37,6 +37,12 @@
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
allow installd install_data_file:file create_file_perms;
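Review bot: The comment "Upgrade /data/misc/keychain for multi-user if necessary" does not say what the upgrade does, while the permissions themselves are telling: installd may read and unlink files under keychain_data_file but only create under misc_user_data_file, i.e. a copy-then-delete migration in one direction. Spell that out so the asymmetry is not "fixed" later, e.g. `# Migrate per-user files out of /data/misc/keychain into /data/misc/user: read+unlink the old copies, create the new ones.` `create_dir_perms` on keychain_data_file dirs also includes rmdir/rename; if installd only removes emptied directories, mention that too.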
diff --git a/kernel.te b/kernel.te
index 89211e1..7ccbc61 100644
--- a/kernel.te
+++ b/kernel.te
@@ -48,6 +48,13 @@
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel sdcard_type:file { read write };
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel app_data_file:file read;
+
###
### neverallow rules
###
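Review bot: The new rule grants the kernel domain `read` on all of app_data_file, and the only thing scoping it to the OBB case is that `open` is not granted, so the kernel can only use a descriptor handed to it by vold; that is the important property and it should be stated in the comment rather than left to be inferred, e.g. `# Only read is granted (no open): the kernel uses the fd vold passes in and cannot open app files itself.` The same holds for the sdcard_type rule just above it. The neverallow section that follows is outside the hunk; if it already forbids kernel from opening app_data_file, a reference to it here would close the loop.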
diff --git a/mediaserver.te b/mediaserver.te
index 3eb078d..711f4df 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -80,6 +80,10 @@
allow mediaserver mediaserver_service:service_manager add;
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
# Audited locally.
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
diff --git a/service_contexts b/service_contexts
index e96178b..8585fcf 100644
--- a/service_contexts
+++ b/service_contexts
@@ -37,6 +37,7 @@
dropbox u:object_r:system_server_service:s0
entropy u:object_r:system_server_service:s0
ethernet u:object_r:system_server_service:s0
+fingerprint u:object_r:system_server_service:s0
gfxinfo u:object_r:system_server_service:s0
hardware u:object_r:system_server_service:s0
hdmi_control u:object_r:system_server_service:s0
@@ -47,7 +48,7 @@
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
-imms u:object_r:system_app_service:s0
+imms u:object_r:system_server_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
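Review bot: Relabeling `imms` from system_app_service to system_server_service changes which domains may register and look it up, and the diff does not show the corresponding change in whatever process publishes the service; if imms is still added by a system_app process, that `service_manager add` will now be denied. Confirm the service moved into system_server, and consider a brief comment on the line (service_contexts has no comment syntax here, so the commit message is the place) recording why it moved. The rest of the service_contexts entries are outside this hunk.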
@@ -87,6 +88,7 @@
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
restrictions u:object_r:system_server_service:s0
+rttmanager u:object_r:system_server_service:s0
samplingprofiler u:object_r:system_server_service:s0
scheduling_policy u:object_r:system_server_service:s0
search u:object_r:system_server_service:s0
@@ -100,7 +102,7 @@
statusbar u:object_r:system_server_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:system_server_service:s0
-telecomm u:object_r:radio_service:s0
+telecom u:object_r:radio_service:s0
telephony.registry u:object_r:system_server_service:s0
textservices u:object_r:system_server_service:s0
trust u:object_r:system_server_service:s0
diff --git a/system_app.te b/system_app.te
index fcf0f16..6fe8106 100644
--- a/system_app.te
+++ b/system_app.te
@@ -12,10 +12,16 @@
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:file create_file_perms;
+# Read /data/misc/keychain subdirectory.
+allow system_app keychain_data_file:dir r_dir_perms;
+allow system_app keychain_data_file:file r_file_perms;
+
# Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/keychain.
+# /data/system/cache and /data/misc/user.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
# Audit writes to these directories and files so we can identify
# and possibly move these directories into their own type in the future.
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
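Review bot: The two read rules on keychain_data_file appear to duplicate what app.te grants to all of appdomain in this same change, assuming system_app is still a member of appdomain (its domain declaration is outside the hunk); duplicate allows are harmless but add noise and invite drift, so either drop them or keep them with a comment saying they are intentionally explicit. The write grant on misc_user_data_file is the real addition and deserves its own comment, e.g. `# system_app owns the per-user files under /data/misc/user.` Note the auditallow below only covers system_data_file, so writes to misc_user_data_file are no longer audited, which is presumably the point of the split.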
diff --git a/system_server.te b/system_server.te
index e1528f9..ae14ab3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -14,7 +14,6 @@
# For art.
allow system_server dalvikcache_data_file:file execute;
-allow system_server dex2oat_exec:file rx_file_perms;
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
@@ -71,6 +70,9 @@
# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
# Kill apps.
allow system_server appdomain:process { sigkill signal };
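Review bot: `nlmsg_write` on netlink_route_socket is only useful alongside the socket's create/bind/read/write permissions, which this hunk does not grant; confirm they come from domain.te or another rule already in the file, otherwise the new line is dead policy. Since nlmsg_write lets system_server change routes directly, the comment should also name the caller that needs it so the grant can be revisited, e.g. `# Set and get routes directly via netlink (needed by the network management code).` The generic netlink_socket rule above it is a separate socket class and does not cover this.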
@@ -171,6 +173,8 @@
# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
@@ -395,7 +399,7 @@
allow system_server cgroup:dir { remove_name rmdir };
# /oem access
-allow system_server oemfs:dir search;
+r_dir_file(system_server, oemfs)
###
### Neverallow rules
diff --git a/zygote.te b/zygote.te
index adbea06..67660b3 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,6 +21,9 @@
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
+# Read system security data.
+allow zygote keychain_data_file:dir r_dir_perms;
+allow zygote keychain_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
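Review bot: "Read system security data" does not say what zygote, which runs as root, actually reads under /data/misc/keychain or why it needs to; make the comment concrete, e.g. `# Read /data/misc/keychain (presumably to preload user-installed CA certificates into the zygote heap).` and adjust the parenthetical to the real reason. Read-only access is appropriate here; just make sure nothing later widens it, since the same type receives create perms in system_server.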