am 2b8bf155: am 303e139a: am b76966d6: recovery: remove auditallow for exec_type:dir writes

* commit '2b8bf15531090fe56f3c545cabaf371b6e4476dc':
  recovery: remove auditallow for exec_type:dir writes
diff --git a/adbd.te b/adbd.te
index babbdc5..c80dba4 100644
--- a/adbd.te
+++ b/adbd.te
@@ -73,10 +73,6 @@
 allow adbd app_data_file:sock_file write;
 allow adbd appdomain:unix_stream_socket connectto;
 
-# b/18078338 - allow read access to executable types on /system
-# to assist with debugging OTA issues.
-allow adbd exec_type:file r_file_perms;
-
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
diff --git a/domain.te b/domain.te
index d835ee9..005b2b3 100644
--- a/domain.te
+++ b/domain.te
@@ -262,7 +262,7 @@
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
 # ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
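Review bot: The new `neverallow { domain -init -ueventd } device:chr_file { open read write };` drops the recovery exemption, as does the `rootfs:file` rule in the next hunk of this file, but no change to the recovery domain's own policy is visible in this diff. neverallow rules are checked when the policy is compiled, so any allow rule that still grants recovery these permissions would fail the build. It is worth confirming that the recovery policy (not shown here) no longer carries such rules. The commit subject mentions only an auditallow removal for exec_type:dir writes, so the description could also state that these two exemptions are removed.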
@@ -300,7 +300,7 @@
 neverallow domain { system_file exec_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
diff --git a/system_server.te b/system_server.te
index 0fa709e..0663239 100644
--- a/system_server.te
+++ b/system_server.te
@@ -168,7 +168,9 @@
 allow system_server video_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
-allow system_server audio_device:chr_file r_file_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
 
 # tun device used for 3rd party vpn apps
 allow system_server tun_device:chr_file rw_file_perms;
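Review bot: `allow system_server audio_device:chr_file rw_file_perms;` grants write access to every character device labeled audio_device, while the comment justifies it only for MIDI. How the MIDI nodes are labeled is not visible in this hunk. If they can carry their own type, the audio_device rule could stay at `r_file_perms` and rw could be granted on that type alone, e.g. `allow system_server <midi_type>:chr_file rw_file_perms;` (placeholder type name). Failing that, the comment should record the scope, e.g. `# MIDI needs write; this covers all audio_device chr_files until MIDI nodes get their own type`.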