Merge "Adjust sepolicy-analyze to reflect libsepol changes."
diff --git a/bluetooth.te b/bluetooth.te
index d6adc3b..60ce118 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -53,6 +53,11 @@
 allow bluetooth radio_service:service_manager find;
 allow bluetooth system_server_service:service_manager find;
 
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
 ###
 ### Neverallow rules
 ###
diff --git a/dumpstate.te b/dumpstate.te
index df15067..b1e746a 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -118,3 +118,5 @@
     system_app_service
     system_server_service
 }:service_manager find;
+
+allow dumpstate servicemanager:service_manager list;
diff --git a/init.te b/init.te
index b833da8..4ec07f7 100644
--- a/init.te
+++ b/init.te
@@ -34,8 +34,8 @@
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
 
-# Create symlinks in /.
-allow init rootfs:lnk_file create;
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
 
 # Mount debugfs on /sys/kernel/debug.
 allow init sysfs:dir mounton;
@@ -212,14 +212,12 @@
 # TODO:  Move these files into their own type unless they are
 # only ever accessed by init.
 allow init device:file create_file_perms;
-auditallow init device:file create_file_perms;
 
 # Access character devices without a specific type,
 # e.g. /dev/keychord.
 # TODO: Move these devices into their own type unless they
 # are only ever accessed by init.
 allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
 
 # keychord configuration
 allow init self:capability sys_tty_config;
diff --git a/nfc.te b/nfc.te
index ad88bd9..0d1f613 100644
--- a/nfc.te
+++ b/nfc.te
@@ -18,6 +18,7 @@
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
 
+allow nfc drmserver_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager add;
 allow nfc surfaceflinger_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index d34c9f1..9b9b0db 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -28,6 +28,7 @@
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
 
+allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
diff --git a/seapp_contexts b/seapp_contexts
index f92d118..4469b75 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -45,7 +45,7 @@
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro seinfo=platform domain=shared_relro
+user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/shared_relro.te b/shared_relro.te
index 54bdbb9..8ad53d3 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -8,3 +8,6 @@
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;
+
+# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro system_server_service:service_manager find;
diff --git a/shell.te b/shell.te
index 77b21be..3e30adc 100644
--- a/shell.te
+++ b/shell.te
@@ -44,6 +44,8 @@
 allow shell debug_prop:property_service set;
 allow shell powerctl_prop:property_service set;
 
+allow shell system_server_service:service_manager find;
+
 # systrace support - allow atrace to run
 # debugfs doesn't support labeling individual files, so we have
 # to grant read access to all of /sys/kernel/debug.
@@ -53,3 +55,6 @@
 
 # allow shell to run dmesg
 allow shell kernel:system syslog_read;
+
+# allow shell to list services
+allow shell servicemanager:service_manager list;
diff --git a/su.te b/su.te
index 6870684..c42e4a7 100644
--- a/su.te
+++ b/su.te
@@ -41,4 +41,8 @@
   dontaudit su domain:peer *;
   dontaudit su domain:binder *;
   dontaudit su property_type:property_service *;
+  dontaudit su service_manager_type:service_manager *;
+  dontaudit su keystore:keystore_key *;
+  dontaudit su domain:debuggerd *;
+  dontaudit su domain:drmservice *;
 ')
diff --git a/system_app.te b/system_app.te
index 9a91624..8f70185 100644
--- a/system_app.te
+++ b/system_app.te
@@ -49,6 +49,7 @@
 allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app keystore_service:service_manager find;
+allow system_app mediaserver_service:service_manager find;
 allow system_app nfc_service:service_manager find;
 allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
diff --git a/toolbox.te b/toolbox.te
index 1056756..4341102 100644
--- a/toolbox.te
+++ b/toolbox.te
@@ -3,7 +3,6 @@
 # Do NOT use this domain for toolbox when run by any other domain.
 type toolbox, domain;
 type toolbox_exec, exec_type, file_type;
-permissive_or_unconfined(toolbox)
 
 init_daemon_domain(toolbox)
 
@@ -18,6 +17,7 @@
 # Read/write block devices used for swap partitions.
 # Assign swap_block_device type any such partition in your
 # device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
 allow toolbox swap_block_device:blk_file rw_file_perms;
 
 # Only allow entry from init via the toolbox binary.
diff --git a/uncrypt.te b/uncrypt.te
index 1c18064..743236d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -1,5 +1,5 @@
 # uncrypt
-type uncrypt, domain;
+type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
 init_daemon_domain(uncrypt)
@@ -30,5 +30,4 @@
 allow uncrypt block_device:dir r_dir_perms;
 
 # Access userdata block device.
-allow uncrypt userdata_block_device:blk_file rw_file_perms;
-auditallow uncrypt userdata_block_device:blk_file rw_file_perms;
+allow uncrypt userdata_block_device:blk_file w_file_perms;