Merge "Adjust sepolicy-analyze to reflect libsepol changes."
diff --git a/bluetooth.te b/bluetooth.te
index d6adc3b..60ce118 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -53,6 +53,11 @@
allow bluetooth radio_service:service_manager find;
allow bluetooth system_server_service:service_manager find;
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
###
### Neverallow rules
###
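Review bot: The grant on `shell_data_file:file` is limited to `read` with no `open`, but the comment above it does not say that the omission is intentional. A later edit to `r_file_perms` would let bluetooth open any file labelled shell_data_file by path, not just descriptors handed to it. I would add a line such as `# Deliberately no open: bluetooth may only read descriptors passed to it.` The type covers everything labelled shell_data_file, not only the bugreports directory named in the comment, so the missing `open` is the only thing scoping this access.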
diff --git a/dumpstate.te b/dumpstate.te
index df15067..b1e746a 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -118,3 +118,5 @@
system_app_service
system_server_service
}:service_manager find;
+
+allow dumpstate servicemanager:service_manager list;
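Review bot: The added `allow dumpstate servicemanager:service_manager list;` has no comment, while the same grant added to shell.te in this commit carries `# allow shell to list services`. For consistency I would put `# Allow dumpstate to list services.` above the rule. If there is a specific reason dumpstate needs to enumerate services, it belongs in that comment too.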
diff --git a/init.te b/init.te
index b833da8..4ec07f7 100644
--- a/init.te
+++ b/init.te
@@ -34,8 +34,8 @@
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
-# Create symlinks in /.
-allow init rootfs:lnk_file create;
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;
@@ -212,14 +212,12 @@
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;
-auditallow init device:file create_file_perms;
# Access character devices without a specific type,
# e.g. /dev/keychord.
# TODO: Move these devices into their own type unless they
# are only ever accessed by init.
allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
# keychord configuration
allow init self:capability sys_tty_config;
diff --git a/nfc.te b/nfc.te
index ad88bd9..0d1f613 100644
--- a/nfc.te
+++ b/nfc.te
@@ -18,6 +18,7 @@
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
+allow nfc drmserver_service:service_manager find;
allow nfc mediaserver_service:service_manager find;
allow nfc nfc_service:service_manager add;
allow nfc surfaceflinger_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index d34c9f1..9b9b0db 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -28,6 +28,7 @@
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
+allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
diff --git a/seapp_contexts b/seapp_contexts
index f92d118..4469b75 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -45,7 +45,7 @@
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro seinfo=platform domain=shared_relro
+user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
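Review bot: Dropping `seinfo=platform` from the `user=shared_relro` entry means the domain is now selected on the user alone, and nothing in the file records why the signature-derived selector is unnecessary here. Every neighbouring system-user entry in this hunk still carries `seinfo=platform`, so the line reads like an accidental omission. The format accepts `#` comments, so a line above the entry such as `# shared_relro: matched on user only because <reason seinfo is not set for this process>` would make the intent auditable.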
diff --git a/shared_relro.te b/shared_relro.te
index 54bdbb9..8ad53d3 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -8,3 +8,6 @@
# Grant write access to the shared relro files/directory.
allow shared_relro shared_relro_file:dir rw_dir_perms;
allow shared_relro shared_relro_file:file create_file_perms;
+
+# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro system_server_service:service_manager find;
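Review bot: The comment names two services, "webviewupdate" and "activity", but the rule grants `find` on every service labelled `system_server_service`, which is wider than the stated need. If those services cannot be given their own types yet, the comment should say so, for example `# TODO: narrow to dedicated types for webviewupdate and activity once they are split out of system_server_service.` The first hunk of shell.te adds the same type-wide `find` for `shell` with no comment at all. That rule deserves a line stating which services shell is expected to reach.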
diff --git a/shell.te b/shell.te
index 77b21be..3e30adc 100644
--- a/shell.te
+++ b/shell.te
@@ -44,6 +44,8 @@
allow shell debug_prop:property_service set;
allow shell powerctl_prop:property_service set;
+allow shell system_server_service:service_manager find;
+
# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
@@ -53,3 +55,6 @@
# allow shell to run dmesg
allow shell kernel:system syslog_read;
+
+# allow shell to list services
+allow shell servicemanager:service_manager list;
diff --git a/su.te b/su.te
index 6870684..c42e4a7 100644
--- a/su.te
+++ b/su.te
@@ -41,4 +41,8 @@
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su keystore:keystore_key *;
+ dontaudit su domain:debuggerd *;
+ dontaudit su domain:drmservice *;
')
diff --git a/system_app.te b/system_app.te
index 9a91624..8f70185 100644
--- a/system_app.te
+++ b/system_app.te
@@ -49,6 +49,7 @@
allow system_app asec_apk_file:file r_file_perms;
allow system_app keystore_service:service_manager find;
+allow system_app mediaserver_service:service_manager find;
allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
diff --git a/toolbox.te b/toolbox.te
index 1056756..4341102 100644
--- a/toolbox.te
+++ b/toolbox.te
@@ -3,7 +3,6 @@
# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
type toolbox_exec, exec_type, file_type;
-permissive_or_unconfined(toolbox)
init_daemon_domain(toolbox)
@@ -18,6 +17,7 @@
# Read/write block devices used for swap partitions.
# Assign swap_block_device type any such partition in your
# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
allow toolbox swap_block_device:blk_file rw_file_perms;
# Only allow entry from init via the toolbox binary.
diff --git a/uncrypt.te b/uncrypt.te
index 1c18064..743236d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -1,5 +1,5 @@
# uncrypt
-type uncrypt, domain;
+type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
init_daemon_domain(uncrypt)
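Review bot: Adding `mlstrustedsubject` to `type uncrypt` exempts the domain from the MLS constraints, yet the hunk has no comment saying which access required it. The attribute applies to every access the domain makes, not only the one that motivated it, so the reason should be recorded next to the declaration. Something like `# mlstrustedsubject: needed to <access that MLS constraints otherwise deny>` would let a later reviewer tell when it can be dropped.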
@@ -30,5 +30,4 @@
allow uncrypt block_device:dir r_dir_perms;
# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file rw_file_perms;
-auditallow uncrypt userdata_block_device:blk_file rw_file_perms;
+allow uncrypt userdata_block_device:blk_file w_file_perms;
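Review bot: The context comment `# Access userdata block device.` no longer describes the rule beneath it, because the grant is now `w_file_perms` rather than `rw_file_perms`. I would change it to `# Write to the userdata block device; read access is intentionally not granted.` so the narrowing is not undone by someone matching the rule back to the old wording.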