Merge "Move pf_key socket creation permission to netd"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index fcdd653..8c91561 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -343,3 +343,11 @@
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
+
+# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
+# must not use it.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} mnt_sdcard_file:lnk_file *;
diff --git a/private/bug_map b/private/bug_map
index 7d932db..a69fc52 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -30,5 +30,4 @@
usbd usbd capability 72472544
vold system_data_file file 124108085
vrcore_app mnt_user_file dir 118185801
-webview_zygote system_data_file lnk_file 123246126
zygote untrusted_app_25 process 77925912
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index a102ab0..e34cdb8 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1617,7 +1617,9 @@
(typeattributeset thermalserviced_28_0 (thermalserviced))
(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
(typeattributeset timezone_service_28_0 (timezone_service))
-(typeattributeset tmpfs_28_0 (tmpfs))
+(typeattributeset tmpfs_28_0
+ ( mnt_sdcard_file
+ tmpfs))
(typeattributeset tombstoned_28_0 (tombstoned))
(typeattributeset tombstone_data_file_28_0 (tombstone_data_file))
(typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket))
diff --git a/private/file_contexts b/private/file_contexts
index 7cbb623..9785ffb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -637,6 +637,7 @@
# external storage
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/sdcard u:object_r:mnt_sdcard_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 656c2e3..af3d8b9 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -123,6 +123,7 @@
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
@@ -139,6 +140,7 @@
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 5bad58f..45aeddc 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -60,3 +60,6 @@
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_25 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index eaa1791..03b3013 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -45,3 +45,6 @@
# ASharedMemory instead.
allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_27 ashmem_device:chr_file open;
+
+# Read /mnt/sdcard symlink.
+allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 4630c35..2f5007a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -75,6 +75,8 @@
allow webview_zygote same_process_hal_file:file { execute read open getattr map };
+allow webview_zygote system_data_file:lnk_file r_file_perms;
+
#####
##### Neverallow
#####
diff --git a/public/file.te b/public/file.te
index 7d48fb4..c8953de 100644
--- a/public/file.te
+++ b/public/file.te
@@ -291,6 +291,7 @@
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
type mnt_expand_file, file_type;
+type mnt_sdcard_file, file_type;
type storage_file, file_type;
# Label for storage dirs which are just mount stubs
diff --git a/public/hal_audio.te b/public/hal_audio.te
index a1c098f..bb9eec4 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -32,7 +32,7 @@
neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
get_prop(hal_audio, bluetooth_a2dp_offload_prop)
get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/public/init.te b/public/init.te
index 06af302..bde7ac6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -46,6 +46,9 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+# Create /mnt/sdcard -> /storage/self/primary symlink.
+allow init mnt_sdcard_file:lnk_file create;
+
# setrlimit
allow init self:global_capability_class_set sys_resource;