Merge "Allow reading of radio data files passed over binder."
diff --git a/file_contexts b/file_contexts
index cdacd37..dc91481 100644
--- a/file_contexts
+++ b/file_contexts
@@ -122,6 +122,7 @@
/system/bin/run-as -- u:object_r:runas_exec:s0
/system/bin/bootanimation u:object_r:bootanim_exec:s0
/system/bin/app_process u:object_r:zygote_exec:s0
+/system/bin/app_process64 u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
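Review bot: The new entry labels only the 64-bit zygote binary; on a build that also ships an app_process32 next to it, that file would presumably keep the generic /system/bin label and whatever transition is keyed on zygote_exec (defined outside this diff) would not apply to it. If that layout exists, one regex entry covers all three spellings and replaces the two adjacent lines: `/system/bin/app_process(32|64)? u:object_r:zygote_exec:s0`. Otherwise a short comment on the added line saying which build variant ships app_process64 would stop the next reader from re-raising this.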
diff --git a/installd.te b/installd.te
index abf0b16..3f5e9a1 100644
--- a/installd.te
+++ b/installd.te
@@ -16,7 +16,6 @@
allow installd apk_tmp_file:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
-dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(installd)
# Read /seapp_contexts and /data/security/seapp_contexts
diff --git a/logd.te b/logd.te
index 796f7bb..782d58e 100644
--- a/logd.te
+++ b/logd.te
@@ -4,7 +4,10 @@
init_daemon_domain(logd)
-allow logd self:capability { setuid setgid sys_nice };
+allow logd self:capability { setuid setgid sys_nice audit_control };
+allow logd self:capability2 syslog;
+allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
+allow logd kernel:system syslog_read;
r_dir_file(logd, domain)
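Review bot: The added `netlink_audit_socket { create_socket_perms nlmsg_write }` and `audit_control` grants carry no comment saying what logd does with them, and nlmsg_write lets the domain issue audit configuration commands rather than only consume events, so a later reader cannot tell how much of the write side is actually needed. Presumably logd registers itself as the audit consumer to pull kernel avc messages into its log, which is what needs the write permission; stating that pins the grant to its purpose: `# logd registers as the kernel audit consumer to collect avc messages; this needs audit_control and nlmsg_write on the audit netlink socket, not just reads.`. The same applies to the `capability2 syslog` plus `kernel:system syslog_read` pair, which together open the kernel log to logd; a one-line comment naming that purpose would help too.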
diff --git a/rild.te b/rild.te
index 424a61d..6d2cd38 100644
--- a/rild.te
+++ b/rild.te
@@ -24,7 +24,6 @@
allow rild system_data_file:dir r_dir_perms;
allow rild system_data_file:file r_file_perms;
allow rild system_file:file x_file_perms;
-dontaudit rild self:capability sys_admin;
# property service
allow rild rild_prop:property_service set;
diff --git a/seapp_contexts b/seapp_contexts
index eaa0c16..ff0964a 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,10 +39,10 @@
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
+user=shell domain=shell type=shell_data_file
user=_app domain=untrusted_app type=app_data_file
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app seinfo=shared domain=shared_app type=app_data_file
user=_app seinfo=media domain=media_app type=app_data_file
user=_app seinfo=release domain=release_app type=app_data_file
user=_isolated domain=isolated_app
-user=shell domain=shell type=shell_data_file
diff --git a/tools/post_process_mac_perms b/tools/post_process_mac_perms
index 47f43a0..25893ed 100755
--- a/tools/post_process_mac_perms
+++ b/tools/post_process_mac_perms
@@ -86,7 +86,7 @@
# Inline replace with new policy stanzas
for line in fileinput.input(args.policy, inplace=True):
- print line.replace('</policy>', mac_perms_string)
+ sys.stdout.write(line.replace('</policy>', mac_perms_string))
def main(argv):
parser = argparse.ArgumentParser(description=__doc__)
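Review bot: The replacement of print with `sys.stdout.write` depends on `sys` being imported at module level, which is outside this hunk and cannot be confirmed here; if it is missing, the inplace rewrite fails only at runtime on the first line, after fileinput has already opened the output. The reason for the change is also not recorded, so a short comment on the new line would prevent it being reverted to print later: `# line already carries its newline; write() avoids print's extra one`. The enclosing function that contains this loop starts outside the hunk.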
diff --git a/unconfined.te b/unconfined.te
index c3355c7..9b5f8c9 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,7 @@
# The use of this template is discouraged.
######################################################
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
+allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system *;
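Review bot: The added `audit_write audit_control` exclusions have no comment explaining why these two capabilities are now withheld from unconfined domains, while the unchanged `kernel:system *` line three lines below still grants every kernel:system permission to the same domains, so the intent of the tightening is not visible from the file alone. Presumably the goal is that only the designated log daemon can register as the audit consumer and rewrite audit settings; a comment stating that, e.g. `# audit_write/audit_control are withheld so that only the audit consumer domain can register with or reconfigure kernel audit.`, would make the boundary explicit. If that is the intent, the `kernel:system *` grant is worth revisiting in a follow-up as well, since it is the remaining wildcard on this block.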