Merge "selinux: Update policies for cameraserver"
diff --git a/healthd.te b/healthd.te
index d09eab4..4f2a2ea 100644
--- a/healthd.te
+++ b/healthd.te
@@ -5,6 +5,9 @@
# Write to /dev/kmsg
allow healthd kmsg_device:chr_file rw_file_perms;
+# Read access to pseudo filesystems.
+r_dir_file(healthd, sysfs)
+
allow healthd self:capability { net_admin sys_tty_config };
wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
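Review bot: `r_dir_file(healthd, sysfs)` grants read on every directory, file and symlink that carries the generic `sysfs` label, and the comment `# Read access to pseudo filesystems.` does not say which nodes healthd actually needs. State the consumer in the comment, for example `# Read battery and charger state from sysfs (power_supply nodes).` if that is the intent, so a later reviewer can narrow the rule to a dedicated sysfs type. The same generic comment sits over the `r_dir_file` lines added in vold.te (`proc`, `proc_net`, `sysfs`, `rootfs`) and zygote.te (`proc_net`); each of those should likewise name the paths it is for.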
diff --git a/priv_app.te b/priv_app.te
index 0c35140..9a3d0ac 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -31,6 +31,7 @@
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app voiceinteraction_service:service_manager find;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
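Review bot: The added `allow priv_app voiceinteraction_service:service_manager find;` has no comment. It is the only per-service grant among the attribute-based ones around it, which makes the omission stand out. The service.te hunk in this commit drops `app_api_service` from `voiceinteraction_service`, so this line presumably restores lookup for privileged apps only. A comment such as `# voiceinteraction_service is not an app_api_service; only privileged apps may look it up.` would record that restriction, so a later cleanup does not fold the service back into the attribute.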
diff --git a/recovery.te b/recovery.te
index d2cc90e..afacf40 100644
--- a/recovery.te
+++ b/recovery.te
@@ -48,7 +48,7 @@
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
- access_kmsg(recovery)
+ allow recovery kernel:system syslog_read;
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow recovery adb_device:chr_file rw_file_perms;
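Review bot: The new `allow recovery kernel:system syslog_read;` carries no comment, and the only description of this permission (the header of `access_kmsg`) is deleted from te_macros in this same commit. Add `# Read kernel logs via klogctl, non-destructively (see man 2 klogctl).` above the rule so the reason for the grant stays in the tree. The leading indentation suggests the rule sits inside a block that opens outside this hunk.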
diff --git a/service.te b/service.te
index 1c8f440..7c771d2 100644
--- a/service.te
+++ b/service.te
@@ -100,7 +100,7 @@
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
diff --git a/te_macros b/te_macros
index 6d91835..4d18973 100644
--- a/te_macros
+++ b/te_macros
@@ -270,16 +270,6 @@
')
#####################################
-# access_kmsg(domain)
-# Ability to read from kernel logs
-# and execute the klogctl syscall
-# in a non destructive manner. See
-# man 2 klogctl
-define(`access_kmsg', `
-allow $1 kernel:system syslog_read;
-')
-
-#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
diff --git a/vold.te b/vold.te
index e16ec73..67e461a 100644
--- a/vold.te
+++ b/vold.te
@@ -8,6 +8,17 @@
domain_auto_trans(vold, sgdisk_exec, sgdisk);
domain_auto_trans(vold, sdcardd_exec, sdcardd);
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(vold, proc)
+r_dir_file(vold, proc_net)
+r_dir_file(vold, sysfs)
+r_dir_file(vold, rootfs)
+
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
domain_trans(vold, shell_exec, blkid);
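Review bot: The comment `# Read already opened /cache files.` describes only the `cache_file:file { getattr read }` rule, which correctly leaves out `open`. The `cache_file:dir r_dir_perms` and `cache_file:lnk_file r_file_perms` rules under the same comment do include `open`, so vold can list /cache and open symlinks there on its own. If vold only consumes file descriptors handed to it, the directory rule could be reduced to `allow vold cache_file:dir { getattr search };`. Otherwise reword the comment to say that directory listing and symlink reads are intended.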
diff --git a/zygote.te b/zygote.te
index f3a8853..67fd621 100644
--- a/zygote.te
+++ b/zygote.te
@@ -64,6 +64,16 @@
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+allow zygote rootfs:file r_file_perms;
+
+# System file accesses.
+allow zygote system_file:dir r_dir_perms;
+allow zygote system_file:file r_file_perms;
+
userdebug_or_eng(`
# Allow zygote to create and write method traces in /data/misc/trace.
allow zygote method_trace_data_file:dir w_dir_perms;