Merge "Restrict access to uid_concurrent_*_time"
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index fea7387..927296d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -26,6 +26,7 @@
netd_stable_secret_prop
network_watchlist_service
package_native_service
+ property_info
slice_service
statscompanion_service
storaged_data_file
diff --git a/private/domain.te b/private/domain.te
index e181988..ff7f1b3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -35,9 +35,7 @@
# /sys
neverallow {
coredomain
- -charger
-dumpstate
- -healthd
-init
-priv_app
-storaged
diff --git a/private/file_contexts b/private/file_contexts
index ec7d246..3c6642a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -171,6 +171,7 @@
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/property_info u:object_r:property_info:s0
#############################
# System files
#
diff --git a/public/charger.te b/public/charger.te
index 4577cbc..ed69867 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -6,7 +6,7 @@
allow charger kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(charger, sysfs_type)
+allow charger sysfs_type:dir search;
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
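Review bot: The comment `# Read access to pseudo filesystems.` directly above the new `allow charger sysfs_type:dir search;` no longer describes that rule, because charger now gets only directory search on sysfs types and file reads come from the type-specific rules further down. I would give the sysfs line its own comment, e.g. `# Traverse sysfs directories only; file access is granted per type below.`, and keep the existing wording for the rootfs and cgroup lines. The same applies to the identical change in public/healthd.te (the -6,7 hunk).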
@@ -20,7 +20,7 @@
# Read/write to /sys/power/state
allow charger sysfs_power:file rw_file_perms;
-allow charger sysfs_batteryinfo:file r_file_perms;
+r_dir_file(charger, sysfs_batteryinfo)
# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
diff --git a/public/device.te b/public/device.te
index 1d01045..43c89ab 100644
--- a/public/device.te
+++ b/public/device.te
@@ -59,6 +59,7 @@
type usb_device, dev_type, mlstrustedobject;
type properties_device, dev_type;
type properties_serial, dev_type;
+type property_info, dev_type;
type i2c_device, dev_type;
# All devices have a uart for the hci
diff --git a/public/domain.te b/public/domain.te
index eb02021..ec0532d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -81,6 +81,7 @@
allow domain proc_random:file r_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
# For now, everyone can access core property files
# Device specific properties are not granted by default
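Review bot: The added `allow domain property_info:file r_file_perms;` lets every domain read the file, but nothing in the visible lines asserts that only init may modify or relabel it. A matching assertion next to the allow would pin that intent, e.g. `neverallow { domain -init } property_info:file no_w_file_perms;`. Whether such a rule already exists elsewhere in the policy cannot be seen from this hunk. A short comment on the allow line saying why all domains need read access would also help the next reviewer.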
diff --git a/public/healthd.te b/public/healthd.te
index 856a4b1..64c1723 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -6,7 +6,7 @@
allow healthd kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs_type)
+allow healthd sysfs_type:dir search;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
@@ -26,16 +26,13 @@
binder_call(healthd, system_server)
hal_client_domain(healthd, hal_health)
-# Write to state file.
-# TODO: Split into a separate type?
-allow healthd sysfs:file write;
+# Read/write to /sys/power/state
+allow healthd sysfs_power:file rw_file_perms;
# TODO: added to match above sysfs rule. Remove me?
allow healthd sysfs_usb:file write;
-allow healthd sysfs_batteryinfo:file r_file_perms;
-
-r_dir_file(healthd, sysfs_type)
+r_dir_file(healthd, sysfs_batteryinfo)
###
### healthd: charger mode
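Review bot: The retained `# TODO: added to match above sysfs rule. Remove me?` now refers to a rule this hunk deletes (`allow healthd sysfs:file write;`), so `allow healthd sysfs_usb:file write;` is left without a stated justification. Either drop the sysfs_usb write grant if nothing depends on it, or replace the TODO with a comment naming the sysfs_usb node healthd actually writes. Separately, `allow healthd sysfs_power:file rw_file_perms;` is narrower in type but wider in permissions than the old write-only rule. If healthd only writes /sys/power/state, `w_file_perms` would be the tighter grant, though charger.te uses the same rw form.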
diff --git a/public/init.te b/public/init.te
index 62a6e04..3a2d667 100644
--- a/public/init.te
+++ b/public/init.te
@@ -21,6 +21,9 @@
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
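Review bot: `allow init properties_device:file create_file_perms;` is documented only by the path `# /dev/__properties__/property_info`, which does not explain why init needs create, write and unlink on files carrying the directory's label. Presumably init creates the file under the properties_device label and then relabels it to property_info. If that is the flow, say so, e.g. `# init creates /dev/__properties__/property_info, then relabels it to property_info`. In that case relabelfrom on properties_device:file would also be needed, and the visible lines do not grant it, so confirm it is covered elsewhere in init.te.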
diff --git a/public/shell.te b/public/shell.te
index 1318c35..81f4bf0 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -123,6 +123,9 @@
proc_zoneinfo
}:file r_file_perms;
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
r_dir_file(shell, cgroup)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };