Merge "bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat."
diff --git a/app.te b/app.te
index 3240392..01de57f 100644
--- a/app.te
+++ b/app.te
@@ -204,6 +204,8 @@
allow appdomain console_device:chr_file { read write };
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+
###
### CTS-specific rules
###
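Review bot: The added `allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;` has no comment, although it opens a kernel driver node to every app domain except isolated_app. `rw_file_perms` includes `ioctl` as well as open/read/write, so the rule deserves a recorded reason and a note that the exclusion is deliberate. A line such as `# ion memory allocator access for apps; isolated_app is deliberately excluded.` above the rule would do, with the wording adjusted to the actual consumer. If the policy version in use supports restricting ioctl commands, that restriction would be worth a follow-up, because this rule as written permits all of them.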
@@ -321,9 +323,7 @@
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
-# Exception for system_app for Settings.
-neverallow { appdomain -system_app }
- system_data_file:dir_file_class_set
+neverallow appdomain system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
diff --git a/domain.te b/domain.te
index fb672ad..c5296c4 100644
--- a/domain.te
+++ b/domain.te
@@ -23,6 +23,7 @@
};
allow domain self:fd use;
allow domain proc:dir search;
+allow domain proc_net:dir search;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
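Review bot: `allow domain proc_net:dir search;` is added to the base `domain` attribute without a comment, so every domain in the policy, including the most restricted ones, can now traverse /proc/net. Only `search` is granted, so reading individual entries should still need a per-domain rule, but that boundary should be written down where the grant is made, for example `# Traversal of /proc/net only; reading entries requires a per-domain rule.`. The same gap applies to the fs_type rules in the next hunk (@@ -127): the comment `# Filesystem access.` names the subject but not why `getattr` on every filesystem and its directories moved from domain_deprecated to all domains.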
@@ -127,6 +128,10 @@
allow domain debugfs_tracing:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
###
### neverallow rules
###
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 7be9a3e..0db79da 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -25,10 +25,6 @@
# Device accesses.
allow domain_deprecated device:file read;
-# Filesystem accesses.
-allow domain_deprecated fs_type:filesystem getattr;
-allow domain_deprecated fs_type:dir getattr;
-
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
diff --git a/fsck.te b/fsck.te
index e90a49e..cdf1188 100644
--- a/fsck.te
+++ b/fsck.te
@@ -21,6 +21,10 @@
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
+# fsck performs a stat() on swap to verify that it is a valid
+# swap device before setting the EXT2_MF_SWAP mount flag.
+allow fsck swap_block_device:blk_file getattr;
+
###
### neverallow rules
###
diff --git a/gpsd.te b/gpsd.te
index 07e0feb..4b22223 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,5 +1,5 @@
# gpsd - GPS daemon
-type gpsd, domain, domain_deprecated;
+type gpsd, domain;
type gpsd_exec, exec_type, file_type;
init_daemon_domain(gpsd)
diff --git a/system_app.te b/system_app.te
index 36c5cfc..8589a9d 100644
--- a/system_app.te
+++ b/system_app.te
@@ -16,16 +16,9 @@
allow system_app keychain_data_file:dir r_dir_perms;
allow system_app keychain_data_file:file r_file_perms;
-# Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/user.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
-# Audit writes to these directories and files so we can identify
-# and possibly move these directories into their own type in the future.
-auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
-auditallow system_app system_data_file:file { create setattr append write link unlink rename };
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
diff --git a/vold.te b/vold.te
index e7996e1..e16ec73 100644
--- a/vold.te
+++ b/vold.te
@@ -81,8 +81,8 @@
allow vold kmsg_device:chr_file rw_file_perms;
-# Run fsck.
-allow vold fsck_exec:file rx_file_perms;
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
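Review bot: The replacement `allow vold fsck_exec:file { r_file_perms execute };` depends on a vold-to-fsck domain transition that is not visible in this hunk. With `execute_no_trans` dropped, fsck will fail to start from vold unless that transition rule exists elsewhere in the policy, so this should be confirmed. The comment could also state the intent explicitly, for example `# Run fsck in the fsck domain; execute_no_trans is deliberately omitted.`, so a later edit does not switch back to `rx_file_perms`.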
@@ -168,8 +168,13 @@
allow vold sysfs_zram:dir r_dir_perms;
allow vold sysfs_zram_uevent:file rw_file_perms;
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold fsck_exec:file execute_no_trans;
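Review bot: `allow vold toolbox_exec:file rx_file_perms;` keeps `execute_no_trans`, so the cp and rm started by MoveTask.cpp run inside the vold domain with all of vold's permissions. This is the opposite of what the same commit does for fsck. If that is intended, the comment should say so, for example `# MoveTask.cpp executes cp and rm; they run in the vold domain (no transition).`. Otherwise a dedicated domain for the copy helper would keep the move task from inheriting vold's block-device and key access. The new `neverallow vold fsck_exec:file execute_no_trans;` also has no comment; `# fsck must always run in the fsck domain, never in vold's.` would record why it exists.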