Merge "Allow NFC to read/write nfc. system properties." into lmp-dev
diff --git a/Android.mk b/Android.mk
index 62538e7..6d6aee2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -79,6 +79,23 @@
) \
)
+sepolicy_build_files := security_classes \
+ initial_sids \
+ access_vectors \
+ global_macros \
+ mls_macros \
+ mls \
+ policy_capabilities \
+ te_macros \
+ attributes \
+ *.te \
+ roles \
+ users \
+ initial_sid_contexts \
+ fs_use \
+ genfs_contexts \
+ port_contexts
+
##################################
include $(CLEAR_VARS)
@@ -92,7 +109,7 @@
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
+$(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
@@ -120,7 +137,7 @@
sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_recovery.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
+$(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
@@ -135,7 +152,33 @@
built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
sepolicy_policy_recovery.conf :=
-###################################
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := general_sepolicy.conf
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+exp_sepolicy_build_files :=\
+ $(wildcard $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
+ mkdir -p $(dir $@)
+ $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+ -D target_build_variant=user \
+ -D force_permissive_to_unconfined=true \
+ -s $^ > $@
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+GENERAL_SEPOLICY_POLICY.CONF = $(LOCAL_BUILT_MODULE)
+
+exp_sepolicy_build_files :=
+
+##################################
include $(CLEAR_VARS)
LOCAL_MODULE := file_contexts
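Review bot: The `.dontaudit` copy is produced by `sed '/dontaudit/d'`, which deletes any line containing that substring anywhere, so a comment that mentions dontaudit is dropped while a dontaudit statement whose operand list continues onto a following line would keep its continuation and leave an unparseable fragment in `$@.dontaudit`; worth confirming that no multi-line dontaudit rules exist in the sources, or anchoring the pattern to the start of the rule. `$@.dontaudit` is also a second output of this rule that no target declares, so nothing that depends on it can trigger its rebuild, and the bare `mkdir -p $(dir $@)` differs from the `@mkdir -p $(dir $@)` used by the two sibling recipes above. A short header would help readers: `# Reference policy.conf built as a user build with permissive domains forced to unconfined; the .dontaudit copy strips dontaudit rules (presumably for comparing against device policy — confirm)`.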
@@ -270,6 +313,7 @@
##################################
build_policy :=
+sepolicy_build_files :=
sepolicy_replace_paths :=
built_sepolicy :=
built_sc :=
diff --git a/app.te b/app.te
index 3d19da7..f596e75 100644
--- a/app.te
+++ b/app.te
@@ -122,6 +122,10 @@
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;
+# Access OBBs (vfat images) mounted by vold (b/17633509)
+allow appdomain vfat:dir r_dir_perms;
+allow appdomain vfat:file r_file_perms;
+
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
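Review bot: The two rules added under the OBB comment grant every domain carrying the appdomain attribute, isolated_app included, read access to anything labelled `vfat`, while the comment scopes the intent to OBB images mounted by vold; if any other vfat filesystem on the device ends up with the same type, those domains gain read access to it as well. Either restrict the subject, e.g. `allow { appdomain -isolated_app } vfat:dir r_dir_perms;` and the matching `file` rule, or extend the comment to state that all vfat mounts are intentionally covered.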
@@ -227,9 +231,13 @@
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
- netlink_kobject_uevent_socket
} *;
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain self:netlink_kobject_uevent_socket { write append };
+
# Sockets under /dev/socket that are not specifically typed.
neverallow appdomain socket_device:sock_file write;
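Review bot: The neverallow added for uevent sockets is scoped to `self:netlink_kobject_uevent_socket`, so it only constrains sockets an app domain created itself; a uevent socket created by another domain and handed to the app over a file descriptor carries that domain's type, and writing to it is not covered here. If the intent is that no app domain can inject uevent messages, widen the object, e.g. `neverallow appdomain domain:netlink_kobject_uevent_socket { write append };`. Removing `netlink_kobject_uevent_socket` from the create neverallow above also means app domains other than untrusted_app may now open these sockets; a comment naming which domains need that would make the exception reviewable.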
@@ -318,8 +326,8 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Access to factory files.
-neverallow appdomain
- efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
# Write to various pseudo file systems.
neverallow { appdomain -bluetooth -nfc }
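Review bot: The new shell exemption from the `efs_file` read neverallow is introduced without stating why the shell domain needs to read factory files, which makes this weakening hard to audit later; the existing "Access to factory files." comment still reads as though all app domains are excluded. Suggest a comment above the split, e.g. `# shell may read factory files (state the use case); writes stay forbidden for every appdomain`, with the concrete reason filled in by the author.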
diff --git a/bootanim.te b/bootanim.te
index 3a0a76f..4f23659 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -11,3 +11,4 @@
# /oem access
allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index 5af4e95..2a8c170 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -68,6 +68,9 @@
### neverallow rules
###
+# Receive or send uevent messages.
+neverallow untrusted_app self:netlink_kobject_uevent_socket *;
+
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow untrusted_app debugfs:file read;