Merge "init: restrict setattr perms to /proc."
diff --git a/private/adbd.te b/private/adbd.te
index 77c0d73..bde6864 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -22,6 +22,9 @@
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
+# ignore spurious denials for adbd when disk space is low.
+dontaudit adbd self:global_capability_class_set sys_resource;
+
# Create and use network sockets.
net_domain(adbd)
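Review bot: The new `dontaudit adbd self:global_capability_class_set sys_resource;` hides that denial permanently, so the comment above it should say why the capability is deliberately not granted, otherwise a future genuine need for sys_resource in adbd will be masked rather than surfaced. Suggest replacing the added comment with `# sys_resource is intentionally NOT granted; adbd does not need it. Suppress the denial seen when disk space is low instead of allowing it.`. A reference to the denial that motivated the rule would help the next person who audits dontaudit rules.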
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 94a37d6..42071c9 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -90,6 +90,8 @@
statsd
statsd_exec
statsd_tmpfs
+ statsdw
+ statsdw_socket
statscompanion_service
storaged_data_file
sysfs_fs_ext4_features
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 31d08e9..d74139a 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -77,6 +77,8 @@
statsd
statsd_exec
statsd_tmpfs
+ statsdw
+ statsdw_socket
storaged_data_file
system_boot_reason_prop
system_update_service
diff --git a/private/file.te b/private/file.te
index fda972b..58ee0de 100644
--- a/private/file.te
+++ b/private/file.te
@@ -4,6 +4,8 @@
# /data/misc/stats-data, /data/misc/stats-service
type stats_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
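Review bot: The added `type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;` breaks the file's convention, visible on the neighbouring declarations, of a `# path` comment above each type; add `# /dev/socket/statsdw` above it (the path is assigned in the file_contexts hunk of this same change). `mlstrustedobject` also deserves a word, since it exempts the socket from MLS constraints for every writer; presumably it is needed because the sender list in statsd.te spans several domains, but state that rather than leaving the reader to infer it.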
diff --git a/private/file_contexts b/private/file_contexts
index 31cc59d..3488787 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -133,6 +133,7 @@
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
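Review bot: The new entry `/dev/socket/statsdw u:object_r:statsdw_socket:s0` is placed between `logdw` and `mdns`, while the surrounding `/dev/socket/` entries are in alphabetical order (`logd`, `logdr`, `logdw`, `mdns`, `mdnsd`, `mtpd`). Move it to its sorted position further down the list; this is a style point only, but it keeps merges in this heavily edited file clean.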
diff --git a/private/statsd.te b/private/statsd.te
index 06d6e01..769b4e0 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,4 +1,4 @@
-type statsd, domain;
+type statsd, domain, mlstrustedsubject;
typeattribute statsd coredomain;
init_daemon_domain(statsd)
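Review bot: Adding `mlstrustedsubject` on `type statsd, domain, mlstrustedsubject;` exempts the daemon from MLS constraints for everything it touches, and the hunk gives no rationale. If the reason is the cross-level socket traffic granted later in this file, say so next to the declaration, e.g. `# mlstrustedsubject: statsd receives writes on statsdw from domains at other MLS levels.`; hedge that if the real reason is different. Without a comment the attribute tends to survive long after the need for it is gone.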
@@ -82,6 +82,13 @@
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read };
+unix_socket_send(bluetooth, statsdw, statsd)
+unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(platform_app, statsdw, statsd)
+unix_socket_send(radio, statsdw, statsd)
+unix_socket_send(statsd, statsdw, statsd)
+unix_socket_send(system_server, statsdw, statsd)
+
###
### neverallow rules
###
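Review bot: The new `unix_socket_send(...)` block has no comment, although every other rule group in this file carries one; add `# Writers to /dev/socket/statsdw. Keep this list minimal: statsd must treat what it reads here as untrusted input.` above `unix_socket_send(bluetooth, statsdw, statsd)`. Two of the senders, `platform_app` and `radio`, are not system-level daemons, so anything statsd parses from this socket needs length and format validation on the daemon side; that is outside this policy change but worth recording here. The `unix_socket_send(statsd, statsdw, statsd)` self-send line would also benefit from a short note on why statsd writes to its own socket.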
diff --git a/private/system_server.te b/private/system_server.te
index da06de0..bdf0f24 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -137,6 +137,7 @@
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
+auditallow system_server debugfs:file r_file_perms;
allow system_server debugfs_wakeup_sources:file r_file_perms;
# The DhcpClient and WifiWatchdog use packet_sockets
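Review bot: The added `auditallow system_server debugfs:file r_file_perms;` carries no comment, and the existing comment two lines above (`# Read /sys/kernel/debug/wakeup_sources.`) now describes the narrower `debugfs_wakeup_sources` rule rather than the generic one being audited. Presumably the intent is to log remaining uses of the broad `debugfs:file` rule so it can be removed; state that, e.g. `# auditallow: log any remaining generic debugfs reads so the broad rule can be dropped once only debugfs_wakeup_sources is used.`. The same applies to the `auditallow dumpstate debugfs:file r_file_perms;` line added in public/dumpstate.te.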
diff --git a/public/domain.te b/public/domain.te
index 1dc2a41..2f3d8f1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1187,6 +1187,12 @@
-installd # creation of sandbox
} app_data_file:dir_file_class_set { create unlink };
+neverallow {
+ domain
+ -init
+ -installd
+} app_data_file:dir_file_class_set { relabelfrom relabelto };
+
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
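Review bot: The new `neverallow { domain -init -installd } app_data_file:dir_file_class_set { relabelfrom relabelto };` lists its exemptions without the per-line rationale the preceding block uses (`-installd # creation of sandbox`). Annotate `-init` and `-installd` with the operation each one performs that requires relabeling app data, and add a one-line heading such as `# Only init and installd may relabel app data files.`, mirroring the prose headings elsewhere in this file. Unexplained exemptions in neverallow rules are the ones that get copied forward without re-examination.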
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2602552..2857cae 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -93,6 +93,7 @@
# Other random bits of data we want to collect
allow dumpstate debugfs:file r_file_perms;
+auditallow dumpstate debugfs:file r_file_perms;
# df for
allow dumpstate {
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8221530..ffd8bc5 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
type postinstall_dexopt, domain;
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
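Review bot: `fsetid` is added to the capability set on `allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };` with no explanation, and the rule itself has no comment describing why each capability is held. A short comment above the line naming the operation that needs fsetid (it is the capability that lets set-id bits survive a chown/chmod, so presumably a file-mode fixup in dexopt output) would keep this set reviewable; confirm against the denial that prompted it.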
@@ -26,6 +26,8 @@
# Read profile data.
allow postinstall_dexopt user_profile_data_file:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow postinstall_dexopt ota_data_file:dir create_dir_perms;
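Review bot: The comment `# Suppress deletion denial (we do not want to update the profile).` does not match the rule under it, which suppresses `user_profile_data_file:file { write }`, not a deletion permission. Either the denial being silenced is a write, in which case the comment should read `# Suppress write denial: the profile is read-only here, we do not update it.`, or the intended permission is different and the rule is wrong; please reconcile the two. Also note `{ write }` with a single member is usually written without braces in this file.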
diff --git a/public/profman.te b/public/profman.te
index a5c18b5..4296d1b 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -6,7 +6,9 @@
# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
+allow profman apk_data_file:file { getattr read };
+allow profman apk_data_file:dir { getattr read search };
+
allow profman oemfs:file { read };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read };
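Review bot: `allow profman apk_data_file:dir { getattr read search };` grants `read`, which permits listing directory contents, whereas opening an APK by path needs only `search`. If profman is only given file paths (as the surrounding rules suggest), drop `read` and keep `{ getattr search }`; if it does enumerate directories, say so in a comment. The same question applies to `allow profman app_data_file:dir { getattr read search };` added in the second hunk of this file.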
@@ -18,6 +20,7 @@
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:dir { getattr read search };
###
### neverallow rules
diff --git a/public/property_contexts b/public/property_contexts
index 3f029bc..53c786f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -61,6 +61,7 @@
drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
@@ -69,6 +70,8 @@
persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
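Review bot: `persist.sys.media.avsync` is inserted before `persist.sys.hdmi.keep_awake`, which breaks the alphabetical order the rest of this section keeps (`persist.sys.dalvik...`, then `hdmi` should precede `media`, then `persist.sys.sf...`). Swap the two added lines. This is a style point only; matching does not depend on it, but sorted order is what makes duplicates and typos visible in review.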
@@ -95,10 +98,13 @@
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/te_macros b/public/te_macros
index 4d5f84b..e5c476a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,7 +213,9 @@
attribute hal_$1_server;
expandattribute hal_$1_server false;
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
')
#####################################
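Review bot: The two added neverallow lines, `neverallow { hal_$1_server -hal_$1 } domain:process fork;` and `neverallow { hal_$1_client -halclientdomain } domain:process fork;`, enforce attribute pairing (a server must also be `hal_$1`, a client must also be `halclientdomain`) using `process fork` as a sentinel permission, but nothing in the macro says so, and the reader has to work it out from the set subtraction. Add a comment above the first of the three neverallows, e.g. `# Attribute consistency: every hal_$1_server must also be hal_$1 and halserverdomain, and every hal_$1_client must be halclientdomain. 'domain:process fork' is only a sentinel permission that any real domain holds, so a mismatched attribute trips the neverallow at build time.`; hedge the "any real domain holds" part if that assumption does not hold in this tree. The enclosing macro definition starts outside the hunk.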