Merge "Mark some odm properties as vendor-init-settable"
diff --git a/private/priv_app.te b/private/priv_app.te
index 565aa4a..80425dd 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -58,6 +58,9 @@
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
+# Allow traceur to pass file descriptors through a content provider to betterbug
+allow priv_app trace_data_file:file { getattr read };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
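Review bot: The added `allow priv_app trace_data_file:file { getattr read };` applies to the whole priv_app domain, while its comment names only betterbug as the recipient. Any privileged app that is handed a trace file descriptor can therefore read it, so the only control over who sees trace contents is traceur's content provider. The comment should say so and point at the companion neverallow, for example `# Any priv_app may read a trace file it receives as an fd from traceur; opening by path is blocked by the neverallow at the end of this file.` If only one app is meant to consume traces, a dedicated domain for it would be tighter, though nothing in this hunk shows whether that is practical.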
@@ -191,3 +194,8 @@
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;
+
+# priv apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor which they can then read
+neverallow priv_app trace_data_file:dir *;
+neverallow priv_app trace_data_file:file { no_w_file_perms open };
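Review bot: The file neverallow lists `{ no_w_file_perms open }`, which leaves permissions outside that set unguarded (`ioctl`, `lock` and `execute`, assuming the macro expands only to write-type permissions). The stated intent is that priv apps only read a descriptor passed by traceur, so the assertion could mirror the allow rule exactly: `neverallow priv_app trace_data_file:file ~{ getattr read };`. That way a later broad grant cannot add another access mode to trace files without tripping the build. If an existing attribute-wide rule already grants something further, add it to the complement set explicitly rather than leaving it implicit.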
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 8fe7442..43f74b4 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -18,6 +18,10 @@
allow hal_camera surfaceflinger:fd use;
allow hal_camera hal_allocator_server:fd use;
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_camera shell:fd use;
+allow hal_camera shell:fifo_file write;
+
###
### neverallow rules
###
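Review bot: The two new rules are written against `hal_camera` rather than a server-only attribute, so any domain carrying that attribute gains `shell:fd use` and `shell:fifo_file write`, not just the process that services the dump. The USB gadget policy in this same change uses `hal_usb_gadget_server`; if the camera HAL has an equivalent `hal_camera_server` attribute on this branch, `allow hal_camera_server shell:fd use;` and `allow hal_camera_server shell:fifo_file write;` would scope the grant to the side that produces the output. The comment could also note that only `write` on an inherited pipe is intended, so that `open` or `read` is not added later without a reason.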
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index 16f4f08..e412758 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -8,7 +8,7 @@
# Configuring usb gadget functions
allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
allow hal_usb_gadget_server configfs:dir rw_dir_perms;
-allow hal_usb_gadget_server configfs:file rw_file_perms;
+allow hal_usb_gadget_server configfs:file create_file_perms;
allow hal_usb_gadget_server functionfs:dir { read search };
allow hal_usb_gadget_server functionfs:file read;
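Review bot: Replacing `rw_file_perms` with `create_file_perms` on `configfs:file` adds create, rename, setattr and unlink on every file labelled `configfs`, and the existing comment does not say which gadget operation needs them. Since `configfs` appears to be the generic label for the whole mount, this widens what a compromised gadget HAL could alter beyond its own function directories. If only file creation is required, `allow hal_usb_gadget_server configfs:file { rw_file_perms create };` would be narrower. Otherwise, extend the comment to name the operation that needs the full set.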
diff --git a/public/init.te b/public/init.te
index 0b1e86c..1d04f84 100644
--- a/public/init.te
+++ b/public/init.te
@@ -39,8 +39,11 @@
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init system_block_device:{ blk_file lnk_file } relabelto;
-allow init misc_block_device:{ blk_file lnk_file } relabelto;
+allow init {
+ misc_block_device
+ recovery_block_device
+ system_block_device
+}:{ blk_file lnk_file } relabelto;
# setrlimit
allow init self:global_capability_class_set sys_resource;