commit 4fa9b85632bfc92878f30150d1d8a3af73e692c1
author Treehugger Robot <treehugger-gerrit@google.com> Thu Dec 20 02:27:32 2018 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Dec 20 02:27:32 2018 +0000
tree 44417bd7c51715f37dd84fb71d08ec85a0f09ea8
parent f21085ca298df27b22b76f238a31e5962d0f0b08
parent ebf3eacafeb1948af546bfb75436e99d7260270f

Merge "sepolicy: fix mac build"

private/rs.te

diff --git a/private/rs.te b/private/rs.te
index 94cf6b4..9229ed9 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -7,6 +7,9 @@
 allow rs rs_data_file:file create_file_perms;
 type_transition rs app_data_file:file rs_data_file;
 
+# Follow /data/user/0 symlink
+allow rs system_data_file:lnk_file read;
+
 # Read files from the app home directory.
 allow rs app_data_file:file r_file_perms;
 allow rs app_data_file:dir r_dir_perms;

public/hwservice.te

diff --git a/public/hwservice.te b/public/hwservice.te
index fa83862..09808b3 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -66,3 +66,12 @@
 type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
 type thermalcallback_hwservice, hwservice_manager_type;
+
+###
+### Neverallow rules
+###
+
+# hwservicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a
+# hwservice. Trigger a compile error if this occurs.
+neverallow domain ~hwservice_manager_type:hwservice_manager { add find };

public/service.te

diff --git a/public/service.te b/public/service.te
index cf98261..606602d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -180,3 +180,12 @@
 type window_service, system_api_service, system_server_service, service_manager_type;
 type inputflinger_service, system_api_service, system_server_service, service_manager_type;
 type wpantund_service, system_api_service, service_manager_type;
+
+###
+### Neverallow rules
+###
+
+# servicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a service.
+# Trigger a compile error if this occurs.
+neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };