Merge "Adding a neverallow rule to prevent renaming of device and char files"
diff --git a/private/file_contexts b/private/file_contexts
index 7ec8d22..ae910de 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -436,12 +436,12 @@
# debugfs files
#
/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
-/sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0
-/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-/sys/kernel/debug/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
-/sys/kernel/debug/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel/debug/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel/debug/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing(/.*)? u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
#############################
# asec containers
diff --git a/private/priv_app.te b/private/priv_app.te
index dc1690c..95ef3e8 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -38,6 +38,8 @@
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow priv_app cache_file:lnk_file r_file_perms;
# Write to /data/ota_package for OTA packages.
allow priv_app ota_package_file:dir rw_dir_perms;
diff --git a/private/service_contexts b/private/service_contexts
index 23b2e28..de0caa9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -47,6 +47,7 @@
dumpstate u:object_r:dumpstate_service:s0
ethernet u:object_r:ethernet_service:s0
fingerprint u:object_r:fingerprint_service:s0
+font u:object_r:font_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index 6b7fa50..c6276a3 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -12,6 +12,9 @@
# Read /proc/uid_io/stats
allow storaged proc_uid_io_stats:file r_file_perms;
+# Read /data/system/packages.list
+allow storaged system_data_file:file r_file_perms;
+
allow storaged self:capability { setgid setuid sys_nice sys_ptrace };
userdebug_or_eng(`
@@ -22,7 +25,6 @@
# Binder permissions
allow storaged storaged_service:service_manager add;
-allow storaged permission_service:service_manager find;
binder_use(storaged)
binder_call(storaged, system_server)
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 3831dff..88a2e00 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -1,5 +1,6 @@
+type gatekeeperd, domain;
# normally uses HAL; implements HAL in pass-through mode only
-type gatekeeperd, hal_gatekeeper, domain;
+hal_impl_domain(gatekeeperd, hal_gatekeeper)
type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd
diff --git a/public/rild.te b/public/rild.te
index 4d9cb21..1ce19e3 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -1,5 +1,6 @@
# rild - radio interface layer daemon
-type rild, domain, domain_deprecated, hal_telephony;
+type rild, domain, domain_deprecated;
+hal_impl_domain(rild, hal_telephony)
type rild_exec, exec_type, file_type;
net_domain(rild)
diff --git a/public/service.te b/public/service.te
index 1b65b5a..d8da930 100644
--- a/public/service.te
+++ b/public/service.te
@@ -61,6 +61,7 @@
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, system_server_service, service_manager_type;
+type font_service, app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, system_server_service, service_manager_type;
@@ -133,7 +134,7 @@
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wificond_service, system_server_service, service_manager_type;
+type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
type wpa_supplicant_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 5f7af0b..d643b7e 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -83,6 +83,10 @@
allow shell { service_manager_type -gatekeeper_service -netd_service -installd_service}:service_manager find;
allow shell dumpstate:binder call;
+# allow shell to get information from hwservicemanager
+# for instance, listing hardware services with dumpsys
+hwbinder_use(shell)
+
# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
diff --git a/public/system_server.te b/public/system_server.te
index 207add7..e11476c 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -4,6 +4,9 @@
#
type system_server, domain, domain_deprecated, mlstrustedsubject;
+# Attributes for passthrough hals
+typeattribute system_server hal_light;
+
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -498,6 +501,7 @@
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
+allow system_server wificond_service:service_manager find;
allow system_server keystore:keystore_key {
get_state
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 840c026..37243bb 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -11,3 +11,7 @@
allow tombstoned tombstone_data_file:dir rw_dir_perms;
allow tombstoned tombstone_data_file:file create_file_perms;
allow tombstoned anr_data_file:file { getattr append };
+
+# TODO: Find out why this is happening.
+allow tombstoned anr_data_file:file write;
+auditallow tombstoned anr_data_file:file write;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index abbc766..5ee5258 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -3,6 +3,9 @@
type update_verifier, domain, boot_control_hal;
type update_verifier_exec, exec_type, file_type;
+# find the boot_control_hal
+allow update_verifier system_file:dir r_dir_perms;
+
# Allow update_verifier to reach block devices in /dev/block.
allow update_verifier block_device:dir search;