Merge "Force expand all hal_* attributes"
diff --git a/private/app.te b/private/app.te
index 1bda9f4..0bc5fdd 100644
--- a/private/app.te
+++ b/private/app.te
@@ -478,7 +478,6 @@
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
-neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
neverallow { appdomain -shell } *:security { compute_av check_context };
neverallow { appdomain -shell } *:netlink_selinux_socket *;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c762a1..9277d41 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -166,6 +166,9 @@
-hidl_token_hwservice # Designed for use by any domain
}:hwservice_manager find;
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
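Review bot: The write-side neverallow added here covers only all_untrusted_apps, whereas the rule it replaces in the private/app.te hunk covered `{ appdomain -shell }`, so priv_app, platform_app and system_app lose the compile-time guarantee that they cannot write selinuxfs files (assuming those domains are not members of all_untrusted_apps, which is how I read that attribute). The only new selinuxfs grants in this change are read-only (`r_file_perms` for priv_app and recovery), and no_rw_file_perms, as far as I recall, does not include read, so the broader subject set would not have conflicted with them. Unless a write grant to a non-untrusted app domain is planned, I would keep the old subject: `neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;`. If the narrowing is deliberate, the comment above the rule should say which app domains are now permitted to write selinuxfs and why.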
diff --git a/private/file_contexts b/private/file_contexts
index 0546f84..73f4a7f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -109,7 +109,6 @@
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
-/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
diff --git a/private/init.te b/private/init.te
index 49da9d3..afbd878 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,8 +14,7 @@
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
-domain_trans(init, rootfs, modprobe)
-domain_trans(init, toolbox_exec, modprobe)
+domain_trans(init, { rootfs toolbox_exec vendor_toolbox_exec }, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logpersist)
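Review bot: The vendor_toolbox_exec entrypoint newly folded into the init→modprobe transition carries no comment, while a core domain executing a vendor binary is exactly what the neverallow in public/vendor_toolbox.te exists to forbid, so the exemption deserves a one-line justification at the point it is used. Something like `# modprobe may be provided by the vendor toolbox on full-Treble devices; see the neverallow exception in vendor_toolbox.te` would do. I am inferring the rationale from the matching vendor_toolbox.te hunk; adjust the wording to the real reason.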
diff --git a/private/priv_app.te b/private/priv_app.te
index 109c869..9603180 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -108,6 +108,9 @@
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow priv_app selinuxfs:file r_file_perms;
+
read_runtime_log_tags(priv_app)
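Review bot: The comment names /sys/fs/selinux/policyvers, but the rule beneath it grants `r_file_perms` on every file of type selinuxfs, and nothing in this policy suggests selinuxfs has per-file types, so a reader will take the comment as the scope of a grant that is actually "read anything under /sys/fs/selinux". The same mismatch is in the public/recovery.te hunk. I would make the comment honest about the width, e.g. `# Allow GMS core to read /sys/fs/selinux/policyvers for a compatibility check. selinuxfs files share a single type, so this permits reading any file under /sys/fs/selinux.` If only policyvers is really needed, a dedicated type for that path would let the grant match the comment, but that is a larger change than this hunk.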
###
diff --git a/public/crash_dump.te b/public/crash_dump.te
index c101b34..ee617a1 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -15,9 +15,6 @@
userdebug_or_eng(`
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-
- # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
- allow crash_dump kmsg_debug_device:chr_file { open append };
')
# Use inherited file descriptors
diff --git a/public/device.te b/public/device.te
index 0f64bfa..4a3bec9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -36,7 +36,6 @@
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type;
-type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
type sensors_device, dev_type;
diff --git a/public/init.te b/public/init.te
index b2fc484..8abad58 100644
--- a/public/init.te
+++ b/public/init.te
@@ -13,10 +13,6 @@
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
-# /dev/kmsg_debug
-userdebug_or_eng(`
- allow init kmsg_debug_device:chr_file { write relabelto };
-')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index e1b460d..94824b7 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -22,6 +22,7 @@
# allow mediaextractor read permissions for file sources
allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor app_data_file:file { getattr read };
# Read resources from open apk files passed over Binder
allow mediaextractor apk_data_file:file { read getattr };
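Review bot: The new `allow mediaextractor app_data_file:file { getattr read };` has no comment, while every neighbouring rule says what it is for; app_data_file is every app's private data, so a reader needs to know the intended path into it. No dir search on app_data_file is granted here, so I assume the files arrive as descriptors passed over Binder, as for apk_data_file on the line below; if so, say it: `# Read app-private files passed as file descriptors over Binder`. If mediaextractor is meant to open these paths itself, that is a wider change and the comment should state that instead.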
diff --git a/public/recovery.te b/public/recovery.te
index 6e211ac..99d792c 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -75,6 +75,9 @@
allow recovery functionfs:dir search;
allow recovery functionfs:file rw_file_perms;
+ # Access to /sys/fs/selinux/policyvers for compatibility check
+ allow recovery selinuxfs:file r_file_perms;
+
# Required to e.g. wipe userdata/cache.
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
index 39462f8..eb292ca 100644
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
@@ -7,6 +7,10 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox
- neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+ # to vendor toolbox except for the whitelisted domains.
+ neverallow {
+ coredomain
+ -init
+ -modprobe
+ } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
')
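Review bot: The new exemption removes init and modprobe from the whole `{ entrypoint execute execute_no_trans }` set, although the init→modprobe transition added in private/init.te needs, as I recall the domain_trans macro, only execute for init and entrypoint plus execute for modprobe; execute_no_trans would let either domain run the vendor toolbox without a domain transition, which nothing in this change requires. I would keep execute_no_trans forbidden for all of coredomain and exempt the two domains only from the transition permissions: `neverallow coredomain vendor_toolbox_exec:file execute_no_trans;` followed by `neverallow { coredomain -init -modprobe } vendor_toolbox_exec:file { entrypoint execute };`. The comment's "whitelisted domains" should also say why these two are exempt, e.g. `# except init (which execs modprobe) and modprobe (whose entrypoint may be the vendor toolbox)`.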