commit 541e9d50d1ee071895b5e33c519018e5ce3635a1
author Yabin Cui <yabinc@google.com> Fri Apr 08 21:03:42 2016 +0000
committer Android (Google) Code Review <android-gerrit@google.com> Fri Apr 08 21:03:42 2016 +0000
tree 00d03482211e4854b40bcd742ddd219b5bbcf3ae
parent 3e8d1bf8c5ba6dc65f67d655dadb881d724b629e
parent c1a23d04977ed2f073eaf25a86f739ab1d3ce9de

Merge "Allow init and vold writing misc block device." into nyc-dev

access_vectors

diff --git a/access_vectors b/access_vectors
index c38aa7b..26286b2 100644
--- a/access_vectors
+++ b/access_vectors
@@ -352,6 +352,7 @@
 	syslog_mod
 	syslog_console
 	module_request
+	module_load
 }
 
 #

domain.te

diff --git a/domain.te b/domain.te
index d7333c5..5171fb3 100644
--- a/domain.te
+++ b/domain.te
@@ -560,3 +560,8 @@
   -installd
   -profman
 } profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;

platform_app.te

diff --git a/platform_app.te b/platform_app.te
index 3e6cd1a..8ac7932 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -50,3 +50,4 @@
 allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
+allow platform_app vr_manager_service:service_manager find;

property_contexts

diff --git a/property_contexts b/property_contexts
index 504e1a0..1329854 100644
--- a/property_contexts
+++ b/property_contexts
@@ -44,6 +44,7 @@
 persist.mmc.            u:object_r:mmc_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
+ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0

service.te

diff --git a/service.te b/service.te
index 71f8f3b..bd6ab38 100644
--- a/service.te
+++ b/service.te
@@ -110,6 +110,7 @@
 type user_service, app_api_service, system_server_service, service_manager_type;
 type vibrator_service, app_api_service, system_server_service, service_manager_type;
 type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type vr_manager_service, system_server_service, service_manager_type;
 type wallpaper_service, app_api_service, system_server_service, service_manager_type;
 type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
 type wifip2p_service, app_api_service, system_server_service, service_manager_type;

service_contexts

diff --git a/service_contexts b/service_contexts
index c1fe961..288ff90 100644
--- a/service_contexts
+++ b/service_contexts
@@ -135,6 +135,7 @@
 user                                      u:object_r:user_service:s0
 vibrator                                  u:object_r:vibrator_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
+vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0
 wifip2p                                   u:object_r:wifip2p_service:s0