Merge "All hal policies expressed as attributes."
diff --git a/private/property_contexts b/private/property_contexts
index 2e0b2dd..3407560 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -58,6 +58,7 @@
persist.security. u:object_r:system_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boottime. u:object_r:boottime_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
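Review bot: Relabeling `ro.boottime.` moves those properties out of whatever prefix matched them before (presumably a world-readable core_property_type such as default_prop), so any domain that used to read them will now be denied unless this commit also grants it get_prop; only bootstat and system_server receive that grant here. If shell or dumpstate are expected to show these values in `getprop` output or bug reports they need a matching `get_prop(<domain>, boottime_prop)`, and if the narrowing is deliberate the entry should say so. A comment on the new line such as `# Boot timing set by init; readable only by domains granted get_prop(boottime_prop)` would record the intent next to the label.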
diff --git a/public/app.te b/public/app.te
index 064b25f..77af57c 100644
--- a/public/app.te
+++ b/public/app.te
@@ -154,6 +154,8 @@
binder_call(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
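Review bot: `binder_call(appdomain, ephemeral_app)` is a distinct grant from the `binder_call(appdomain, appdomain)` just above it only because ephemeral_app does not carry the appdomain attribute, and the new comment does not say so; together with the mirror rule added in public/ephemeral_app.te it makes every appdomain member and ephemeral apps mutually reachable over binder. That includes any domain that has appdomain without being an ordinary app (isolated_app, if it carries the attribute in this policy), which may or may not be intended. Extend the comment to `# Perform binder IPC to ephemeral apps (not members of appdomain); mirrored in ephemeral_app.te.`, and if isolated processes should not reach ephemeral apps write the source as `{ appdomain -isolated_app }` on both sides.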
diff --git a/public/bootstat.te b/public/bootstat.te
index 98b2565..7fc5892 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -8,3 +8,6 @@
# Read access to pseudo filesystems (for /proc/uptime).
r_dir_file(bootstat, proc)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 0f5b4b1..bef5472 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -54,6 +54,8 @@
# Perform binder IPC to binder services.
binder_call(ephemeral_app, surfaceflinger)
binder_call(ephemeral_app, system_server)
+# Perform binder IPC to apps.
+binder_call(ephemeral_app, appdomain)
# Allow read access to ion memory allocation device
allow ephemeral_app ion_device:chr_file { read open };
diff --git a/public/property.te b/public/property.te
index e4b8d6e..731eee5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,4 +1,5 @@
type audio_prop, property_type, core_property_type;
+type boottime_prop, property_type;
type bluetooth_prop, property_type, core_property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
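Review bot: The new `type boottime_prop, property_type;` is inserted between audio_prop and bluetooth_prop, which breaks the alphabetical order the surrounding declarations follow (`bluetooth` sorts before `boottime`); move it directly below `type bluetooth_prop, property_type, core_property_type;`. Declaring it with property_type only, without core_property_type, is the right choice given the neverallow this commit adds further down in this file, and a trailing comment like `# not core_property_type: read access is granted per domain` would make that deliberate rather than accidental.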
@@ -43,3 +44,42 @@
type wifi_prop, property_type;
allow property_type tmpfs:filesystem associate;
+
+###
+### Neverallow rules
+###
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -bluetooth_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -default_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -ffs_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -system_radio_prop
+ -vold_prop
+}:file no_rw_file_perms;
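Review bot: The exception list in the new neverallow is a closed set of grandfathered core_property_type types, but the comment above it only says the attribute should not be used for new properties; a maintainer who declares another core_property_type type will hit this rule without being told the list is intentionally frozen. Add above `neverallow * {` a line such as `# The types excluded below are the existing core properties; do not extend this list. New property types use property_type only, with get_prop/set_prop granted per domain.` The rule constrains only `:file` access on the property space, so if set_prop grants `property_service set` separately from file permissions, writes to a new core_property_type type would not be caught by this rule alone — worth confirming against the macro definition, which is outside this diff.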
diff --git a/public/system_server.te b/public/system_server.te
index f7f87f8..c0802e8 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -384,6 +384,9 @@
# cppreopt property
set_prop(system_server, cppreopt_prop)
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
# Create a socket for receiving info from wpa.
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;
diff --git a/public/vold.te b/public/vold.te
index fe3ab71..6baba08 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -93,10 +93,7 @@
#
# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
-# audit any attempts of vold to remount a filesystem, monitor in a few weeks
-# then remove
-auditallow vold labeledfs:filesystem { remount };
+allow vold labeledfs:filesystem { mount unmount };
# Access /efs/userdata_footer.
# XXX Split into a separate type?