Merge "Trim media related nfc permissions"
diff --git a/app.te b/app.te
index 9f68327..8bc138d 100644
--- a/app.te
+++ b/app.te
@@ -212,6 +212,9 @@
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
###
### CTS-specific rules
###
diff --git a/blkid.te b/blkid.te
index 23ce3a9..43bc944 100644
--- a/blkid.te
+++ b/blkid.te
@@ -16,5 +16,5 @@
# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
-neverallow domain blkid:process dyntransition;
+neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
index 7e53de7..da3bdac 100644
--- a/blkid_untrusted.te
+++ b/blkid_untrusted.te
@@ -32,5 +32,5 @@
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow domain blkid_untrusted:process dyntransition;
+neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/domain.te b/domain.te
index e8d15fe..e24036b 100644
--- a/domain.te
+++ b/domain.te
@@ -22,7 +22,7 @@
setrlimit
};
allow domain self:fd use;
-allow domain proc:dir search;
+allow domain proc:dir r_dir_perms;
allow domain proc_net:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
@@ -167,10 +167,10 @@
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow domain self:memprotect mmap_zero;
+neverallow * self:memprotect mmap_zero;
# No domain needs mac_override as it is unused by SELinux.
-neverallow domain self:capability2 mac_override;
+neverallow * self:capability2 mac_override;
# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
@@ -202,11 +202,11 @@
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
-neverallow domain kernel:security setenforce;
+neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;
# No booleans in AOSP policy, so no need to ever set them.
-neverallow domain kernel:security setbool;
+neverallow * kernel:security setbool;
# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
@@ -217,11 +217,11 @@
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type.
-neverallow domain { file_type -exec_type }:file entrypoint;
+neverallow * { file_type -exec_type }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
@@ -229,11 +229,11 @@
neverallow { domain -init } proc_security:file { append write };
# No domain should be allowed to ptrace init.
-neverallow domain init:process ptrace;
+neverallow * init:process ptrace;
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
-neverallow domain init:binder *;
+neverallow * init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
@@ -297,15 +297,15 @@
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
-neverallow domain exec_type:dir_file_class_set mounton;
+neverallow * exec_type:dir_file_class_set mounton;
neverallow { domain -init } system_file:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
-neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
@@ -318,7 +318,7 @@
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
-neverallow domain default_android_service:service_manager add;
+neverallow * default_android_service:service_manager add;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
@@ -375,11 +375,11 @@
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
-neverallow domain domain:{ shm sem msg msgq } *;
+neverallow * *:{ shm sem msg msgq } *;
# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
-neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
@@ -391,7 +391,7 @@
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
-neverallow domain {
+neverallow * {
file_type
-system_data_file
-apk_data_file
@@ -402,7 +402,7 @@
# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
-neverallow domain self:process { execstack execheap };
+neverallow * self:process { execstack execheap };
# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
@@ -503,16 +503,16 @@
} shell_data_file:file open;
# servicemanager is the only process which handles list request
-neverallow domain ~servicemanager:service_manager list;
+neverallow * ~servicemanager:service_manager list;
# only service_manager_types can be added to service_manager
-neverallow domain ~service_manager_type:service_manager { add find };
+neverallow * ~service_manager_type:service_manager { add find };
# logpersist is only allowed on userdebug/eng builds
neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_file_perms;
# Prevent assigning non property types to properties
-neverallow domain ~property_type:property_service set;
+neverallow * ~property_type:property_service set;
# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
@@ -525,7 +525,7 @@
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow domain domain:file { execute execute_no_trans entrypoint };
+neverallow * domain:file { execute execute_no_trans entrypoint };
# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
diff --git a/file.te b/file.te
index 88d997c..685cfe0 100644
--- a/file.te
+++ b/file.te
@@ -50,6 +50,7 @@
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
# File types
type unlabeled, file_type;
@@ -173,6 +174,8 @@
type bluetooth_efs_file, file_type;
# Type for fingerprint template file.
type fingerprintd_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type;
# Socket types
type adbd_socket, file_type;
@@ -215,6 +218,7 @@
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
diff --git a/fsck.te b/fsck.te
index cdf1188..d5a6db1 100644
--- a/fsck.te
+++ b/fsck.te
@@ -43,5 +43,5 @@
# Only allow entry from init or vold via fsck binaries
neverallow { domain -init -vold } fsck:process transition;
-neverallow domain fsck:process dyntransition;
+neverallow * fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 4f01db2..00faa20 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -32,5 +32,5 @@
# Only allow entry from vold via fsck binaries
neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow domain fsck_untrusted:process dyntransition;
+neverallow * fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/kernel.te b/kernel.te
index 67edc10..20b0c0a 100644
--- a/kernel.te
+++ b/kernel.te
@@ -71,7 +71,7 @@
# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
-neverallow domain kernel:process { transition dyntransition };
+neverallow * kernel:process { transition dyntransition };
# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
diff --git a/keystore.te b/keystore.te
index e2338db..9dca43c 100644
--- a/keystore.te
+++ b/keystore.te
@@ -29,4 +29,4 @@
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-neverallow domain keystore:process ptrace;
+neverallow * keystore:process ptrace;
diff --git a/lmkd.te b/lmkd.te
index a3b8bfc..7920aee 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -36,4 +36,4 @@
### neverallow rules
# never honor LD_PRELOAD
-neverallow domain lmkd:process noatsecure;
+neverallow * lmkd:process noatsecure;
diff --git a/mediaserver.te b/mediaserver.te
index a54e198..38c0af2 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -66,6 +66,9 @@
allow mediaserver audio_data_file:dir ra_dir_perms;
allow mediaserver audio_data_file:file create_file_perms;
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
diff --git a/priv_app.te b/priv_app.te
index 9c43ec2..59c599c 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -71,6 +71,8 @@
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
+allow priv_app app_fuse_file:dir rw_dir_perms;
+allow priv_app app_fuse_file:file rw_file_perms;
# /sys access
allow priv_app sysfs_zram:dir search;
diff --git a/sgdisk.te b/sgdisk.te
index b8d6b3f..43636d4 100644
--- a/sgdisk.te
+++ b/sgdisk.te
@@ -18,5 +18,5 @@
# Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition;
-neverallow domain sgdisk:process dyntransition;
+neverallow * sgdisk:process dyntransition;
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/toolbox.te b/toolbox.te
index d2f969f..55de7eb 100644
--- a/toolbox.te
+++ b/toolbox.te
@@ -22,5 +22,5 @@
# Only allow entry from init via the toolbox binary.
neverallow { domain -init } toolbox:process transition;
-neverallow domain toolbox:process dyntransition;
+neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/vold.te b/vold.te
index 67e461a..9a1ccfe 100644
--- a/vold.te
+++ b/vold.te
@@ -174,6 +174,9 @@
# For AppFuse.
allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
# coldboot of /sys/block
allow vold sysfs_zram:dir r_dir_perms;