Merge "Added an auditallow rule to track vold remounting filesystems."
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index a8320b5..13b18fa 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -80,7 +80,6 @@
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
-r_dir_file(domain_deprecated, proc_net)
#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:file r_file_perms;
auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
@@ -120,19 +119,6 @@
-zygote
} cgroup:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
-auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -clatd
- -dumpstate
- -init
- -netd
- -system_server
- -vold
- -wpa
- -zygote
-} proc_net:{ file lnk_file } r_file_perms;
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 24e345e..77bb082 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -79,11 +79,6 @@
surfaceflinger
}:debuggerd dump_backtrace;
-# Vibrate the device after we're done collecting the bugreport
-# /sys/class/timed_output/vibrator/enable
-# TODO: create a new file class, instead of allowing write access to all of /sys
-allow dumpstate sysfs:file w_file_perms;
-
# TODO: added to match above sysfs rule. Remove me?
allow dumpstate sysfs_usb:file w_file_perms;
@@ -102,6 +97,13 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
+# Vibrate the device after we are done collecting the bugreport
+# For binderized mode:
+binder_call(dumpstate, hal_vibrator)
+binder_call(dumpstate, hwservicemanager)
+# For passthrough mode:
+allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
+
# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;
@@ -210,3 +212,7 @@
# only system_server and shell can find the dumpstate service
neverallow { domain -system_server -shell } dumpstate_service:service_manager find;
+
+# Dumpstate should not be writing to any generically labeled sysfs files.
+# Create a specific label for the file type
+neverallow dumpstate sysfs:file no_w_file_perms;
diff --git a/public/netd.te b/public/netd.te
index dc4a1b3..45a1952 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -29,6 +29,7 @@
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
+r_dir_file(netd, proc_net)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file rw_file_perms;
diff --git a/public/ppp.te b/public/ppp.te
index 5708822..9c1b707 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -5,6 +5,8 @@
net_domain(ppp)
+r_dir_file(ppp, proc_net)
+
allow ppp mtp:socket rw_socket_perms_no_ioctl;
allow ppp mtp:unix_dgram_socket rw_socket_perms;
allow ppp ppp_device:chr_file rw_file_perms;
diff --git a/public/rild.te b/public/rild.te
index 85aa044..bc6d629 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -44,6 +44,7 @@
wakelock_use(rild)
r_dir_file(rild, proc)
+r_dir_file(rild, proc_net)
r_dir_file(rild, sysfs_type)
r_dir_file(rild, system_file)