Merge "Added an auditallow rule to track vold remounting filesystems."
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index a8320b5..13b18fa 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -80,7 +80,6 @@
 r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
-r_dir_file(domain_deprecated, proc_net)
 #auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
 auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:file r_file_perms;
 auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
@@ -120,19 +119,6 @@
   -zygote
 } cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
-auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -clatd
-  -dumpstate
-  -init
-  -netd
-  -system_server
-  -vold
-  -wpa
-  -zygote
-} proc_net:{ file lnk_file } r_file_perms;
 
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 24e345e..77bb082 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -79,11 +79,6 @@
   surfaceflinger
 }:debuggerd dump_backtrace;
 
-# Vibrate the device after we're done collecting the bugreport
-# /sys/class/timed_output/vibrator/enable
-# TODO: create a new file class, instead of allowing write access to all of /sys
-allow dumpstate sysfs:file w_file_perms;
-
 # TODO: added to match above sysfs rule. Remove me?
 allow dumpstate sysfs_usb:file w_file_perms;
 
@@ -102,6 +97,13 @@
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
 
+# Vibrate the device after we are done collecting the bugreport
+# For binderized mode:
+binder_call(dumpstate, hal_vibrator)
+binder_call(dumpstate, hwservicemanager)
+# For passthrough mode:
+allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
+
 # Reading /proc/PID/maps of other processes
 allow dumpstate self:capability sys_ptrace;
 
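Review bot: The `getattr` in the new passthrough rule `allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };` is redundant if `rw_file_perms` expands through `r_file_perms` as in global_macros, which already includes `getattr`; `allow dumpstate sysfs_vibrator:file rw_file_perms;` is equivalent and matches the style of the surrounding rules. The rule also depends on a `sysfs_vibrator` type being declared and the vibrator sysfs path being labeled with it, neither of which is visible in this diff; if that labeling is missing, the passthrough path falls back to generic `sysfs` and is then blocked by the neverallow this commit adds at the end of the file. For the binderized path, the two `binder_call` lines may not be sufficient on their own — locating the vibrator HAL through hwservicemanager typically also needs a `hwservice_manager find` permission on the HAL's hwservice type, which this hunk does not grant; worth confirming against the vibrator HAL's client macro.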
@@ -210,3 +212,7 @@
 
 # only system_server and shell can find the dumpstate service
 neverallow { domain -system_server -shell } dumpstate_service:service_manager find;
+
+# Dumpstate should not be writing to any generically labeled sysfs files.
+# Create a specific label for the file type
+neverallow dumpstate sysfs:file no_w_file_perms;
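Review bot: The new `neverallow dumpstate sysfs:file no_w_file_perms;` covers only the generic `sysfs` type, so the `allow dumpstate sysfs_usb:file w_file_perms;` kept earlier in this file stays in force, and its TODO comment (`# TODO: added to match above sysfs rule. Remove me?`) now refers to the generic sysfs write rule this commit deletes. Either drop that rule and its comment here, or reword the comment so it no longer points at a removed rule, e.g. `# TODO: sysfs_usb write access was added alongside a now-removed generic sysfs write rule; verify it is still needed.` The neverallow's own comment could also state the intended invariant rather than the next step, e.g. `# Any sysfs file dumpstate writes must carry a dedicated sysfs_* type (see sysfs_vibrator above).`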
diff --git a/public/netd.te b/public/netd.te
index dc4a1b3..45a1952 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -29,6 +29,7 @@
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
+r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
 
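Review bot: `r_dir_file(netd, proc_net)` is inserted directly above the comment `# For /proc/sys/net/ipv[46]/route/flush.`, so that comment now reads as if it covered the new macro as well, and the file-class part of the macro overlaps with the `rw_file_perms` rule beneath it (harmless, but easy to misread). A short comment above the new line would help, e.g. `# Read /proc/net/* (previously granted via domain_deprecated).` followed by a blank line, assuming this addition is the replacement for the `r_dir_file(domain_deprecated, proc_net)` removal in this same commit. The same missing rationale applies to the single-line `r_dir_file(..., proc_net)` additions in ppp.te and rild.te.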
diff --git a/public/ppp.te b/public/ppp.te
index 5708822..9c1b707 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -5,6 +5,8 @@
 
 net_domain(ppp)
 
+r_dir_file(ppp, proc_net)
+
 allow ppp mtp:socket rw_socket_perms_no_ioctl;
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
diff --git a/public/rild.te b/public/rild.te
index 85aa044..bc6d629 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -44,6 +44,7 @@
 wakelock_use(rild)
 
 r_dir_file(rild, proc)
+r_dir_file(rild, proc_net)
 r_dir_file(rild, sysfs_type)
 r_dir_file(rild, system_file)