Merge "Grant vdc access to kmsg"
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 5813d32..5e756fc 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -1,4 +1,4 @@
-/data/lib(/.*)? u:object_r:system_file:s0
-/data/lib64(/.*)? u:object_r:system_file:s0
-/data/vendor/lib(/.*)? u:object_r:system_file:s0
-/data/vendor/lib64(/.*)? u:object_r:system_file:s0
+/data/asan/system/lib(/.*)? u:object_r:system_file:s0
+/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
+/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
+/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
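Review bot: These four entries label trees on the writable /data partition as `system_file`, and nothing in the file says why that is acceptable. A header comment would help, for example `# ASAN builds only: sanitized copies of system and vendor libraries live under /data/asan and must carry the same label as the originals.` Two things are worth confirming: that this file is only included in sanitizer builds, and that labelling the `/data/asan/vendor` trees `system_file`, the same as the system ones, is intended.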
diff --git a/private/service_contexts b/private/service_contexts
index 5fd87dc..8be98e9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+ipsec u:object_r:ipsec_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
diff --git a/private/shell.te b/private/shell.te
index aab0a15..c24bfd3 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -10,3 +10,6 @@
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
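Review bot: `binder_call(shell, storaged)` allows any binder transaction from the shell domain to storaged, which is broader than the dump path the comment describes. SELinux cannot tell a dump request from any other transaction, so storaged itself has to restrict its non-dump methods; whether it has any is not visible in this diff. The comment could say so, for example `# Let "dumpsys storaged" run from adb shell; storaged is responsible for checking callers on any other binder method.`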
diff --git a/private/storaged.te b/private/storaged.te
index 3dbabf6..698999f 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -21,6 +21,10 @@
allow storaged debugfs_mmc:file r_file_perms;
')
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
# Binder permissions
add_service(storaged, storaged_service)
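Review bot: The two added `allow` rules sit after the `')` that closes the preceding block, so they are unconditional, while the comment describes them as debug output. The opening of that block is outside the hunk; if it is a build-type conditional, the comment should state that the pipe access is meant for every build type, for example `# dumpsys storaged: write dump output to the caller's pipe (all build types).` Granting only `write` on `shell:fifo_file` is suitably narrow.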
diff --git a/public/file.te b/public/file.te
index a13f396..2abfe70 100644
--- a/public/file.te
+++ b/public/file.te
@@ -242,7 +242,7 @@
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type;
+type system_ndebug_socket, file_type, mlstrustedobject;
type tombstoned_crash_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type;
type uncrypt_socket, file_type;
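Review bot: Adding `mlstrustedobject` to `system_ndebug_socket` exempts the socket from MLS category checks, and the change carries no comment saying which client needs that. After this change only the type-enforcement rules limit who can connect, so the set of domains allowed to write to this socket deserves a second look. A comment above the declaration would record the intent, for example `# mlstrustedobject: written to by app domains running at differing MLS levels`, adjusted to the actual caller.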
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index e9679de..46fd9d7 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -12,9 +12,6 @@
allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-# Access to config files to look for a Bluetooth address
-r_dir_file(hal_bluetooth, bluetooth_data_file)
-
# sysfs access.
r_dir_file(hal_bluetooth, sysfs_type)
allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
diff --git a/public/netd.te b/public/netd.te
index 81f4af4..35d9b7c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -80,6 +80,9 @@
} { read write getattr setattr getopt setopt };
allow netd netdomain:fd use;
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
###
### Neverallow rules
###
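Review bot: The comment above the new `netlink_xfrm_socket` rule restates the rule instead of giving the reason for it. `nlmsg_write` on an xfrm socket lets netd install and remove kernel IPsec state, so the comment should name the feature that depends on it, presumably the `ipsec` service added elsewhere in this merge. A possible wording is `# netd programs kernel IPsec SAs and policies over netlink xfrm on behalf of the ipsec service.`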
diff --git a/public/service.te b/public/service.te
index 478b00e..909b96a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -79,6 +79,7 @@
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
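Review bot: `ipsec_service` is declared with both `app_api_service` and `ephemeral_app_api_service`, which by those attribute names makes the service findable by ordinary and ephemeral apps alike. The line appears to follow its neighbours, but for a service that leads to kernel IPsec configuration through netd the exposure to ephemeral apps should be a deliberate decision. If it is, a one-line comment stating that every method is permission-checked inside the service would document it; if not, drop `ephemeral_app_api_service` from this declaration.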
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index d22015b..e32770d 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -3,7 +3,3 @@
type hal_bluetooth_default_exec, exec_type, file_type;
init_daemon_domain(hal_bluetooth_default)
-
-# Logging for backward compatibility
-allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
-allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;