Merge "Allow adbd to use graphics fds"
diff --git a/public/kernel.te b/public/kernel.te
index c404fc0..d1463dc 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -90,3 +90,8 @@
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:capability { dac_override dac_read_search };
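Review bot: The comment introducing the new `neverallow` opens in lowercase, while the neighbouring comment block in this file (whose start is outside the hunk) is written as capitalised full sentences; `# The kernel should not be accessing files owned by other users.` keeps the style consistent. It would also help whoever first trips this rule to know that a neverallow is checked when the policy is built rather than producing a runtime denial, since the comment already points them at fixing unix permissions instead of granting the capability — a sentence such as `# This is checked at policy build time; the fix belongs on the filesystem side, not here.` makes that explicit. The rule itself only covers the kernel domain's own `capability` class, which is where dac_override and dac_read_search live, so the scope looks right for what the comment states.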
diff --git a/public/update_engine.te b/public/update_engine.te
index 3a33407..31ba14f 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -6,6 +6,11 @@
net_domain(update_engine);
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
+# sockets.
+allow update_engine qtaguid_proc:file rw_file_perms;
+allow update_engine qtaguid_device:chr_file r_file_perms;
+
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:capability { fowner sys_admin };