Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 715c3a78d29c9b2c026e77f82f9895d87e8801a8^2..715c3a78d29c9b2c026e77f82f9895d87e8801a8 / .
commit715c3a78d29c9b2c026e77f82f9895d87e8801a8[log] [tgz]
authorTreehugger Robot <treehugger-gerrit@google.com>Thu Jan 25 06:32:33 2018 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Thu Jan 25 06:32:33 2018 +0000
treefcc0826fae30c8d469e7a9aa7753d2090aabe7c3
parent2638cd2c965dd5f4b762b0c4d3717aa71de2c280 [diff]
parent53164f40de857bb9243de9957be34e2ba9cb1137 [diff]
Merge "Allow binder call between statsd and healthd. Also allow statsd to find health hal service for battery metrics."
diff --git a/private/bug_map b/private/bug_map
index 2b970dd..6bc55e5 100644
--- a/private/bug_map
+++ b/private/bug_map

@@ -9,3 +9,4 @@
 surfaceflinger unlabeled dir 68864350
 hal_graphics_composer_default unlabeled dir 68864350
 bootanim unlabeled dir 68864350
+idmap installd file 72444813

diff --git a/private/file_contexts b/private/file_contexts
index b2a22a2..0afca24 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -325,6 +325,11 @@
 
 
 #############################
+# Product files
+#
+/(product|system/product)(/.*)?               u:object_r:system_file:s0
+
+#############################
 # Data files
 #
 # NOTE: When modifying existing label rules, changes may also need to

diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 38a9af2..5a65580 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts

@@ -33,6 +33,7 @@
 android.hardware.nfc::INfc                                      u:object_r:hal_nfc_hwservice:s0
 android.hardware.oemlock::IOemLock                              u:object_r:hal_oemlock_hwservice:s0
 android.hardware.power::IPower                                  u:object_r:hal_power_hwservice:s0
+android.hardware.radio.config::IRadioConfig                     u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio.deprecated::IOemHook                     u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index a43f04c..5918f63 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -41,6 +41,15 @@
 allow untrusted_app_all shell_data_file:file r_file_perms;
 allow untrusted_app_all shell_data_file:dir r_dir_perms;
 
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
 # Allow to read staged apks.
 allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
 

diff --git a/public/vold.te b/public/vold.te
index f754db7..a490e06 100644
--- a/public/vold.te
+++ b/public/vold.te

@@ -11,7 +11,7 @@
 r_dir_file(vold, proc_net)
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
 allow vold sysfs_dm:file w_file_perms;
 allow vold sysfs_usb:file w_file_perms;
 allow vold sysfs_zram_uevent:file w_file_perms;
@@ -89,9 +89,6 @@
 allow vold domain:process { signal sigkill };
 allow vold self:global_capability_class_set { sys_ptrace kill };
 
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
 allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck in the fsck domain.

diff --git a/vendor/file_contexts b/vendor/file_contexts
index e2d3ef7..5be6424 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -29,6 +29,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service            u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service  u:object_r:hal_radio_config_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0

diff --git a/vendor/hal_radio_config_default.te b/vendor/hal_radio_config_default.te
new file mode 100644
index 0000000..ccbe5bf
--- /dev/null
+++ b/vendor/hal_radio_config_default.te

@@ -0,0 +1,6 @@
+type hal_radio_config_default, domain;
+hal_server_domain(hal_radio_config_default, hal_telephony)
+
+type hal_radio_config_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_config_default)
+