Merge "sepolicies for sys prop enabling flag health check"
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index bd71a2a..3dffd86 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,2 +1,3 @@
 /manifest\.json   u:object_r:system_file:s0
 (/.*)?            u:object_r:system_file:s0
+/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 4e653b2..f7a0c37 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -2,6 +2,7 @@
 (type audio_seq_device)
 (type audio_timer_device)
 (type commontime_management_service)
+(type cpuctl_device)
 (type fingerprint_vendor_data_file)
 (type full_device)
 (type i2c_device)
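Review bot: Removing `cpuctl_device` from `public/device.te` (together with its rules in `public/init.te`, `public/postinstall_dexopt.te` and the `/dev/cpuctl(/.*)?` entry in `private/file_contexts`) changes the vendor-facing policy API; the `(type cpuctl_device)` declaration added here keeps 28.0 vendor policy compiling, but any device policy built against the current API that still references the type will fail to build, so device trees should be checked before this lands. This hunk shows only the type declaration; if no `(typeattributeset cpuctl_device_28_0 (cpuctl_device))` mapping exists elsewhere in this file, the old attribute would map to nothing. Presumably the cgroup mount points are now created and labelled by whatever mounts the hierarchy, but that is worth confirming, since after the file_contexts removal a pre-existing `/dev/cpuctl` node would fall through to the generic `/dev` entry.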
diff --git a/private/coredomain.te b/private/coredomain.te
index cf3930b..2fbbbfd 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -105,3 +105,14 @@
     -init
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
+
+# Audit coredomain access to /dev nodes that might no longer be needed after
+# Treble.
+userdebug_or_eng(`
+    auditallow coredomain {
+        audio_device
+        iio_device
+        radio_device
+        tee_device
+    }:chr_file { open read append write ioctl };
+')
diff --git a/private/file_contexts b/private/file_contexts
index 7127745..dd957a7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -82,10 +82,7 @@
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
-/dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
-/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
-/dev/memcg(/.*)?        u:object_r:cgroup:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8652ee8..c50faef 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -89,6 +89,7 @@
 allow surfaceflinger power_service:service_manager find;
 allow surfaceflinger vr_manager_service:service_manager find;
 allow surfaceflinger window_service:service_manager find;
+allow surfaceflinger inputflinger_service:service_manager find;
 
 
 # allow self to set SCHED_FIFO
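Review bot: The new `find` on `inputflinger_service` here and the `system_server:unix_stream_socket { read write }` rule in the next hunk (line 72) arrive without a comment tying them to the move of `inputflinger_service` into system_server in `public/service.te`, so a later reader cannot tell why surfaceflinger now needs a system_server socket alongside its existing `system_server:fd use`. A one-line comment above each, e.g. `# inputflinger_service is now hosted by system_server` and `# socket received from system_server over an inherited fd`, would record the intent; the second wording is inferred from the `fd use` rule above it and should be confirmed against the surfaceflinger change.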
@@ -98,6 +99,7 @@
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
+allow surfaceflinger system_server:unix_stream_socket { read write };
 allow surfaceflinger ion_device:chr_file r_file_perms;
 
 # pdx IPC
diff --git a/private/zygote.te b/private/zygote.te
index 491f079..d1e0f55 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -48,6 +48,9 @@
 # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 
+# Allow zygote to create JIT memory.
+allow zygote self:process execmem;
+
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?
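Review bot: `allow zygote self:process execmem;` weakens W^X in the one process every app is forked from, so the comment should say which runtime feature needs JIT memory in zygote and under what configuration, e.g. `# Allow zygote to create JIT memory (needed by <feature>); see <bug id>.`, rather than the bare "JIT memory". Because the permission belongs to the zygote domain and does not carry across the domain transition at fork, the exposure is limited to zygote itself, but a memory-safety bug in zygote before fork becomes easier to turn into code execution, which is worth stating in the commit message. Whether `domain.te` carries a `neverallow` on `self:process execmem` that this change must exempt is not visible in this diff; if it does, the exemption belongs in the same commit.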
diff --git a/public/device.te b/public/device.te
index a4f7f01..e55c86d 100644
--- a/public/device.te
+++ b/public/device.te
@@ -18,7 +18,6 @@
 type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
-type cpuctl_device, dev_type;
 type fscklogs, dev_type;
 # GPU (used by most UI apps)
 type gpu_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 20ae4a9..b788f0d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -328,7 +328,7 @@
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
 # read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
 ###
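Review bot: The comment above the changed line still says "read APEX dir", which described neither the old `search` nor the new `{ getattr search }`; update it to `# stat and search the APEX dir, and stat any symlink pointing to APEXs.` so the comment matches the granted permissions. The widening itself is benign: `getattr` on a directory exposes only metadata, and it is granted to `domain` on the same footing as the existing `search`.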
diff --git a/public/init.te b/public/init.te
index 770922a..2a8036a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -94,7 +94,6 @@
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
-allow init cpuctl_device:dir { create mounton };
 
 # /config
 allow init configfs:dir mounton;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index f206c05..c3f4da8 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -9,7 +9,6 @@
 
 wakelock_use(inputflinger)
 
-add_service(inputflinger, inputflinger_service)
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
 
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 8f58868..e86becf 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,7 +23,7 @@
 crash_dump_fallback(mediaextractor)
 
 # allow mediaextractor read permissions for file sources
-allow mediaextractor sdcardfs:file { getattr read };
+allow mediaextractor sdcard_type:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
 allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 
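Review bot: Replacing `sdcardfs` with the `sdcard_type` attribute broadens mediaextractor's read access from one filesystem label to every type carrying that attribute, which is more than a one-for-one substitution; the comment above should name the reason, e.g. `# allow mediaextractor read permissions for file sources on any external-storage filesystem`, so the widening is not mistaken for a typo fix. Which types carry `sdcard_type` is not visible in this diff, so the exact set of newly readable labels should be confirmed against the declarations that carry the attribute before landing. The permission set `{ getattr read }` itself is unchanged.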
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8b6d6cc..0ccd168 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -55,5 +55,3 @@
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
 allow postinstall_dexopt otapreopt_chroot:fd use;
-
-allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/public/service.te b/public/service.te
index f674180..55f8d75 100644
--- a/public/service.te
+++ b/public/service.te
@@ -12,7 +12,6 @@
 type gpu_service,               service_manager_type;
 type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
-type inputflinger_service,      service_manager_type;
 type incident_service,          service_manager_type;
 type installd_service,          service_manager_type;
 type keystore_service,          service_manager_type;
@@ -174,4 +173,5 @@
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
+type inputflinger_service, system_api_service, system_server_service, service_manager_type;
 type wpantund_service, system_api_service, service_manager_type;
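Review bot: The re-added `inputflinger_service` line is placed between `window_service` and `wpantund_service`, breaking the alphabetical order the surrounding declarations in this block follow; move it to its sorted position. Beyond placement, the declaration now carries `system_api_service` where the removed one (first hunk, line 170) had only `service_manager_type`, so every domain granted `system_api_service:service_manager find` can now locate inputflinger, a wider audience than the explicit per-domain `find` rules the old type relied on, and that expansion deserves a sentence in the commit message. Whether any `neverallow` constrains which domains may find `system_api_service` types is not visible here.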
diff --git a/public/vold.te b/public/vold.te
index 3848c35..d26c836 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -7,12 +7,6 @@
 allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;
 
-# Read access to pseudo filesystems.
-r_dir_file(vold, proc_net_type)
-userdebug_or_eng(`
-  auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
 r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.