Merge "sepolicy: Define and allow map permission"
diff --git a/private/app.te b/private/app.te
index 79adee0..28895a3 100644
--- a/private/app.te
+++ b/private/app.te
@@ -41,10 +41,10 @@
# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir r_dir_perms;
-userdebug_or_eng(`
- # Notify zygote of the wrapped process PID when using --invoke-with.
- allow appdomain zygote:fifo_file write;
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+userdebug_or_eng(`
# Allow apps to create and write method traces in /data/misc/trace.
allow appdomain method_trace_data_file:dir w_dir_perms;
allow appdomain method_trace_data_file:file { create w_file_perms };
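Review bot: The `allow appdomain zygote:fifo_file write;` rule on the new side is now granted on every build type, but the comment kept above it (`# Notify zygote of the wrapped process PID when using --invoke-with.`) still describes a debugging-only flow, so a reader cannot tell why user builds need a write grant from every app domain toward zygote. If the wrapped-process path is reachable on user builds, say so where the rule lives, e.g. `# Notify zygote of the wrapped process PID when using --invoke-with (needed on all build types, not only userdebug/eng).`; if it is not, the hoisting itself deserves a second look. The `userdebug_or_eng(\`` block reopened on the new side closes outside this hunk.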
diff --git a/private/file_contexts b/private/file_contexts
index fa27bd1..a6851b7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -76,6 +76,7 @@
/dev/cam u:object_r:camera_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)? u:object_r:cgroup:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
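Review bot: The new `/dev/memcg(/.*)? u:object_r:cgroup:s0` entry sits between `/dev/cpuctl` and `/dev/device-mapper`, breaking the alphabetical order the surrounding entries keep (cam, console, cpuctl, device-mapper, eac, event-log-tags); it belongs further down with the other `/dev/m…` paths. Separately, reusing the generic `cgroup` type means every domain already allowed on cgroup inherits the same access to this mount; if the memory controller is meant to be reachable by a narrower set of domains than the other cgroup mounts, a dedicated type would be the place to express that, and a one-line comment on the entry stating the shared-type choice is deliberate would help either way.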
diff --git a/private/platform_app.te b/private/platform_app.te
index 42534bd..047cca4 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -38,6 +38,9 @@
allow platform_app vfat:dir create_dir_perms;
allow platform_app vfat:file create_file_perms;
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
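Review bot: The comment `# com.android.systemui` names the consumer of the new `rootfs:dir getattr` grant but not what it replaces: this same commit deletes `allow domain_deprecated rootfs:dir r_dir_perms;` (and the matching `cache_file` rules) from public/domain_deprecated.te, so the per-domain rules added here, in private/system_app.te (`# android.ui and system.ui`), in public/uncrypt.te (`allow uncrypt cache_file:dir search;`) and in public/update_engine_common.te (`# read fstab`) are the narrowed survivors of that removal. Recording that in each comment, e.g. `# com.android.systemui: stat on / (previously covered by the domain_deprecated rootfs rules)`, tells the next reader which audit finding motivated the grant and that `getattr` rather than the full `r_dir_perms` was chosen on purpose. The other three comments would carry the same one-line annotation.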
diff --git a/private/system_app.te b/private/system_app.te
index 606c4a0..80afcb9 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -11,6 +11,9 @@
net_domain(system_app)
binder_service(system_app)
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index e5feb9a..5c8c07e 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -1,77 +1,5 @@
# rules removed from the domain attribute
-# Root fs.
-allow domain_deprecated rootfs:dir r_dir_perms;
-allow domain_deprecated rootfs:file r_file_perms;
-allow domain_deprecated rootfs:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -fsck
- -healthd
- -installd
- -recovery
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -healthd
- -installd
- -recovery
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -healthd
- -installd
- -recovery
- -servicemanager
- -system_server
- -ueventd
- -uncrypt
- -vold
- -zygote
-} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-')
-
-# System file accesses.
-allow domain_deprecated system_file:dir r_dir_perms;
-allow domain_deprecated system_file:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -installd
- -keystore
- -rild
- -surfaceflinger
- -system_server
- -update_engine
- -vold
- -zygote
-} system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow {
- domain_deprecated
- -appdomain
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} system_file:file { ioctl lock }; # read open getattr in domain
-')
-
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
@@ -119,42 +47,9 @@
} apk_data_file:lnk_file r_file_perms;
')
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -recovery
- -system_server
- -vold
-} cache_file:dir { open read search ioctl lock };
-auditallow {
- domain_deprecated
- -appdomain
- -recovery
- -system_server
- -vold
-} cache_file:dir getattr;
-auditallow {
- domain_deprecated
- -recovery
- -system_server
- -vold
-} cache_file:file { getattr read };
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:lnk_file r_file_perms;
-')
-
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, cgroup)
-allow domain_deprecated proc_meminfo:file r_file_perms;
userdebug_or_eng(`
auditallow {
@@ -217,39 +112,4 @@
-ueventd
-vold
} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -healthd
- -inputflinger
- -installd
- -keystore
- -netd
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} cgroup:dir r_dir_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -healthd
- -inputflinger
- -installd
- -keystore
- -netd
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} cgroup:{ file lnk_file } r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -surfaceflinger
- -system_server
- -vold
-} proc_meminfo:file r_file_perms;
')
diff --git a/public/uncrypt.te b/public/uncrypt.te
index ef1289c..6d3ee10 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -14,6 +14,7 @@
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 8e454cc..775bb1e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -13,6 +13,10 @@
# requires it.
allow update_engine_common misc_block_device:blk_file rw_file_perms;
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir mounton;
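Review bot: `# read fstab` describes a narrower need than the rule beneath it grants: `allow update_engine_common rootfs:file r_file_perms;` permits reading every file labeled rootfs, not only the fstab. If no finer-grained label exists for the fstab here, the comment should say so, so the breadth reads as deliberate rather than accidental, e.g. `# read fstab (no dedicated fstab type: this grants read on all rootfs files)`. The same shape appears in the next hunk, where `r_dir_file(update_engine_common, cache_file)` is commented as `# install update.zip from cache` while granting read on everything labeled cache_file; that hunk runs past the end of what I can see.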
@@ -24,6 +28,8 @@
allow update_engine_common postinstall_file:lnk_file r_file_perms;
allow update_engine_common postinstall_file:dir r_dir_perms;
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
# A postinstall program is typically a shell script (with a #!), so we allow
# to execute those.