Merge "Allow readlink(2) of /proc from debuggerd."
diff --git a/app.te b/app.te
index ecdea85..3615306 100644
--- a/app.te
+++ b/app.te
@@ -241,10 +241,6 @@
 neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
     { transition dyntransition };
 
-# Map low memory.
-# Note: Take to domain.te and apply to all domains in the future.
-neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;
-
 # Write to rootfs.
 neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/file_contexts b/file_contexts
index 74c6db3..67b5021 100644
--- a/file_contexts
+++ b/file_contexts
@@ -125,7 +125,7 @@
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/bootanimation u:object_r:bootanim_exec:s0
-/system/bin/app_process	u:object_r:zygote_exec:s0
+/system/bin/app_process32	u:object_r:zygote_exec:s0
 /system/bin/app_process64	u:object_r:zygote_exec:s0
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
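Review bot: Retargeting the entry to `/system/bin/app_process32` leaves the unsuffixed `/system/bin/app_process` path with no explicit label. On any target that still installs a regular file at that path (not visible in this diff), it would fall back to the generic label for /system and the exec-based transition into the zygote domain would stop firing. If the unsuffixed name is now only a symlink this is harmless, but that is worth confirming for 32-bit-only targets. Separately, both app_process entries omit the `--` file-type field that the `sh` and `run-as` entries above use; `/system/bin/app_process32	--	u:object_r:zygote_exec:s0` would restrict the label to regular files.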
diff --git a/mediaserver.te b/mediaserver.te
index 6fdc080..439315f 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -23,8 +23,7 @@
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver sdcard_type:file write;
-allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
-auditallow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
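Review bot: The new `allow mediaserver gpu_device:chr_file rw_file_perms;` line drops `graphics_device` access together with the `auditallow` that was tracking its use, but nothing in the file records why that is safe. Presumably the audit rule produced no hits on the targets tested; a target whose media path still opens the framebuffer node would now be denied. A short comment above the rule would save the next maintainer from re-adding the grant to core policy, for example `# graphics_device intentionally not granted; add in device-specific policy if a target needs it.`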
diff --git a/recovery.te b/recovery.te
index 5c510e4..cfec161 100644
--- a/recovery.te
+++ b/recovery.te
@@ -15,7 +15,3 @@
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
 allow recovery tmpfs:file rx_file_perms;
-
-## TODO: Investigate whether it is safe to remove these
-allow recovery self:capability { sys_rawio mknod };
-auditallow recovery self:capability { sys_rawio mknod };
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 3be2c1b..cea5e71 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,6 +1,5 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
-permissive_or_unconfined(surfaceflinger)
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
diff --git a/system_app.te b/system_app.te
index b03ccb4..5d0eca7 100644
--- a/system_app.te
+++ b/system_app.te
@@ -29,3 +29,5 @@
 # Create /data/anr/traces.txt.
 allow system_app anr_data_file:dir ra_dir_perms;
 allow system_app anr_data_file:file create_file_perms;
+
+control_logd(system_app)
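Review bot: `control_logd(system_app)` is added with no rationale comment, unlike the `# Create /data/anr/traces.txt.` comment on the rules just above it, and system_app is a broad domain. The macro is defined outside this diff; if it grants access to logd's control interface as its name suggests, every app running in this domain could alter or clear log buffers, which matters for audit and incident-response retention. I would add a comment naming the consumer, such as `# Allow <component> to adjust logd settings.`, and check whether a narrower domain could carry the grant instead.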
diff --git a/system_server.te b/system_server.te
index e6fe653..81e31fc 100644
--- a/system_server.te
+++ b/system_server.te
@@ -150,9 +150,6 @@
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server alarm_device:chr_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server graphics_device:dir search;
-allow system_server graphics_device:chr_file rw_file_perms;
-auditallow system_server graphics_device:chr_file rw_file_perms;
 allow system_server iio_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;