audit domain_deprecated perms for removal
Grant the permissions that were observed in use.
Bug: 28760354
Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
diff --git a/app.te b/app.te
index 21fdc8a..5215633 100644
--- a/app.te
+++ b/app.te
@@ -57,6 +57,7 @@
allow appdomain devpts:chr_file { getattr read write ioctl };
# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
@@ -137,6 +138,8 @@
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
+# read /proc/net/xt_qtguid/stats
+r_dir_file(appdomain, proc_net)
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;
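Review bot: The comment on the new `r_dir_file(appdomain, proc_net)` rule misspells the label and understates the scope: it should read `xt_qtaguid` (as on the line above, `/proc/net/xt_qtaguid/ctrl`), and the macro grants read of every file and directory labelled proc_net to every member of appdomain, not just the stats file. The rule it replaces (removed from untrusted_app.te in this change) was scoped to untrusted_app, so it is worth stating the wider scope where the grant now lives. Suggested comment: `# Read /proc/net/xt_qtaguid/stats; grants read of all proc_net to every app domain.`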
@@ -164,7 +167,8 @@
allow appdomain cache_backup_file:file { read write getattr };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file getattr;
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };
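Review bot: The new `allow appdomain system_data_file:file { getattr read };` sits under the "Backup ability using 'adb backup'" comment, which makes it read as a backup grant; without `open` it can only apply to descriptors an app already holds, which is how the matching domain_deprecated rule is described ("Read files already opened under /data"). Carrying that intent over would stop a later reader from widening it to `r_file_perms` by analogy with the lnk_file line above it. Suggested comment above the line: `# Read system_data_file descriptors already opened and passed by IPC (no open).`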
@@ -231,6 +235,8 @@
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# TODO is write really necessary ?
+auditallow { appdomain -isolated_app } ion_device:chr_file { write append };
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;
diff --git a/bluetooth.te b/bluetooth.te
index 4b20a58..2723df2 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -19,6 +19,7 @@
allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
# sysfs access.
+r_dir_file(bluetooth, sysfs_type)
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;
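Review bot: `r_dir_file(bluetooth, sysfs_type)` grants read over every label carrying the sysfs_type attribute, whereas the domain_deprecated grant it stands in for covers only the generic `sysfs` type, as the audit rules in domain_deprecated.te are written against `sysfs:dir`/`sysfs:file`/`sysfs:lnk_file`, and healthd.te and vold.te show the same `r_dir_file(x, sysfs)` to `r_dir_file(x, sysfs_type)` swap. The same widening appears in fingerprintd.te, priv_app.te, rild.te, surfaceflinger.te, system_app.te, system_server.te, tee.te, ueventd.te and wpa.te; in priv_app.te and system_app.te it replaces rules that named only sysfs_zram. If the observed accesses were on plain `sysfs`, `r_dir_file(bluetooth, sysfs)` is the faithful replacement, and a domain that needs a specifically labelled node is better served by naming that type (as the removed sysfs_zram rules did) than by the whole attribute.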
diff --git a/clatd.te b/clatd.te
index 3cda6a2..fd6be00 100644
--- a/clatd.te
+++ b/clatd.te
@@ -4,6 +4,8 @@
net_domain(clatd)
+r_dir_file(clatd, proc_net)
+
# Access objects inherited from netd.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
diff --git a/debuggerd.te b/debuggerd.te
index 2b8d229..1e84e8d 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -58,3 +58,7 @@
# Check SELinux permissions.
selinux_check_access(debuggerd)
+
+# Read /data/dalvik-cache.
+allow debuggerd dalvikcache_data_file:dir { search getattr };
+allow debuggerd dalvikcache_data_file:file r_file_perms;
diff --git a/dex2oat.te b/dex2oat.te
index 48daac3..c18f496 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -2,6 +2,11 @@
type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type;
+r_dir_file(dex2oat, apk_data_file)
+
+allow dex2oat tmpfs:file { read getattr };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
# the oat file is symlinked to the original file in /system.
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 22bac86..b0a6add 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -4,52 +4,82 @@
allow domain_deprecated kernel:fd use;
allow domain_deprecated tmpfs:file { read getattr };
allow domain_deprecated tmpfs:lnk_file { read getattr };
+auditallow { domain_deprecated -init } kernel:fd use;
+auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
+auditallow domain_deprecated tmpfs:lnk_file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
+auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
+auditallow { domain_deprecated -appdomain -mediaextractor -mediaserver -netd -surfaceflinger } system_server:fd use;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:unix_stream_socket connectto;
allow domain_deprecated adbd:fd use;
allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket connectto;
+auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
+auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
+auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
# Device accesses.
allow domain_deprecated device:file read;
+auditallow domain_deprecated device:file read;
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
allow domain_deprecated system_file:lnk_file r_file_perms;
+auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
+auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
+auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
+auditallow { domain_deprecated -appdomain -init -logd -sdcardd -system_server -tee } system_data_file:file { getattr read };
+auditallow { domain_deprecated -appdomain -init -logd -system_server -tee } system_data_file:lnk_file r_file_perms;
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
+auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:dir { getattr search };
+auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:file r_file_perms;
+auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
# Read /data/dalvik-cache.
allow domain_deprecated dalvikcache_data_file:dir { search getattr };
allow domain_deprecated dalvikcache_data_file:file r_file_perms;
+auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -init -installd -system_server -zygote } dalvikcache_data_file:dir { search getattr };
+auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -installd -system_server -zygote } dalvikcache_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
+auditallow { domain_deprecated -init -priv_app -system_server -vold } cache_file:dir { open read search ioctl lock };
+auditallow { domain_deprecated -appdomain -init -priv_app -system_server -vold } cache_file:dir getattr;
+auditallow { domain_deprecated -init -priv_app -system_server -vold } cache_file:file { getattr read };
+auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file r_file_perms;
#Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;
+# split this auditallow into read and write perms since most domains seem to
+# only require read
+auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -mediaserver -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
+auditallow domain_deprecated ion_device:chr_file { write append };
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
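Review bot: The tmpfs:dir audit rule excludes appdomain, sdcardd, system_server and vold, but unlike surfaceflinger and zygote (which get an explicit `allow ... tmpfs:dir r_dir_perms;` in this change) no equivalent grant for those four appears here, and the tmpfs_domain macro addition in te_macros gives only `{ getattr search }`. If any of them relies on `read`/`open` of a tmpfs directory and is not granted it in a part of its file outside this diff, excluding it from the audit hides exactly the gap that removing domain_deprecated would open. Either add the explicit grants alongside the exclusions or leave those domains in the audit until the grant is in place.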
@@ -58,11 +88,28 @@
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
r_dir_file(domain_deprecated, proc_net)
+#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
+auditallow { domain_deprecated -fsck -fsck_untrusted -init -kernel -logd -priv_app -rild -system_server -vold } proc:file r_file_perms;
+auditallow { domain_deprecated -fsck -fsck_untrusted -init -kernel -logd -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
+auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
+auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow domain_deprecated inotify:dir r_dir_perms;
+auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
+auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
+auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow { domain_deprecated -appdomain -init -logd -mediaextractor -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
+auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
+auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -kernel -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -kernel -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
# World readable asec image contents
allow domain_deprecated asec_public_file:file r_file_perms;
allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
+auditallow domain_deprecated asec_public_file:file r_file_perms;
+auditallow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/drmserver.te b/drmserver.te
index 9a9cfc0..b385e49 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -53,3 +53,6 @@
allow drmserver permission_service:service_manager find;
selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, system_file)
diff --git a/fingerprintd.te b/fingerprintd.te
index 1c0ab1c..09d39b1 100644
--- a/fingerprintd.te
+++ b/fingerprintd.te
@@ -21,3 +21,7 @@
# For permissions checking
binder_call(fingerprintd, system_server);
allow fingerprintd permission_service:service_manager find;
+
+r_dir_file(fingerprintd, cgroup)
+r_dir_file(fingerprintd, sysfs_type)
+allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/fsck.te b/fsck.te
index d5a6db1..9f372ce 100644
--- a/fsck.te
+++ b/fsck.te
@@ -25,6 +25,8 @@
# swap device before setting the EXT2_MF_SWAP mount flag.
allow fsck swap_block_device:blk_file getattr;
+r_dir_file(fsck, proc)
+
###
### neverallow rules
###
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 00faa20..98806dd 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -12,6 +12,8 @@
allow fsck_untrusted block_device:dir search;
allow fsck_untrusted vold_device:blk_file rw_file_perms;
+r_dir_file(fsck_untrusted, proc)
+
###
### neverallow rules
###
diff --git a/gatekeeperd.te b/gatekeeperd.te
index e394af3..3d9b60c 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -6,6 +6,7 @@
binder_service(gatekeeperd)
binder_use(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms;
+allow gatekeeperd ion_device:chr_file r_file_perms;
# need to find KeyStore and add self
allow gatekeeperd gatekeeper_service:service_manager { add find };
@@ -27,4 +28,6 @@
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
+r_dir_file(gatekeeperd, cgroup)
+
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/healthd.te b/healthd.te
index 2658ef8..0c31091 100644
--- a/healthd.te
+++ b/healthd.te
@@ -6,7 +6,8 @@
allow healthd kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs)
+r_dir_file(healthd, sysfs_type)
+r_dir_file(healthd, rootfs)
allow healthd self:capability { net_admin sys_tty_config };
wakelock_use(healthd)
@@ -24,6 +25,9 @@
allow healthd sysfs_batteryinfo:file r_file_perms;
+r_dir_file(healthd, cgroup)
+r_dir_file(healthd, sysfs_type)
+
###
### healthd: charger mode
###
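Review bot: `r_dir_file(healthd, sysfs_type)` on the line above duplicates the identical rule added in this file's first hunk, where `r_dir_file(healthd, sysfs)` was replaced. One of the two should be dropped; keeping the one next to `r_dir_file(healthd, cgroup)` under the "Read access to pseudo filesystems" comment would be the more readable choice.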
diff --git a/init.te b/init.te
index eb15d28..e2f30a0 100644
--- a/init.te
+++ b/init.te
@@ -28,6 +28,7 @@
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
+allow init kernel:fd use;
# setrlimit
allow init self:capability sys_resource;
@@ -70,6 +71,7 @@
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
+r_dir_file(init, cgroup)
allow init cpuctl_device:dir { create mounton };
# /config
@@ -200,9 +202,11 @@
allow init proc_security:file rw_file_perms;
# Write to /proc/sys/kernel/panic_on_oops.
+r_dir_file(init, proc)
allow init proc:file w_file_perms;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(init, proc_net)
allow init proc_net:file w_file_perms;
allow init self:capability net_admin;
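Review bot: `r_dir_file(init, proc)` is inserted directly under "# Write to /proc/sys/kernel/panic_on_oops." and `r_dir_file(init, proc_net)` under the ping_group_range comment, so each comment now describes the write rule two lines down rather than the read macro beneath it. Move both macros above their comments with a line of their own, e.g. `# Read /proc and /proc/net.`, and keep the write comments attached to the `w_file_perms` rules. The later hunk in this file that grants apk_data_file, dalvikcache_data_file, system_file, proc_meminfo and system_data_file to init has no comment at all; a one-line reason per grant (or a pointer to the bug) would help when domain_deprecated is finally removed.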
@@ -218,10 +222,7 @@
# Write to sysfs nodes.
allow init sysfs_type:dir r_dir_perms;
allow init sysfs_type:lnk_file read;
-allow init sysfs_type:file w_file_perms;
-
-# disksize
-allow init sysfs_zram:file getattr;
+allow init sysfs_type:file rw_file_perms;
# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, adbd)
@@ -350,6 +351,15 @@
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
+allow init apk_data_file:dir { getattr search };
+allow init dalvikcache_data_file:dir { search getattr };
+r_dir_file(init, system_file)
+allow init proc_meminfo:file r_file_perms;
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+
###
### neverallow rules
###
diff --git a/inputflinger.te b/inputflinger.te
index 324f3f6..b6a5f0b 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -13,3 +13,5 @@
allow inputflinger inputflinger_service:service_manager { add find };
allow inputflinger input_device:dir r_dir_perms;
allow inputflinger input_device:chr_file rw_file_perms;
+
+r_dir_file(inputflinger, cgroup)
diff --git a/installd.te b/installd.te
index e832e92..c198e2a 100644
--- a/installd.te
+++ b/installd.te
@@ -13,7 +13,7 @@
# Allow movement of APK files between volumes
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create read unlink };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
@@ -21,10 +21,13 @@
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
+allow installd cgroup:{ file lnk_file } create_file_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
+r_dir_file(installd, rootfs)
+
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
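Review bot: `allow installd cgroup:{ file lnk_file } create_file_perms;` is broader than the read access the domain_deprecated audit in this change measures (`cgroup:{ file lnk_file } r_file_perms`), and rild.te and zygote.te add only `r_file_perms` for the same class. installd already has `cgroup:dir create_dir_perms` just above, so creating cgroup files may well be intended, but that is not visible from the audit that motivated this commit. If write/create is required, a comment saying why (`# installd creates and writes cgroup files when ...`) would justify the wider set; otherwise `r_file_perms` matches what was observed.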
diff --git a/kernel.te b/kernel.te
index bcd0935..3b77947 100644
--- a/kernel.te
+++ b/kernel.te
@@ -4,9 +4,8 @@
allow kernel self:capability sys_nice;
# Root fs.
-allow kernel rootfs:dir r_dir_perms;
-allow kernel rootfs:file r_file_perms;
-allow kernel rootfs:lnk_file r_file_perms;
+r_dir_file(kernel, rootfs)
+r_dir_file(kernel, proc)
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
diff --git a/keystore.te b/keystore.te
index 9dca43c..bb2e9d8 100644
--- a/keystore.te
+++ b/keystore.te
@@ -17,6 +17,9 @@
# Check SELinux permissions.
selinux_check_access(keystore)
+allow keystore ion_device:chr_file r_file_perms;
+r_dir_file(keystore, cgroup)
+
###
### Neverallow rules
###
diff --git a/logd.te b/logd.te
index 7665385..99d13e6 100644
--- a/logd.te
+++ b/logd.te
@@ -5,7 +5,9 @@
init_daemon_domain(logd)
# Read access to pseudo filesystems.
+r_dir_file(logd, cgroup)
r_dir_file(logd, proc)
+r_dir_file(logd, proc_meminfo)
r_dir_file(logd, proc_net)
allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
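Review bot: `r_dir_file(logd, proc_meminfo)` grants dir permissions on a type that, everywhere else in this change, is only ever accessed as a file (`allow init proc_meminfo:file r_file_perms;`, and the same form in mediaextractor.te, surfaceflinger.te and vold.te). The dir half of the macro is dead weight and makes the rule look different from its siblings; `allow logd proc_meminfo:file r_file_perms;` says the same thing. system_server.te uses the same `r_dir_file(system_server, proc_meminfo)` form and could be normalised the same way.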
@@ -13,7 +15,7 @@
allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;
-allow logd system_data_file:file r_file_perms;
+allow logd system_data_file:{ file lnk_file } r_file_perms;
# logpersist is only allowed on userdebug and eng builds
userdebug_or_eng(`
allow logd misc_logd_file:file create_file_perms;
diff --git a/mediaextractor.te b/mediaextractor.te
index 3ebb5b7..7b873d6 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -13,6 +13,11 @@
allow mediaextractor mediaextractor_service:service_manager add;
+allow mediaextractor system_server:fd use;
+
+r_dir_file(mediaextractor, cgroup)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/mediaserver.te b/mediaserver.te
index 5fbaa30..d6b68d2 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -8,6 +8,7 @@
init_daemon_domain(mediaserver)
r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaextractor, cgroup)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
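Review bot: The added line in mediaserver.te names the wrong subject: `r_dir_file(mediaextractor, cgroup)` grants mediaextractor, which already receives the identical rule in mediaextractor.te in this same change, while mediaserver gets nothing. Because the cgroup audit in domain_deprecated.te excludes mediaserver, its cgroup reads would be neither logged nor granted once domain_deprecated is removed. It should read `r_dir_file(mediaserver, cgroup)`.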
@@ -123,6 +124,9 @@
# Access to /data/preloads
allow mediaserver preloads_data_file:file { getattr read ioctl };
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver system_server:fd use;
+
###
### neverallow rules
###
diff --git a/netd.te b/netd.te
index c411f67..515ad4f 100644
--- a/netd.te
+++ b/netd.te
@@ -5,6 +5,9 @@
init_daemon_domain(netd)
net_domain(netd)
+r_dir_file(netd, cgroup)
+allow netd system_server:fd use;
+
allow netd self:capability { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
@@ -26,7 +29,7 @@
allow netd devpts:chr_file rw_file_perms;
# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file write;
+allow netd proc_net:file rw_file_perms;
# Enables PppController and interface enumeration (among others)
r_dir_file(netd, sysfs_type)
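Review bot: netd is excluded from the proc_net audit in domain_deprecated.te for both `proc_net:dir` and `proc_net:{ file lnk_file }`, but this change only widens `proc_net:file` to `rw_file_perms` and adds no `proc_net:dir` permission, whereas every other domain given the same exclusion (appdomain, clatd, init, logd, system_server, vold, wpa, zygote) has an `r_dir_file(x, proc_net)`. Unless `net_domain(netd)` or a part of this file outside the hunk already grants the dir search, netd would lose it silently when domain_deprecated goes; `r_dir_file(netd, proc_net)` alongside the write rule would close that gap and match the other files.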
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index dbc76df..3d00c31 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -39,8 +39,6 @@
allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-allow postinstall_dexopt selinuxfs:dir r_dir_perms;
-
# Check validity of SELinux context before use.
selinux_check_context(postinstall_dexopt)
selinux_check_access(postinstall_dexopt)
diff --git a/priv_app.te b/priv_app.te
index d380a67..d5de58b 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -78,9 +78,10 @@
allow priv_app app_fuse_file:dir rw_dir_perms;
allow priv_app app_fuse_file:file rw_file_perms;
-# /sys access
-allow priv_app sysfs_zram:dir search;
-allow priv_app sysfs_zram:file r_file_perms;
+# /sys and /proc access
+r_dir_file(priv_app, sysfs_type)
+r_dir_file(priv_app, proc)
+r_dir_file(priv_app, rootfs)
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
diff --git a/rild.te b/rild.te
index c63f2e7..e721c90 100644
--- a/rild.te
+++ b/rild.te
@@ -9,6 +9,7 @@
allow rild self:capability { setpcap setgid setuid net_admin net_raw };
allow rild alarm_device:chr_file rw_file_perms;
allow rild cgroup:dir create_dir_perms;
+allow rild cgroup:{ file lnk_file } r_file_perms;
allow rild radio_device:chr_file rw_file_perms;
allow rild radio_device:blk_file r_file_perms;
allow rild mtd_device:dir search;
@@ -42,3 +43,7 @@
wakelock_use(rild)
allow rild self:socket create_socket_perms;
+
+r_dir_file(rild, proc)
+r_dir_file(rild, sysfs_type)
+r_dir_file(rild, system_file)
diff --git a/servicemanager.te b/servicemanager.te
index 84605d1..4f07a55 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -13,5 +13,7 @@
allow servicemanager self:binder set_context_mgr;
allow servicemanager { domain -init }:binder transfer;
+r_dir_file(servicemanager, rootfs)
+
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 7364e5f..cc07e5b 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -62,6 +62,13 @@
# allow self to set SCHED_FIFO
allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, sysfs_type)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger ion_device:chr_file r_file_perms;
###
### Neverallow rules
diff --git a/system_app.te b/system_app.te
index 3db5f21..b05bcb9 100644
--- a/system_app.te
+++ b/system_app.te
@@ -72,7 +72,6 @@
};
# /sys access
-allow system_app sysfs_zram:dir search;
-allow system_app sysfs_zram:file r_file_perms;
+r_dir_file(system_app, sysfs_type)
control_logd(system_app)
diff --git a/system_server.te b/system_server.te
index a2be421..795e255 100644
--- a/system_server.te
+++ b/system_server.te
@@ -8,8 +8,8 @@
tmpfs_domain(system_server)
# For art.
-allow system_server dalvikcache_data_file:file execute;
allow system_server dalvikcache_data_file:dir r_dir_perms;
+allow system_server dalvikcache_data_file:file { r_file_perms execute };
# Enable system server to check the foreign dex usage markers.
# We need search on top level directories so that we can get to the files
@@ -228,7 +228,7 @@
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:file { create_file_perms link };
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
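Review bot: Folding `lnk_file` into the existing file rule gives system_server `{ create_file_perms link }` on symlinks under /data/app, but the domain_deprecated rule being retired (and its audit, which excludes system_server) only covers `apk_data_file:lnk_file r_file_perms`. Creating, writing and hard-linking symlinks in an APK directory is a larger capability than the observed read, so unless symlink creation is actually needed the narrower form keeps the change faithful to the audit: `allow system_server apk_data_file:file { create_file_perms link };` followed by `allow system_server apk_data_file:lnk_file r_file_perms;`.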
@@ -368,7 +368,9 @@
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
# Run system programs, e.g. dexopt. Needed? (b/28035297)
-allow system_server system_file:file x_file_perms;
+allow system_server system_file:file rx_file_perms;
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
auditallow system_server system_file:file execute_no_trans;
# LocationManager(e.g, GPS) needs to read and write
@@ -538,6 +540,16 @@
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name };
+r_dir_file(system_server, cgroup)
+allow system_server ion_device:chr_file r_file_perms;
+
+r_dir_file(system_server, proc)
+r_dir_file(system_server, proc_meminfo)
+r_dir_file(system_server, proc_net)
+r_dir_file(system_server, rootfs)
+r_dir_file(system_server, sysfs_type)
+
+
###
### Neverallow rules
###
diff --git a/te_macros b/te_macros
index eb1b921..1e70c4c 100644
--- a/te_macros
+++ b/te_macros
@@ -78,6 +78,7 @@
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write };
+allow $1 tmpfs:dir { getattr search };
')
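Review bot: `allow $1 tmpfs:dir { getattr search };` is added inside the tmpfs_domain macro, so every domain that invokes the macro now receives it, not just the ones observed needing it in this change. The macro's header comment starts above this hunk and still only describes the per-domain `$1_tmpfs` type; it should mention the new generic tmpfs:dir grant, e.g. `# Also grants getattr/search on generic tmpfs dirs so the domain can reach its own tmpfs files.`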
#####################################
@@ -219,7 +220,8 @@
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
-allow $1 selinuxfs:file rw_file_perms;
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security compute_av;
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
')
@@ -228,7 +230,8 @@
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
define(`selinux_check_context', `
-allow $1 selinuxfs:file rw_file_perms;
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security check_context;
')
diff --git a/tee.te b/tee.te
index 8ea6b95..d0b7391 100644
--- a/tee.te
+++ b/tee.te
@@ -13,3 +13,7 @@
allow tee tee_data_file:file create_file_perms;
allow tee self:netlink_socket create_socket_perms;
allow tee self:netlink_generic_socket create_socket_perms;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file r_file_perms;
diff --git a/ueventd.te b/ueventd.te
index 6a44367..657c25b 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -9,8 +9,10 @@
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
-allow ueventd sysfs:file rw_file_perms;
-allow ueventd sysfs_usb:file rw_file_perms;
+r_dir_file(ueventd, sysfs_type)
+r_dir_file(ueventd, rootfs)
+allow ueventd sysfs:file w_file_perms;
+allow ueventd sysfs_usb:file w_file_perms;
allow ueventd sysfs_hwrandom:file w_file_perms;
allow ueventd sysfs_zram_uevent:file w_file_perms;
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
@@ -25,6 +27,9 @@
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
diff --git a/uncrypt.te b/uncrypt.te
index 2ebde86..d1dea78 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -32,3 +32,5 @@
# Access userdata block device.
allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
diff --git a/untrusted_app.te b/untrusted_app.te
index 6b24a62..310f1f3 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,9 +90,6 @@
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app self:process ptrace;
-# access /proc/net/xt_qtguid/stats
-r_dir_file(untrusted_app, proc_net)
-
# Cts: HwRngTest
allow untrusted_app sysfs_hwrandom:dir search;
allow untrusted_app sysfs_hwrandom:file r_file_perms;
diff --git a/vold.te b/vold.te
index 75b6f36..98ccab4 100644
--- a/vold.te
+++ b/vold.te
@@ -16,8 +16,14 @@
# Read access to pseudo filesystems.
r_dir_file(vold, proc)
r_dir_file(vold, proc_net)
-r_dir_file(vold, sysfs)
+r_dir_file(vold, sysfs_type)
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file w_file_perms;
+allow vold sysfs_usb:file w_file_perms;
+allow vold sysfs_zram_uevent:file w_file_perms;
+
r_dir_file(vold, rootfs)
+allow vold proc_meminfo:file r_file_perms;
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
@@ -99,6 +105,8 @@
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
+allow vold ion_device:chr_file r_file_perms;
+
#
# Rules to support encrypted fs support.
#
@@ -177,10 +185,6 @@
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
-# coldboot of /sys/block
-allow vold sysfs_zram:dir r_dir_perms;
-allow vold sysfs_zram_uevent:file rw_file_perms;
-
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
diff --git a/wpa.te b/wpa.te
index a49e041..3a2450f 100644
--- a/wpa.te
+++ b/wpa.te
@@ -6,6 +6,9 @@
net_domain(wpa)
+r_dir_file(wpa, sysfs_type)
+r_dir_file(wpa, proc_net)
+
allow wpa kernel:system module_request;
allow wpa self:capability { setuid net_admin setgid net_raw };
allow wpa cgroup:dir create_dir_perms;
diff --git a/zygote.te b/zygote.te
index 9e155ef..4708c3b 100644
--- a/zygote.te
+++ b/zygote.te
@@ -38,6 +38,7 @@
allow zygote dex2oat_exec:file rx_file_perms;
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
+allow zygote cgroup:{ file lnk_file } r_file_perms;
allow zygote self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
@@ -67,11 +68,10 @@
r_dir_file(zygote, proc_net)
# Root fs.
-allow zygote rootfs:file r_file_perms;
+r_dir_file(zygote, rootfs)
# System file accesses.
-allow zygote system_file:dir r_dir_perms;
-allow zygote system_file:file r_file_perms;
+r_dir_file(zygote, system_file)
userdebug_or_eng(`
# Allow zygote to create and write method traces in /data/misc/trace.
@@ -79,6 +79,9 @@
allow zygote method_trace_data_file:file { create w_file_perms };
')
+allow zygote ion_device:chr_file r_file_perms;
+allow zygote tmpfs:dir r_dir_perms;
+
###
### A/B OTA
###