Merge "init: allow to access console-ramoops with newer kernels"
diff --git a/app.te b/app.te
index 60fb0a2..6ad58a6 100644
--- a/app.te
+++ b/app.te
@@ -237,6 +237,8 @@
 allow appdomain adbd:fd use;
 allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
+allow appdomain cache_file:dir getattr;
+
 ###
 ### Neverallow rules
 ###
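Review bot: The new `allow appdomain cache_file:dir getattr;` rule carries no comment, while other grants in this tree say why a directory is reachable (vold's `# Read already opened /cache files.` in this same commit, for instance). appdomain is the attribute shared by all app domains, so a one-line reason such as `# Allow apps to stat() the /cache directory` lets a later reviewer judge whether the grant is still needed. getattr on the directory alone exposes only its metadata, so the exposure is small, but an uncommented attribute-wide rule tends to outlive its purpose.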
diff --git a/blkid.te b/blkid.te
index 7a7e024..23ce3a9 100644
--- a/blkid.te
+++ b/blkid.te
@@ -1,5 +1,5 @@
 # blkid called from vold
-type blkid, domain;
+type blkid, domain, domain_deprecated;
 type blkid_exec, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label
@@ -14,9 +14,6 @@
 # For blkid launched through popen()
 allow blkid blkid_exec:file rx_file_perms;
 
-# access to /proc/filesystems
-allow blkid proc:file r_file_perms;
-
 # Only allow entry from vold
 neverallow { domain -vold } blkid:process transition;
 neverallow domain blkid:process dyntransition;
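Review bot: Removing `allow blkid proc:file r_file_perms;` (the documented /proc/filesystems access) in the same change that tags blkid with domain_deprecated presumably means the deprecated attribute now supplies that access; if so, the fine-grained rule blkid will still need once domain_deprecated is dropped is lost, together with its comment. Consider keeping the explicit rule, or at least recording the dependency: `# /proc/filesystems read is currently supplied by domain_deprecated; restore an explicit proc:file rule before dropping that attribute`. The same pattern appears in fsck.te, where the `# access to /proc/swaps` rule is removed.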
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
index df8e447..7e53de7 100644
--- a/blkid_untrusted.te
+++ b/blkid_untrusted.te
@@ -1,5 +1,5 @@
 # blkid for untrusted block devices
-type blkid_untrusted, domain;
+type blkid_untrusted, domain, domain_deprecated;
 
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
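Review bot: blkid_untrusted exists to run the probe on untrusted block devices under a tighter policy than blkid, so adding domain_deprecated to it with no comment leaves no record of which accesses it is meant to cover or that it is transitional; something like `# TODO: drop domain_deprecated once the accesses it covers are granted explicitly` would do. The definition of domain_deprecated is not on this page, so I cannot tell how much it grants; if it is the broad legacy set its name suggests, the untrusted-device domains are where that widening matters most. The same applies to fsck_untrusted.te, sdcardd.te and sgdisk.te in this commit.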
diff --git a/fsck.te b/fsck.te
index ebff968..cdf1188 100644
--- a/fsck.te
+++ b/fsck.te
@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain;
+type fsck, domain, domain_deprecated;
 type fsck_exec, exec_type, file_type;
 
 init_daemon_domain(fsck)
@@ -24,8 +24,6 @@
 # fsck performs a stat() on swap to verify that it is a valid
 # swap device before setting the EXT2_MF_SWAP mount flag.
 allow fsck swap_block_device:blk_file getattr;
-# access to /proc/swaps
-allow fsck proc:file r_file_perms;
 
 ###
 ### neverallow rules
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 67c67b7..4f01db2 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
+type fsck_untrusted, domain, domain_deprecated;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/healthd.te b/healthd.te
index d09eab4..4f2a2ea 100644
--- a/healthd.te
+++ b/healthd.te
@@ -5,6 +5,9 @@
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;
 
+# Read access to pseudo filesystems.
+r_dir_file(healthd, sysfs)
+
 allow healthd self:capability { net_admin sys_tty_config };
 wakelock_use(healthd)
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
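Review bot: `r_dir_file(healthd, sysfs)` grants read on every file and directory labelled sysfs under a comment, `# Read access to pseudo filesystems.`, that does not say what healthd reads there. A comment naming the paths being read (battery and charger state, if that is the reason — the hunk does not say) lets a later change narrow the rule to a dedicated sysfs label rather than the whole filesystem. The same generic comment heads the new r_dir_file grants in logd.te, vold.te and zygote.te.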
diff --git a/kernel.te b/kernel.te
index 05838af..67edc10 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,6 +3,15 @@
 
 allow kernel self:capability sys_nice;
 
+# Root fs.
+allow kernel rootfs:dir r_dir_perms;
+allow kernel rootfs:file r_file_perms;
+allow kernel rootfs:lnk_file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;
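Review bot: The `# Root fs.` comment above the three new rootfs rules does not say why the kernel domain needs to read the root filesystem; the existing context below (`# Allow init relabel itself.`, relabelfrom on rootfs:file) suggests this is the pre-relabel init phase, but that is an inference the hunk does not state. A comment such as `# init runs in the kernel domain until it relabels itself and reads the rootfs to do so` would record the reason. The selinuxfs rules just below are properly explained; the rootfs ones deserve the same.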
diff --git a/logd.te b/logd.te
index 9b1fdd3..aa24c05 100644
--- a/logd.te
+++ b/logd.te
@@ -4,6 +4,10 @@
 
 init_daemon_domain(logd)
 
+# Read access to pseudo filesystems.
+r_dir_file(logd, proc)
+r_dir_file(logd, proc_net)
+
 allow logd self:capability { setuid setgid sys_nice audit_control };
 allow logd self:capability2 syslog;
 allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
diff --git a/mediaserver.te b/mediaserver.te
index 84ceec8..6006f02 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -9,6 +9,12 @@
 
 r_dir_file(mediaserver, sdcard_type)
 
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, appdomain)
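Review bot: The comment `# open /vendor/lib/mediadrm` sits above `allow mediaserver system_file:dir r_dir_perms;`, which is a grant on every directory carrying the system_file label, not on that one path. If /vendor/lib/mediadrm is labelled system_file, the rule is simply broader than the comment implies and the comment should say so, e.g. `# /vendor/lib/mediadrm is labelled system_file; this grants read on all system_file directories`; if it is not, the rule does not do what the comment claims. Either way the comment and the rule should agree so the scope of the grant is visible.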
diff --git a/recovery.te b/recovery.te
index d2cc90e..afacf40 100644
--- a/recovery.te
+++ b/recovery.te
@@ -48,7 +48,7 @@
   # TODO: create more specific label?
   allow recovery sysfs:file w_file_perms;
 
-  access_kmsg(recovery)
+  allow recovery kernel:system syslog_read;
 
   # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
   allow recovery adb_device:chr_file rw_file_perms;
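Review bot: Inlining access_kmsg as `allow recovery kernel:system syslog_read;` drops the explanation the macro carried in te_macros (read kernel logs and execute klogctl non-destructively, see man 2 klogctl), and nothing in recovery.te replaces it. Since this commit deletes the macro from te_macros, that comment should move here: `# Read kernel logs / non-destructive klogctl (see man 2 klogctl).` The enclosing indented block of recovery.te starts outside the hunk.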
diff --git a/sdcardd.te b/sdcardd.te
index a664820..846c59b 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,9 +1,10 @@
-type sdcardd, domain;
+type sdcardd, domain, domain_deprecated;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
+allow sdcardd tmpfs:dir r_dir_perms;
 allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
diff --git a/sgdisk.te b/sgdisk.te
index 8a689a1..b8d6b3f 100644
--- a/sgdisk.te
+++ b/sgdisk.te
@@ -1,5 +1,5 @@
 # sgdisk called from vold
-type sgdisk, domain;
+type sgdisk, domain, domain_deprecated;
 type sgdisk_exec, exec_type, file_type;
 
 # Allowed to read/write low-level partition tables
diff --git a/te_macros b/te_macros
index 6d91835..4d18973 100644
--- a/te_macros
+++ b/te_macros
@@ -270,16 +270,6 @@
 ')
 
 #####################################
-# access_kmsg(domain)
-# Ability to read from kernel logs
-# and execute the klogctl syscall
-# in a non destructive manner. See
-# man 2 klogctl
-define(`access_kmsg', `
-allow $1 kernel:system syslog_read;
-')
-
-#####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
 define(`create_pty', `
diff --git a/vold.te b/vold.te
index e16ec73..67e461a 100644
--- a/vold.te
+++ b/vold.te
@@ -8,6 +8,17 @@
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
 
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(vold, proc)
+r_dir_file(vold, proc_net)
+r_dir_file(vold, sysfs)
+r_dir_file(vold, rootfs)
+
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
 domain_trans(vold, shell_exec, blkid);
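Review bot: The comment `# Read already opened /cache files.` matches only `allow vold cache_file:file { getattr read };` (no open), but the block also grants `cache_file:dir r_dir_perms` and `cache_file:lnk_file r_file_perms`, which let vold search and list /cache and read its symlinks regardless of who opened them. Either the comment should describe those two rules separately, or, if only inherited file descriptors are meant, the dir and lnk_file grants are wider than needed. The `r_dir_file(vold, rootfs)` line, unlike the proc and sysfs ones, is a whole-filesystem read on the root image and would benefit from its own one-line reason.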
diff --git a/zygote.te b/zygote.te
index 30ac4ed..421a54b 100644
--- a/zygote.te
+++ b/zygote.te
@@ -64,6 +64,16 @@
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
 
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+allow zygote rootfs:file r_file_perms;
+
+# System file accesses.
+allow zygote system_file:dir r_dir_perms;
+allow zygote system_file:file r_file_perms;
+
 userdebug_or_eng(`
   # Allow zygote to create and write method traces in /data/misc/trace.
   allow zygote method_trace_data_file:dir w_dir_perms;