Merge "Add sepolicy-analyze tool."
diff --git a/README b/README
index b1e979c..627d75d 100644
--- a/README
+++ b/README
@@ -118,5 +118,16 @@
via the familiar $VARIABLE syntax. This is often useful for setting a location
to ones release keys.
+ Often times, one will need to integrate an application that was signed by a separate
+ organization and may need to extract the pem file for the insertkeys/keys.conf tools.
+ Extraction of the public key in the pem format is possible via openssl. First you need
+ to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
+ openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
+ On some occasions CERT.RSA has a different name, and you will need to adjust for that.
+ After extracting the pem, you can rename it, and configure keys.conf and
+ mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
+ editor and strip out anything outside the opening and closing scissor lines. Failure to do
+ so WILL cause a compile time issue thrown by insertkeys.py
+
NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
and setool all use base16 encodings.
diff --git a/bluetooth.te b/bluetooth.te
index 32ee842..a6e0c4e 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -11,7 +11,7 @@
r_dir_file(bluetooth, bluetooth_efs_file)
# Device accesses.
-allow bluetooth { tun_device uhid_device hci_attach_dev input_device }:chr_file rw_file_perms;
+allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
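Review bot: Dropping `input_device` from the `chr_file` rule only keeps Bluetooth HID working because the file_contexts hunk relabels `/dev/uinput` to `uhid_device`, and neither line says so. With that relabel, any domain holding write access to `uhid_device:chr_file` can also open uinput and create virtual input devices, which the type name does not suggest. I would add `# uhid_device also covers /dev/uinput (see file_contexts).` above the allow rule, or give `/dev/uinput` a type of its own if other domains are ever granted `uhid_device`. A device-specific file_contexts that still labels uinput as `input_device` would leave bluetooth without access; that cannot be checked from this diff.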
diff --git a/domain.te b/domain.te
index 6e5e83c..f90d802 100644
--- a/domain.te
+++ b/domain.te
@@ -106,6 +106,7 @@
# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
+r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
diff --git a/drmserver.te b/drmserver.te
index 8727bc1..b465430 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,6 +1,36 @@
# drmserver - DRM service
type drmserver, domain;
+permissive drmserver;
type drmserver_exec, exec_type, file_type;
init_daemon_domain(drmserver)
-unconfined_domain(drmserver)
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver port:tcp_socket name_connect;
+allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver platform_app_data_file:file { read write getattr };
+allow drmserver { app_data_file asec_apk_file }:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
+allow drmserver efs_file:file { open read getattr };
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket. Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+allow drmserver drmserver_socket:sock_file create_file_perms;
+allow drmserver tee:unix_stream_socket connectto;
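Review bot: `allow drmserver self:{ tcp_socket udp_socket } *;` grants every permission in both socket classes, and it will stay that broad once the domain is made enforcing. The policy macros would narrow it: `allow drmserver self:tcp_socket create_stream_socket_perms;` and `allow drmserver self:udp_socket create_socket_perms;`, assuming drmserver only makes outbound connections as the `name_connect` rule suggests. Separately, `permissive drmserver;` (and the same line in keystore.te) means none of these rules is enforced yet; a comment such as `# TODO: remove permissive once denials are clean` would record that it is temporary.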
diff --git a/file_contexts b/file_contexts
index be61f9c..89a8cf7 100644
--- a/file_contexts
+++ b/file_contexts
@@ -100,7 +100,7 @@
/dev/ttyS[0-9]* u:object_r:serial_device:s0
/dev/tun u:object_r:tun_device:s0
/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:input_device:s0
+/dev/uinput u:object_r:uhid_device:s0
/dev/urandom u:object_r:urandom_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
@@ -204,6 +204,7 @@
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
/sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
/sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
#############################
diff --git a/keystore.te b/keystore.te
index a7f4b4d..a3aa4c8 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,6 +1,13 @@
type keystore, domain;
+permissive keystore;
type keystore_exec, exec_type, file_type;
# keystore daemon
init_daemon_domain(keystore)
-unconfined_domain(keystore)
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+allow keystore tee_device:chr_file rw_file_perms;
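Review bot: The new keystore rules carry no comments, unlike the drmserver.te rules added in the same commit, so a reader cannot tell why the daemon that holds key material needs `tee_device` access, `getattr` on its own executable, or `mlstrustedsubject`. I would add one line per group, for example `# Hardware-backed key operations go through the TEE device node.` above the `tee_device` rule and `# Exempt from MLS constraints so apps at any level can reach the service.` above the `typeattribute`; both reasons are presumed and should be confirmed by the author. `{ getattr }` with a single permission can be written as `getattr` without braces.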
diff --git a/servicemanager.te b/servicemanager.te
index dc0f15e..a78a485 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,6 +1,5 @@
# servicemanager - the Binder context manager
type servicemanager, domain;
-permissive servicemanager;
type servicemanager_exec, exec_type, file_type;
init_daemon_domain(servicemanager)
diff --git a/ueventd.te b/ueventd.te
index 1562c0e..275286b 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -14,6 +14,7 @@
allow ueventd sysfs:file rw_file_perms;
allow ueventd sysfs:file setattr;
allow ueventd sysfs_type:file { relabelfrom relabelto };
+allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
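Review bot: The added rule gives ueventd `rw_file_perms` on the new type but not `setattr`, which it holds on plain `sysfs:file` two lines above. Files under /sys/devices/system/cpu leave the `sysfs` type with the file_contexts change, so if any ueventd.rc entry sets owner or mode on a file there (not visible in this diff), that chown/chmod would be denied once ueventd is enforcing. In that case `allow ueventd sysfs_devices_system_cpu:file { rw_file_perms setattr };` restores parity. The relabel rule on `sysfs_type` covers the new type only if its declaration carries that attribute, which is also outside this diff.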