Merge "Allow tty and wireless extensions ioctls" into mnc-dev
diff --git a/file.te b/file.te
index 815c892..5e8687a 100644
--- a/file.te
+++ b/file.te
@@ -6,6 +6,8 @@
 type proc, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type;
+# Type for /proc/sys/vm/drop_caches
+type proc_drop_caches, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
@@ -13,6 +15,8 @@
 type proc_cpuinfo, fs_type;
 type proc_net, fs_type;
 type proc_sysrq, fs_type;
+type proc_uid_cputime_showstat, fs_type;
+type proc_uid_cputime_removeuid, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
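Review bot: The two new types `proc_uid_cputime_showstat` and `proc_uid_cputime_removeuid` are declared without a comment, unlike `proc_drop_caches` in the previous hunk, which names the node it labels. A reader of file.te has to go to genfs_contexts to learn what they cover. Suggest adding `# /proc/uid_cputime/show_uid_stat` and `# /proc/uid_cputime/remove_uid_range` above the respective declarations, using the paths from the genfscon lines in this same change.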
diff --git a/file_contexts b/file_contexts
index 1c6b56c..9f895da 100644
--- a/file_contexts
+++ b/file_contexts
@@ -267,6 +267,7 @@
 /mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
 /mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
 /mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)?                   u:object_r:vold_data_file:s0
 
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
diff --git a/genfs_contexts b/genfs_contexts
index 4b16ffc..cdf65bc 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -20,6 +20,10 @@
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
diff --git a/install_recovery.te b/install_recovery.te
index 1385220..2d80b08 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -23,6 +23,4 @@
 allow install_recovery cache_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
-# TODO: create a specific label for this file instead of allowing
-# write for all /proc files.
-allow install_recovery proc:file w_file_perms;
+allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/perfprofd.te b/perfprofd.te
index c9f7f35..03e55f5 100644
--- a/perfprofd.te
+++ b/perfprofd.te
@@ -47,4 +47,7 @@
   # simpleperf is going to execute "sleep"
   allow perfprofd toolbox_exec:file x_file_perms;
 
+  # needed for simpleperf on some kernels
+  allow perfprofd self:capability ipc_lock;
+
 ')
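Review bot: The comment on the new `ipc_lock` grant ("needed for simpleperf on some kernels") does not say what the capability is used for, so it will be hard to judge later whether the rule can be dropped. CAP_IPC_LOCK lets a process lock memory beyond RLIMIT_MEMLOCK. My understanding is that the kernel consults it when a perf_event buffer mmap exceeds the mlock allowance, which would fit simpleperf, but nothing in the hunk confirms this. Suggest something like `# simpleperf mmaps perf_event buffers; kernels that charge them against the mlock limit require CAP_IPC_LOCK`. The enclosing block opens outside the hunk (only its closing `')` is visible), so whether the grant is limited to userdebug/eng builds cannot be checked from here.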
diff --git a/recovery.te b/recovery.te
index 29f1a50..2aad68b 100644
--- a/recovery.te
+++ b/recovery.te
@@ -41,8 +41,7 @@
   allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
 
   # Write to /proc/sys/vm/drop_caches
-  # TODO: create more specific label?
-  allow recovery proc:file w_file_perms;
+  allow recovery proc_drop_caches:file w_file_perms;
 
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
diff --git a/system_server.te b/system_server.te
index 5e0982e..fb16397 100644
--- a/system_server.te
+++ b/system_server.te
@@ -89,6 +89,12 @@
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
+# Read /proc/uid_cputime/show_uid_stat.
+allow system_server proc_uid_cputime_showstat:file r_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
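Review bot: The two new allow rules give system_server access to the uid_cputime nodes, but nothing in the visible policy prevents a later rule from granting another domain write on `proc_uid_cputime_removeuid`. The dedicated types only keep access exclusive until someone adds an allow. If system_server is meant to be the sole writer, a neverallow beside the grant would pin that, e.g. `neverallow { domain -system_server } proc_uid_cputime_removeuid:file { write append };`. This assumes no other domain legitimately needs the node and that no existing attribute-wide grant on `fs_type` covers it, neither of which the diff shows. It is also worth a word in the comment on why `getattr` is added alongside `w_file_perms`.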
diff --git a/tools/Android.mk b/tools/Android.mk
index d749dd6..b9e3533 100644
--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -8,6 +8,7 @@
 LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
 LOCAL_SRC_FILES := check_seapp.c
 LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
 
@@ -21,6 +22,7 @@
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := checkfc.c
 LOCAL_STATIC_LIBRARIES := libsepol libselinux
+LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
 
@@ -43,7 +45,8 @@
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := sepolicy-check.c
 LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
 
-include $(call all-makefiles-under,$(LOCAL_PATH))
\ No newline at end of file
+include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index e65efe9..b9ce0f4 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -9,5 +9,6 @@
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
 LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
diff --git a/untrusted_app.te b/untrusted_app.te
index b0adf10..79eb752 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -112,6 +112,11 @@
   allow untrusted_app perfprofd_data_file:file r_file_perms;
   allow untrusted_app perfprofd_data_file:dir r_dir_perms;
 ')
+
+# Programs routinely attempt to scan through /system, looking
+# for files. Suppress the denials when they occur.
+dontaudit untrusted_app exec_type:file getattr;
+
 ###
 ### neverallow rules
 ###
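Review bot: The new `dontaudit untrusted_app exec_type:file getattr;` is keyed on the `exec_type` attribute, which is probably wider than the /system scan its comment describes. As far as I can tell the attribute covers every file labelled as a domain entry point wherever it lives, and the rule silences the denial for all of them. The access itself stays denied, but the avc record was the only trace of an app stat()ing executables it cannot reach, so anyone triaging app behaviour from audit logs loses that signal. I would state that trade-off in the comment, e.g. `# Access is still denied; only the audit record is dropped, and for every exec_type file.`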
diff --git a/vold.te b/vold.te
index 191b63c..1a1913e 100644
--- a/vold.te
+++ b/vold.te
@@ -144,8 +144,11 @@
 allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
 # Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
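Review bot: The change from `rw_dir_perms` to `create_dir_perms` on `vold_data_file:dir` widens vold's directory access but is left under the old comment, which gives no reason for the extra permissions. Presumably it lets vold create its directory under the `/mnt/expand/[^/]+/misc/vold` path that file_contexts labels in this same change, but that is inferred and not stated here. Suggest a line such as `# vold creates and removes its own directories here, including on expanded storage`. The added drop_caches comment likewise gives only the path and not why vold needs to write it, and a short reason there would help future least-privilege review.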