Merge "Fix bugs in *_file_contexts targets"
diff --git a/private/file_contexts b/private/file_contexts
index 0ca1c58..16ecbf0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -419,6 +419,7 @@
#############################
# sysfs files
#
+/sys/class/leds(/.*)? u:object_r:sysfs_leds:s0
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
diff --git a/public/adbd.te b/public/adbd.te
index d60f8f1..f0df8b1 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -84,7 +84,7 @@
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd { app_data_file ephemeral_data_file }:dir search;
allow adbd { app_data_file ephemeral_data_file }:sock_file write;
-allow adbd { appdomain ephemeral_app }:unix_stream_socket connectto;
+allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
diff --git a/public/audioserver.te b/public/audioserver.te
index 9f390e7..676b04e 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -6,7 +6,7 @@
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, { appdomain ephemeral_app })
+binder_call(audioserver, appdomain)
binder_service(audioserver)
hwbinder_use(audioserver)
diff --git a/public/domain.te b/public/domain.te
index 9151fd3..5c48384 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -297,7 +297,6 @@
neverallow {
domain
-appdomain
- -ephemeral_app
-dumpstate
-shell
userdebug_or_eng(`-su')
diff --git a/public/drmserver.te b/public/drmserver.te
index 790b283..ab42696 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -9,7 +9,7 @@
# Perform Binder IPC to system server.
binder_use(drmserver)
binder_call(drmserver, system_server)
-binder_call(drmserver, { appdomain ephemeral_app })
+binder_call(drmserver, appdomain)
binder_service(drmserver)
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index d64a4b4..a495211 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -49,7 +49,7 @@
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
-allow dumpstate { appdomain ephemeral_app system_server }:process signal;
+allow dumpstate { appdomain system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
@@ -85,7 +85,7 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
+binder_call(dumpstate, { appdomain netd wificond })
# Vibrate the device after we are done collecting the bugreport
# For binderized mode:
diff --git a/public/file.te b/public/file.te
index a113948..527e496 100644
--- a/public/file.te
+++ b/public/file.te
@@ -32,6 +32,7 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index f875935..ee12ff1 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -13,4 +13,4 @@
# Fences
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer {appdomain ephemeral_app}:fd use;
+allow hal_graphics_composer appdomain:fd use;
diff --git a/public/hal_light.te b/public/hal_light.te
index 4fb38b8..145b02e 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,2 +1,6 @@
# call into system_server process (callbacks)
binder_call(hal_light, system_server)
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/public/lmkd.te b/public/lmkd.te
index e25a77f..f4e6c2d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -14,8 +14,6 @@
## TODO: maybe scope this down?
r_dir_file(lmkd, appdomain)
allow lmkd appdomain:file write;
-r_dir_file(lmkd, ephemeral_app)
-allow lmkd ephemeral_app:file write;
r_dir_file(lmkd, system_server)
allow lmkd system_server:file write;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 2acd629..47a7738 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -22,7 +22,7 @@
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, { appdomain ephemeral_app })
+binder_call(mediaserver, appdomain)
binder_service(mediaserver)
allow mediaserver media_data_file:dir create_dir_perms;
@@ -48,7 +48,7 @@
allow mediaserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains.
-allow mediaserver { appdomain ephemeral_app }:fifo_file { getattr read write };
+allow mediaserver appdomain:fifo_file { getattr read write };
allow mediaserver rpmsg_device:chr_file rw_file_perms;
diff --git a/public/radio.te b/public/radio.te
index 1e9ac56..eb52f09 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -19,9 +19,7 @@
# Property service
set_prop(radio, radio_prop)
-set_prop(radio, system_radio_prop)
set_prop(radio, net_radio_prop)
-auditallow radio system_radio_prop:property_service set;
# ctl interface
set_prop(radio, ctl_rildaemon_prop)
diff --git a/public/service.te b/public/service.te
index 858f0b0..1b65b5a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -133,7 +133,7 @@
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wificond_service, service_manager_type;
+type wificond_service, system_server_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
type wpa_supplicant_service, system_server_service, service_manager_type;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 699984f..2b1faec 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -12,7 +12,7 @@
# Perform Binder IPC.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, { appdomain ephemeral_app })
+binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
binder_service(surfaceflinger)
@@ -21,7 +21,7 @@
# Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, { appdomain ephemeral_app })
+r_dir_file(surfaceflinger, appdomain)
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -42,7 +42,7 @@
set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app.
-allow surfaceflinger { appdomain ephemeral_app }:fd use;
+allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write };
# Allow a dumpstate triggered screenshot
diff --git a/public/system_server.te b/public/system_server.te
index 6c59e55..207add7 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -87,10 +87,10 @@
allow system_server self:netlink_route_socket nlmsg_write;
# Kill apps.
-allow system_server { appdomain ephemeral_app }:process { sigkill signal };
+allow system_server appdomain:process { sigkill signal };
# Set scheduling info for apps.
-allow system_server { appdomain ephemeral_app }:process { getsched setsched };
+allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
@@ -151,7 +151,7 @@
# Perform Binder IPC.
binder_use(system_server)
-binder_call(system_server, { appdomain ephemeral_app })
+binder_call(system_server, appdomain)
binder_call(system_server, binderservicedomain)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
@@ -428,8 +428,8 @@
allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets and pipes.
-allow system_server { appdomain ephemeral_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server { appdomain ephemeral_app }:{ fifo_file unix_stream_socket } { getattr read write };
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;
diff --git a/public/zygote.te b/public/zygote.te
index 385be94..594ac57 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -13,15 +13,15 @@
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
-allow zygote { appdomain ephemeral_app }:process dyntransition;
+allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote { appdomain ephemeral_app }:dir { getattr search };
-allow zygote { appdomain ephemeral_app }:file { r_file_perms };
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
-allow zygote { appdomain ephemeral_app }:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
@@ -116,7 +116,7 @@
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server.
-neverallow zygote ~{ appdomain ephemeral_app system_server }:process dyntransition;
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {