Merge "Allow system_app to start bugreport and to create /data/anr/traces.txt."
diff --git a/bluetooth.te b/bluetooth.te
index 75b0c97..8869ce6 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -31,7 +31,7 @@
 
 # Allow clients to use a socket provided by the bluetooth app.
 # TODO:  See if this is still required under bluedroid.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt getattr read write shutdown };
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt getattr read write ioctl shutdown };
 
 # tethering
 allow bluetooth self:tun_socket create_socket_perms;
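Review bot: The widened `unix_stream_socket` rule still sits under the unresolved `TODO:  See if this is still required under bluedroid`, and nothing records why `ioctl` is now needed. The grant applies to every domain carrying the `bluetoothdomain` attribute, so it is worth confirming that the denial was not specific to one client. I would extend the comment with something like `# ioctl: <client call that triggered the denial>` so the permission can be dropped again if the TODO concludes the socket is unused.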
diff --git a/clatd.te b/clatd.te
index 4971102..be0314d 100644
--- a/clatd.te
+++ b/clatd.te
@@ -1,6 +1,5 @@
 # 464xlat daemon
 type clatd, domain;
-permissive_or_unconfined(clatd)
 type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
diff --git a/dhcp.te b/dhcp.te
index 89346d5..81f6db4 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,5 +1,4 @@
 type dhcp, domain;
-permissive_or_unconfined(dhcp)
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
diff --git a/healthd.te b/healthd.te
index 63efd05..62a20e8 100644
--- a/healthd.te
+++ b/healthd.te
@@ -15,6 +15,10 @@
 binder_service(healthd)
 binder_call(healthd, system_server)
 
+# Write to state file.
+# TODO:  Split into a separate type?
+allow healthd sysfs:file write;
+
 ###
 ### healthd: charger mode
 ###
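Review bot: `allow healthd sysfs:file write;` lets healthd write every file that carries the generic `sysfs` label, not only the state file the comment refers to. The TODO already points at the fix: name the sysfs path in the comment and give that file its own type. For example, declare `type <healthd_state_sysfs_type>, fs_type, sysfs_type;` (placeholder name), label the path in file_contexts, and grant `allow healthd <healthd_state_sysfs_type>:file write;`. Until then the comment should at least say which path is written, so the rule can be narrowed later without re-deriving it from audit logs.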
@@ -23,5 +27,6 @@
 allow healthd graphics_device:chr_file rw_file_perms;
 allow healthd input_device:dir r_dir_perms;
 allow healthd input_device:chr_file r_file_perms;
+allow healthd tty_device:chr_file rw_file_perms;
 allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
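Review bot: The new `allow healthd tty_device:chr_file rw_file_perms;` line has no comment saying what charger mode does with a tty, while the rules around it are at least grouped under the charger-mode banner. `rw_file_perms` grants read, write, append, ioctl and lock together. If charger mode only writes to the console, `w_file_perms` would presumably be enough. I would add a comment such as `# Charger UI: <what is read from / written to the console tty>` and narrow the permission set to match.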
diff --git a/system_server.te b/system_server.te
index 9b7b85a..b59f5a3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -74,9 +74,11 @@
 allow system_server appdomain:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 
-# Read /proc data for apps.
-allow system_server appdomain:dir r_dir_perms;
-allow system_server appdomain:{ file lnk_file } rw_file_perms;
+# Read /proc/pid data for apps.
+r_dir_file(system_server, appdomain)
+
+# Write to /proc/pid/oom_adj_score for apps.
+allow system_server appdomain:file write;
 
 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
 allow system_server qtaguid_proc:file rw_file_perms;
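Review bot: The new comment names `/proc/pid/oom_adj_score`, which is not a file the kernel exposes; the OOM knobs are `oom_score_adj` and the legacy `oom_adj`. Presumably the first is meant, so I would write `# Write to /proc/pid/oom_score_adj for apps.`. The comment should also say that `allow system_server appdomain:file write;` cannot be scoped to that one file, since every /proc/pid entry carries the process's own label and the rule therefore covers all of an app's writable /proc/pid files. Something like `# Note: applies to all /proc/pid files of appdomain, not only oom_score_adj.` keeps a later reader from treating the rule as narrower than it is.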
@@ -119,11 +121,10 @@
 binder_call(system_server, dumpstate)
 binder_service(system_server)
 
-# Read /proc/pid files for Binder clients.
-r_dir_file(system_server, appdomain)
+# Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, mediaserver)
-allow system_server appdomain:process getattr;
-allow system_server mediaserver:process getattr;
+r_dir_file(system_server, sdcardd)
+r_dir_file(system_server, surfaceflinger)
 
 # Use sockets received over binder from various services.
 allow system_server mediaserver:tcp_socket rw_socket_perms;
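Review bot: The three `r_dir_file` lines hard-code which native domains system_server may read under /proc/pid, and a later hunk of this commit removes the catch-all `allow system_server domain:dir r_dir_perms;` and `domain:file r_file_perms;` rules. Any native process added to the framework's stack-dump list without a matching line here will therefore be denied. A comment such as `# Keep in sync with the native processes system_server dumps stacks for.` would make that coupling visible. The two `process getattr` rules are dropped with no replacement visible in this hunk, so it is worth checking the audit log to confirm nothing still needs them.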
@@ -210,11 +211,6 @@
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
 
-# Allow reading of /proc/pid data for other domains.
-# XXX dontaudit candidate
-allow system_server domain:dir r_dir_perms;
-allow system_server domain:file r_file_perms;
-
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_device:chr_file rw_file_perms;