Merge "Allow apps to read preloaded photos"
diff --git a/app.te b/app.te
index 5215633..1afa4b5 100644
--- a/app.te
+++ b/app.te
@@ -437,6 +437,21 @@
tmpfs
}:lnk_file no_w_file_perms;
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
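Review bot: The set at L10-L17 is a denylist, so once domain.te exempts `-appdomain` wholesale any app domain not named here is implicitly allowed to execute from /data, whereas the rule being replaced exempted only untrusted_app, priv_app and shell; any other appdomain type in this tree (platform_app, if present) silently changes status in this commit without appearing in either hunk. Writing it as an allowlist fails closed when a new app domain is added: `neverallow { appdomain -untrusted_app -priv_app -shell } { data_file_type -dalvikcache_data_file -system_data_file -apk_data_file }:file no_x_file_perms;` (add `-platform_app` only if it is meant to keep that ability). If the denylist form is kept on purpose, the L9 comment should say so: `# Any appdomain type NOT listed here may execute from /data; add new app domains to this list unless they need it.`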
diff --git a/bootanim.te b/bootanim.te
index 91a50d5..e18654c 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -6,6 +6,7 @@
binder_use(bootanim)
binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
allow bootanim gpu_device:chr_file rw_file_perms;
@@ -16,6 +17,7 @@
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
+allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
# Allow access to ion memory allocation device
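Review bot: The two new audioserver rules (`binder_call` at L34 and `service_manager find` at L39) carry no comment, unlike the neighbouring audio_device rules, so a later audit cannot tell a deliberate feature from leftover debug access. A one-liner above L39 such as `# Talk to audioserver (boot sound) — confirm` would do; I cannot see the bootanim change that motivates it.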
diff --git a/cppreopts.te b/cppreopts.te
new file mode 100644
index 0000000..66df7ee
--- /dev/null
+++ b/cppreopts.te
@@ -0,0 +1,28 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject;
+type cppreopts_exec, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
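Review bot: `mlstrustedsubject` at L54 is granted without a comment and is the one attribute here that reaches beyond the narrow dalvik-cache write set the header (L50-L52) describes; state which MLS-constrained object forces it, e.g. `# mlstrustedsubject: required to write into dalvik-cache across MLS levels — confirm`, or drop it if the copy works without it. The `rename` permission at L65 lets the script replace files already in the cache, which is presumably intended (refreshing a stale preopt) but is the sensitive operation in this domain and deserves a word in the L63 comment. Note also that `find` and `cp` (L71, L75) run inside cppreopts rather than via a transition, so all handling of /postinstall names happens with dalvik-cache write access; only the name translation at L61 is sandboxed in preopt2cachename.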
diff --git a/dex2oat.te b/dex2oat.te
index c18f496..8c80a32 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -29,7 +29,7 @@
# Allow dex2oat to use file descriptors from otapreopt.
allow dex2oat postinstall_dexopt:fd use;
-allow dex2oat postinstall_file:dir getattr;
+allow dex2oat postinstall_file:dir { getattr search };
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/domain.te b/domain.te
index 38a6db8..78f1dea 100644
--- a/domain.te
+++ b/domain.te
@@ -305,9 +305,7 @@
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
- -untrusted_app
- -priv_app
- -shell
+ -appdomain
} {
data_file_type
-dalvikcache_data_file
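Review bot: The `-appdomain` exemption at L98 now covers every app domain instead of the three it replaces, and the compensating restriction lives in a different file (the per-domain neverallow in app.te); the comment at L92 should point there so the two rules are maintained together, e.g. `# appdomain is exempted here; app.te lists which app domains are still forbidden to execute from /data.` The neverallow's target set continues past the end of this hunk.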
@@ -398,6 +396,7 @@
-zygote
-installd
-postinstall_dexopt
+ -cppreopts
-dex2oat
} dalvikcache_data_file:file no_w_file_perms;
@@ -406,6 +405,7 @@
-init
-installd
-postinstall_dexopt
+ -cppreopts
-dex2oat
-zygote
} dalvikcache_data_file:dir no_w_dir_perms;
@@ -519,6 +519,11 @@
-zygote
} shell:process { transition dyntransition };
+# Only domains spawned from zygote and runas may have the appdomain attribute.
+neverallow { domain -runas -zygote } {
+ appdomain -shell userdebug_or_eng(`-su') -bluetooth
+}:process { transition dyntransition };
+
# Minimize read access to shell- or app-writable symlinks.
# This is to prevent malicious symlink attacks.
neverallow {
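Review bot: The `-bluetooth` exemption at L122 contradicts the comment at L120 ("only domains spawned from zygote and runas") without saying which non-zygote domain needs to transition into bluetooth; add the reason, e.g. `# -bluetooth: <daemon> execs into the bluetooth domain — TODO confirm`, or drop the exemption so the rule is as strict as its comment claims. The `-shell` and `-su` exemptions are at least self-explanatory (adb and su spawn shells). The neverallow beginning at L127 continues outside this hunk.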
diff --git a/domain_deprecated.te b/domain_deprecated.te
index b0a6add..6943ffd 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -29,9 +29,9 @@
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow { domain_deprecated -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
+auditallow { domain_deprecated -appdomain -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
# Device accesses.
allow domain_deprecated device:file read;
@@ -89,8 +89,8 @@
allow domain_deprecated proc_meminfo:file r_file_perms;
r_dir_file(domain_deprecated, proc_net)
#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -kernel -logd -priv_app -rild -system_server -vold } proc:file r_file_perms;
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -kernel -logd -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
+auditallow { domain_deprecated -fsck -fsck_untrusted -init -logd -priv_app -rild -system_server -vold } proc:file r_file_perms;
+auditallow { domain_deprecated -fsck -fsck_untrusted -init -logd -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
@@ -105,8 +105,8 @@
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -kernel -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -kernel -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
# World readable asec image contents
allow domain_deprecated asec_public_file:file r_file_perms;
diff --git a/drmserver.te b/drmserver.te
index b385e49..06f1865 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -41,6 +41,7 @@
# Read resources from open apk files passed over Binder.
allow drmserver apk_data_file:file { read getattr };
allow drmserver asec_apk_file:file { read getattr };
+allow drmserver ringtone_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr };
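Review bot: The new `ringtone_file` rule at L173 sits under the L170 comment about apk files, so it reads as if ringtones were apks; give it its own line, e.g. `# Read ringtone files passed over Binder (fd only, no open).` The absence of `open` and of any `:dir` access is the property worth recording, since it keeps drmserver dependent on the caller handing it the descriptor.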
diff --git a/dumpstate.te b/dumpstate.te
index 80c1563..5e45fc3 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -147,6 +147,14 @@
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+ allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:file r_file_perms;
+ allow dumpstate user_profile_foreign_dex_data_file:dir r_dir_perms;
+ allow dumpstate user_profile_foreign_dex_data_file:file r_file_perms;
+')
+
# Access /data/misc/logd
userdebug_or_eng(`
allow dumpstate misc_logd_file:dir r_dir_perms;
diff --git a/file_contexts b/file_contexts
index 8106bd2..e92aec8 100644
--- a/file_contexts
+++ b/file_contexts
@@ -199,6 +199,8 @@
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
diff --git a/init.te b/init.te
index 0a96314..1512d0b 100644
--- a/init.te
+++ b/init.te
@@ -56,7 +56,7 @@
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
diff --git a/installd.te b/installd.te
index c198e2a..317ae7c 100644
--- a/installd.te
+++ b/installd.te
@@ -73,11 +73,6 @@
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
-# Run otapreopt in its own sandbox.
-domain_auto_trans(installd, otapreopt_chroot_exec, otapreopt_chroot)
-# otapreopt_chroot will transition into postinstall_dexopt, which will spawn a child.
-allow installd postinstall_dexopt:process sigchld;
-
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/kernel.te b/kernel.te
index 3b77947..3608a10 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,5 +1,5 @@
# Life begins with the kernel.
-type kernel, domain, domain_deprecated, mlstrustedsubject;
+type kernel, domain, mlstrustedsubject;
allow kernel self:capability sys_nice;
diff --git a/netd.te b/netd.te
index 976c43d..f360531 100644
--- a/netd.te
+++ b/netd.te
@@ -49,6 +49,7 @@
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
+allow netd self:capability fowner;
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
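Review bot: `allow netd self:capability fowner;` at L250 adds a DAC-bypass capability with no comment; CAP_FOWNER waives the owner-must-match check on chmod/utime-style operations for every file netd can reach, which is broader than the rt_tables update described at L247. Say which call produced the denial, e.g. `# CAP_FOWNER: fchmod() on /data/misc/net/rt_tables when it is not owned by netd — confirm`, so the grant can be revisited if that file's ownership changes.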
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
index b3f8807..3f42670 100644
--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -10,5 +10,8 @@
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
-# Allow otapreopt to use file descriptors from installd.
-allow otapreopt_chroot installd:fd use;
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
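Review bot: The comment at L262-L263 says the inherited descriptors are closed immediately, yet L266 also grants `update_engine:fifo_file write`, which is only needed if something is written to them before the close; either record that stdout/stderr go to update_engine's pipe (and keep the rule) or drop the write if nothing is written. The comment also names only update-engine while L264 grants `postinstall:fd use` as well; `# Inherit fds from postinstall and update_engine; closed right away apart from the stdio pipe` would cover both.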
diff --git a/postinstall.te b/postinstall.te
index 7fd4dc6..0f6bb74 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -30,6 +30,8 @@
# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
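Review bot: The transition at L274 has no comment, unlike the surrounding rules, and together with the installd hunk it moves the otapreopt_chroot entry point from installd to postinstall. If postinstall is now the only domain meant to enter otapreopt_chroot, pin that with `neverallow { domain -postinstall } otapreopt_chroot:process transition;` beside it (I cannot see whether otapreopt_chroot.te already carries such a rule), and document the chain: `# Run otapreopt_chroot in its own domain; it transitions on to postinstall_dexopt (see otapreopt_chroot.te).`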
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index 3d00c31..e0cc257 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -8,7 +8,7 @@
# init_daemon_domain(otapreopt)
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
-allow postinstall_dexopt postinstall_file:dir getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr search };
allow postinstall_dexopt proc:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
@@ -47,9 +47,11 @@
# We have to manually transition, as we don't have an entrypoint.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-# installd wants to know about our child.
-allow postinstall_dexopt installd:process sigchld;
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
# Allow otapreopt to use file descriptors from otapreopt_chroot.
# TODO: Probably we can actually close file descriptors...
allow postinstall_dexopt otapreopt_chroot:fd use;
+
+allow postinstall_dexopt cpuctl_device:dir search;
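Review bot: `allow postinstall_dexopt cpuctl_device:dir search;` at L301 is appended with no comment and is unrelated to the child-tracking change above it; say which code path needs to traverse /dev/cpuctl, e.g. `# search /dev/cpuctl when placing the spawned dex2oat in a cgroup — confirm`. It is `search` only, so no cgroup membership write is being granted, which is worth stating so nobody later widens it by analogy.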
diff --git a/preopt2cachename.te b/preopt2cachename.te
new file mode 100644
index 0000000..49df647
--- /dev/null
+++ b/preopt2cachename.te
@@ -0,0 +1,13 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+type preopt2cachename, domain;
+type preopt2cachename_exec, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net:file r_file_perms;
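Review bot: The comment at L319 says "Allow write to logcat" but the rule at L320 grants read on `proc_net` files, which neither writes logs nor touches logd, so someone auditing /proc/net exposure would miss this grant. Replace the comment with what is actually read (if liblog probes something under /proc/net, say so), or narrow the rule to the specific file if only one is needed.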
diff --git a/property.te b/property.te
index 90c2912..2802c0d 100644
--- a/property.te
+++ b/property.te
@@ -33,6 +33,7 @@
type bluetooth_prop, property_type, core_property_type;
type pan_result_prop, property_type, core_property_type;
type powerctl_prop, property_type, core_property_type;
+type cppreopt_prop, property_type, core_property_type;
type nfc_prop, property_type, core_property_type;
type dalvik_prop, property_type, core_property_type;
type config_prop, property_type, core_property_type;
diff --git a/property_contexts b/property_contexts
index 9190831..2ae1bb0 100644
--- a/property_contexts
+++ b/property_contexts
@@ -21,6 +21,7 @@
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
+sys.cppreopt u:object_r:cppreopt_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
sys.usb.ffs. u:object_r:ffs_prop:s0
service. u:object_r:system_prop:s0
diff --git a/slideshow.te b/slideshow.te
index 3165a65..86d4bff 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -1,6 +1,6 @@
# slideshow seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
-type slideshow, domain, domain_deprecated;
+type slideshow, domain;
allow slideshow kmsg_device:chr_file rw_file_perms;
wakelock_use(slideshow)
diff --git a/system_server.te b/system_server.te
index 05e929e..4b7067b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -354,6 +354,9 @@
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;