Merge "Revert "Revert "Rewrite mac_permissions.xml file."""
diff --git a/Android.mk b/Android.mk
index c3863db..3af7591 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,12 +10,11 @@
MLS_SENS=1
MLS_CATS=1024
-MAC_PERMISSION_FILE=mac_permissions.xml
-
-# Detect if someone tries to union the mac permissions policy file
-$(if $(filter $(MAC_PERMISSION_FILE), $(BOARD_SEPOLICY_UNION)), \
- $(error Cannot specify $(MAC_PERMISSION_FILE) in BOARD_SEPOLICY_UNION) \
-)
+ifeq ($(TARGET_BUILD_VARIANT),user)
+ BOARD_SEPOLICY_IGNORE+=external/sepolicy/su.te
+else
+ BOARD_SEPOLICY_IGNORE+=external/sepolicy/su_user.te
+endif
# Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
# Builds the singular path for each replace file.
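Review bot: The two `BOARD_SEPOLICY_IGNORE+=` lines hard-code `external/sepolicy/` as the location of this tree, and nothing in the hunk says why su.te is dropped on user builds. If `LOCAL_PATH` is set at the top of this Android.mk (outside the hunk), `$(LOCAL_PATH)/su.te` and `$(LOCAL_PATH)/su_user.te` would keep the rule correct if the project moves. A comment above the `ifeq` would also help, e.g. `# user builds get no su domain; su_user.te only declares su_exec so file_contexts still resolves.`, which is what the new su_user.te in this commit states.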
@@ -77,10 +76,12 @@
$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
$(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
built_sepolicy := $(LOCAL_BUILT_MODULE)
sepolicy_policy.conf :=
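Review bot: Both added lines write a file that is not the rule's target (`$@.dontaudit` in the policy.conf recipe, `$(dir $<)/$(notdir $@).dontaudit` in the module recipe), so the stripped policy is invisible to the dependency graph: nothing rebuilds it if it is deleted, `.DELETE_ON_ERROR` cannot clean it up on failure, and the `$(dir $<)/` form yields a double slash since `$(dir)` already ends in `/`. The `sed '/dontaudit/d'` also drops any line containing that substring, so a dontaudit statement continued across lines would leave a truncated remainder in the stripped file — presumably m4 emits them on one line, but worth confirming. Declaring the two outputs as their own targets, with the built module depending on the compiled one, keeps the same output paths and makes the build track them.
```make
# … unchanged: $(sepolicy_policy.conf) rule, minus the sed line …

# policy.conf with every dontaudit line removed; a declared target so the
# build tracks it instead of producing it as a side effect.
sepolicy_policy.conf.dontaudit := $(sepolicy_policy.conf).dontaudit
$(sepolicy_policy.conf.dontaudit) : $(sepolicy_policy.conf)
	$(hide) sed '/dontaudit/d' $< > $@

# Binary policy compiled from the stripped policy.conf (same output path
# as before: next to policy.conf, named after the built module).
built_sepolicy.dontaudit := $(dir $(sepolicy_policy.conf))$(notdir $(LOCAL_BUILT_MODULE)).dontaudit
$(built_sepolicy.dontaudit) : $(sepolicy_policy.conf.dontaudit) $(HOST_OUT_EXECUTABLES)/checkpolicy
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<

$(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(built_sepolicy.dontaudit)
# … unchanged: checkpolicy recipe for $(LOCAL_BUILT_MODULE) …
sepolicy_policy.conf.dontaudit :=
built_sepolicy.dontaudit :=
```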
@@ -161,7 +162,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := $(MAC_PERMISSION_FILE)
+LOCAL_MODULE := mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
@@ -174,17 +175,13 @@
@mkdir -p $(dir $@)
$(hide) m4 -s $^ > $@
-# Build mac_permissions.xml
-$(MAC_PERMISSION_FILE).tmp := $(intermediates)/$(MAC_PERMISSION_FILE).tmp
-$($(MAC_PERMISSION_FILE).tmp) : $(call build_policy, $(MAC_PERMISSION_FILE))
- @mkdir -p $(dir $@)
- $(hide) cp $^ $@
+ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))
-$(LOCAL_BUILT_MODULE) : $($(MAC_PERMISSION_FILE).tmp) $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py
+$(LOCAL_BUILT_MODULE) : $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
@mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(ANDROID_BUILD_TOP) $(mac_perms_keys.tmp) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)
-$(MAC_PERMISSION_FILE).tmp :=
+mac_perms_keys.tmp :=
##################################
build_policy :=
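Review bot: `$(ALL_MAC_PERMS_FILES)` in the insertkeys.py recipe is expanded when the recipe runs, not when the rule is parsed, and unlike `mac_perms_keys.tmp` it is never cleared after the rule, so any later Android.mk that assigns the same global name changes which files get unioned into mac_permissions.xml. This file already binds recipe inputs to the target with the PRIVATE_ idiom (`PRIVATE_MLS_SENS` in the policy.conf recipe); do the same here with `$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(ALL_MAC_PERMS_FILES)`, use `$(PRIVATE_MAC_PERMS_FILES)` at the end of the recipe line, and add `ALL_MAC_PERMS_FILES :=` next to `mac_perms_keys.tmp :=`.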
diff --git a/README b/README
index 135d377..debdf2e 100644
--- a/README
+++ b/README
@@ -55,7 +55,7 @@
is useful if you have numerous config directories that contain a file
and you want to NOT include a particular file in your resulting
policy file, either by UNION or REPLACE.
-Eg.) Suppose the follwoing:
+Eg.) Suppose the following:
BOARD_SEPOLICY_DIRS := X Y
BOARD_SEPOLICY_REPLACE := A
BOARD_SEPOLICY_IGNORE := X/A
@@ -87,21 +87,20 @@
that is referenced in seapp_contexts.
This file can be replaced through BOARD_SEPOLICY_REPLACE containing the
- value "mac_permissions.xml", however, appending (UNION) does NOT exist
- and will cause a build time failure. It is important to note the final
- processed version of this file is stripped of comments and whitespace.
- This is to preserve space on the system.img. If one wishes to view it in
- a more human friendly format, the "tidy" or "xmllint" command will assist
- you.
+ value "mac_permissions.xml", or appended to by using the BOARD_SEPOLICY_UNION
+ variable. It is important to note the final processed version of this file
+ is stripped of comments and whitespace. This is to preserve space on the
+ system.img. If one wishes to view it in a more human friendly format,
+ the "tidy" or "xmllint" command will assist you.
TOOLING:
insertkeys.py
Is a helper script for mapping arbitrary tags in the signature stanzas of
mac_permissions.xml to public keys found in pem files. This script takes
- a mac_permissions.xml file and configuration file in order to operate.
+ a mac_permissions.xml file(s) and configuration file in order to operate.
Details of the configuration file (keys.conf) can be found in the subsection
- keys.conf. This script is also responsible for stipping the comments and
- whitespace from the xml file.
+ keys.conf. This tool is also responsible for stripping the comments and
+ whitespace during processing.
keys.conf
The keys.conf file is used for controlling the mapping of "tags" found in
diff --git a/adbd.te b/adbd.te
index f924149..074f35b 100644
--- a/adbd.te
+++ b/adbd.te
@@ -15,6 +15,9 @@
allow adbd labeledfs:filesystem remount;
allow adbd shell_data_file:dir rw_dir_perms;
allow adbd shell_data_file:file create_file_perms;
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
allow adbd graphics_device:dir search;
allow adbd graphics_device:chr_file r_file_perms;
allow adbd log_device:chr_file r_file_perms;
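Review bot: The two new rules give adbd create permission on every sdcard_type directory and file with no comment stating the use case, while neighbouring rules in this commit (bluetooth.te, surfaceflinger.te, zygote.te) document theirs. Presumably this is for adb push/pull to external storage; if so, a one-line comment above the pair, e.g. `# adb push/pull to external storage.`, records the intent for whoever later tightens this domain.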
diff --git a/app.te b/app.te
index 76b765d..90dfd96 100644
--- a/app.te
+++ b/app.te
@@ -120,6 +120,7 @@
if (app_bluetooth or android_cts) {
# No specific SELinux class for bluetooth sockets presently.
allow untrusted_app self:socket *;
+allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };
}
# Internal SDCard rw access.
bool app_internal_sdcard_rw true;
@@ -163,7 +164,7 @@
# Communicate over a FIFO or socket created by the system_server.
allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write };
+allow appdomain system:unix_stream_socket { read write setopt };
# Communicate over a socket created by surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
diff --git a/bluetooth.te b/bluetooth.te
index cd17967..31ea064 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -26,3 +26,9 @@
# tethering
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
allow bluetooth efs_file:dir search;
+
+# Talk to init over the property socket.
+unix_socket_connect(bluetooth, property, init)
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
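Review bot: `allow bluetooth proc_bluetooth_writable:file rw_file_perms;` relies on some /proc path actually being labelled proc_bluetooth_writable, but this commit only declares the type in file.te and adds no genfs_contexts entry for it, so as written the rule grants nothing and the intended proc writes will still be denied unless the labelling lands elsewhere. If the entry is expected from device-specific policy, say so above the rule, e.g. `# proc_bluetooth_writable is assigned in genfs_contexts by per-device policy.`; otherwise the genfs_contexts line belongs in this change.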
diff --git a/device.te b/device.te
index cdfc0d9..2aeeb16 100644
--- a/device.te
+++ b/device.te
@@ -30,20 +30,25 @@
type kmsg_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type;
+type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
+type timerirq_device, dev_type;
type tty_device, dev_type;
type urandom_device, dev_type;
type video_device, dev_type;
type vcs_device, dev_type;
type zero_device, dev_type;
type fuse_device, dev_type;
+type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
type gps_device, dev_type;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type;
+type usb_device, dev_type;
# All devices have a uart for the hci
# attach service. The uart dev node
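Review bot: `sensors_device` and `timerirq_device` are declared here and consumed by `allow system { sensors_device timerirq_device }:chr_file rw_file_perms;` in the system.te hunk, but unlike usb_device, iio_device and usbaccessory_device they get no file_contexts entry in this commit, so on a device without its own labelling the system rule is inert. This file already annotates hci_attach_dev and rpmsg_device as being used in per-device policy; the same note, e.g. `# Labelled by device-specific file_contexts.`, above these two types would make the contract explicit.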
@@ -51,6 +56,6 @@
# is used in per device policy
type hci_attach_dev, dev_type;
-# All devices have a rpmsg device for
+# All devices have a rpmsg device for
# achieving remoteproc and rpmsg modules
type rpmsg_device, dev_type;
diff --git a/dhcp.te b/dhcp.te
index 0c533eb..10ab788 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -4,16 +4,15 @@
type dhcp_system_file, file_type, data_file_type;
init_daemon_domain(dhcp)
+net_domain(dhcp)
-allow dhcp cgroup:dir { create add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw };
-allow dhcp self:packet_socket { create setopt bind write read };
-allow dhcp self:netlink_route_socket { write nlmsg_write read create bind };
-allow dhcp self:udp_socket { create ioctl };
-allow dhcp shell_exec:file { read open execute };
-allow dhcp system_file:file execute_no_trans;
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms;
+allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
allow dhcp proc:file write;
-allow dhcp property_socket:sock_file write ;
allow dhcp system_prop:property_service set ;
allow dhcp dhcp_system_file:file rx_file_perms;
allow dhcp dhcp_system_file:dir r_dir_perms;
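Review bot: Removing `allow dhcp property_socket:sock_file write ;` while keeping `allow dhcp system_prop:property_service set ;` on the next line looks inconsistent: a property set goes through the property socket, so unless `net_domain(dhcp)` or `init_daemon_domain(dhcp)` already expands to the connect permission (their definitions are outside this diff), dhcp's property sets will now be denied at runtime. If a macro covers it, a comment saying so would stop the next reader from re-adding the rule; otherwise add `unix_socket_connect(dhcp, property, init)` here, as the bluetooth.te hunk in this same commit does. The newly added `write` on cgroup:dir and the `net_bind_service` capability would also benefit from a one-line comment naming what needs them.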
diff --git a/drmserver.te b/drmserver.te
index dcf3cc9..9ef3189 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -18,4 +18,8 @@
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver port:tcp_socket name_connect;
allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver platform_app_data_file:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
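Review bot: `allow drmserver port:tcp_socket name_connect;` uses the generic `port` type, so drmserver may connect to any TCP port rather than the one(s) its DRM plugins need; if a narrower port type exists for the intended service this should use it, and either way a comment stating the purpose belongs above it. The three file rules below grant read/write/getattr on app_data_file, platform_app_data_file and sdcard_type without a matching `allow drmserver appdomain:fd use;`, whereas the surfaceflinger.te hunk in this commit pairs the same file rules with `fd use` and the comment "Use open files supplied by an app." If these are app-supplied descriptors, drmserver (and mediaserver, whose hunk adds the same app_data_file/platform_app_data_file rules) needs the equivalent unless it is already granted outside the diff.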
diff --git a/file.te b/file.te
index cc196a3..a82945a 100644
--- a/file.te
+++ b/file.te
@@ -5,6 +5,7 @@
type rootfs, fs_type;
type proc, fs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
+type proc_bluetooth_writable, fs_type;
type selinuxfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 4e6db16..3fde109 100644
--- a/file_contexts
+++ b/file_contexts
@@ -41,6 +41,7 @@
/dev/block/loop[0-9]* u:object_r:loop_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/mtdblock5 u:object_r:radio_device:s0
+/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/cam u:object_r:camera_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
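Review bot: `/dev/bus/usb(.*)?` is written without the leading slash that every other directory entry in this file uses (`/dev/cpuctl(/.*)?`, `/dev/graphics(/.*)?`, `/dev/log(/.*)?`), so it also matches sibling nodes such as a hypothetical `/dev/bus/usbfoo` and labels them usb_device. Use `/dev/bus/usb(/.*)? u:object_r:usb_device:s0` to match only the directory and its children.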
@@ -50,6 +51,7 @@
/dev/fuse u:object_r:fuse_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/input(/.*) u:object_r:input_device:s0
+/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/kmem u:object_r:kmem_device:s0
/dev/log(/.*)? u:object_r:log_device:s0
@@ -105,6 +107,7 @@
/dev/uhid u:object_r:uhid_device:s0
/dev/uinput u:object_r:input_device:s0
/dev/urandom u:object_r:urandom_device:s0
+/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
@@ -157,7 +160,7 @@
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/local(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
# Misc data
/data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
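Review bot: Narrowing `/data/local(/.*)?` to `/data/local/tmp(/.*)?` leaves `/data/local` itself and any other child without an entry in this hunk, so they fall back to whichever broader `/data` rule precedes them in the file (outside this diff, presumably system_data_file). The adbd and shell hunks in this commit still reference shell_data_file only, so this is probably intended, but a comment above the line such as `# Only /data/local/tmp is shell-writable; /data/local itself keeps the default /data label.` would document the narrowing for the next reader.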
diff --git a/keys.conf b/keys.conf
index 387b65a..c002897 100644
--- a/keys.conf
+++ b/keys.conf
@@ -1,11 +1,11 @@
#
# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARAINT. Common convention is to start TAGNAME with an @ and
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
# name it after the base file name of the pem file.
#
# Each tag (section) then allows one to specify any string found in
# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARAINT string.
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
#
[@PLATFORM]
diff --git a/mediaserver.te b/mediaserver.te
index 0696331..3e78ce2 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -17,7 +17,8 @@
allow mediaserver kernel:system module_request;
allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file r_file_perms;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver graphics_device:chr_file rw_file_perms;
@@ -49,4 +50,4 @@
allow mediaserver qtaguid_device:chr_file r_file_perms;
# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket connectto;
+allow mediaserver rild:unix_stream_socket { connectto read write setopt };
diff --git a/rild.te b/rild.te
index c331bb3..e8069bf 100644
--- a/rild.te
+++ b/rild.te
@@ -37,3 +37,5 @@
# Read/Write to uart driver (for GPS)
allow rild gps_device:chr_file rw_file_perms;
+
+allow rild tty_device:chr_file rw_file_perms;
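Review bot: The added `allow rild tty_device:chr_file rw_file_perms;` has no comment, while the rule directly above it is annotated with its purpose ("Read/Write to uart driver (for GPS)"). tty_device is a broad label, so a one-line comment naming which tty rild needs (the modem AT channel, presumably) should go above it in the same style.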
diff --git a/shell.te b/shell.te
index bf9ee44..2f1dd43 100644
--- a/shell.te
+++ b/shell.te
@@ -5,6 +5,7 @@
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
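Review bot: `allow shell input_device:chr_file rw_file_perms;` lets the shell domain read and inject input events, which is a meaningful widening for a domain reachable over adb, and the hunk gives no reason for it. Presumably this backs the getevent/sendevent tools; a comment above the rule stating that, e.g. `# getevent/sendevent from the shell.`, keeps the grant reviewable.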
@@ -17,7 +18,7 @@
allow shell sdcard_type:file create_file_perms;
r_dir_file(shell, apk_data_file)
-allow shell dalvikcache_data_file:file write;
+allow shell dalvikcache_data_file:file { write setattr };
# Run logcat.
allow shell log_device:chr_file r_file_perms;
diff --git a/su_user.te b/su_user.te
new file mode 100644
index 0000000..77fc535
--- /dev/null
+++ b/su_user.te
@@ -0,0 +1,4 @@
+# File types must be defined for file_contexts.
+type su_exec, file_type;
+
+# No allow rules
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 30b1816..a383ec1 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -28,3 +28,7 @@
allow surfaceflinger system_prop:property_service set;
allow surfaceflinger ctl_default_prop:property_service set;
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger platform_app_data_file:file { read write };
+allow surfaceflinger app_data_file:file { read write };
diff --git a/system.te b/system.te
index c907a79..503bd3c 100644
--- a/system.te
+++ b/system.te
@@ -66,6 +66,9 @@
# XXX See if we can remove some of these.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
+# Triggered by /proc/pid accesses, not allowed.
+dontaudit system self:capability sys_ptrace;
+
# Trigger module auto-load.
allow system kernel:system module_request;
@@ -144,10 +147,12 @@
allow system alarm_device:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system graphics_device:chr_file rw_file_perms;
+allow system iio_device:chr_file rw_file_perms;
allow system input_device:dir r_dir_perms;
allow system input_device:chr_file rw_file_perms;
allow system tty_device:chr_file rw_file_perms;
allow system urandom_device:chr_file rw_file_perms;
+allow system usbaccessory_device:chr_file rw_file_perms;
allow system video_device:chr_file rw_file_perms;
allow system qemu_device:chr_file rw_file_perms;
@@ -219,3 +224,10 @@
allow system cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
+
+# Allow system to talk to usb device
+allow system usb_device:chr_file rw_file_perms;
+allow system usb_device:dir r_dir_perms;
+
+# Allow system to talk to sensors and timer irq
+allow system { sensors_device timerirq_device }:chr_file rw_file_perms;
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
index e4eeb43..509c43f 100755
--- a/tools/insertkeys.py
+++ b/tools/insertkeys.py
@@ -116,12 +116,16 @@
handler.ContentHandler.__init__(self)
self._keyMap = keyMap
self._out = out
-
- def startDocument(self):
self._out.write(ReplaceTags.XML_ENCODING_TAG)
self._out.write("<!-- AUTOGENERATED FILE DO NOT MODIFY -->")
+ self._out.write("<policy>")
+
+ def __del__(self):
+ self._out.write("</policy>")
def startElement(self, tag, attrs):
+ if tag == ReplaceTags.POLICY_TAG:
+ return
self._out.write('<' + tag)
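Review bot: Writing the closing `</policy>` tag from `__del__` makes the output depend on when the handler happens to be garbage-collected: if `output_file` is closed before that (the close is outside this diff, after the parse loop in the last hunk), the write fails inside `__del__`, the error is only printed, and the generated mac_permissions.xml ends without its root close tag — a malformed file that the consumer may reject. `__del__` is also not guaranteed to run at all on interpreter shutdown. Replace it with an explicit method and call it once after the loop in the final hunk, keeping a reference to the handler there; the enclosing `__init__` starts outside this hunk. `ReplaceTags.POLICY_TAG` is referenced in the new `startElement` guard but its definition is not visible here — presumably it already exists on the class.
```python
    def close(self):
        """Write the closing root tag; call exactly once after the last parse()."""
        self._out.write("</policy>")

# … unchanged: startElement / endElement / option parsing …

    handler = ReplaceTags(key_map, output_file)
    parser.setContentHandler(handler)
    for f in args[1:]:
        parser.parse(f)
    handler.close()
```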
@@ -140,6 +144,9 @@
self._out.write('/>')
def endElement(self, tag):
+ if tag == ReplaceTags.POLICY_TAG:
+ return
+
if tag in ReplaceTags.TAGS_WITH_CHILDREN:
self._out.write('</%s>' % tag)
@@ -157,10 +164,11 @@
# Intentional double space to line up equls signs and opening " for
# readability.
- usage = "usage: %prog [options] CONFIG_FILE MAC_PERMISSIONS_FILE\n"
- usage += "This tool allows one to configure an automatic inclusion "
- usage += "of signing keys into the mac_permision.xml file from the "
- usage += "pem files."
+ usage = "usage: %prog [options] CONFIG_FILE MAC_PERMISSIONS_FILE [MAC_PERMISSIONS_FILE...]\n"
+ usage += "This tool allows one to configure an automatic inclusion\n"
+ usage += "of signing keys into the mac_permision.xml file(s) from the\n"
+ usage += "pem files. If mulitple mac_permision.xml files are included\n"
+ usage += "then they are unioned to produce a final version."
version = "%prog " + str(__VERSION)
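Review bot: The rewritten usage text carries two typos into user-facing output: `mac_permision.xml` (twice) should be `mac_permissions.xml`, and `mulitple` should be `multiple`. Since the lines are being rewritten anyway, fix them here: `usage += "of signing keys into the mac_permissions.xml file(s) from the\n"` and `usage += "pem files. If multiple mac_permissions.xml files are included\n"`.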
@@ -180,11 +188,10 @@
parser.add_option("-t", "--target-build-variant", default="eng", dest="target_build_variant",
help="Specify the TARGET_BUILD_VARIANT, defaults to eng")
-
(options, args) = parser.parse_args()
- if len(args) != 2:
- parser.error("Must specify a config file (keys.conf) AND mac_permissions.xml file!")
+ if len(args) < 2:
+ parser.error("Must specify a config file (keys.conf) AND mac_permissions.xml file(s)!")
logging.basicConfig(level=logging.INFO if options.verbose == True else logging.WARN)
@@ -205,4 +212,5 @@
# Generate the XML file with markup replaced with keys
parser = make_parser()
parser.setContentHandler(ReplaceTags(key_map, output_file))
- parser.parse(args[1])
+ for f in args[1:]:
+ parser.parse(f)
diff --git a/zygote.te b/zygote.te
index 9707082..33e8fe8 100644
--- a/zygote.te
+++ b/zygote.te
@@ -37,3 +37,6 @@
dontaudit zygote self:capability fsetid;
allow zygote tmpfs:dir { write create add_name setattr mounton search };
allow zygote tmpfs:filesystem mount;
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file { execute_no_trans open };