Merge "Allow access to IProxyService to untrusted apps." into nyc-dev
diff --git a/app.te b/app.te
index 29f0eeb..c9c5ca2 100644
--- a/app.te
+++ b/app.te
@@ -182,6 +182,8 @@
# Read/write visible storage
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;
+allow appdomain sdcardfs:dir create_dir_perms;
+allow appdomain sdcardfs:file create_file_perms;
# Access OBBs (vfat images) mounted by vold (b/17633509)
# File write access allowed for FDs returned through Storage Access Framework
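Review bot: The two new `allow appdomain sdcardfs:...` rules sit under the `# Read/write visible storage` comment but the comment only reflects the fuse pairing; since these rules grant create/write on sdcardfs to every app domain (appdomain, not only untrusted_app), the comment should make the intent of the pairing explicit, e.g. `# Read/write visible storage (fuse and sdcardfs backends)`. Readers checking this against the `neverallow untrusted_app { fs_type ... }` exemptions will then see why both filesystem types are carved out.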
diff --git a/dumpstate.te b/dumpstate.te
index ce09913..817883f 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -121,3 +121,9 @@
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
+
+# systrace support - allow atrace to run
+allow dumpstate debugfs_tracing:dir r_dir_perms;
+allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_trace_marker:file getattr;
+allow dumpstate atrace_exec:file rx_file_perms;
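Review bot: `allow dumpstate debugfs_tracing:file rw_file_perms;` grants read/write on every file labelled debugfs_tracing, while the comment only says "allow atrace to run"; if atrace needs to toggle a known set of trace controls, document which files are expected to be written, or whether a narrower permission set than rw_file_perms suffices. `allow dumpstate atrace_exec:file rx_file_perms;` executes atrace inside the dumpstate domain with no domain transition, which appears intentional (no atrace domain is referenced here) and deserves a comment such as `# atrace runs in dumpstate's own domain; no transition`. This hunk extends the end of dumpstate.te.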
diff --git a/file.te b/file.te
index 43cacbb..53fac04 100644
--- a/file.te
+++ b/file.te
@@ -29,6 +29,7 @@
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
+type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
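Review bot: `type configfs, fs_type;` is inserted among the sysfs_* declarations without the mount-path comment its neighbours carry (`# /sys/devices/system/cpu`, `# /sys/module/lowmemorykiller`); add `# /config` above it, matching the `# /config` comment the init.te hunk uses for the same filesystem. Grouping it with the other non-sysfs filesystem types declared later in this file (debugfs, pstorefs) would also read more naturally, though that placement is a matter of taste.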
@@ -41,6 +42,7 @@
type shm, fs_type;
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
diff --git a/genfs_contexts b/genfs_contexts
index 2700a94..d3d8bfb 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -35,6 +35,8 @@
genfscon vfat / u:object_r:vfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
diff --git a/init.te b/init.te
index 047ea73..efe3911 100644
--- a/init.te
+++ b/init.te
@@ -61,6 +61,10 @@
allow init cgroup:dir create_dir_perms;
allow init cpuctl_device:dir { create mounton };
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
diff --git a/system_server.te b/system_server.te
index 11c40ed..0e4ac39 100644
--- a/system_server.te
+++ b/system_server.te
@@ -481,6 +481,10 @@
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open unlink write };
+
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
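Review bot: `allow system_server configfs:dir { create_dir_perms };` wraps a single permission macro in braces, unlike the neighbouring `allow system_server vold:fd use;` and the `allow init configfs:dir create_dir_perms;` rule added in init.te; write it as `allow system_server configfs:dir create_dir_perms;` for consistency. The `# For configuring sdcardfs` comment would also help by noting that configfs is mounted at /config by init, so a reader knows where these directory and file operations land.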
diff --git a/untrusted_app.te b/untrusted_app.te
index 07b754f..d4d90cc 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -170,6 +170,7 @@
neverallow untrusted_app {
fs_type
-fuse # sdcard
+ -sdcardfs # sdcard
file_type
-app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can
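Review bot: The added `-sdcardfs # sdcard` exemption is the security-relevant part of this merge, because it carves sdcardfs out of the `neverallow untrusted_app { fs_type ... }` rule and thereby permits the appdomain grants in app.te; its comment simply duplicates the fuse line's `# sdcard` and should state the pairing, e.g. `-sdcardfs # sdcard (sdcardfs backend, paired with the fuse exemption above)`. The neverallow statement continues past the end of this hunk.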
diff --git a/zygote.te b/zygote.te
index 013d8c6..89dccfc 100644
--- a/zygote.te
+++ b/zygote.te
@@ -54,6 +54,7 @@
allow zygote rootfs:dir mounton;
allow zygote tmpfs:filesystem { mount unmount };
allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
# Allowed to create user-specific storage source if started before vold
allow zygote mnt_user_file:dir create_dir_perms;