commit 9b2b447212649b867312b87e8eb6f8efdf5ae07b
author Sen Jiang <senj@google.com> Tue Nov 24 18:43:36 2015 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Nov 24 18:43:36 2015 +0000
tree 5b8d2048be0fcb47db7473d719b53af8efd7f2dc
parent cb835a2852997dde0be2941173f8c879ebbef157
parent d33155be26f401fdbc6ca824e639d33876fc8212

Merge "Add bspatch to update_engine_exec."

bluetooth.te

diff --git a/bluetooth.te b/bluetooth.te
index c05de05..826856c 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -23,23 +23,11 @@
 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
 auditallow bluetooth tun_device:chr_file rw_file_perms;
 
-# Other domains that can create and use bluetooth sockets.
-# SELinux does not presently define a specific socket class for
-# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
-# TODO: This should no longer be needed with bluedroid for bluetooth
-# but may be getting used for other non-bluetooth sockets that has no
-# specific class defined.  Consider taking to specific domains.
-allow bluetoothdomain self:socket create_socket_perms;
-
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
 allow bluetooth self:capability2 wake_alarm;
 
-# Allow clients to use a socket provided by the bluetooth app.
-# TODO:  See if this is still required under bluedroid.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
-
 # tethering
 allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;

bluetoothdomain.te

diff --git a/bluetoothdomain.te b/bluetoothdomain.te
new file mode 100644
index 0000000..a84ddf8
--- /dev/null
+++ b/bluetoothdomain.te
@@ -0,0 +1,13 @@
+# Other domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+# TODO: This should no longer be needed with bluedroid for bluetooth
+# but may be getting used for other non-bluetooth sockets that has no
+# specific class defined.  Consider taking to specific domains. (b/25768265)
+allow bluetoothdomain self:socket create_socket_perms;
+auditallow { bluetoothdomain -system_server } self:socket create_socket_perms;
+
+# Allow clients to use a socket provided by the bluetooth app.
+# TODO:  See if this is still required under bluedroid. (b/25767747)
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
+auditallow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };

domain.te

diff --git a/domain.te b/domain.te
index 03528a3..1050725 100644
--- a/domain.te
+++ b/domain.te
@@ -22,6 +22,7 @@
     setrlimit
 };
 allow domain self:fd use;
+allow domain proc:dir search;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
 allow domain self:{ fifo_file file } rw_file_perms;
@@ -96,6 +97,7 @@
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
 
 ###
 ### neverallow rules

service.te

diff --git a/service.te b/service.te
index 1a2978a..20d7f59 100644
--- a/service.te
+++ b/service.te
@@ -32,7 +32,7 @@
 type connectivity_service, app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, system_server_service, service_manager_type;
-type country_detector_service, system_api_service, system_server_service, service_manager_type;
+type country_detector_service, app_api_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_policy_service, app_api_service, system_server_service, service_manager_type;

system_server.te

diff --git a/system_server.te b/system_server.te
index 15e847d..96d8773 100644
--- a/system_server.te
+++ b/system_server.te
@@ -65,6 +65,10 @@
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms;
 
+# Use generic "sockets" where the address family is not known
+# to the kernel.
+allow system_server self:socket create_socket_perms;
+
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
 
@@ -273,6 +277,9 @@
 allow system_server wallpaper_file:file relabelto;
 allow system_server wallpaper_file:file { rw_file_perms unlink };
 
+# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
+allow system_server system_data_file:dir relabelfrom;
+
 # Property Service write
 set_prop(system_server, system_prop)
 set_prop(system_server, dhcp_prop)