Merge "allow init to run fsck for early mount partitions"
diff --git a/public/app.te b/public/app.te
index 411ce59..169e619 100644
--- a/public/app.te
+++ b/public/app.te
@@ -405,6 +405,14 @@
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
 
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+
+neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
+
 # Read or write access to /proc/pid entries for any non-app domain.
 # A different form of hidepid=2 like protections
 neverallow appdomain { domain -appdomain }:file no_w_file_perms;
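Review bot: The new rule at L16 and the one added in the te_macros hunk (L46) carry the same five-line comment and largely overlap: if that macro is the one each app domain is built with (its header is outside the hunk), `neverallow { domain -$1 -crash_dump } $1:process ptrace` already forbids every domain except the app itself and crash_dump, which subsumes this appdomain-wide rule for every source domain it names and additionally forbids app-to-app ptrace. Rather than duplicating the comment, I would keep the rationale in one place and cross-reference: `# Per-domain rule in te_macros also forbids app-to-app ptrace; this covers app domains not built through that macro.` The comment's "Disallow ptrace access" is also slightly misleading for a neverallow, which is a build-time assertion that fails policy compilation if any allow rule grants the access rather than a runtime denial; `# Assert at build time that no system component other than crash_dump is granted ptrace on apps.` states what the line does.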
diff --git a/public/domain.te b/public/domain.te
index c6fc9f8..5dcfdf8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1391,6 +1391,7 @@
   coredomain
   -init
   -ueventd
+  -vold
 } mnt_vendor_file:dir *;
 
 # Only apps are allowed access to vendor public libraries.
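Review bot: The `-vold` exclusion at L29 removes vold from the neverallow for every `dir` permission on mnt_vendor_file, while the matching grant in vold.te (L90) is only `search`; the neverallow block's opening line is outside the hunk, but its `*` permission set is visible at L30. The vold.te comment says "search or mount", yet nothing in this diff grants `mounton` on the directory or `filesystem mount` on the mounted fs type, so either the comment over-promises or a follow-up change is expected; I would narrow the comment to what is granted, `# vold needs to search /mnt/vendor/* (no mount access granted here)`, or note the follow-up. If the full `*` carve-out is intentional so that later grants need no neverallow change, a short comment next to `-vold` saying so, e.g. `# vold: search of /mnt/vendor/*, see vold.te`, would keep the exclusion from reading as broader than needed.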
diff --git a/public/te_macros b/public/te_macros
index cdfdc89..a9814ff 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -178,6 +178,12 @@
 allow $1 $1_tmpfs:file execute;
 neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+neverallow { domain -$1 -crash_dump } $1:process ptrace;
 ')
 
 #####################################
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9b537c1..941303c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,7 +57,7 @@
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
   file_type
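Review bot: `map` at L59 is added to a file set that already carries `create`, `write` and `setattr`, so vendor_init can now establish writable (MAP_SHARED, PROT_WRITE) mappings of every file type in that set; the set's opening brace and most of its members are above the hunk, so the full scope is not visible here. The other two hunks in this file (L68, L77) add `map` only to read-style sets (`open read setattr`, `getattr open read`), which is the lower-risk shape; if the driver is the kernel requiring `map` for mmap-backed reads, it may be enough to add it there and leave the create/write set alone. Whichever is intended, a one-line comment on the set, `# map: needed because <reason — confirm>`, would document why a writable mapping permission belongs in a broad create/write rule.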
@@ -104,7 +104,7 @@
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
-}:file { open read setattr };
+}:file { open read setattr map };
 
 allow vendor_init {
   fs_type
@@ -146,7 +146,7 @@
 r_dir_file(vendor_init, vendor_file_type)
 
 # Vendor init can read properties
-allow vendor_init serialno_prop:file { getattr open read };
+allow vendor_init serialno_prop:file { getattr open read map };
 
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
diff --git a/public/vold.te b/public/vold.te
index 481f48c..1aa616b 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -213,6 +213,9 @@
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;
 
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
+
 neverallow {
     domain
     -vold