Merge "Allow vendor domains to use the untrusted_app_all attribute"
diff --git a/prebuilts/api/26.0/26.0.ignore.cil b/prebuilts/api/26.0/26.0.ignore.cil
index 5d76233..874f710 100644
--- a/prebuilts/api/26.0/26.0.ignore.cil
+++ b/prebuilts/api/26.0/26.0.ignore.cil
@@ -9,7 +9,6 @@
hal_cas_hwservice
hal_tetheroffload_hwservice
kmsg_debug_device
- memcg_device
netd_stable_secret_prop
sysfs_fs_ext4_features
timezone_service
diff --git a/private/system_server.te b/private/system_server.te
index 84b9e18..fddfe2d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -114,6 +114,9 @@
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
+# Allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns
+allow system_server cameraserver:file w_file_perms;
+
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device. In addition, /proc/pid files access is needed
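Review bot: The new rule `allow system_server cameraserver:file w_file_perms;` is broader than the comment above it states: `cameraserver:file` matches every regular file under cameraserver's /proc/<pid>/ that inherits the process label, not only timerslack_ns, and w_file_perms grants open/append/write/lock rather than write alone. Since procfs offers no finer label for timerslack_ns, the rule itself is probably as narrow as the policy can express, but the comment should say so for the next reader; suggest `# Allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns. Note: this grants w_file_perms on every cameraserver-labeled procfs file, not just timerslack_ns.` The enclosing run of system_server rules continues outside the hunk.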
diff --git a/public/attributes b/public/attributes
index 6c450b1..cd4b820 100644
--- a/public/attributes
+++ b/public/attributes
@@ -176,9 +176,9 @@
attribute hal_allocator_server;
expandattribute hal_allocator_server false;
attribute hal_audio;
-expandattribute hal_audio true;
+expandattribute hal_audio false;
attribute hal_audio_client;
-expandattribute hal_audio_client false;
+expandattribute hal_audio_client true;
attribute hal_audio_server;
expandattribute hal_audio_server false;
attribute hal_bluetooth;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 66a168e..795592f 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -7,3 +7,51 @@
# As opposed to the rules of most other HALs, the different services exposed by
# this HAL should be restricted to different clients. Thus, the allow rules for
# clients are defined in the .te files of the clients.
+
+###
+### neverallow rules
+###
+
+# Should never execute an executable without a domain transition
+neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access. Disallow sockets except for
+# for unix stream/dgram sockets used for logging/debugging.
+neverallow hal_configstore_server domain:{
+ rawip_socket tcp_socket udp_socket
+ netlink_route_socket netlink_selinux_socket
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+neverallow hal_configstore_server {
+ domain
+ -hal_configstore_server
+ -logd
+ userdebug_or_eng(`-su')
+}:{ unix_dgram_socket unix_stream_socket } *;
+
+# Should never need access to anything on /data
+neverallow hal_configstore_server {
+ data_file_type
+ -zoneinfo_data_file # granted to domain
+}:{ file fifo_file sock_file } *;
+
+# Should never need sdcard access
+neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+
+# Do not permit access to service_manager and vndservice_manager
+neverallow hal_configstore_server *:service_manager *;
+
+# No privileged capabilities
+neverallow hal_configstore_server self:capability_class_set *;
+
+# No ptracing other processes
+neverallow hal_configstore_server *:process ptrace;
+
+# no relabeling
+neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
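Review bot: The sdcard neverallow at `neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;` forbids only the `file` class, so a vendor policy could still grant `dir` search or read on those filesystems without tripping it; if the comment's intent ("never need sdcard access") is meant literally, extend it to `neverallow hal_configstore_server { fuse sdcardfs vfat }:{ file dir } *;`. The socket-class list in the first network neverallow matches the standard set used elsewhere in the policy, and targeting `domain` is sufficient because sockets inherit the creating process's domain label. Separately, the comment "Disallow sockets except for / for unix stream/dgram sockets" doubles "for"; suggest `# Should never need network access. Disallow sockets except for unix stream/dgram sockets used for logging/debugging.`.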
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 775bb1e..e9bf24f 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -19,7 +19,7 @@
# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir mounton;
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
allow update_engine_common labeledfs:filesystem relabelfrom;
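Review bot: The comment above `allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };` still describes only mounting, while the hunk also adds getattr and search on the mount point; presumably these are needed to stat and traverse /postinstall before or after the mount, but the hunk does not say. Suggest extending the comment to `# ... and to stat/traverse the mount point directory itself (getattr, search).` so the extra permissions are not later mistaken for an over-grant and removed. The surrounding update_engine_common rules continue outside the hunk.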