Merge "configstore: add selinux policy for configstore@1.0 hal"
diff --git a/private/logd.te b/private/logd.te
index 35117d0..aea6654 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -9,7 +9,7 @@
   file_type
   -logd_tmpfs
   -runtime_event_log_tags_file
-  userdebug_or_eng(`-coredump_file')
+  userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };
 
 # protect the event-log-tags file
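Review bot: The new `-misc_logd_file` carve-out on L11 has no comment saying what logd writes there, and the allow it pairs with lives in public/logd.te, so a reader of this neverallow alone cannot tell the exemption is deliberate. Suggest a comment directly above the `userdebug_or_eng` line: `# userdebug/eng only: logd maintains the event-log-tags file under /data/misc/logd`. The carve-out is correctly kept inside the macro, so user builds retain the original prohibition. The `neverallow logd {` statement this hunk edits begins above the hunk.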
@@ -18,6 +18,7 @@
   -appdomain # covered below
   -bootstat
   -dumpstate
+  -init
   -logd
   userdebug_or_eng(`-logpersist')
   -servicemanager
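Review bot: Exempting `init` on L19 lifts the whole event-log-tags restriction for the most privileged domain without saying why; the matching grants in public/init.te are `open write setattr relabelto` on runtime_event_log_tags_file, and only `relabelto`/`setattr` obviously follow from init creating the file and restoring its label. If `write` is needed because init seeds the file's contents, say so on the exemption itself: `-init # creates, relabels and writes /dev/event-log-tags`. The neverallow statement this line belongs to starts above the hunk, so its object and permission set are not visible here.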
diff --git a/private/logpersist.te b/private/logpersist.te
index 5f4da0e..dbace69 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -18,5 +18,5 @@
 
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
 neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain userdebug_or_eng(`-logpersist -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain userdebug_or_eng(`-logpersist') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
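Review bot: `-init` on L33 and L34 sits outside the `userdebug_or_eng` macro, so on user builds init becomes the only domain allowed to write files and directory entries of type misc_logd_file, while the comment on L29 still describes the directory purely as a userdebug/eng write target for logpersist (and names it /data/misc/log, whereas init.te calls it /data/misc/logd). The dir exemption also covers `link rename reparent rmdir relabelfrom`, far more than the `add_name write` public/init.te actually grants; harmless for a neverallow, but worth a sentence so nobody later widens the allow to match. Suggest replacing the L29 comment with `# logpersist may write /data/misc/logd on userdebug/eng; init may create the directory and the event-log-tags file in it on all builds`.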
diff --git a/private/service_contexts b/private/service_contexts
index ebb3265..dffdbd9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -22,6 +22,7 @@
 commontime_management                     u:object_r:commontime_management_service:s0
 common_time.clock                         u:object_r:mediaserver_service:s0
 common_time.config                        u:object_r:mediaserver_service:s0
+companion_device                          u:object_r:companion_device_service:s0
 connectivity                              u:object_r:connectivity_service:s0
 connectivity_metrics_logger               u:object_r:connectivity_metrics_logger_service:s0
 connmetrics                               u:object_r:connmetrics_service:s0
diff --git a/public/domain.te b/public/domain.te
index 5df7a43..8689017 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -271,9 +271,7 @@
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
-# init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+neverallow domain device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
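Review bot: Dropping the two exemptions on L57-L58 is a real tightening, but the deleted comment lines were the only place explaining how init and ueventd were expected to cope, and the replacement mechanisms (the auditallow'd read/open on typed devices and the `relabelfrom device:file` grant in init.te) are not referenced here. Suggest keeping one sentence above the neverallow: `# No exemptions: init and ueventd must go through specifically typed device nodes (see init.te, ueventd.te).` Note the rule still lists only `open read write`; `setattr`, `ioctl` and relabel operations on generic `device` nodes remain possible wherever an allow grants them, which may well be intended.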
diff --git a/public/init.te b/public/init.te
index 4b29891..1bc2dc6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -17,6 +17,9 @@
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { create_file_perms relabelto };
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto };
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/random, /dev/urandom
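Review bot: The `relabelfrom` on L71 is granted on the generic `device:file` type, so init may relabel any generic-typed regular file under /dev, not only /dev/event-log-tags; SELinux cannot narrow this by path, so the one-line comment on L70 should at least state that the grant exists to pair with the `relabelto` on L72. Suggest `# /dev/event-log-tags: presumably created by init as a generic device:file, then relabeled to runtime_event_log_tags_file and written`. The `write` on L72 is broader than a create-and-relabel needs; if init never writes the file's contents, drop it so the neverallow exemption for init in logd.te covers as little as possible.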
@@ -192,8 +195,13 @@
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+
 # chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
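Review bot: The comment on L80 says init should not be able to read or open generic devices, but the rule beneath it on L82 is an allow of `read open` on every typed device except kmem/port/generic; the restriction it alludes to is the domain.te neverallow, not this rule, and the TODO on L81 has no tracking reference unlike the b/33347297 TODO this commit removes. Suggest rewording to `# Legacy read/open of specifically typed devices; generic device:chr_file is neverallowed in domain.te.` and `# TODO(b/<bug>): auditallow'd so this can be removed once it stops firing.` with a real bug id. Keeping `setattr` separate on L87 for chown/chmod is fine.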
@@ -233,8 +241,8 @@
 
 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { open create read getattr setattr search };
-allow init misc_logd_file:file { getattr };
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
 
 # Support "adb shell stop"
 allow init self:capability kill;
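Review bot: L97-L98 give init `create write` on files of type misc_logd_file and `add_name write` on the directory unconditionally, but the comment on L93-L94 still describes only creating the directory and walking it for restorecon; nothing says which file init writes or why this is not gated by `userdebug_or_eng` like logd's access to the same type in logd.te. Suggest extending the comment: `# Init also creates and writes the event-log-tags file in /data/misc/logd on all builds (see logd.te, logpersist.te).` If that file is only used on debug builds, wrapping L98 in `userdebug_or_eng(...)` would leave user builds with no domain able to write misc_logd_file files.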
@@ -315,11 +323,6 @@
 # only ever accessed by init.
 allow init device:file create_file_perms;
 
-# Access character devices without a specific type,
-# TODO: Remove this access and auditallow (b/33347297)
-allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
-
 # keychord configuration
 allow init self:capability sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;
diff --git a/public/logd.te b/public/logd.te
index 5defed5..62bff97 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -14,6 +14,14 @@
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
 allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+  # Access to /data/misc/logd/event-log-tags
+  allow logd misc_logd_file:dir r_dir_perms;
+  allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
 
 # Access device logging gating property
 get_prop(logd, device_logging_prop)
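Review bot: The pstorefs grants on L122-L123 are undocumented and unrelated to the event-log-tags work in the rest of the hunk; pstore typically holds the previous boot's kernel console and panic records, so read access deserves a why-comment and arguably its own commit. Suggest above L122: `# Read the previous boot's persistent logs from /sys/fs/pstore (presumably pmsg/console-ramoops; confirm which files)`. The userdebug_or_eng block on L124-L128 is consistent with the carve-outs added in private/logd.te and logpersist.te.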
@@ -58,4 +66,8 @@
 neverallow * logd:process dyntransition;
 
 # protect the event-log-tags file
-neverallow * runtime_event_log_tags_file:file no_w_file_perms;
+neverallow {
+  domain
+  -init
+  -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
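Review bot: The neverallow on L138-L142 now names two permitted writers, but the comment on L136 still reads just "protect the event-log-tags file"; since this is the rule that guarantees no app or other domain can tamper with the tag definitions logd relies on, record who is exempt and why: `# protect the event-log-tags file: only init (creates/relabels it) and logd (maintains it) may write`. Switching the subject from `*` to `domain` is effectively a no-op for this check but keeps the statement consistent with the other neverallows in the file.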
diff --git a/public/service.te b/public/service.te
index adcb177..c0cf256 100644
--- a/public/service.te
+++ b/public/service.te
@@ -44,6 +44,7 @@
 type contexthub_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, app_api_service, system_server_service, service_manager_type;
 type commontime_management_service, system_server_service, service_manager_type;
+type companion_device_service, app_api_service, system_server_service, service_manager_type;
 type connectivity_metrics_logger_service, app_api_service, system_server_service, service_manager_type;
 type connectivity_service, app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, system_server_service, service_manager_type;
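Review bot: `companion_device_service` on L151 carries `app_api_service`, which exposes the new binder service to untrusted apps; that is the norm for system_server services, but for a brand-new service nothing here indicates that the Binder interface enforces its own permission checks. A one-line comment is enough: `# reachable from apps; callers are gated by permission checks in the service implementation (TODO confirm)`. This addition, together with the service_contexts entry, is unrelated to the logd/init changes in the same commit.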
diff --git a/public/ueventd.te b/public/ueventd.te
index 11235ed..b0706c8 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,8 +7,6 @@
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-auditallow ueventd device:chr_file rw_file_perms;
 
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)