Merge "Give healthd permission to write sys properties to allow quick boot from charger mode."
diff --git a/app.te b/app.te
index df8ff81..63e61e0 100644
--- a/app.te
+++ b/app.te
@@ -115,9 +115,9 @@
# cropping or taking user photos.
allow untrusted_app system_app_data_file:file { read write getattr };
-# Access SDcard.
-allow appdomain sdcard_type:dir create_dir_perms;
-allow appdomain sdcard_type:file create_file_perms;
+# Access SDcard via the fuse mount.
+allow appdomain sdcard_internal:dir create_dir_perms;
+allow appdomain sdcard_internal:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
diff --git a/binderservicedomain.te b/binderservicedomain.te
index db2f93f..2533fbe 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -5,8 +5,9 @@
allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
allow binderservicedomain shell_data_file:file { getattr write };
-# Allow dumpsys to work from adb shell
+# Allow dumpsys to work from adb shell or the serial console
allow binderservicedomain devpts:chr_file rw_file_perms;
+allow binderservicedomain console_device:chr_file rw_file_perms;
# Receive and write to a pipe received over Binder from an app.
allow binderservicedomain appdomain:fd use;
diff --git a/dhcp.te b/dhcp.te
index 2e5b3d4..32a6ccc 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,7 +13,7 @@
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
-allow dhcp system_prop:property_service set ;
+allow dhcp dhcp_prop:property_service set;
allow dhcp pan_result_prop:property_service set;
unix_socket_connect(dhcp, property, init)
diff --git a/domain.te b/domain.te
index 787ce36..1a3feb4 100644
--- a/domain.te
+++ b/domain.te
@@ -278,7 +278,7 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
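Review bot: Dropping `relabelfrom` from the rootfs neverallow lifts the assertion for every domain, although the only grant this commit adds is `allow init rootfs:file relabelfrom;` in init.te. A second assertion would keep the compile-time check for everyone else: `neverallow { domain -init } rootfs:file relabelfrom;`. If other domains are also expected to relabel rootfs files, that is not visible in this diff and the exclusion set would need to list them.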
diff --git a/file_contexts b/file_contexts
index dd09c1f..85a1b04 100644
--- a/file_contexts
+++ b/file_contexts
@@ -158,6 +158,7 @@
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
+/system/bin/vdc u:object_r:vdc_exec:s0
#############################
# Vendor files
#
diff --git a/init.te b/init.te
index 069f041..191c570 100644
--- a/init.te
+++ b/init.te
@@ -28,6 +28,9 @@
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
+# restorecon /adb_keys or any other rootfs files to a more specific type.
+allow init rootfs:file relabelfrom;
+
# restorecon and restorecon_recursive calls from init.rc files.
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
@@ -83,6 +86,12 @@
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
+# Set any property.
+allow init property_type:property_service set;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+
###
### neverallow rules
###
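Review bot: `allow init property_type:property_service set;` covers every property type, including `security_prop`, which the rule removed from unconfined.te in this same commit (`{ property_type -security_prop }`) excluded. If init previously got its property access through unconfineddomain (not visible here), this is a widening rather than a move. Either keep the exclusion, `allow init { property_type -security_prop }:property_service set;`, or extend the `# Set any property.` comment to say why init needs security_prop as well.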
diff --git a/netd.te b/netd.te
index 6fe1ad3..b7c30eb 100644
--- a/netd.te
+++ b/netd.te
@@ -31,7 +31,9 @@
# Set dhcp lease for PAN connection
unix_socket_connect(netd, property, init)
+allow netd dhcp_prop:property_service set;
allow netd system_prop:property_service set;
+auditallow netd system_prop:property_service set;
# Connect to PAN
domain_auto_trans(netd, dhcp_exec, dhcp)
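Review bot: The added `auditallow netd system_prop:property_service set;` has no comment saying why the access is being logged, and the same is true of the auditallow pairs added in radio.te, rild.te and system_app.te. Presumably these rules exist to find out whether the grants are still exercised after the property types were split, so that they can be narrowed later. A line such as `# Audit remaining system_prop sets so this allow can be dropped once nothing depends on it.` would tell the next maintainer the rule is temporary. Without it an auditallow tends to stay in policy and add noise to the audit log that detection work then has to filter out.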
diff --git a/property.te b/property.te
index aa1c9a8..9d6f106 100644
--- a/property.te
+++ b/property.te
@@ -2,10 +2,12 @@
type shell_prop, property_type;
type debug_prop, property_type;
type debuggerd_prop, property_type;
+type dhcp_prop, property_type;
type radio_prop, property_type;
+type net_radio_prop, property_type;
+type system_radio_prop, property_type;
type system_prop, property_type;
type vold_prop, property_type;
-type rild_prop, property_type;
type ctl_bootanim_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dhcp_pan_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 76dcbc4..48f7fae 100644
--- a/property_contexts
+++ b/property_contexts
@@ -2,19 +2,17 @@
# property service keys
#
#
-net.rmnet u:object_r:radio_prop:s0
-net.gprs u:object_r:radio_prop:s0
-net.ppp u:object_r:radio_prop:s0
-net.qmi u:object_r:radio_prop:s0
-net.lte u:object_r:radio_prop:s0
-net.cdma u:object_r:radio_prop:s0
+net.rmnet u:object_r:net_radio_prop:s0
+net.gprs u:object_r:net_radio_prop:s0
+net.ppp u:object_r:net_radio_prop:s0
+net.qmi u:object_r:net_radio_prop:s0
+net.lte u:object_r:net_radio_prop:s0
+net.cdma u:object_r:net_radio_prop:s0
+net.dns u:object_r:net_radio_prop:s0
+sys.usb.config u:object_r:system_radio_prop:s0
+ril. u:object_r:radio_prop:s0
gsm. u:object_r:radio_prop:s0
persist.radio u:object_r:radio_prop:s0
-net.dns u:object_r:radio_prop:s0
-sys.usb.config u:object_r:radio_prop:s0
-
-ril. u:object_r:rild_prop:s0
-ril.cdma u:object_r:radio_prop:s0
net. u:object_r:system_prop:s0
dev. u:object_r:system_prop:s0
@@ -24,7 +22,7 @@
sys.powerctl u:object_r:powerctl_prop:s0
service. u:object_r:system_prop:s0
wlan. u:object_r:system_prop:s0
-dhcp. u:object_r:system_prop:s0
+dhcp. u:object_r:dhcp_prop:s0
dhcp.bt-pan.result u:object_r:pan_result_prop:s0
bluetooth. u:object_r:bluetooth_prop:s0
diff --git a/radio.te b/radio.te
index 4f1df1f..d0018ea 100644
--- a/radio.te
+++ b/radio.te
@@ -19,6 +19,10 @@
# Property service
allow radio radio_prop:property_service set;
+allow radio net_radio_prop:property_service set;
+allow radio system_radio_prop:property_service set;
+auditallow radio net_radio_prop:property_service set;
+auditallow radio system_radio_prop:property_service set;
# ctl interface
allow radio ctl_rildaemon_prop:property_service set;
diff --git a/recovery.te b/recovery.te
index 13c21c2..9ee3a04 100644
--- a/recovery.te
+++ b/recovery.te
@@ -77,6 +77,9 @@
allow recovery powerctl_prop:property_service set;
unix_socket_connect(recovery, property, init)
+ # Start/stop adbd via ctl.start adbd
+ allow recovery ctl_default_prop:property_service set;
+
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
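Review bot: The new `allow recovery ctl_default_prop:property_service set;` grants more than its comment describes. `ctl_default_prop` looks like the catch-all control-property type, since property.te declares separate types such as `ctl_bootanim_prop` and `ctl_dhcp_pan_prop` for specific services. Recovery can therefore presumably start or stop any service whose ctl property has no dedicated label, not only adbd. A dedicated type for adbd control, labelled in property_contexts and granted here in place of `ctl_default_prop`, would match the stated intent; failing that, the comment should say the grant is wider than adbd.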
diff --git a/rild.te b/rild.te
index f272862..d8e48d5 100644
--- a/rild.te
+++ b/rild.te
@@ -26,8 +26,11 @@
allow rild system_file:file x_file_perms;
# property service
-allow rild rild_prop:property_service set;
allow rild radio_prop:property_service set;
+allow rild net_radio_prop:property_service set;
+allow rild system_radio_prop:property_service set;
+auditallow rild net_radio_prop:property_service set;
+auditallow rild system_radio_prop:property_service set;
# Read/Write to uart driver (for GPS)
allow rild gps_device:chr_file rw_file_perms;
diff --git a/system_app.te b/system_app.te
index 5b9f8a0..eb5fa9f 100644
--- a/system_app.te
+++ b/system_app.te
@@ -30,7 +30,10 @@
# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
-allow system_app radio_prop:property_service set;
+allow system_app net_radio_prop:property_service set;
+allow system_app system_radio_prop:property_service set;
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
allow system_app system_prop:property_service set;
allow system_app ctl_bugreport_prop:property_service set;
allow system_app logd_prop:property_service set;
diff --git a/system_server.te b/system_server.te
index 236f4c4..619e5f9 100644
--- a/system_server.te
+++ b/system_server.te
@@ -271,7 +271,9 @@
# Property Service write
allow system_server system_prop:property_service set;
-allow system_server radio_prop:property_service set;
+allow system_server dhcp_prop:property_service set;
+allow system_server net_radio_prop:property_service set;
+allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
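Review bot: system_server receives `net_radio_prop` and `system_radio_prop` without the `auditallow` lines that radio.te, rild.te and system_app.te add for the same two types. If the audit rules are there to learn which domains actually set these properties, system_server is left out of that data; if it is already known to need both, a short comment saying so would explain the difference. Adding `auditallow system_server { net_radio_prop system_radio_prop }:property_service set;` would make the four domains consistent.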
diff --git a/unconfined.te b/unconfined.te
index f3c88a0..6b64fb9 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -45,10 +45,27 @@
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
-allow unconfineddomain domain:socket_class_set *;
+allow unconfineddomain domain:{
+ socket
+ netlink_socket
+ key_socket
+ unix_stream_socket
+ unix_dgram_socket
+ netlink_route_socket
+ netlink_firewall_socket
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_selinux_socket
+ netlink_audit_socket
+ netlink_ip6fw_socket
+ netlink_dnrt_socket
+ netlink_kobject_uevent_socket
+ tun_socket
+} *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {
file_type
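Review bot: The explicit class list that replaces `socket_class_set` has no comment saying which classes were left out on purpose. `tcp_socket`, `udp_socket` and `rawip_socket` are absent, and a later hunk in this file removes their `node_bind`, `name_bind` and `name_connect` rules, so the intent appears to be that unconfined domains no longer get network sockets implicitly. A comment above the rule, for example `# Every socket class except the network-facing ones; those must be allowed per domain.`, would stop a later cleanup from folding the list back into `socket_class_set`. The `allow unconfineddomain {` block at the end of this hunk continues outside it.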
@@ -58,12 +75,13 @@
-exec_type
-security_file
-shell_data_file
+ -app_data_file
}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain exec_type:file { r_file_perms execute execmod };
+allow unconfineddomain exec_type:file { r_file_perms execute };
allow unconfineddomain exec_type:lnk_file r_file_perms;
allow unconfineddomain system_file:dir r_dir_perms;
-allow unconfineddomain system_file:file { r_file_perms execute execmod };
+allow unconfineddomain system_file:file { r_file_perms execute };
allow unconfineddomain system_file:lnk_file r_file_perms;
allow unconfineddomain {
fs_type
@@ -71,6 +89,7 @@
-proc_security
-contextmount_type
-rootfs
+ -sdcard_type
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain {
@@ -81,15 +100,12 @@
-exec_type
-security_file
-shell_data_file
+ -app_data_file
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
allow unconfineddomain rootfs:file execute;
allow unconfineddomain contextmount_type:dir r_dir_perms;
allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
allow unconfineddomain node_type:node *;
-allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
-allow unconfineddomain port_type:socket_class_set name_bind;
-allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain { property_type -security_prop }:property_service set;
diff --git a/vdc.te b/vdc.te
new file mode 100644
index 0000000..a5ca2f2
--- /dev/null
+++ b/vdc.te
@@ -0,0 +1,10 @@
+# vdc spawned from init for the following services:
+# defaultcrypto
+# encrypt
+
+type vdc, domain;
+type vdc_exec, exec_type, file_type;
+
+init_daemon_domain(vdc)
+
+unix_socket_connect(vdc, vold, vold)