Merge "Add system_api_service and app_api_service attributes."
diff --git a/adbd.te b/adbd.te
index babbdc5..ba673f4 100644
--- a/adbd.te
+++ b/adbd.te
@@ -86,3 +86,10 @@
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
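Review bot: adbd gains dir and lnk_file permissions on storage_file and mnt_user_file but no `file` permission, so it can traverse the mount points and resolve the symlinks but cannot read the files underneath; if that is the intent, the comment should say so, e.g. `# dir/lnk_file only: adbd does not need to read files on external storage here`, otherwise the next change will add `storage_file:file` without anyone asking why it was left out. The same two-line comment is added verbatim to app.te in this commit; a single shorter wording in each file would avoid the two drifting apart later.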
diff --git a/app.te b/app.te
index 4aad958..5917f7c 100644
--- a/app.te
+++ b/app.te
@@ -124,11 +124,11 @@
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow appdomain radio_data_file:file { read write getattr };
 
-# See visible storage
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
 allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:file r_file_perms;
+allow appdomain storage_file:lnk_file r_file_perms;
 allow appdomain mnt_user_file:dir r_dir_perms;
-# Follow the /storage/self/primary symlink
 allow appdomain mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
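Review bot: Removing `allow appdomain storage_file:file r_file_perms;` drops app read access to files that carry the storage_file label directly, and the replacement line only covers `lnk_file`. The `# Read/write visible storage` section that follows presumably grants file access through another type, but those rules are outside the hunk, so confirm they cover everything the removed line did before this merges. If the removal is deliberate, a note such as `# storage_file:file is intentionally not granted; files are reached via the mounted sdcardfs type` (adjusted to the actual type) would document it.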
diff --git a/dex2oat.te b/dex2oat.te
index f7de25d..0eb3881 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -13,3 +13,4 @@
 allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
 allow dex2oat oemfs:file read;
+allow dex2oat apk_tmp_file:file read;
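Review bot: `allow dex2oat apk_tmp_file:file read;` is added without a comment, and unlike the neighbouring rules it depends on a change elsewhere in this commit (file_contexts now labels `/data/app/vmdl[^/]+\.tmp` as apk_tmp_file and its `oat` subdirectory as dalvikcache_data_file). A line above it such as `# Read staged APKs in /data/app/vmdl*.tmp so they can be dexopted before installd renames them into place` would make that coupling visible. That dex2oat runs on the staged copy rather than the installed one is inferred from the new oat labels, so confirm the wording.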
diff --git a/file_contexts b/file_contexts
index e20638e..45a3549 100644
--- a/file_contexts
+++ b/file_contexts
@@ -204,7 +204,9 @@
 /data/adb(/.*)?		u:object_r:adb_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?                       u:object_r:apk_data_file:s0
-/data/app/vmdl.*\.tmp(/.*)?           u:object_r:apk_tmp_file:s0
+/data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
+/data/app/vmdl[^/]+\.tmp(/.*)?           u:object_r:apk_tmp_file:s0
+/data/app/vmdl[^/]+\.tmp/oat(/.*)?           u:object_r:dalvikcache_data_file:s0
 /data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
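Review bot: The `/data/app` entries are tightened from `vmdl.*\.tmp` to `vmdl[^/]+\.tmp` so the temp-directory name can no longer span path components, but the sibling entry two lines below, `/data/app-private/vmdl.*\.tmp(/.*)?`, keeps `.*`, so a path such as `/data/app-private/vmdlX/anything.tmp/...` would still be labelled apk_private_tmp_file; change it to `/data/app-private/vmdl[^/]+\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0` for consistency. Separately, `/data/app/[^/]+/oat(/.*)?` already matches `/data/app/vmdl<x>.tmp/oat/...` because `[^/]+` accepts the tmp directory name, so the third added line appears redundant unless it is there to make match precedence explicit; a comment stating which entry is meant to win would help a later reader.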
diff --git a/installd.te b/installd.te
index 46e6b81..2187a15 100644
--- a/installd.te
+++ b/installd.te
@@ -5,11 +5,13 @@
 init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file rename;
-allow installd apk_data_file:dir create_dir_perms;
+allow installd apk_data_file:file { rename unlink };
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
 allow installd apk_data_file:lnk_file { create read unlink };
 allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd system_file:file x_file_perms;
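Review bot: The new `relabelfrom` on apk_data_file and apk_tmp_file directories and `relabelto` on dalvikcache_data_file directories are not explained, and nothing in this file ties them to the new `oat` entries in file_contexts; a comment above them, `# installd relabels <pkg>/oat and vmdl*.tmp/oat to dalvikcache_data_file (see file_contexts)`, would record why installd may relabel package directories at all. Because the grant is type-wide, installd can relabel any apk_data_file or apk_tmp_file directory to dalvikcache_data_file, not only `oat`; that is inherent to type enforcement but worth stating so the scope is understood. The permission sets are also ordered inconsistently (`{ create_dir_perms relabelfrom }` on one line, `{ relabelfrom create_dir_perms }` on the next); pick one order.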
diff --git a/netd.te b/netd.te
index 5f4f38c..f84b452 100644
--- a/netd.te
+++ b/netd.te
@@ -11,9 +11,8 @@
 # than one of the groups assigned to the current process to see if
 # the setgid bit should be cleared, regardless of whether the setgid
 # bit was even set.  We do not appear to truly need this capability
-# for netd to operate.  Uncomment the dontaudit rule below after
-# sufficient testing of the fsetid removal.
-# dontaudit netd self:capability fsetid;
+# for netd to operate.
+dontaudit netd self:capability fsetid;
 
 allow netd self:netlink_kobject_uevent_socket create_socket_perms;
 allow netd self:netlink_route_socket nlmsg_write;
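Review bot: With `dontaudit netd self:capability fsetid;` now active, any future fsetid denial from netd is silenced, and the sentence that explained this as a deliberate choice was removed along with the old instruction to uncomment it, so the remaining comment no longer says why the capability is hidden rather than granted. Suggest appending `# Silence rather than allow: drop this dontaudit if netd is ever found to need fsetid.` after the rule. The comment block it belongs to begins before the hunk.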
diff --git a/shell.te b/shell.te
index a58fc5d..cfadf77 100644
--- a/shell.te
+++ b/shell.te
@@ -74,6 +74,3 @@
 # and read other files created by init process under /data/bootchart
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;
-
-# Follow the /storage/self/primary symlink
-allow shell storage_file:lnk_file r_file_perms;