Merge "Define gpu_service and allow surfaceflinger to provide it" into nyc-dev
diff --git a/adbd.te b/adbd.te
index 27ffdd8..cd5df2a 100644
--- a/adbd.te
+++ b/adbd.te
@@ -102,5 +102,7 @@
 allow adbd mnt_user_file:lnk_file r_file_perms;
 
 # Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
 allow adbd media_rw_data_file:dir create_dir_perms;
 allow adbd media_rw_data_file:file create_file_perms;
diff --git a/bootanim.te b/bootanim.te
index fa0e4dc..91a50d5 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -23,6 +23,7 @@
 
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
+allow bootanim proc_meminfo:file r_file_perms;
 r_dir_file(bootanim, sysfs)
 r_dir_file(bootanim, cgroup)
 
diff --git a/domain.te b/domain.te
index 2f6b435..d7333c5 100644
--- a/domain.te
+++ b/domain.te
@@ -512,9 +512,6 @@
 # only service_manager_types can be added to service_manager
 neverallow * ~service_manager_type:service_manager { add find };
 
-# logpersist is only allowed on userdebug/eng builds
-neverallow { domain userdebug_or_eng(`-logd -shell -init') } misc_logd_file:file rw_file_perms;
-
 # Prevent assigning non property types to properties
 neverallow * ~property_type:property_service set;
 
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 4da7a31..e5bfb1c 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -57,7 +57,7 @@
 r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
-r_dir_file(domain_deprecated, proc_meminfo)
+allow domain_deprecated proc_meminfo:file r_file_perms;
 r_dir_file(domain_deprecated, proc_net)
 
 # Get SELinux enforcing status.
diff --git a/dumpstate.te b/dumpstate.te
index 688a918..19b8adf 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -117,6 +117,12 @@
 allow dumpstate recovery_data_file:dir r_dir_perms;
 allow dumpstate recovery_data_file:file r_file_perms;
 
+# Access /data/misc/logd
+userdebug_or_eng(`
+  allow dumpstate misc_logd_file:dir r_dir_perms;
+  allow dumpstate misc_logd_file:file r_file_perms;
+')
+
 allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
diff --git a/init.te b/init.te
index eb3dc88..c8b39eb 100644
--- a/init.te
+++ b/init.te
@@ -103,10 +103,10 @@
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file not_userdebug_nor_eng(`-misc_logd_file') }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
@@ -180,6 +180,11 @@
   domain_auto_trans(init, logcat_exec, logd)
 ')
 
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { open create read getattr setattr search };
+allow init misc_logd_file:file { getattr };
+
 # Support "adb shell stop"
 allow init self:capability kill;
 allow init domain:process { sigkill signal };
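Review bot: The new `allow init misc_logd_file:dir { open create read getattr setattr search };` is unconditional, so user builds also let init create and setattr /data/misc/logd, although the logd.te rules in this change describe logpersist as userdebug/eng only. The recursive restorecon walk mentioned in the comment needs only `open read getattr search` on every build. If the mkdir is expected only on debug builds, `create setattr` could be split into a second rule wrapped in userdebug_or_eng. If init.rc can create the directory on user builds as well, the comment should say so, so the grant is not later mistaken for a leftover.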
diff --git a/kernel.te b/kernel.te
index 20b0c0a..1ca5673 100644
--- a/kernel.te
+++ b/kernel.te
@@ -65,6 +65,12 @@
 
 domain_auto_trans(kernel, init_exec, init)
 
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
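Review bot: The added `allow kernel media_rw_data_file:dir create_dir_perms;` and `allow kernel media_rw_data_file:file create_file_perms;` give the kernel domain create, write and unlink on everything labelled media_rw_data_file, and the mediaserver.te hunk adds the same pair for mediaserver. With these rules the policy can no longer tell access arriving through sdcardfs from direct access to /data/media in those domains. For mediaserver, which processes externally supplied media, it is worth checking whether a narrower set than the full create perms would do. The comment marks the rules as temporary but carries no tracking reference; I would add one in both files, e.g. `# TODO(<bug-id>): remove once sdcardfs uses its own secontext for lower-FS access.`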
diff --git a/logd.te b/logd.te
index 95a30ef..97bbd8b 100644
--- a/logd.te
+++ b/logd.te
@@ -57,6 +57,11 @@
 # Write to files in /data/data or system files on /data
 neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
 
-# logd is not allowed to write anywhere other than /misc/data/logd, and then
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
 # only on userdebug or eng builds
-neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file write;
+neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file { create write append };
+
+# logpersist is only allowed on userdebug/eng builds
+neverallow { domain userdebug_or_eng(`-logd -shell -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain userdebug_or_eng(`-logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init } misc_logd_file:dir create;
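Review bot: The `misc_logd_file:file no_rw_file_perms` neverallow exempts dumpstate from the whole permission set on userdebug/eng, write-side permissions included, while dumpstate.te in this change grants it only `r_file_perms`. The assertion would therefore not catch a later rule that lets dumpstate modify or unlink the persisted logs. Splitting it in two would keep the guard tight: one neverallow on `{ open read ioctl lock }` with logd, shell and dumpstate exempted, and one on the write-side set with dumpstate left out of the exemption list. The second could use `no_w_file_perms`, if that macro is defined alongside `no_rw_file_perms` in this tree.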
diff --git a/mediadrmserver.te b/mediadrmserver.te
index 8b4f073..cfa4b28 100644
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -48,6 +48,7 @@
 
 allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
+allow mediadrmserver processinfo_service:service_manager find;
 
 # only allow unprivileged socket ioctl commands
 allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
diff --git a/mediaserver.te b/mediaserver.te
index 8616403..c6ec3ff 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -124,6 +124,12 @@
 allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/shell.te b/shell.te
index fc5c276..a304673 100644
--- a/shell.te
+++ b/shell.te
@@ -123,6 +123,8 @@
 allow shell ion_device:chr_file rw_file_perms;
 
 # Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
 allow shell media_rw_data_file:dir create_dir_perms;
 allow shell media_rw_data_file:file create_file_perms;
 
diff --git a/te_macros b/te_macros
index c97cd2d..4d18973 100644
--- a/te_macros
+++ b/te_macros
@@ -299,7 +299,6 @@
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-define(`not_userdebug_nor_eng', ifelse(target_build_variant, `eng', , ifelse(target_build_variant, `userdebug', , $1)))
 define(`eng', ifelse(target_build_variant, `eng', $1))
 
 #####################################