Merge "Allow mediadrmserver to access media files" into nyc-dev
diff --git a/app.te b/app.te
index 5927eb9..9101c9b 100644
--- a/app.te
+++ b/app.te
@@ -101,6 +101,9 @@
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write };
 
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
 # Write to /data/anr/traces.txt.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
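Review bot: The new `ringtone_file` rule grants every app domain `write` but deliberately omits `open`, and that omission is the whole access control here: apps can only act on descriptors the system already opened for them, exactly as the wallpaper rule above. The comment should say so, since a future reader adding `open` "to fix a denial" would silently let apps reach the cached ringtones directly. Suggested wording: `# Read/write cached ringtones through fds opened and passed by the system; no open, so apps cannot reach the files themselves.`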
diff --git a/audioserver.te b/audioserver.te
index f53b824..0865497 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -1,10 +1,7 @@
 # audioserver - audio services daemon
-type audioserver, domain, domain_deprecated;
+type audioserver, domain;
 type audioserver_exec, exec_type, file_type;
 
-typeattribute audioserver mlstrustedsubject;
-
-net_domain(audioserver)
 init_daemon_domain(audioserver)
 
 r_dir_file(audioserver, sdcard_type)
@@ -14,108 +11,35 @@
 binder_call(audioserver, { appdomain autoplay_app })
 binder_service(audioserver)
 
-# Read access to pseudo filesystems.
 r_dir_file(audioserver, proc)
+allow audioserver ion_device:chr_file r_file_perms;
+allow audioserver system_file:dir r_dir_perms;
 
-# Required by Widevine DRM (b/22990512)
-allow audioserver self:process execmem;
+# used for TEE sink - pcm capture for debug.
+userdebug_or_eng(`
+  allow audioserver media_data_file:dir create_dir_perms;
+  allow audioserver audioserver_data_file:dir create_dir_perms;
+  allow audioserver audioserver_data_file:file create_file_perms;
+')
 
-allow audioserver kernel:system module_request;
-allow audioserver media_data_file:dir create_dir_perms;
-allow audioserver media_data_file:file create_file_perms;
-allow audioserver app_data_file:dir search;
-allow audioserver app_data_file:file rw_file_perms;
-allow audioserver sdcard_type:file write;
-allow audioserver gpu_device:chr_file rw_file_perms;
-allow audioserver video_device:dir r_dir_perms;
-allow audioserver video_device:chr_file rw_file_perms;
 allow audioserver audio_device:dir r_dir_perms;
-allow audioserver tee_device:chr_file rw_file_perms;
-
-set_prop(audioserver, audio_prop)
-
-# Access audio devices at all.
 allow audioserver audio_device:chr_file rw_file_perms;
 
-# XXX Label with a specific type?
-allow audioserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow audioserver apk_data_file:file { read getattr };
-allow audioserver asec_apk_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow audioserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow audioserver { appdomain autoplay_app }:fifo_file { getattr read write };
-
-# Access camera device.
-allow audioserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow audioserver system_server:fifo_file r_file_perms;
-
-# Camera data
-r_dir_file(audioserver, camera_data_file)
-r_dir_file(audioserver, media_rw_data_file)
+allow audioserver audioserver_service:service_manager { add find };
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
 
 # Grant access to audio files to audioserver
 allow audioserver audio_data_file:dir ra_dir_perms;
 allow audioserver audio_data_file:file create_file_perms;
 
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow audioserver qtaguid_proc:file rw_file_perms;
-allow audioserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow audioserver rild:unix_stream_socket { connectto read write setopt };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(audioserver, drmserver, drmserver)
-
 # Needed on some devices for playing audio on paired BT device,
 # but seems appropriate for all devices.
 unix_socket_connect(audioserver, bluetooth, bluetooth)
 
-# Connect to tee service.
-allow audioserver tee:unix_stream_socket connectto;
-
-allow audioserver activity_service:service_manager find;
-allow audioserver appops_service:service_manager find;
-allow audioserver audioserver_service:service_manager { add find };
-allow audioserver cameraproxy_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver drmserver_service:service_manager find;
-allow audioserver mediaextractor_service:service_manager find;
-allow audioserver mediaserver_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver processinfo_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-allow audioserver surfaceflinger_service:service_manager find;
-
-# /oem access
-allow audioserver oemfs:dir search;
-allow audioserver oemfs:file r_file_perms;
-
-use_drmservice(audioserver)
-allow audioserver drmserver:drmservice {
-    consumeRights
-    setPlaybackStatus
-    openDecryptSession
-    closeDecryptSession
-    initializeDecryptUnit
-    decrypt
-    finalizeDecryptUnit
-    pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
 ###
 ### neverallow rules
 ###
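Review bot: The `userdebug_or_eng` block grants `media_data_file:dir create_dir_perms` in addition to the new `audioserver_data_file` type, but its comment says only "TEE sink - pcm capture for debug"; since file_contexts in this same change labels `/data/misc/audioserver` as `audioserver_data_file`, the `media_data_file` grant looks either unnecessary or undocumented — please confirm which path the capture writes to and drop or justify the extra directory. Even on debug builds the block should name the directory it targets, e.g. `# TEE sink: PCM capture for debugging, written under /data/misc/audioserver (userdebug/eng only).` The remaining new lines (ion, system_file, service_manager find) read as a straightforward tightening of the old rule set.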
@@ -124,5 +48,3 @@
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
 
-# do not allow privileged socket ioctl commands
-neverallowxperm audioserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/bluetooth.te b/bluetooth.te
index 6a329b7..1817820 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -24,6 +24,8 @@
 allow bluetooth self:capability2 wake_alarm;
 
 # tethering
+allow bluetooth self:packet_socket create_socket_perms;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
 allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;
 
@@ -59,6 +61,6 @@
 ###
 
 # Superuser capabilities.
-# bluetooth requires net_admin, wake_alarm and block_suspend
-neverallow bluetooth self:capability ~net_admin;
+# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
 neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/cameraserver.te b/cameraserver.te
index 68b1f0f..6520969 100644
--- a/cameraserver.te
+++ b/cameraserver.te
@@ -2,10 +2,6 @@
 type cameraserver, domain;
 type cameraserver_exec, exec_type, file_type;
 
-# STOPSHIP. cameraserver into permissive mode to collect denials from
-# droidfooders
-permissive cameraserver;
-
 init_daemon_domain(cameraserver)
 
 binder_use(cameraserver)
diff --git a/domain.te b/domain.te
index 9d377e5..6aa69ad 100644
--- a/domain.te
+++ b/domain.te
@@ -38,7 +38,8 @@
   allow domain su:fd use;
   allow domain su:unix_stream_socket { getattr getopt read write shutdown };
 
-  binder_call({ domain -init }, su)
+  allow { domain -init } su:binder { call transfer };
+  allow { domain -init } su:fd use;
 
   # Running something like "pm dump com.android.bluetooth" requires
   # fifo writes
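Review bot: Replacing `binder_call({ domain -init }, su)` with two literal `allow` lines loses the macro as the single definition of what a binder call needs; if `binder_call` later gains or changes a permission this site will silently diverge, and the hunk does not say why the macro could not be used here (the enclosing block starts before this hunk, so its condition is not visible). Add a one-line comment such as `# Inlined binder_call({ domain -init }, su); keep in sync with the macro in te_macros.` or, if the expansion is only presumed identical, state the reason the macro form was rejected.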
diff --git a/domain_deprecated.te b/domain_deprecated.te
index ed88cca..4da7a31 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -57,6 +57,7 @@
 r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
+r_dir_file(domain_deprecated, proc_meminfo)
 r_dir_file(domain_deprecated, proc_net)
 
 # Get SELinux enforcing status.
diff --git a/dumpstate.te b/dumpstate.te
index f7a84f6..ce09913 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -113,7 +113,7 @@
 allow dumpstate cache_recovery_file:dir r_dir_perms;
 allow dumpstate cache_recovery_file:file r_file_perms;
 
-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/file.te b/file.te
index ff60c04..1efdc58 100644
--- a/file.te
+++ b/file.te
@@ -14,6 +14,7 @@
 type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_iomem, fs_type;
+type proc_meminfo, fs_type;
 type proc_net, fs_type;
 type proc_sysrq, fs_type;
 type proc_uid_cputime_showstat, fs_type;
@@ -101,6 +102,8 @@
 type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/nativetest
 type nativetest_data_file, file_type, data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
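Review bot: `ringtone_file` is declared without `mlstrustedobject`, yet app.te in this same change lets `appdomain` write to it through passed-in fds — the same pattern used for `wallpaper_file`, which carries `mlstrustedobject` (see the fourth hunk of this file). If app domains run with MLS categories, the TE rule may be satisfied while the MLS constraints still deny the write, so please confirm whether `type ringtone_file, file_type, data_file_type, mlstrustedobject;` is needed. Separately, the comment says `/data/system_de/0/ringtones` while file_contexts matches `/data/system_de/[0-9]+/ringtones`; the comment should use the per-user pattern.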
@@ -115,6 +118,7 @@
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
+type audioserver_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type bootstat_data_file, file_type, data_file_type;
 type boottrace_data_file, file_type, data_file_type;
@@ -159,7 +163,7 @@
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
-type wallpaper_file, file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, mlstrustedobject;
 # /mnt/asec
 type asec_apk_file, file_type, data_file_type, mlstrustedobject;
 # Elements of asec files (/mnt/asec) that are world readable
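Review bot: Adding `data_file_type` to `wallpaper_file` changes the reach of every rule and neverallow written against that attribute, not just the wallpaper rules, and nothing in this merge records which rule needed it. A short comment naming the reason, e.g. `# Type for wallpaper file; data_file_type so that <rule or neverallow that requires it> applies.`, would make the widening auditable rather than looking like an accidental attribute.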
diff --git a/file_contexts b/file_contexts
index ed8e30e..e94c95e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -260,6 +260,7 @@
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
+/data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
 /data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
 /data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
 /data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
@@ -322,10 +323,15 @@
 /data/system/users/[0-9]+/wallpaper_lock	u:object_r:wallpaper_file:s0
 /data/system/users/[0-9]+/wallpaper_orig	u:object_r:wallpaper_file:s0
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)?          u:object_r:ringtone_file:s0
+
 #############################
 # efs files
 #
 /efs(/.*)?		u:object_r:efs_file:s0
+
 #############################
 # Cache files
 #
diff --git a/genfs_contexts b/genfs_contexts
index 3f865c4..2700a94 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,6 +3,7 @@
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
diff --git a/logd.te b/logd.te
index aa24c05..95a30ef 100644
--- a/logd.te
+++ b/logd.te
@@ -22,6 +22,10 @@
 allow logd pstorefs:dir search;
 allow logd pstorefs:file r_file_perms;
 
+# Set persist.sys. and sys.powerctl
+set_prop(logd, safemode_prop)
+set_prop(logd, powerctl_prop)
+
 # Access device logging gating property
 get_prop(logd, device_logging_prop)
 
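Review bot: The comment `# Set persist.sys. and sys.powerctl` overstates the first grant: `safemode_prop` covers only `persist.sys.safemode` and `persist.sys.audit_safemode` per property_contexts in this change, not the whole `persist.sys.` namespace. The second grant is more significant, since `powerctl_prop` lets logd trigger `sys.powerctl`, i.e. a reboot/shutdown request, and that deserves an explicit reason. Suggested wording: `# Set persist.sys.safemode / persist.sys.audit_safemode and sys.powerctl (logd can request a reboot; <reason>)`.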
diff --git a/mediacodec.te b/mediacodec.te
index 9958f17..b3848ca 100644
--- a/mediacodec.te
+++ b/mediacodec.te
@@ -15,7 +15,7 @@
 allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
-allow mediacodec ion_device:chr_file r_file_perms;
+allow mediacodec ion_device:chr_file rw_file_perms;
 
 ###
 ### neverallow rules
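Review bot: Widening `ion_device` from `r_file_perms` to `rw_file_perms` for mediacodec is unexplained in the hunk; `r_file_perms` already includes `ioctl`, which is how ion allocations are normally made, so the denial that motivated `write` should be recorded. A comment on the changed line, e.g. `# rw: <operation> on /dev/ion needs write (bug/denial reference)`, would stop a later cleanup from reverting it or copying it to other codec domains without cause.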
diff --git a/mediaserver.te b/mediaserver.te
index 7aa6ec7..8616403 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -45,6 +45,7 @@
 # Read resources from open apk files passed over Binder.
 allow mediaserver apk_data_file:file { read getattr };
 allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
 
 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow mediaserver radio_data_file:file { read getattr };
diff --git a/netd.te b/netd.te
index 2c0fb15..e3df2ba 100644
--- a/netd.te
+++ b/netd.te
@@ -30,15 +30,6 @@
 # XXX Split into its own type.
 allow netd sysfs:file write;
 
-# Set dhcp lease for PAN connection
-set_prop(netd, dhcp_prop)
-set_prop(netd, system_prop)
-auditallow netd system_prop:property_service set;
-
-# Connect to PAN
-domain_auto_trans(netd, dhcp_exec, dhcp)
-allow netd dhcp:process signal;
-
 # Needed to update /data/misc/wifi/hostapd.conf
 # TODO: See what we can do to reduce the need for
 # these capabilities
@@ -64,10 +55,18 @@
 
 set_prop(netd, ctl_mdnsd_prop)
 
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+allow netd netd_service:service_manager add;
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
 allow netd netdomain:fd use;
 
+
 ###
 ### Neverallow rules
 ###
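Review bot: The extra blank line added just before the `###` banner leaves two consecutive blank lines at the end of the rules section; drop it to match the rest of the file. The binder grants themselves are narrow (`add` on the new `netd_service`, `call` to `system_server` only), which matches the neverallow block added later in this file.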
@@ -84,3 +83,8 @@
 
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server may interact with netd over binder
+neverallow { domain -system_server } netd_service:service_manager find;
+neverallow { domain -system_server } netd:binder call;
+neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
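Review bot: The three neverallows are asymmetric about `su`: only the third (netd calling out) carves out `userdebug_or_eng(`-su')`, while the first two forbid every domain except `system_server` from finding `netd_service` or calling netd. If su.te has a blanket binder `call`/`find` allow on debug builds (not visible here), the second rule will fail the neverallow check at policy build time; if it does not, fine, but a comment should state that su is intentionally excluded from talking to netd. Either way, consider also listing `transfer` in the second rule (`neverallow { domain -system_server } netd:binder { call transfer };`) so a handle to netd cannot be passed around even if a call is blocked.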
diff --git a/property.te b/property.te
index c649a90..26d15ff 100644
--- a/property.te
+++ b/property.te
@@ -33,5 +33,6 @@
 type dalvik_prop, property_type, core_property_type;
 type config_prop, property_type, core_property_type;
 type device_logging_prop, property_type;
+type safemode_prop, property_type;
 
 allow property_type tmpfs:filesystem associate;
diff --git a/property_contexts b/property_contexts
index 9e936ca..fed44df 100644
--- a/property_contexts
+++ b/property_contexts
@@ -43,6 +43,8 @@
 persist.log.tag         u:object_r:logd_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
 persist.sys.            u:object_r:system_prop:s0
+persist.sys.safemode    u:object_r:safemode_prop:s0
+persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
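Review bot: Entries in this file are matched as prefixes (longest match wins), so `persist.sys.safemode` also labels any future property that begins with that string, e.g. `persist.sys.safemode_xyz`, as `safemode_prop` and therefore settable by logd; if only the two exact names are intended, note that limitation in a comment since this file's syntax has no exact-match form. The new `persist.sys.audit_safemode` line is also aligned differently from the surrounding column; realign it for consistency.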
diff --git a/recovery.te b/recovery.te
index afacf40..d5767ed 100644
--- a/recovery.te
+++ b/recovery.te
@@ -48,6 +48,8 @@
   # TODO: create more specific label?
   allow recovery sysfs:file w_file_perms;
 
+  allow recovery sysfs_batteryinfo:file r_file_perms;
+
   allow recovery kernel:system syslog_read;
 
   # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
diff --git a/service.te b/service.te
index 63636f6..e33fd7a 100644
--- a/service.te
+++ b/service.te
@@ -12,6 +12,7 @@
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
+type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
@@ -47,7 +48,7 @@
 type diskstats_service, system_api_service, system_server_service, service_manager_type;
 type display_service, app_api_service, system_server_service, service_manager_type;
 type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, system_api_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, system_server_service, service_manager_type;
 type dropbox_service, app_api_service, system_server_service, service_manager_type;
 type ethernet_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
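Review bot: Switching `dreams_service` from `system_api_service` to `app_api_service` exposes it to every app domain, including untrusted apps, and nothing in the merge records which framework API required that. Please add a comment on the line such as `# app_api_service: reachable from apps via <public API>` so the widening is traceable, and confirm the service's own permission checks cover the newly reachable callers.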
diff --git a/service_contexts b/service_contexts
index e23f72b..6d8b07f 100644
--- a/service_contexts
+++ b/service_contexts
@@ -81,6 +81,7 @@
 meminfo                                   u:object_r:meminfo_service:s0
 midi                                      u:object_r:midi_service:s0
 mount                                     u:object_r:mount_service:s0
+netd                                      u:object_r:netd_service:s0
 netpolicy                                 u:object_r:netpolicy_service:s0
 netstats                                  u:object_r:netstats_service:s0
 network_management                        u:object_r:network_management_service:s0
diff --git a/shell.te b/shell.te
index 8076d46..d1c385b 100644
--- a/shell.te
+++ b/shell.te
@@ -83,7 +83,7 @@
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
 
 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
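Review bot: The comment above the changed rule still says only `# don't allow shell to access GateKeeper service`, but the rule now also excludes `netd_service`. Update it to `# don't allow shell to access the GateKeeper or netd services` so the two exclusions are both documented where they are enforced.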
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 8fb6463..2164010 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -53,7 +53,6 @@
 
 
 # media.player service
-allow surfaceflinger audioserver_service:service_manager find;
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
diff --git a/system_app.te b/system_app.te
index 5e66acd..a07a9b9 100644
--- a/system_app.te
+++ b/system_app.te
@@ -43,7 +43,7 @@
 allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app servicemanager:service_manager list;
-allow system_app service_manager_type:service_manager find;
+allow system_app { service_manager_type -netd_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
 	get_state
diff --git a/system_server.te b/system_server.te
index 2e131b3..1dd7a6e 100644
--- a/system_server.te
+++ b/system_server.te
@@ -136,6 +136,7 @@
 binder_call(system_server, fingerprintd)
 binder_call(system_server, { appdomain autoplay_app })
 binder_call(system_server, dumpstate)
+binder_call(system_server, netd)
 binder_service(system_server)
 
 # Ask debuggerd to dump backtraces for native stacks of interest.
@@ -290,11 +291,16 @@
 allow system_server wallpaper_file:file relabelto;
 allow system_server wallpaper_file:file { rw_file_perms unlink };
 
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
 # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
 allow system_server system_data_file:dir relabelfrom;
 
 # Property Service write
 set_prop(system_server, system_prop)
+set_prop(system_server, safemode_prop)
 set_prop(system_server, dhcp_prop)
 set_prop(system_server, net_radio_prop)
 set_prop(system_server, system_radio_prop)
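Review bot: The ringtone block grants `relabelto` on `ringtone_file:dir` but not on `ringtone_file:file`, whereas the wallpaper block just above keeps `wallpaper_file:file relabelto`; if system_server restorecon's a pre-existing ringtones directory (the `system_data_file:dir relabelfrom` on the next lines suggests that path is used), the files inside will need `relabelto` too. Either add `allow system_server ringtone_file:file relabelto;` or state in the comment that only the directory is ever relabelled and files are always created with the right label.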
@@ -396,6 +402,7 @@
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
diff --git a/untrusted_app.te b/untrusted_app.te
index 189f3c5..d5abe17 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -94,10 +94,11 @@
 # for files. Suppress the denials when they occur.
 dontaudit untrusted_app exec_type:file getattr;
 
-# TODO: access of /proc/meminfo, give specific label or switch to
-# using meminfo service
-allow untrusted_app proc:file r_file_perms;
+# TODO: switch to meminfo service
+allow untrusted_app proc_meminfo:file r_file_perms;
+
 # https://code.google.com/p/chromium/issues/detail?id=586021
+allow untrusted_app proc:file r_file_perms;
 auditallow untrusted_app proc:file r_file_perms;
 # access /proc/net/xt_qtguid/stats
 r_dir_file(untrusted_app, proc_net)
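Review bot: After the split, untrusted apps still hold the broad `proc:file r_file_perms`, so introducing `proc_meminfo` only reduces exposure once that rule is removed; the re-added line sits under a bare URL comment that does not say this. Suggest replacing that comment with `# Broad /proc read kept only for the Chromium issue below and audited; remove once fixed.` followed by the URL, so the audit rule's purpose and the intended end state are clear.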