Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / a88af8557fef09672186a1fc518f2cd8e6701bfb^2..a88af8557fef09672186a1fc518f2cd8e6701bfb / .
commita88af8557fef09672186a1fc518f2cd8e6701bfb[log] [tgz]
authorNick Kralevich <nnk@google.com>Fri Feb 21 20:53:33 2014 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Fri Feb 21 20:53:34 2014 +0000
treeef5dd20389dc97490c119ed40a48b329ce2039ed
parentd28ac521c6b3dd692c61d533f361e972e6b4ec5b [diff]
parentd823f83e5466b53521b098c0865b89c7f12025fa [diff]
Merge "Clarify meaning of untrusted_app and app domain assignment logic."
diff --git a/hostapd.te b/hostapd.te
index a5ed62a..e6e88e9 100644
--- a/hostapd.te
+++ b/hostapd.te

@@ -11,6 +11,7 @@
 
 allow hostapd wifi_data_file:file rw_file_perms;
 allow hostapd wifi_data_file:dir create_dir_perms;
+type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
 allow hostapd wpa_socket:dir create_dir_perms;
 allow hostapd wpa_socket:sock_file create_file_perms;
 allow hostapd netd:fd use;

diff --git a/init_shell.te b/init_shell.te
index 8ff5c48..e1ca03a 100644
--- a/init_shell.te
+++ b/init_shell.te

@@ -1,4 +1,6 @@
-# Restricted domain for shell processes spawned by init
+# Restricted domain for shell processes spawned by init.
+# Normally these are shell commands or scripts invoked via sh
+# from an init*.rc file.  No service should ever run in this domain.
 type init_shell, domain, shelldomain;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)

diff --git a/shell.te b/shell.te
index ad30802..b5f0377 100644
--- a/shell.te
+++ b/shell.te

@@ -1,4 +1,4 @@
-# Domain for shell processes spawned by ADB
+# Domain for shell processes spawned by ADB or console service.
 type shell, domain, shelldomain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
 

diff --git a/su.te b/su.te
index 1317fb2..5ba5776 100644
--- a/su.te
+++ b/su.te

@@ -2,6 +2,9 @@
 type su_exec, exec_type, file_type;
 
 userdebug_or_eng(`
+  # Domain used for su processes, as well as for adbd and adb shell
+  # after performing an adb root command.  The domain definition is
+  # wrapped to ensure that it does not exist at all on -user builds.
   type su, domain;
   domain_auto_trans(shell, su_exec, su)
 

diff --git a/system_server.te b/system_server.te
index 945b59b..ca95abf 100644
--- a/system_server.te
+++ b/system_server.te

@@ -255,4 +255,4 @@
 # Be consistent with DAC permissions. Allow system_server to write to
 # /sys/module/lowmemorykiller/parameters/adj
 # /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file w_file_perms;
+allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 1ebf556..fd454bf 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te

@@ -16,8 +16,8 @@
 allow wpa random_device:chr_file r_file_perms;
 
 # Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:sock_file wpa_socket;
-allow wpa wpa_socket:dir { rw_dir_perms setattr };
+type_transition wpa wifi_data_file:dir wpa_socket "sockets";
+allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
 
 # Allow wpa_cli to work. wpa_cli creates a socket in