Merge changes from topic "cki_proc_init"
* changes:
init: label /proc dependencies and remove access to proc
init: refactor access to proc_* labels.
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 451d27a..41867ae 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -47,7 +47,6 @@
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 1693736..eeb022b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -28,7 +28,6 @@
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
allow ephemeral_app drmserver_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 63f56c8..2c4a809 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -14,12 +14,16 @@
allow mediaprovider cache_file:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
+
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
-allow mediaprovider surfaceflinger_service:service_manager find;
# Allow MediaProvider to read/write cached ringtones (opened by system).
allow mediaprovider ringtone_file:file { getattr read write };
diff --git a/private/nfc.te b/private/nfc.te
index b41558c..56446f4 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -21,7 +21,6 @@
allow nfc mediaserver_service:service_manager find;
allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find;
diff --git a/private/platform_app.te b/private/platform_app.te
index 884c436..ee0590c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -53,7 +53,6 @@
allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
allow platform_app thermal_service:service_manager find;
allow platform_app timezone_service:service_manager find;
allow platform_app app_api_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index f4cfc17..fce2c90 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -32,7 +32,6 @@
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index cce589e..f96cae0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -75,7 +75,6 @@
allow untrusted_app_all mediadrmserver_service:service_manager find;
allow untrusted_app_all nfc_service:service_manager find;
allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all surfaceflinger_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index 7ed3881..60634ae 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -34,7 +34,6 @@
allow untrusted_v2_app mediadrmserver_service:service_manager find;
allow untrusted_v2_app nfc_service:service_manager find;
allow untrusted_v2_app radio_service:service_manager find;
-allow untrusted_v2_app surfaceflinger_service:service_manager find;
# TODO: potentially provide a tighter list of services here
allow untrusted_v2_app app_api_service:service_manager find;
diff --git a/public/charger.te b/public/charger.te
index 4b20d1d..5a5b653 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -18,8 +18,7 @@
allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Write to /sys/power/state
-# TODO: Split into a separate type?
-allow charger sysfs:file write;
+allow charger sysfs_power:file write;
allow charger sysfs_batteryinfo:file r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 914ef97..d283006 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -33,10 +33,9 @@
allow domain init:fd use;
userdebug_or_eng(`
- # Same as adbd rules above, except allow su to do the same thing
- allow domain su:unix_stream_socket connectto;
allow domain su:fd use;
- allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+ allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+ allow domain su:unix_dgram_socket sendto;
allow { domain -init } su:binder { call transfer };
@@ -552,7 +551,6 @@
-mediaserver_service
-nfc_service
-radio_service
- -surfaceflinger_service
-virtual_touchpad_service
-vr_hwc_service
-vr_manager_service
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 0f2540e..82c9e7d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -26,12 +26,6 @@
allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
-userdebug_or_eng(`
- unix_socket_send(hal_wifi_supplicant, wpa, su)
-')
-
###
### neverallow rules
###
diff --git a/public/radio.te b/public/radio.te
index 6f29a70..094d39b 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -30,7 +30,6 @@
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio nfc_service:service_manager find;
-allow radio surfaceflinger_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index 3b9d60b..bc1244a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -23,7 +23,7 @@
type radio_service, service_manager_type;
type statscompanion_service, service_manager_type;
type storaged_service, service_manager_type;
-type surfaceflinger_service, service_manager_type;
+type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
type thermal_service, service_manager_type;
type update_engine_service, service_manager_type;