Additions for grouper/JB
diff --git a/app.te b/app.te
index f844221..028bf45 100644
--- a/app.te
+++ b/app.te
@@ -24,6 +24,9 @@
allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp file created by system server.
allow platform_app apk_tmp_file:file rw_file_perms;
+# Read/[open] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow platform_app qtaguid_proc:file { open };
+allow platform_app qtaguid_device:chr_file r_file_perms;
# Apps signed with the media key.
type media_app, domain;
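Review bot: The rule on `qtaguid_proc:file` grants only `open`, while the comment above it says read/open. SELinux checks `open` in addition to the access mode, so unless `read` or `write` on `qtaguid_proc` is granted to platform_app elsewhere (for example through an `appdomain` rule outside this hunk), opening /proc/net/xt_qtaguid/ctrl will still be denied. If read access is intended, `allow platform_app qtaguid_proc:file r_file_perms;` says so in one rule and matches the comment. Otherwise the comment should name the rule that supplies the access mode.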
diff --git a/debuggerd.te b/debuggerd.te
index 8ff3747..653d003 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -5,6 +5,7 @@
init_daemon_domain(debuggerd)
typeattribute debuggerd mlstrustedsubject;
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:process ptrace;
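Review bot: The new `capability2 { syslog }` grant has no comment saying what debuggerd uses it for. CAP_SYSLOG opens the kernel log to the domain, and debuggerd already holds `sys_ptrace` and `dac_override` on the line above, so each further capability should carry a reason an auditor can check against the denial that prompted it. A line above the rule would do, such as `# Read the kernel log for crash reports (confirm against the observed denial)`.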
diff --git a/drmserver.te b/drmserver.te
index 624ae13..f30033a 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -11,6 +11,10 @@
binder_call(drmserver, appdomain)
binder_service(drmserver)
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
allow drmserver sdcard:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
+allow drmserver self:{ tcp_socket udp_socket } *;
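Review bot: `allow drmserver self:{ tcp_socket udp_socket } *;` grants every permission of both socket classes, including `listen` and `accept`, while the neighbouring rules in this file use named permission sets. If drmserver only makes outbound connections (the hunk does not show what it talks to), `allow drmserver self:{ tcp_socket udp_socket } create_socket_perms;` covers create, connect, read and write without the server-side permissions. The rule also lacks the one-line purpose comment that the Binder addition earlier in this hunk has.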
diff --git a/keystore.te b/keystore.te
index 43c913a..6c4d610 100644
--- a/keystore.te
+++ b/keystore.te
@@ -5,3 +5,4 @@
init_daemon_domain(keystore)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
diff --git a/mediaserver.te b/mediaserver.te
index 1b97eed..c8adf3a 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -9,6 +9,7 @@
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
+binder_transfer(mediaserver, surfaceflinger)
binder_service(mediaserver)
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file r_file_perms;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 8860ef9..be1bf25 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -14,3 +14,7 @@
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system)
allow wpa random_device:chr_file r_file_perms;
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:sock_file wpa_socket;
+allow wpa wpa_socket:sock_file create_file_perms;
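Review bot: `wpa_socket` is used as a type in both new rules, but no file in this patch declares it. Unless `type wpa_socket, file_type;` already exists elsewhere in the tree, the policy will not build. The rules also cover only the creating side: whichever domain connects to the socket needs `write` on `wpa_socket:sock_file`, and the existing `unix_socket_send(wpa, system_wpa, system)` above appears to cover the opposite direction. The comment would be clearer as `# Label sockets that wpa creates in wifi_data_file directories`, since wpa is the creator in this rule.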