Merge "eliminate some anr_data_file permissions."
diff --git a/Android.mk b/Android.mk
index d16d063..bb37712 100644
--- a/Android.mk
+++ b/Android.mk
@@ -199,7 +199,6 @@
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
general_file_contexts.tmp :=
-GENERAL_FILE_CONTEXTS := $(LOCAL_BUILT_MODULE)
##################################
include $(CLEAR_VARS)
@@ -237,7 +236,6 @@
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILE)
-GENERAL_SEAPP_CONTEXTS := $(LOCAL_BUILT_MODULE)
all_sc_files :=
##################################
@@ -252,7 +250,6 @@
@mkdir -p $(dir $@)
- $(hide) grep -ie '^neverallow' $< > $@
-GENERAL_SEAPP_NEVERALLOWS := $(LOCAL_BUILT_MODULE)
##################################
include $(CLEAR_VARS)
@@ -264,16 +261,19 @@
include $(BUILD_SYSTEM)/base_rules.mk
-ALL_PC_FILES := $(call build_policy, property_contexts)
+all_pc_files := $(call build_policy, property_contexts)
+
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_PC_FILES := $(all_pc_files)
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(LOCAL_BUILT_MODULE): $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+$(LOCAL_BUILT_MODULE): $(all_pc_files) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(ALL_PC_FILES) > $@
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
built_pc := $(LOCAL_BUILT_MODULE)
+all_pc_files :=
##################################
include $(CLEAR_VARS)
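Review bot: The recipe line `$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@` still writes the property_contexts output straight to `$@` before `checkfc` validates it, so if checkfc rejects the file it is left in place with a fresh mtime and, unless the enclosing build system sets `.DELETE_ON_ERROR`, looks up to date on the next run. Writing to a temporary name and renaming only after the check avoids that: `$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@.tmp`, `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.tmp`, `$(hide) mv -f $@.tmp $@`; the service_contexts hunk at @@ -302 has the same shape. Separately, the reason for the new PRIVATE_PC_FILES / PRIVATE_SVC_FILES / PRIVATE_MAC_PERMS_FILES variables is not stated anywhere: recipes expand at execution time, after the `all_pc_files :=` reset at the end of this hunk, so a comment such as `# Capture the list in a target-specific variable; the recipe runs after all_pc_files is cleared below.` on the PRIVATE_PC_FILES line (and its siblings at @@ -302 and @@ -347) would explain it.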
@@ -290,7 +290,6 @@
$(hide) m4 -s $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
-GENERAL_PROPERTY_CONTEXTS := $(LOCAL_BUILT_MODULE)
##################################
include $(CLEAR_VARS)
@@ -302,16 +301,18 @@
include $(BUILD_SYSTEM)/base_rules.mk
-ALL_SVC_FILES := $(call build_policy, service_contexts)
+all_svc_files := $(call build_policy, service_contexts)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SVC_FILES := $(all_svc_files)
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+$(LOCAL_BUILT_MODULE): $(all_svc_files) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(ALL_SVC_FILES) > $@
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
built_svc := $(LOCAL_BUILT_MODULE)
+all_svc_files :=
##################################
include $(CLEAR_VARS)
@@ -328,7 +329,6 @@
$(hide) m4 -s $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
-GENERAL_SERVICE_CONTEXTS := $(LOCAL_BUILT_MODULE)
##################################
include $(CLEAR_VARS)
@@ -347,14 +347,17 @@
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))
+all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE))
-$(LOCAL_BUILT_MODULE): $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(all_mac_perms_files)
@mkdir -p $(dir $@)
$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)
+ $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
mac_perms_keys.tmp :=
+all_mac_perms_files :=
+
##################################
include $(CLEAR_VARS)
diff --git a/domain.te b/domain.te
index 87422de..07bc0ae 100644
--- a/domain.te
+++ b/domain.te
@@ -44,7 +44,7 @@
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
+allow domain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
userdebug_or_eng(`
# Same as adbd rules above, except allow su to do the same thing
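Review bot: The new `ioctl` permission on the domain→adbd unix_stream_socket rule is granted to every domain, but neither the comment above it ("This is used for e.g. adb backup/restore.") nor the commit message says which operation needs it, so the widening is hard to audit later. A one-line comment naming the caller or operation that requires it, e.g. `# ioctl needed by <which path — TODO fill in> on the adb backup/restore socket`, would make the intent reviewable. The `userdebug_or_eng` block that follows says it mirrors these adbd rules for su; its body lies outside the hunk, so check whether its socket rule is expected to pick up `ioctl` as well.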
@@ -110,8 +110,8 @@
allow domain system_file:lnk_file r_file_perms;
# Run toolbox.
-# Kernel and init never run anything without changing domains.
-allow { domain -kernel -init } toolbox_exec:file rx_file_perms;
+# Kernel, init, and mediaserver never run anything without changing domains.
+allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;
# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
diff --git a/mediaserver.te b/mediaserver.te
index af45553..f38a3ec 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -105,3 +105,11 @@
finalizeDecryptUnit
pread
};
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
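Review bot: The new neverallow covers only `execute_no_trans`, which looks like the intended scope (plain `execute` is presumably still needed for mediaserver to map shared libraries), but the comment above it does not say so, and a later reader may "tighten" it to `{ execute execute_no_trans }` and break the domain. Suggest extending the comment: `# execute (library mapping) stays allowed; only executing a file without a domain transition is forbidden.` It would also help to note that the allow-side change this neverallow guards is the `-mediaserver` exclusion on toolbox_exec in domain.te, so the two rules are kept in sync.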