Merge "DO NOT MERGE. Update readme to reflect addition of SEPOLICY_IGNORE." into lmp-dev
diff --git a/attributes b/attributes
index d40217a..613ed8f 100644
--- a/attributes
+++ b/attributes
@@ -67,6 +67,3 @@
# All domains used for binder service domains.
attribute binderservicedomain;
-
-# All domains that are excluded from the domain.te auditallow.
-attribute service_manager_local_audit;
diff --git a/bluetooth.te b/bluetooth.te
index 8ba56b0..2b108a9 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,14 +49,6 @@
allow bluetooth pan_result_prop:property_service set;
allow bluetooth ctl_dhcp_pan_prop:property_service set;
-# Audited locally.
-service_manager_local_audit_domain(bluetooth)
-auditallow bluetooth {
- service_manager_type
- -bluetooth_service
- -system_server_service
-}:service_manager find;
-
###
### Neverallow rules
###
diff --git a/bootanim.te b/bootanim.te
index 7592295..3a0a76f 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -11,7 +11,3 @@
# /oem access
allow bootanim oemfs:dir search;
-
-# Audited locally.
-service_manager_local_audit_domain(bootanim)
-auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
diff --git a/domain.te b/domain.te
index 0913453..ba4c65a 100644
--- a/domain.te
+++ b/domain.te
@@ -159,9 +159,7 @@
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
allow domain servicemanager:service_manager list;
-auditallow domain servicemanager:service_manager list;
allow domain service_manager_type:service_manager find;
-auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
###
### neverallow rules
@@ -265,7 +263,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
domain
@@ -276,6 +274,11 @@
-system_server
-zygote
} { file_type -system_file -exec_type }:file execute;
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
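Review bot: The `-appdomain` exclusion in the new neverallow exempts every app domain from the whole `{ fs_type -rootfs }:file execute` restriction, while the trailing comment justifies the exemption only for oemfs. If oemfs is the only filesystem type apps are meant to execute from, splitting the rule makes the exemption match the comment: `neverallow { domain -recovery } { fs_type -rootfs -oemfs }:file execute;` followed by `neverallow { domain -appdomain -recovery } oemfs:file execute;`. Whether some app domain legitimately executes from another fs_type (a per-domain tmpfs type, for instance, if those carry the fs_type attribute) cannot be confirmed from this hunk, so that should be checked before tightening. The earlier neverallow whose exclusion list ends at `-zygote` begins outside the hunk and the reworded header comment in the previous hunk now has to cover both rules, so a one-line comment directly above the new rule, such as `# No domain other than recovery may execute from a non-rootfs filesystem; apps are exempted only for oemfs.`, would help a reader who sees this rule alone.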
diff --git a/drmserver.te b/drmserver.te
index 12e3ac7..1993176 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -46,7 +46,3 @@
allow drmserver radio_data_file:file { read getattr };
allow drmserver drmserver_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
diff --git a/healthd.te b/healthd.te
index 940f7c4..e7e165a 100644
--- a/healthd.te
+++ b/healthd.te
@@ -22,6 +22,12 @@
### healthd: charger mode
###
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow healthd pstorefs:dir r_dir_perms;
+allow healthd pstorefs:file r_file_perms;
+
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
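Review bot: `r_file_perms` on pstorefs:file grants more than reading /sys/fs/pstore/console-ramoops needs; in Android's global_macros that macro also expands to ioctl and lock, so `allow healthd pstorefs:file { open read getattr };` would track the comment above it more closely. The "overly broad" remark in the comment speaks to the set of files under /sys/fs/pstore rather than to the permission set, so it is worth saying which is intended. The new rules are placed under the `### healthd: charger mode` heading; if the ramoops read also happens in normal mode, the comment should say so, since a reader will otherwise assume the access is charger-only.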
@@ -34,10 +40,6 @@
allow healthd healthd_service:service_manager add;
-# Audited locally.
-service_manager_local_audit_domain(healthd)
-auditallow healthd { service_manager_type -healthd_service }:service_manager find;
-
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
unix_socket_connect(healthd, property, init)
diff --git a/inputflinger.te b/inputflinger.te
index 4377a10..283bbba 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -9,7 +9,3 @@
binder_call(inputflinger, system_server)
allow inputflinger inputflinger_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(inputflinger)
-auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
diff --git a/isolated_app.te b/isolated_app.te
index 27b0e40..a156838 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,7 +18,3 @@
# Needed to allow dlopen() from Chrome renderer processes.
# See b/15902433 for details.
allow isolated_app app_data_file:file execute;
-
-# Audited locally.
-service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app service_manager_type:service_manager find;
diff --git a/keystore.te b/keystore.te
index f2c5039..afa701c 100644
--- a/keystore.te
+++ b/keystore.te
@@ -28,9 +28,5 @@
allow keystore keystore_service:service_manager add;
-# Audited locally.
-service_manager_local_audit_domain(keystore)
-auditallow keystore { service_manager_type -keystore_service }:service_manager find;
-
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/mediaserver.te b/mediaserver.te
index 52c593e..55d1f205 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -79,13 +79,3 @@
allow mediaserver tee:unix_stream_socket connectto;
allow mediaserver mediaserver_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(mediaserver)
-auditallow mediaserver {
- service_manager_type
- -drmserver_service
- -mediaserver_service
- -system_server_service
- -surfaceflinger_service
-}:service_manager find;
diff --git a/nfc.te b/nfc.te
index c32e9d5..65aaef7 100644
--- a/nfc.te
+++ b/nfc.te
@@ -15,11 +15,3 @@
allow nfc sysfs:file write;
allow nfc nfc_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(nfc)
-auditallow nfc {
- service_manager_type
- -mediaserver_service
- -system_server_service
-}:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index a44e35d..7ff8d62 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -27,13 +27,3 @@
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
-
-# Audited locally.
-service_manager_local_audit_domain(platform_app)
-auditallow platform_app {
- service_manager_type
- -mediaserver_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
diff --git a/radio.te b/radio.te
index 11691cb..d0018ea 100644
--- a/radio.te
+++ b/radio.te
@@ -28,12 +28,3 @@
allow radio ctl_rildaemon_prop:property_service set;
allow radio radio_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(radio)
-auditallow radio {
- service_manager_type
- -mediaserver_service
- -radio_service
- -system_server_service
-}:service_manager find;
diff --git a/service_contexts b/service_contexts
index 68be809..c8e388f 100644
--- a/service_contexts
+++ b/service_contexts
@@ -48,7 +48,7 @@
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
-imms u:object_r:system_app_service:s0
+imms u:object_r:radio_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
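Review bot: Relabelling `imms` from system_app_service to radio_service changes which domain may register it with servicemanager: in this diff only radio carries `allow radio radio_service:service_manager add;`, so the process that adds imms must now run in the radio domain. Because domain.te grants `allow domain service_manager_type:service_manager find;` to every domain, the find side is unchanged and this is purely an add-side tightening or correction. Nothing in the hunk says which process registers imms or why the earlier label was wrong, so a note in the commit message (or, if the file format permits, a `#` comment above the entry) naming that process would make the change auditable.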
@@ -63,6 +63,7 @@
media.log u:object_r:mediaserver_service:s0
media.player u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:mediaserver_service:s0
+media_projection u:object_r:system_server_service:s0
media_router u:object_r:system_server_service:s0
media_session u:object_r:system_server_service:s0
meminfo u:object_r:system_server_service:s0
diff --git a/surfaceflinger.te b/surfaceflinger.te
index ff91993..c508612 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -59,14 +59,6 @@
allow surfaceflinger surfaceflinger_service:service_manager add;
-# Audited locally.
-service_manager_local_audit_domain(surfaceflinger)
-auditallow surfaceflinger {
- service_manager_type
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
-
###
### Neverallow rules
###
diff --git a/system_app.te b/system_app.te
index 24b135e..2a7421b 100644
--- a/system_app.te
+++ b/system_app.te
@@ -64,12 +64,3 @@
};
control_logd(system_app)
-
-# Audited locally.
-service_manager_local_audit_domain(system_app)
-auditallow system_app {
- service_manager_type
- -nfc_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
diff --git a/system_server.te b/system_server.te
index 9d973db..9afd8af 100644
--- a/system_server.te
+++ b/system_server.te
@@ -362,9 +362,6 @@
allow system_server system_server_service:service_manager add;
-# Audited locally.
-service_manager_local_audit_domain(system_server)
-
allow system_server keystore:keystore_key {
test
get
diff --git a/te_macros b/te_macros
index b2913f3..7c1f6e5 100644
--- a/te_macros
+++ b/te_macros
@@ -109,7 +109,6 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
-service_manager_local_audit_domain($1)
')
#####################################
@@ -359,11 +358,3 @@
allow keystore $1:process getattr;
binder_call($1, keystore)
')
-
-###########################################
-# service_manager_local_audit_domain(domain)
-# Has its own auditallow rule on service_manager
-# and should be excluded from the domain.te auditallow.
-define(`service_manager_local_audit_domain', `
- typeattribute $1 service_manager_local_audit;
-')
diff --git a/untrusted_app.te b/untrusted_app.te
index ef7f1b5..f29149e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -64,18 +64,6 @@
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(untrusted_app)
-auditallow untrusted_app {
- service_manager_type
- -drmserver_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
-
###
### neverallow rules
###