Merge "vold: remove access to /proc/net files"
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index bd71a2a..3dffd86 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,2 +1,3 @@
/manifest\.json u:object_r:system_file:s0
(/.*)? u:object_r:system_file:s0
+/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
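Review bot: The new literal entry on L9 overlaps the `(/.*)?` catch-all on L8, so which label `/bin/surfaceflinger` ends up with depends on how file_contexts resolves overlapping matches, not on the order the lines are written in; nothing in the file records that the literal is expected to win. If that is the intent, I'd say so in place, e.g. `# literal path must take precedence over the (/.*)? catch-all above`. Because this is a test file_contexts, the failure mode is a silently mislabeled binary inside the test APEX (and a failed transition into surfaceflinger's domain) rather than a production exposure, but it is the kind of mistake that only shows up as an avc denial much later.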
diff --git a/private/coredomain.te b/private/coredomain.te
index cf3930b..2fbbbfd 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -105,3 +105,14 @@
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
+
+# Audit coredomain access to /dev nodes that might no longer be needed after
+# Treble.
+userdebug_or_eng(`
+ auditallow coredomain {
+ audio_device
+ iio_device
+ radio_device
+ tee_device
+ }:chr_file { open read append write ioctl };
+')
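Review bot: The auditallow on L22-L27 only logs accesses that an existing allow rule already permits, so it documents what coredomain still touches but does not tighten anything, and the comment on L19-L20 gives no exit criterion for the data it collects. I'd extend the comment to `# Audit coredomain access to /dev nodes that might no longer be needed after Treble. TODO: once no hits are observed, drop the corresponding allow rules and turn this into a neverallow.` On userdebug/eng builds this will fire for every remaining legitimate coredomain user of these nodes, so expect noise until those are excluded with `-domain` terms the way the preceding statement excludes `-init` on L15.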
diff --git a/private/zygote.te b/private/zygote.te
index 491f079..d1e0f55 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -48,6 +48,9 @@
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+# Allow zygote to create JIT memory.
+allow zygote self:process execmem;
+
# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
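Review bot: `allow zygote self:process execmem;` on L37 lets the zygote map anonymous memory that is both writable and executable, which relaxes W^X in the one process that forks every application, so a memory-safety bug in zygote becomes materially easier to turn into code execution; the one-line comment on L36 records neither that trade-off nor which feature requires it. I'd expand it to something like `# The zygote runs the JIT itself (shared code cache); this grants RWX anonymous memory to the process that forks every app, so remove it if that feature goes away.` It is also worth confirming that any neverallow on execmem elsewhere in the policy (not visible in this hunk) now carves out zygote rather than relying on this allow alone.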
diff --git a/public/domain.te b/public/domain.te
index 20ae4a9..b788f0d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -328,7 +328,7 @@
with_asan(`allow domain system_asan_options_file:file r_file_perms;')
# read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
###
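Review bot: The comment on L48 says "read APEX dir" but the rule grants `search` and, after this change, `getattr` on L50, never `read`, so the comment now misdescribes the permission set. Since this allow applies to every domain in the system, the comment is the only place a reader learns why the grant is that broad; I'd make it `# Every domain may traverse and stat the APEX mount dir, and stat any symlink pointing to APEXs.` and add the reason (presumably resolving APEX-provided libraries or binaries, which is inferred rather than shown here) if that is indeed it. `getattr` on a directory is low-risk, but a `domain`-wide allow is the widest scope available and deserves a justification in place.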
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 8f58868..e86becf 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,7 +23,7 @@
crash_dump_fallback(mediaextractor)
# allow mediaextractor read permissions for file sources
-allow mediaextractor sdcardfs:file { getattr read };
+allow mediaextractor sdcard_type:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
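Review bot: Replacing `sdcardfs` with the `sdcard_type` attribute on L61 widens the rule from one filesystem type to every type carrying that attribute, and the comment on L59 gives no hint why the broader set is now required. The rule still grants only `{ getattr read }` and not `open`, which looks deliberate (the process presumably reads from descriptors handed to it rather than opening paths itself; that is inferred, not shown in the hunk), and both points belong in the comment, e.g. `# allow mediaextractor to read file sources on any sdcard_type filesystem (not just sdcardfs); no open on purpose, files arrive as already-open fds.` If only one additional filesystem type is actually needed, naming it instead of the attribute keeps the grant minimal.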