Merge "Allow clatd to read from packet sockets and write to raw sockets"
diff --git a/Android.mk b/Android.mk
index bdf26b3..1163477 100644
--- a/Android.mk
+++ b/Android.mk
@@ -198,6 +198,26 @@
built_pc := $(LOCAL_BUILT_MODULE)
##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+ALL_SVC_FILES := $(call build_policy, service_contexts)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(ALL_SVC_FILES) > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+
+built_svc := $(LOCAL_BUILT_MODULE)
+
+##################################
##################################
include $(CLEAR_VARS)
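Review bot: The m4 line of the new recipe writes the target in place with `> $@`, so a failing m4 or a checkfc rejection can leave a partial or invalid service_contexts that a later make treats as up to date, unless the surrounding build sets `.DELETE_ON_ERROR` (not visible in this hunk). Generating into a temporary, validating that, and renaming only on success means a rejected file never lands at `$@`: `$(hide) m4 -s $(ALL_SVC_FILES) > $@.tmp`, `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.tmp`, `$(hide) mv -f $@.tmp $@`. If the property_contexts and file_contexts rules earlier in this file (outside the hunk) use the same in-place pattern, they would benefit from the same change, ideally in one commit so the three rules stay parallel.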
@@ -243,7 +263,7 @@
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc)
+$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
@mkdir -p $(dir $@)
$(hide) echo -n $(BUILD_FINGERPRINT) > $@
@@ -255,5 +275,6 @@
built_sc :=
built_fc :=
built_pc :=
+built_svc :=
include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/access_vectors b/access_vectors
index 2655872..7609d9d 100644
--- a/access_vectors
+++ b/access_vectors
@@ -888,3 +888,8 @@
{
set
}
+
+class service_manager
+{
+ add
+}
diff --git a/app.te b/app.te
index 44cd266..73febbc 100644
--- a/app.te
+++ b/app.te
@@ -131,7 +131,8 @@
allow appdomain dalvikcache_data_file:file execute;
# /data/dalvik-cache/profiles
-allow appdomain dalvikcache_profiles_data_file:file write;
+allow appdomain dalvikcache_profiles_data_file:dir { search getattr };
+allow appdomain dalvikcache_profiles_data_file:file rw_file_perms;
# Allow any app to read shared RELRO files.
allow appdomain shared_relro_file:dir search;
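Review bot: The replacement at the `rw_file_perms` line widens appdomain from `write` to read and write on profile files, and the `# /data/dalvik-cache/profiles` comment does not say why apps need both; the read side previously came from the domain-wide rule that the domain.te hunk removes, so this is where the scope narrows from all domains to appdomain, system_server and installd. A comment that records that would make the grant reviewable later, e.g. `# /data/dalvik-cache/profiles: apps read and update profile files (read access no longer granted to all of domain).` This dalvik-cache change appears unrelated to the service_manager work in the rest of the merge, which is presumably a consequence of bundling several commits.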
diff --git a/attributes b/attributes
index 261500f..64de61a 100644
--- a/attributes
+++ b/attributes
@@ -39,6 +39,9 @@
# All types used for property service
attribute property_type;
+# All types used for services managed by service_manager.
+attribute service_manager_type;
+
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 757d807..db2f93f 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -11,3 +11,7 @@
# Receive and write to a pipe received over Binder from an app.
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
+
+# Allow binderservicedomain to add services by default.
+allow binderservicedomain service_manager_type:service_manager add;
+auditallow binderservicedomain default_android_service:service_manager add;
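Review bot: The new `allow binderservicedomain service_manager_type:service_manager add;` lets every binder service domain register under every service type, so the per-domain rules added in drmserver.te, healthd.te, inputflinger.te, keystore.te, mediaserver.te, nfc.te, radio.te, surfaceflinger.te and system_server.te grant nothing extra while it stands, and the `auditallow` on the next line only surfaces registrations that fall through to default_android_service. If the blanket rule is a transition aid while the per-domain rules are rolled out, the comment should say so and name the end state, e.g. `# Transitional: grants all binder services add on every service type; remove once every domain carries its own <domain>_service allow.` Without that note a later reader cannot tell whether the per-domain lines or this line is the intended policy.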
diff --git a/domain.te b/domain.te
index c5db6bb..b161467 100644
--- a/domain.te
+++ b/domain.te
@@ -101,8 +101,6 @@
# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;
-allow domain dalvikcache_profiles_data_file:dir { search getattr };
-allow domain dalvikcache_profiles_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
diff --git a/drmserver.te b/drmserver.te
index e2b62df..1993176 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -44,3 +44,5 @@
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr };
+
+allow drmserver drmserver_service:service_manager add;
diff --git a/healthd.te b/healthd.te
index 97c0ca5..08472cc 100644
--- a/healthd.te
+++ b/healthd.te
@@ -32,3 +32,5 @@
allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;
+
+allow healthd healthd_service:service_manager add;
diff --git a/inputflinger.te b/inputflinger.te
index b08b345..0bef25e 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -8,3 +8,5 @@
binder_service(inputflinger)
binder_call(inputflinger, system_server)
+
+allow inputflinger inputflinger_service:service_manager add;
diff --git a/installd.te b/installd.te
index 586f426..eed0343 100644
--- a/installd.te
+++ b/installd.te
@@ -46,8 +46,6 @@
allow installd dalvikcache_data_file:file create_file_perms;
# Create /data/dalvik-cache/profiles.
-allow installd dalvikcache_data_file:dir relabelfrom;
-allow installd dalvikcache_profiles_data_file:dir relabelto;
allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
allow installd dalvikcache_profiles_data_file:file create_file_perms;
diff --git a/keystore.te b/keystore.te
index 8aa1d7d..3e627f8 100644
--- a/keystore.te
+++ b/keystore.te
@@ -25,3 +25,5 @@
neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
neverallow domain keystore:process ptrace;
+
+allow keystore keystore_service:service_manager add;
diff --git a/mediaserver.te b/mediaserver.te
index 439315f..55d1f205 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,6 +1,5 @@
# mediaserver - multimedia daemon
type mediaserver, domain;
-permissive_or_unconfined(mediaserver)
type mediaserver_exec, exec_type, file_type;
typeattribute mediaserver mlstrustedsubject;
@@ -78,3 +77,5 @@
# Connect to tee service.
allow mediaserver tee:unix_stream_socket connectto;
+
+allow mediaserver mediaserver_service:service_manager add;
diff --git a/nfc.te b/nfc.te
index 0968c35..65aaef7 100644
--- a/nfc.te
+++ b/nfc.te
@@ -13,3 +13,5 @@
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
+
+allow nfc nfc_service:service_manager add;
diff --git a/radio.te b/radio.te
index d5bf42b..4f1df1f 100644
--- a/radio.te
+++ b/radio.te
@@ -22,3 +22,5 @@
# ctl interface
allow radio ctl_rildaemon_prop:property_service set;
+
+allow radio radio_service:service_manager add;
diff --git a/security_classes b/security_classes
index 197805e..9ff494f 100644
--- a/security_classes
+++ b/security_classes
@@ -137,4 +137,7 @@
# Property service
class property_service # userspace
+# Service manager
+class service_manager # userspace
+
# FLASK
diff --git a/service.te b/service.te
new file mode 100644
index 0000000..650ac13
--- /dev/null
+++ b/service.te
@@ -0,0 +1,10 @@
+type default_android_service, service_manager_type;
+type drmserver_service, service_manager_type;
+type healthd_service, service_manager_type;
+type inputflinger_service, service_manager_type;
+type keystore_service, service_manager_type;
+type mediaserver_service, service_manager_type;
+type nfc_service, service_manager_type;
+type radio_service, service_manager_type;
+type surfaceflinger_service, service_manager_type;
+type system_server_service, service_manager_type;
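Review bot: The new file has no header comment, so the relationship between these types, the `service_manager_type` attribute from attributes, and the name-to-type mapping in service_contexts is only discoverable by reading the other files. A short header such as `# Types for services registered with servicemanager; service names are mapped to these types in service_contexts.` would orient a reader, and `default_android_service` deserves its own line noting that it is the catch-all assigned by the `*` entry of service_contexts and is the only type that binderservicedomain.te audits.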
diff --git a/service_contexts b/service_contexts
new file mode 100644
index 0000000..3720b46
--- /dev/null
+++ b/service_contexts
@@ -0,0 +1,96 @@
+accessibility u:object_r:system_server_service:s0
+account u:object_r:system_server_service:s0
+activity u:object_r:system_server_service:s0
+alarm u:object_r:system_server_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+appops u:object_r:system_server_service:s0
+appwidget u:object_r:system_server_service:s0
+assetatlas u:object_r:system_server_service:s0
+audio u:object_r:system_server_service:s0
+backup u:object_r:system_server_service:s0
+batteryproperties u:object_r:healthd_service:s0
+batterystats u:object_r:system_server_service:s0
+battery u:object_r:system_server_service:s0
+bluetooth_manager u:object_r:system_server_service:s0
+clipboard u:object_r:system_server_service:s0
+com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0
+commontime_management u:object_r:system_server_service:s0
+connectivity u:object_r:system_server_service:s0
+consumer_ir u:object_r:system_server_service:s0
+content u:object_r:system_server_service:s0
+country_detector u:object_r:system_server_service:s0
+cpuinfo u:object_r:system_server_service:s0
+dbinfo u:object_r:system_server_service:s0
+device_policy u:object_r:system_server_service:s0
+devicestoragemonitor u:object_r:system_server_service:s0
+diskstats u:object_r:system_server_service:s0
+display.qservice u:object_r:surfaceflinger_service:s0
+display u:object_r:system_server_service:s0
+DockObserver u:object_r:system_server_service:s0
+dreams u:object_r:system_server_service:s0
+drm.drmManager u:object_r:drmserver_service:s0
+dropbox u:object_r:system_server_service:s0
+entropy u:object_r:system_server_service:s0
+ethernet u:object_r:system_server_service:s0
+gfxinfo u:object_r:system_server_service:s0
+hardware u:object_r:system_server_service:s0
+hdmi_control u:object_r:system_server_service:s0
+inputflinger u:object_r:inputflinger_service:s0
+input_method u:object_r:system_server_service:s0
+input u:object_r:system_server_service:s0
+iphonesubinfo u:object_r:radio_service:s0
+isms u:object_r:radio_service:s0
+launcherapps u:object_r:system_server_service:s0
+location u:object_r:system_server_service:s0
+lock_settings u:object_r:system_server_service:s0
+media.audio_flinger u:object_r:mediaserver_service:s0
+media.audio_policy u:object_r:mediaserver_service:s0
+media.camera u:object_r:mediaserver_service:s0
+media.player u:object_r:mediaserver_service:s0
+media_router u:object_r:system_server_service:s0
+media_session u:object_r:system_server_service:s0
+meminfo u:object_r:system_server_service:s0
+mount u:object_r:system_server_service:s0
+netpolicy u:object_r:system_server_service:s0
+netstats u:object_r:system_server_service:s0
+network_management u:object_r:system_server_service:s0
+network_score u:object_r:system_server_service:s0
+nfc u:object_r:nfc_service:s0
+notification u:object_r:system_server_service:s0
+package u:object_r:system_server_service:s0
+permission u:object_r:system_server_service:s0
+phone u:object_r:radio_service:s0
+power u:object_r:system_server_service:s0
+print u:object_r:system_server_service:s0
+procstats u:object_r:system_server_service:s0
+restrictions u:object_r:system_server_service:s0
+samplingprofiler u:object_r:system_server_service:s0
+scheduling_policy u:object_r:system_server_service:s0
+search u:object_r:system_server_service:s0
+sensorservice u:object_r:system_server_service:s0
+serial u:object_r:system_server_service:s0
+servicediscovery u:object_r:system_server_service:s0
+simphonebook u:object_r:radio_service:s0
+sip u:object_r:radio_service:s0
+statusbar u:object_r:system_server_service:s0
+SurfaceFlinger u:object_r:surfaceflinger_service:s0
+task u:object_r:system_server_service:s0
+telecomm u:object_r:radio_service:s0
+telephony.registry u:object_r:system_server_service:s0
+textservices u:object_r:system_server_service:s0
+trust u:object_r:system_server_service:s0
+tv_input u:object_r:system_server_service:s0
+uimode u:object_r:system_server_service:s0
+updatelock u:object_r:system_server_service:s0
+usagestats u:object_r:system_server_service:s0
+usb u:object_r:system_server_service:s0
+user u:object_r:system_server_service:s0
+vibrator u:object_r:system_server_service:s0
+voiceinteraction u:object_r:system_server_service:s0
+wallpaper u:object_r:system_server_service:s0
+wifip2p u:object_r:system_server_service:s0
+wifiscanner u:object_r:system_server_service:s0
+wifi u:object_r:system_server_service:s0
+window u:object_r:system_server_service:s0
+
+* u:object_r:default_android_service:s0
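Review bot: The ordering of this file looks deliberate rather than alphabetical: `batterystats` precedes `battery`, `display.qservice` precedes `display`, `inputflinger` and `input_method` precede `input`, and the `*` catch-all is last, which is the pattern one uses when lookup is a first-match prefix search. If that is the matching rule here, an alphabetic re-sort by a later contributor would silently remap `display.qservice` from surfaceflinger_service to system_server_service, and `*` anywhere but last would shadow everything after it. Assuming the file format accepts `#` comments as the other context files do, a header stating the matching semantics and that more specific names must come before their prefixes would guard against that; if matching is exact, the header should say so instead so the ordering is not mistaken for a constraint.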
diff --git a/servicemanager.te b/servicemanager.te
index a78a485..f3dbca8 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -12,3 +12,10 @@
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager domain:binder transfer;
+
+# Get contexts of binder services that call servicemanager.
+allow servicemanager binderservicedomain:dir search;
+allow servicemanager binderservicedomain:file { read open };
+allow servicemanager binderservicedomain:process getattr;
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
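Review bot: The three lookup rules after `# Get contexts of binder services that call servicemanager.` are scoped to binderservicedomain, so a caller from any other domain (an app, for example) fails at the context lookup itself rather than at the `service_manager add` check that `selinux_check_access` performs; presumably that still results in a refused registration, but the comment should say whether that is the intended fail-closed path or an oversight. Something like `# Scoped to binderservicedomain: callers outside it fail the lookup and are refused before the access check.` would record the decision. The lookup is presumably pid-based (proc dir search plus file read/open plus process getattr), which the comment could also name so a future reader knows which call these three rules serve.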
diff --git a/shell.te b/shell.te
index 6df9c85..aa02ce5 100644
--- a/shell.te
+++ b/shell.te
@@ -29,6 +29,7 @@
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
allow shell shell_exec:file rx_file_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 6a40bfc..c508612 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -57,6 +57,8 @@
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
+allow surfaceflinger surfaceflinger_service:service_manager add;
+
###
### Neverallow rules
###
diff --git a/system_server.te b/system_server.te
index aa4d6c4..fc0da2b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -195,6 +195,10 @@
allow system_server dalvikcache_data_file:dir create_dir_perms;
allow system_server dalvikcache_data_file:file create_file_perms;
+# Read from /data/dalvik-cache/profiles
+allow system_server dalvikcache_profiles_data_file:dir w_dir_perms;
+allow system_server dalvikcache_profiles_data_file:file create_file_perms;
+
# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
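Review bot: The new comment `# Read from /data/dalvik-cache/profiles` contradicts the two rules under it, which grant `w_dir_perms` on the directory and `create_file_perms` on files, i.e. write and create rather than read. It should be `# Read and write /data/dalvik-cache/profiles` or name the actual operation. Separately, the domain.te hunk removes `dalvikcache_profiles_data_file:dir { search getattr }` for all domains, and `w_dir_perms` does not obviously include `getattr` on the directory, so it is worth confirming that system_server does not also need it, or that the stat of the profiles directory happens elsewhere.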
@@ -350,6 +354,8 @@
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;
+allow system_server system_server_service:service_manager add;
+
###
### Neverallow rules
###