Merge "wifi_supplicant: refactor permissions"
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ebb66e..00b68d2 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -134,7 +134,8 @@
(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
(typeattributeset default_android_service_26_0 (default_android_service))
(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0 (default_prop))
+(typeattributeset default_prop_26_0
+ ( default_prop pm_prop))
(typeattributeset device_26_0 (device))
(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
(typeattributeset deviceidle_service_26_0 (deviceidle_service))
@@ -455,6 +456,7 @@
proc_kmsg
proc_loadavg
proc_mounts
+ proc_overflowuid
proc_page_cluster
proc_pagetypeinfo
proc_random
diff --git a/private/domain.te b/private/domain.te
index 1f1af89..6be5082 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -45,7 +45,6 @@
-priv_app
-storaged
-system_app
- -system_server
-ueventd
-update_verifier
-vold
diff --git a/private/file.te b/private/file.te
index 7bd83f2..6994202 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,8 +1,3 @@
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-typealias app_data_file alias platform_app_data_file;
-typealias app_data_file alias download_file;
-
# /proc/config.gz
type config_gz, fs_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a6de59a..ee17d49 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -31,6 +31,7 @@
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/overflowuid u:object_r:proc_overflowuid:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/random u:object_r:proc_random:s0
diff --git a/private/property_contexts b/private/property_contexts
index 55974c0..1706224 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -68,6 +68,7 @@
ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
sys.boot.reason u:object_r:system_boot_reason_prop:s0
+pm. u:object_r:pm_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
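Review bot: The new `pm.` entry is a prefix match, so every property whose name starts with `pm.` moves to `pm_prop`, and the only writer granted in this commit is system_server (`set_prop(system_server, pm_prop)` in private/system_server.te). Any other domain that previously set a `pm.*` property under the default label would now be denied, so it is worth checking audit logs on a test build for such denials. The entry is also uncommented, unlike the one that follows it; a line such as `# pm.* properties are set by system_server only` above it would record the intended owner.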
diff --git a/private/system_server.te b/private/system_server.te
index b38509c..93c6a57 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -481,6 +481,7 @@
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
+set_prop(system_server, pm_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
diff --git a/public/charger.te b/public/charger.te
index 4b20d1d..5a5b653 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -18,8 +18,7 @@
allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Write to /sys/power/state
-# TODO: Split into a separate type?
-allow charger sysfs:file write;
+allow charger sysfs_power:file write;
allow charger sysfs_batteryinfo:file r_file_perms;
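Review bot: The rule `allow charger sysfs_power:file write;` depends on /sys/power/state actually carrying the `sysfs_power` label, and neither the type declaration nor the labeling entry is part of this diff. If that label is missing on a device, charger loses the write it previously had through the generic `sysfs` type. Confirm the labeling exists in the tree before relying on it; apart from that, narrowing from `sysfs` to a dedicated type is a least-privilege improvement.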
diff --git a/public/file.te b/public/file.te
index 9057c19..37ebde4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -26,6 +26,7 @@
type proc_modules, fs_type;
type proc_mounts, fs_type;
type proc_net, fs_type;
+type proc_overflowuid, fs_type;
type proc_page_cluster, fs_type;
type proc_pagetypeinfo, fs_type;
type proc_perf, fs_type;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 9cfd516..e2e3449 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -15,4 +15,5 @@
allow hal_usb sysfs:file open;
allow hal_usb sysfs:file write;
allow hal_usb sysfs:file getattr;
+allow hal_usb proc_overflowuid:file r_file_perms;
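Review bot: The added `allow hal_usb proc_overflowuid:file r_file_perms;` has no comment saying why hal_usb reads this file, unlike the matching additions in public/init.te, public/netd.te and public/ueventd.te; the healthd.te and vold.te additions are uncommented in the same way. The new type appears to split this node out of a broader proc label, so each grant should be backed by an observed read rather than carried over wholesale. A line such as `# Read /proc/sys/kernel/overflowuid` above each rule, or dropping the rule where no denial was seen, would keep the policy auditable.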
diff --git a/public/healthd.te b/public/healthd.te
index c0a7bec..e7c92c4 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -55,6 +55,7 @@
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
+allow healthd proc_overflowuid:file r_file_perms;
add_service(healthd, batteryproperties_service)
diff --git a/public/init.te b/public/init.te
index 2d55aba..bc10a82 100644
--- a/public/init.te
+++ b/public/init.te
@@ -280,6 +280,9 @@
# Write to /proc/sys/vm/page-cluster
allow init proc_page_cluster:file w_file_perms;
+# Read /proc/sys/kernel/overflowuid
+allow init proc_overflowuid:file r_file_perms;
+
# Reboot.
allow init self:capability sys_boot;
diff --git a/public/netd.te b/public/netd.te
index a1917b3..17f60b5 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -37,6 +37,9 @@
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file rw_file_perms;
+# Access for /proc/sys/kernel/overflowuid.
+allow netd proc_overflowuid:file r_file_perms;
+
# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)
diff --git a/public/property.te b/public/property.te
index 713dc83..be84d4a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -39,6 +39,7 @@
type pan_result_prop, property_type, core_property_type;
type persist_debug_prop, property_type, core_property_type;
type persistent_properties_ready_prop, property_type;
+type pm_prop, property_type;
type powerctl_prop, property_type, core_property_type;
type radio_prop, property_type, core_property_type;
type restorecon_prop, property_type, core_property_type;
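Review bot: `pm_prop` is declared with `property_type` only, while most neighbouring types in this hunk also carry `core_property_type`. If the tree's neverallow rules for non-core domains are written against `core_property_type` (not visible here), `pm_prop` falls outside them. The 26.0 mapping in this commit also adds it to `default_prop_26_0`, so rules that older vendor policy holds on the default property label would presumably extend to it. Please confirm the omission is intended, or declare it as `type pm_prop, property_type, core_property_type;`.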
diff --git a/public/te_macros b/public/te_macros
index 5a8ea5a..f3aa583 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -77,7 +77,7 @@
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr };
+allow $1 $1_tmpfs:file { read write getattr map };
allow $1 tmpfs:dir { getattr search };
')
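Review bot: Adding `map` inside `tmpfs_domain` grants it to every domain that invokes the macro, not only the one that prompted the change, so the reason should be recorded at the macro itself. A comment such as `# map: required to mmap() the domain's own tmpfs files on kernels that check the map permission` above the allow line would do. The grant stays limited to `$1_tmpfs:file` and adds no `execute`, so by itself it does not permit executable mappings of these files.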
diff --git a/public/ueventd.te b/public/ueventd.te
index 212087e..7e1f3fd 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -36,6 +36,9 @@
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
+# Access for /proc/sys/kernel/overflowuid.
+allow ueventd proc_overflowuid:file r_file_perms;
+
#####
##### neverallow rules
#####
diff --git a/public/vold.te b/public/vold.te
index 2c2f147..148f4b5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -24,6 +24,7 @@
proc_filesystems
proc_meminfo
proc_mounts
+ proc_overflowuid
}:file r_file_perms;
#Get file contexts