Merge "Add support for and use new path= specifier in seapp_contexts."
diff --git a/domain.te b/domain.te
index 5ac6b46..1fb2ef8 100644
--- a/domain.te
+++ b/domain.te
@@ -159,7 +159,7 @@
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
 
 # Limit device node creation and raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod };
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
 
 # No domain needs mac_override as it is unused by SELinux.
 neverallow domain self:capability2 mac_override;
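Review bot: The new `-uncrypt` exemption on line 11 lifts the neverallow for both `sys_rawio` and `mknod`, while the uncrypt.te added in this same change grants only `sys_rawio`; the `mknod` half of the exemption is wider than what the domain is documented to need. Since uncrypt is declared `permissive_or_unconfined`, the exemption is presumably what keeps the policy building on configurations where that macro expands to an unconfined domain — confirm that and record it, e.g. `# uncrypt: raw block writes need sys_rawio; mknod exempted only while the domain is unconfined`. If the domain is confined later, the neverallow can be split so uncrypt is exempted from `sys_rawio` alone.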
@@ -203,7 +203,7 @@
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
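Review bot: Exempting uncrypt on line 20 lets it open and write the generic `block_device` type, which is exactly what the comment two lines above says to avoid in favour of a relabel to a specific type; the matching `allow uncrypt block_device:blk_file w_file_perms;` at the end of the new uncrypt.te has the same problem. Unless the partition node uncrypt must write cannot be known in advance, the safer shape is a dedicated block device type for the target partition in file_contexts, with uncrypt granted write on that type only and no exemption here. If the generic access is intentional for now, a comment on the exemption saying so (`# uncrypt: TODO scope to a dedicated block device type`) would keep it from being copied by the next domain.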
diff --git a/file_contexts b/file_contexts
index e0eabe7..81698d1 100644
--- a/file_contexts
+++ b/file_contexts
@@ -150,6 +150,7 @@
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
+/system/bin/uncrypt     u:object_r:uncrypt_exec:s0
 #############################
 # Vendor files
 #
@@ -194,10 +195,6 @@
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 
-# App sandboxes
-/data/data/.*		u:object_r:app_data_file:s0
-# Wallpaper file.
-/data/data/com.android.settings/files/wallpaper	u:object_r:wallpaper_file:s0
 # Wallpaper file for other users
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
 # Downloaded files
diff --git a/lmkd.te b/lmkd.te
index 2d09ce5..8643d91 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -4,7 +4,7 @@
 
 init_daemon_domain(lmkd)
 
-allow lmkd self:capability dac_override;
+allow lmkd self:capability { dac_override sys_resource };
 
 ## Open and write to /proc/PID/oom_score_adj
 ## TODO: maybe scope this down?
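Review bot: Line 56 adds `sys_resource` to lmkd without a comment stating why; the only nearby context is the `/proc/PID/oom_score_adj` comment that follows. `sys_resource` is a broad capability (resource-limit and quota overrides among other things), so the reason should be recorded next to the grant. If, as the following comment suggests, it is needed because the kernel demands CAP_SYS_RESOURCE to lower a task's `oom_score_adj` below the minimum it has recorded, a comment such as `# sys_resource: lowering oom_score_adj below a task's recorded minimum requires CAP_SYS_RESOURCE` would pin that down — please confirm against the lmkd source.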
diff --git a/uncrypt.te b/uncrypt.te
new file mode 100644
index 0000000..97258a7
--- /dev/null
+++ b/uncrypt.te
@@ -0,0 +1,30 @@
+# uncrypt
+type uncrypt, domain;
+type uncrypt_exec, exec_type, file_type;
+
+init_daemon_domain(uncrypt)
+permissive_or_unconfined(uncrypt)
+
+allow uncrypt self:capability dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+r_dir_file(uncrypt, app_data_file)
+
+userdebug_or_eng(`
+  # For debugging, allow /data/local/tmp access
+  r_dir_file(uncrypt, shell_data_file)
+')
+
+# Create tmp file /cache/recovery/command.tmp
+# Read /cache/recovery/command
+# Rename /cache/recovery/command.tmp to /cache/recovery/command
+allow uncrypt cache_file:dir rw_dir_perms;
+allow uncrypt cache_file:file create_file_perms;
+
+# Set a property to reboot the device.
+unix_socket_connect(uncrypt, property, init)
+allow uncrypt powerctl_prop:property_service set;
+
+# Raw writes to block device
+allow uncrypt self:capability sys_rawio;
+allow uncrypt block_device:blk_file w_file_perms;
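Review bot: `permissive_or_unconfined(uncrypt)` on line 71 makes every allow rule that follows non-binding — if the macro does what its name says, the rules are redundant on unconfined builds and denials are only logged on permissive ones — so the accesses listed below document intent without enforcing it. The rule set here looks narrow enough to confine: one property set, cache_file dir/file access, a read of the OTA zip, and the block device write. A comment under line 71 naming the condition for removing it (`# TODO: confine once no denials are seen on userdebug`) would make that plan visible. Separately, `r_dir_file(uncrypt, app_data_file)` on line 76 grants read of every app's private data, not just the `/data/data/com.google.android.gsf/app_download` path the comment names; either the comment should say the grant is broader than that path, or the download location needs a narrower label.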