Merge "Sepolicy for allocator hal."
diff --git a/private/property_contexts b/private/property_contexts
index 3407560..a27b756 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,8 @@
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
+ro.serialno u:object_r:serialno_prop:s0
+ro.boot.serialno u:object_r:serialno_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
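Review bot: `ro.serialno` and `ro.boot.serialno` are entered without the trailing dot the neighbouring lines carry, and property_contexts entries are prefix matches, so each also labels any property whose name merely begins with those strings; that is almost certainly harmless for read-only serial properties, but the intent would be clearer with a comment, e.g. `# Serial number properties: read access is restricted via serialno_prop (see domain.te)`. If the property label backend picks the longest matching prefix, as I believe libselinux does for this file, `ro.boot.serialno` will take precedence over any shorter `ro.boot.` entry elsewhere in the file; worth confirming no other entry shadows these two.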
diff --git a/public/adbd.te b/public/adbd.te
index 675219a..59ee3e1 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -55,6 +55,9 @@
# Access device logging gating property
get_prop(adbd, device_logging_prop)
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
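Review bot: adbd is one of the six domains the new domain.te neverallow exempts, so this grant and that exemption list must stay in sync, and a cross-reference in the comment would make the coupling visible, e.g. `# Read device's serial number from system properties (exempted from the serialno_prop neverallow in domain.te)`. The same applies to the identical grants in dumpstate.te, mediadrmserver.te, recovery.te and system_server.te.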
diff --git a/public/domain.te b/public/domain.te
index c9f7f6f..47b3e5a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -374,6 +374,18 @@
neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
+# Do not allow reading device's serial number from system properties except form
+# a few whitelisted domains.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -init
+ -mediadrmserver
+ -recovery
+ -system_server
+} serialno_prop:file r_file_perms;
+
neverallow {
domain
-init
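Review bot: The comment on the new neverallow has a typo, `except form` should read `except from`, and it would help to state why each of the six exempted domains needs the serial number, since this list is what future reviewers will be asked to extend. The rule denies exactly `serialno_prop:file r_file_perms`, which is the permission set `get_prop` grants, so any new consumer has to be added both here and in its own .te file; a one-line comment saying so would prevent confusing compile-time failures later. The neverallow block that follows is cut off at the end of the hunk.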
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 08d24ae..ee617e5 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -187,6 +187,9 @@
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
+# Read device's serial number from system properties
+get_prop(dumpstate, serialno_prop)
+
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
diff --git a/public/hal_audio.te b/public/hal_audio.te
index b40427c..ca8fe52 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -1,5 +1,7 @@
hwbinder_use(hal_audio)
+binder_use(hal_audio)
binder_call(hal_audio, audioserver)
+binder_call(hal_audio, system_server)
allow hal_audio ion_device:chr_file r_file_perms;
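Review bot: `binder_use(hal_audio)` and `binder_call(hal_audio, system_server)` give a vendor HAL domain a dependency on the framework binder device and on system_server, and the `scheduling_policy_service:service_manager find` in the next hunk together with `allow system_server hal_audio:process { getsched setsched }` in system_server.te complete that path; as far as I recall, cross-boundary binder use by vendor domains is exactly what the system/vendor split aims to eliminate, so the lines deserve a comment stating the purpose and that it is expected to be temporary, e.g. `# Framework binder access so the audio HAL can request a real-time scheduling policy from system_server; vendor domains should not otherwise use /dev/binder.`. If a hwbinder-based scheduling interface is available to the HAL, using it instead would avoid widening the vendor-to-framework surface. The rest of hal_audio's policy lies outside these hunks.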
@@ -15,6 +17,8 @@
allow hal_audio audio_device:dir r_dir_perms;
allow hal_audio audio_device:chr_file rw_file_perms;
+allow hal_audio scheduling_policy_service:service_manager find;
+
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(hal_audio, bluetooth, bluetooth)
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index b08664f..c9e28d7 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -55,6 +55,9 @@
allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# Permit reading device's serial number from system properties
+get_prop(mediadrmserver, serialno_prop)
+
###
### neverallow rules
###
diff --git a/public/property.te b/public/property.te
index 731eee5..0bba50d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -36,6 +36,7 @@
type radio_prop, property_type, core_property_type;
type restorecon_prop, property_type, core_property_type;
type safemode_prop, property_type;
+type serialno_prop, property_type;
type shell_prop, property_type, core_property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
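Review bot: `serialno_prop` is declared with `property_type` only, while most of its neighbours also carry `core_property_type`; if that is deliberate (the serial is presumably a read-only property populated by init at boot, so the set-side restrictions that attribute drives would be moot), a short comment would stop someone from "fixing" it later, e.g. `# serialno_prop: read-only; read access is restricted by a neverallow in domain.te`.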
diff --git a/public/recovery.te b/public/recovery.te
index 32601e3..bbee928 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,6 +92,9 @@
# Start/stop adbd via ctl.start adbd
set_prop(recovery, ctl_default_prop)
+ # Read device's serial number from system properties
+ get_prop(recovery, serialno_prop)
+
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
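Review bot: The two added lines are indented by one space, unlike every other line in this file (compare `set_prop(recovery, ctl_default_prop)` just above); the policy compiler does not care, but the stray indentation reads like an accidental paste. They should be `# Read device's serial number from system properties` and `get_prop(recovery, serialno_prop)` at column 0, matching the other four domains that receive the same grant in this change.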
diff --git a/public/system_server.te b/public/system_server.te
index c0802e8..bc1dd9f 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -91,6 +91,7 @@
# Set scheduling info for apps.
allow system_server { appdomain ephemeral_app }:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
@@ -387,6 +388,9 @@
# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
# Create a socket for receiving info from wpa.
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;