Merge "Define SELinux policy for RELRO sharing support."
diff --git a/domain.te b/domain.te
index f7e8692..b0d7c95 100644
--- a/domain.te
+++ b/domain.te
@@ -232,3 +232,17 @@
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the /system partition except for a few whitelisted domains.
+#
+neverallow {
+ domain
+ -appdomain
+ -dumpstate
+ -shelldomain
+ userdebug_or_eng(`-su')
+ -system_server
+ -zygote
+} { file_type -system_file -exec_type }:file execute;
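Review bot: The `-exec_type` exclusion on the closing line means this neverallow only enforces the "/system only" intent if exec_type and system_file are never assigned to paths outside /system; the rule itself carries no partition information, so the header comment should state that dependency, e.g. `# Relies on file_contexts: exec_type and system_file must only label content under /system.` The exempted domains (appdomain, dumpstate, shelldomain, su on userdebug/eng, system_server, zygote) are listed without a reason each, and a one-line justification per exclusion would make later tightening easier to review. The assertion covers only the file class and the execute permission, which is presumably sufficient because other exec-related checks on a file build on execute, but that reasoning is worth a comment too.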
diff --git a/healthd.te b/healthd.te
index 224090e..dd49e4e 100644
--- a/healthd.te
+++ b/healthd.te
@@ -9,7 +9,7 @@
allow healthd tmpfs:chr_file { read write };
allow healthd self:capability { net_admin mknod sys_tty_config };
-allow healthd self:capability2 block_suspend;
+wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
binder_use(healthd)
binder_service(healthd)
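Review bot: Replacing `allow healthd self:capability2 block_suspend;` with `wakelock_use(healthd)` grants healthd rw_file_perms on sysfs_wake_lock in addition to the capability, which the removed line did not; unless healthd already has that sysfs rule elsewhere in the file (not visible in this hunk), this widens healthd's access. The rild hunk is the mirror image: its removed line granted only sysfs_wake_lock, and the macro now also adds CAP_BLOCK_SUSPEND. Both are likely intended, since the macro's own comment says the sysfs files require the capability, but the commit description should say that healthd and rild gain new permissions, because `wakelock_use` expands to two rules and the second is easy to miss. For system_server and vold both original rules are removed, so those hunks are pure refactors.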
diff --git a/rild.te b/rild.te
index 6d2cd38..f272862 100644
--- a/rild.te
+++ b/rild.te
@@ -39,6 +39,6 @@
allow rild self:netlink_kobject_uevent_socket create_socket_perms;
# Access to wake locks
-allow rild sysfs_wake_lock:file rw_file_perms;
+wakelock_use(rild)
allow rild self:socket create_socket_perms;
diff --git a/system_server.te b/system_server.te
index 81e31fc..4b8e384 100644
--- a/system_server.te
+++ b/system_server.te
@@ -53,7 +53,7 @@
sys_tty_config
};
-allow system_server self:capability2 block_suspend;
+wakelock_use(system_server)
# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;
@@ -316,9 +316,6 @@
# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;
-# Access to wake locks
-allow system_server sysfs_wake_lock:file rw_file_perms;
-
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
diff --git a/te_macros b/te_macros
index ecdf8b4..fb6cdae 100644
--- a/te_macros
+++ b/te_macros
@@ -174,6 +174,16 @@
')
#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:capability2 block_suspend;
+')
+
+#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
diff --git a/unconfined.te b/unconfined.te
index 5a23c3f..326904a 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,7 +20,7 @@
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system *;
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition setexec setfscreate setcurrent setkeycreate setsockcreate };
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
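Review bot: The five added exclusions apply to `domain:process`, which includes each unconfined domain's own process, so any domain carrying unconfineddomain that relies on setexec, setfscreate or setcurrent now needs an explicit self:process rule; none is visible here, so this should be confirmed against those domains before merging. The rule is still a complement list (`~{ ... }`), so any process permission added to the policy later is granted to unconfineddomain by default, and the new names protect only what is listed. This hunk is also unrelated to the wake-lock refactor and to the RELRO subject in the title, so a sentence in the commit description explaining why these setters are being withdrawn would help later readers.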
diff --git a/vold.te b/vold.te
index 7fbba76..30cd9d2 100644
--- a/vold.te
+++ b/vold.te
@@ -77,8 +77,7 @@
allow vold asec_public_file:file { relabelto setattr };
# Handle wake locks (used for device encryption)
-allow vold sysfs_wake_lock:file rw_file_perms;
-allow vold self:capability2 block_suspend;
+wakelock_use(vold)
# talk to batteryservice
binder_use(vold)