Merge "Make kernel / init enforcing"
diff --git a/debuggerd.te b/debuggerd.te
index cdf00de..5a2e5ff 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,11 +1,26 @@
 # debugger interface
 type debuggerd, domain;
+permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
-unconfined_domain(debuggerd)
+typeattribute debuggerd mlstrustedsubject;
+allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
+allow debuggerd domain:dir r_dir_perms;
+allow debuggerd domain:file r_file_perms;
+allow debuggerd domain:process ptrace;
+security_access_policy(debuggerd)
+allow debuggerd system_data_file:dir create_dir_perms;
+allow debuggerd system_data_file:dir relabelfrom;
 relabelto_domain(debuggerd)
 allow debuggerd tombstone_data_file:dir relabelto;
+allow debuggerd tombstone_data_file:dir create_dir_perms;
+allow debuggerd tombstone_data_file:file create_file_perms;
+allow debuggerd domain:process { sigstop signal };
+allow debuggerd exec_type:file r_file_perms;
+# Access app library
+allow debuggerd system_data_file:file open;
 
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
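Review bot: `permissive debuggerd;` near the top of the new policy means none of the allow rules added below it are enforced yet, and nothing in the file records when the declaration is meant to be removed. I would add a comment above it such as `# TODO: drop permissive once no debuggerd denials appear in the audit log`, so the domain does not stay permissive by omission. Separately, `allow debuggerd domain:process ptrace;` combined with `sys_ptrace` and `dac_override` covers every domain on the device. If debuggerd is not meant to attach to init or other core daemons, that rule is worth narrowing before enforcement, for example `allow debuggerd { domain -init }:process ptrace;`. The two `domain:process` rules (`ptrace`, and `{ sigstop signal }` further down) could also be merged into one line with a comment saying why each permission is needed.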
diff --git a/device.te b/device.te
index 508c0eb..76302cd 100644
--- a/device.te
+++ b/device.te
@@ -15,6 +15,7 @@
 type ram_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
+type fscklogs, dev_type;
 type full_device, dev_type;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
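Review bot: The new type `fscklogs` carries the `dev_type` attribute, but it appears to describe log files rather than a device node. The file_contexts entry in the same commit labels a directory tree (`/dev/fscklogs(/.*)?`), and system_server.te treats its contents as regular files to be read and unlinked. Any rule written against `dev_type` as a whole would then also apply to these logs, so confirm that is intended, or add a comment on the line such as `# fsck log directory under /dev, not a device node`. The name also departs from the `_device` suffix used by every neighbouring type in this hunk, which is reasonable if it is not a device but is worth stating in that comment.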
diff --git a/file_contexts b/file_contexts
index d8315a1..41f9b1c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -45,6 +45,7 @@
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
+/dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
 /dev/full		u:object_r:full_device:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
diff --git a/system_server.te b/system_server.te
index 1ffa34d..4d79c1a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -212,3 +212,8 @@
 
 # Access to wake locks
 allow system_server sysfs_wake_lock:file rw_file_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
diff --git a/ueventd.te b/ueventd.te
index 275286b..2af8e94 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -1,7 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
-permissive ueventd;
 tmpfs_domain(ueventd)
 write_klog(ueventd)
 security_access_policy(ueventd)