Merge "Restrict system_server to only the data file types needed."
diff --git a/domain.te b/domain.te
index 5e29272..7f0347a 100644
--- a/domain.te
+++ b/domain.te
@@ -169,7 +169,8 @@
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+neverallow domain kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;
diff --git a/kernel.te b/kernel.te
index 1ff8f68..c40d08b 100644
--- a/kernel.te
+++ b/kernel.te
@@ -11,7 +11,9 @@
allow kernel fs_type:filesystem *;
# Initial setenforce by init prior to switching to init domain.
-allow kernel self:security setenforce;
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
diff --git a/mediaserver.te b/mediaserver.te
index 265675a..6fdc080 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,5 +1,6 @@
# mediaserver - multimedia daemon
type mediaserver, domain;
+permissive_or_unconfined(mediaserver)
type mediaserver_exec, exec_type, file_type;
typeattribute mediaserver mlstrustedsubject;
@@ -43,6 +44,9 @@
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
# Access camera device.
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver rpmsg_device:chr_file rw_file_perms;
diff --git a/ppp.te b/ppp.te
index bcab339..fb8641a 100644
--- a/ppp.te
+++ b/ppp.te
@@ -8,6 +8,7 @@
net_domain(ppp)
allow ppp mtp:socket rw_socket_perms;
+allow ppp mtp:unix_dgram_socket rw_socket_perms;
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:capability net_admin;
allow ppp system_file:file rx_file_perms;
diff --git a/zygote.te b/zygote.te
index 199f165..a1b6068 100644
--- a/zygote.te
+++ b/zygote.te
@@ -20,6 +20,8 @@
# Write to system data.
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
+auditallow zygote system_data_file:dir { write add_name remove_name };
+auditallow zygote system_data_file:file { create setattr write append link unlink rename };
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# For art.