Merge "Put dex2oat in it's own sandbox"
diff --git a/adbd.te b/adbd.te
index 705f5f0..58fdead 100644
--- a/adbd.te
+++ b/adbd.te
@@ -8,8 +8,6 @@
')
domain_auto_trans(adbd, shell_exec, shell)
-# this is an entrypoint
-allow adbd rootfs:file entrypoint;
# Do not sanitize the environment or open fds of the shell.
allow adbd shell:process noatsecure;
diff --git a/bootanim.te b/bootanim.te
index 024d20c..3a0a76f 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -8,3 +8,6 @@
binder_call(bootanim, surfaceflinger)
allow bootanim gpu_device:chr_file rw_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir search;
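Review bot: `allow bootanim oemfs:dir search;` grants only directory traversal on oemfs, so bootanim can resolve a path under /oem but cannot getattr, open or read any file there; if the intent is to load an OEM-supplied boot animation, a companion file rule such as `allow bootanim oemfs:file r_file_perms;` is needed unless it is already granted elsewhere, which this diff does not show. If search-only is deliberate (e.g. an existence check on a path), the comment should say so. Either way `# /oem access` is too vague for a policy reader; something like `# Search /oem so an OEM boot animation can be located; file reads are granted separately.` records the expectation and makes a later denial easy to diagnose.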
diff --git a/healthd.te b/healthd.te
index 9832ac4..ce6b877 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,7 +2,6 @@
# it lives in the rootfs and has no unique file type.
type healthd, domain;
-allow healthd rootfs:file { read entrypoint };
write_klog(healthd)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by healthd.
diff --git a/init.te b/init.te
index 191c570..abd0690 100644
--- a/init.te
+++ b/init.te
@@ -60,12 +60,23 @@
allow init proc_security:file rw_file_perms;
# Transitions to seclabel processes in init.rc
-allow init adbd:process transition;
-allow init healthd:process transition;
-allow init recovery:process transition;
-allow init shell:process transition;
-allow init ueventd:process transition;
-allow init watchdogd:process transition;
+domain_trans(init, rootfs, adbd)
+domain_trans(init, rootfs, healthd)
+recovery_only(`
+ domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, rootfs, ueventd)
+domain_trans(init, rootfs, watchdogd)
+
+# Certain domains need LD_PRELOAD passed from init.
+# https://android-review.googlesource.com/94851
+# For now, allow it to all domains.
+# TODO: scope this down.
+allow init domain:process noatsecure;
+
+# Support "adb shell stop"
+allow init domain:process sigkill;
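Review bot: The five `domain_trans(init, rootfs, …)` calls all key off the generic `rootfs` type, so, assuming `domain_trans` follows the usual te_macros shape (allow the target domain `entrypoint`/`execute` on the exec type, no `type_transition`), every one of adbd, healthd, ueventd and watchdogd is now allowed to enter its domain from any rootfs-labeled file, and only the `seclabel` in init.rc decides which domain a given rootfs binary lands in. That is the same exposure the deleted per-domain `rootfs:file entrypoint` rules had (healthd.te's own comment notes these binaries have no unique file type), but after this change it is no longer visible in the daemon's .te file, so the existing comment on the line above should spell it out, e.g. `# These binaries live in the rootfs with no unique file type; the target domain is chosen by the seclabel in init.rc, and domain_trans therefore grants entrypoint on all of rootfs.` The blanket `allow init domain:process noatsecure;` is already flagged with a TODO; the companion `allow init domain:process sigkill;` could carry the same caveat, since "adb shell stop" only needs to reach init-managed services, not every domain.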
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
@@ -92,6 +103,10 @@
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow init kernel:process setsched;
+
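Review bot: `allow init kernel:process setsched;` is added with a comment saying the rule itself looks wrong, which is a poor state to merge a grant in; if the only motivation is a denial in the logs, `dontaudit init kernel:process setsched;` silences it without widening what init may do to kernel tasks, and can be flipped to `allow` once the actual caller is identified. If it is genuinely required (for example init adjusting the priority of a kernel thread during early boot), the comment should name that caller instead of calling the line suspect. I cannot tell from this diff which of the two applies.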
###
### neverallow rules
###
diff --git a/recovery.te b/recovery.te
index aac201b..75a024c 100644
--- a/recovery.te
+++ b/recovery.te
@@ -7,8 +7,6 @@
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
- allow recovery rootfs:file { entrypoint execute };
-
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy.
diff --git a/system_server.te b/system_server.te
index 3b33160..d7453ad 100644
--- a/system_server.te
+++ b/system_server.te
@@ -388,6 +388,9 @@
# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
+# /oem access
+allow system_server oemfs:dir search;
+
###
### Neverallow rules
###
diff --git a/ueventd.te b/ueventd.te
index d8ae16c..2e61e88 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -4,7 +4,6 @@
tmpfs_domain(ueventd)
write_klog(ueventd)
security_access_policy(ueventd)
-allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
diff --git a/unconfined.te b/unconfined.te
index 6b64fb9..a76c3d8 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,27 +20,6 @@
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- noatsecure
- siginh
- setrlimit
- rlimitinh
-};
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
diff --git a/watchdogd.te b/watchdogd.te
index be193ea..ab93560 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,6 +1,5 @@
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
-allow watchdogd rootfs:file { entrypoint r_file_perms };
allow watchdogd self:capability mknod;
allow watchdogd device:dir { add_name write remove_name };
allow watchdogd watchdog_device:chr_file rw_file_perms;