Merge "watchdog: remove domain_deprecated"
diff --git a/app.te b/app.te
index b03355f..f7f1a21 100644
--- a/app.te
+++ b/app.te
@@ -92,6 +92,9 @@
allow appdomain system_file:file rx_file_perms;
allow appdomain toolbox_exec:file rx_file_perms;
+# Renderscript needs the ability to read directories on /system
+r_dir_file(appdomain, system_file)
+
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
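Review bot: The comment on the new `r_dir_file(appdomain, system_file)` line says only that directories need to be read, but the macro also grants read on `file` and `lnk_file` objects of that type. It applies to every appdomain, including isolated_app. If directory listing is really all Renderscript needs, the narrower `allow appdomain system_file:dir r_dir_perms;` would match the comment, since file read/execute is already granted two lines above. If symlink read is also required, the comment should say so, e.g. `# Renderscript needs to list directories and follow symlinks on /system`.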
@@ -204,6 +207,8 @@
allow appdomain console_device:chr_file { read write };
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+
###
### CTS-specific rules
###
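Review bot: The new `ion_device` rule has no comment, unlike its neighbours, so neither the reason apps need it nor the reason isolated_app is excluded is recorded. `rw_file_perms` includes `ioctl`, so this exposes the full ion ioctl surface to every other app domain, untrusted_app included. I would add a comment such as `# ion buffer allocation for graphics/media; isolated_app is intentionally excluded`, adjusted to the real rationale. It is also worth noting in the comment whether the excluded domain is expected to receive buffers only over already-open fds.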
diff --git a/bootstat.te b/bootstat.te
new file mode 100644
index 0000000..14b4ece
--- /dev/null
+++ b/bootstat.te
@@ -0,0 +1,9 @@
+# bootstat command
+type bootstat, domain;
+type bootstat_exec, exec_type, file_type;
+
+init_daemon_domain(bootstat)
+
+# Allow persistent storage in /data/misc/bootstat.
+allow bootstat bootstat_data_file:dir rw_dir_perms;
+allow bootstat bootstat_data_file:file create_file_perms;
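Review bot: Nothing visible in this change labels the bootstat executable; the file_contexts hunk adds only the `/data/misc/bootstat` entry. Unless a `bootstat_exec` entry exists outside the shown hunks, `init_daemon_domain(bootstat)` has no labelled file to transition on and the daemon would not run in this domain. Please confirm, and if it is missing add a line of the form `<path-to-bootstat-binary> u:object_r:bootstat_exec:s0` to file_contexts. Separately, consider a `neverallow` limiting writes to `bootstat_data_file` to bootstat and init, as vold.te does for `vold_data_file`.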
diff --git a/domain.te b/domain.te
index fb672ad..c5296c4 100644
--- a/domain.te
+++ b/domain.te
@@ -23,6 +23,7 @@
};
allow domain self:fd use;
allow domain proc:dir search;
+allow domain proc_net:dir search;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
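Review bot: `allow domain proc_net:dir search;` is added to the base `domain` attribute with no comment, so it applies to every domain on the device, sandboxed ones included, and the reason is not recorded. The same concern applies to the later domain.te hunk (the one starting at old line 127), which moves the `fs_type` getattr rules out of domain_deprecated and makes them permanent for all domains under the terse comment `# Filesystem access.`. Both grants are low-privilege, but base-domain rules are hard to retract later, so each should state what depends on it. For this one I would suggest `# Allow traversal of /proc/net; reading its entries still requires a per-domain rule.`. For the other, a comment saying it covers statfs()/stat() on mount points only and implies no read of their contents.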
@@ -127,6 +128,10 @@
allow domain debugfs_tracing:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
###
### neverallow rules
###
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 7be9a3e..0db79da 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -25,10 +25,6 @@
# Device accesses.
allow domain_deprecated device:file read;
-# Filesystem accesses.
-allow domain_deprecated fs_type:filesystem getattr;
-allow domain_deprecated fs_type:dir getattr;
-
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
diff --git a/file.te b/file.te
index 0c965a3..81ff887 100644
--- a/file.te
+++ b/file.te
@@ -111,6 +111,7 @@
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
+type bootstat_data_file, file_type, data_file_type;
type boottrace_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type gatekeeper_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 1cd5fba..78964cb 100644
--- a/file_contexts
+++ b/file_contexts
@@ -251,6 +251,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
diff --git a/untrusted_app.te b/untrusted_app.te
index 463745e..7aedc39 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -20,7 +20,7 @@
### additional following rules:
###
-type untrusted_app, domain, domain_deprecated;
+type untrusted_app, domain;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
@@ -89,6 +89,10 @@
# for files. Suppress the denials when they occur.
dontaudit untrusted_app exec_type:file getattr;
+# TODO: access of /proc/meminfo, give specific label or switch to
+# using meminfo service
+allow untrusted_app proc:file r_file_perms;
+
###
### neverallow rules
###
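Review bot: `allow untrusted_app proc:file r_file_perms;` is far broader than the need stated in the TODO. It lets third-party apps read every /proc entry that still carries the generic `proc` label, not just /proc/meminfo. The TODO also has no bug reference, so nothing tracks when this will be narrowed. A dedicated label would scope it now: declare a type (a proposed name) with `type proc_meminfo, fs_type;`, label it with `genfscon proc /meminfo u:object_r:proc_meminfo:s0`, and replace this rule with `allow untrusted_app proc_meminfo:file r_file_perms;`. If that cannot land in this change, the comment should at least cite a tracking bug and say that the generic `proc` grant is temporary.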
diff --git a/vold.te b/vold.te
index 8416531..e16ec73 100644
--- a/vold.te
+++ b/vold.te
@@ -81,8 +81,8 @@
allow vold kmsg_device:chr_file rw_file_perms;
-# Run fsck.
-allow vold fsck_exec:file rx_file_perms;
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
@@ -176,3 +176,5 @@
neverallow { domain -vold -init } vold_data_file:dir *;
neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold fsck_exec:file execute_no_trans;
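Review bot: The added `neverallow vold fsck_exec:file execute_no_trans;` has no comment, so its link to the earlier hunk that drops `execute_no_trans` from the allow rule is easy to miss. I would add `# fsck must always run in the fsck domain via a transition, never inside vold's own domain.` above it. The transition rule itself is not visible in either vold.te hunk. If it comes from a `domain_auto_trans`-style macro elsewhere in the file, the explicit `{ r_file_perms execute }` allow may be partly redundant, which is worth confirming.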