Merge "checkseapp:  Detect duplicate entries within seapp_contexts."
diff --git a/README b/README
index 83ee7a2..46f58b5 100644
--- a/README
+++ b/README
@@ -1,3 +1,9 @@
+This directory contains the core Android SELinux policy configuration.
+It defines the domains and types for the AOSP services and apps common to
+all devices.  Device-specific policy should be placed under a
+separate device/<vendor>/<board>/sepolicy subdirectory and linked
+into the policy build as described below.
+
 Policy Generation:
 
 Additional, per device, policy files can be added into the
diff --git a/domain.te b/domain.te
index 731e0c4..1e3b2fb 100644
--- a/domain.te
+++ b/domain.te
@@ -362,3 +362,7 @@
 # that over time, the kernel global tables used to implement SysV IPCs will fill
 # up.
 neverallow domain domain:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
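Review bot: The new neverallow on the last line of the hunk names the object classes but not why they matter, and "Feature parity with Chromium LSM" only points the reader elsewhere; the rationale should live next to the rule it justifies. Something like `# Mounting over a symlink, fifo or socket is never needed by Android and would only serve to hide or replace the original object, so it is denied for every domain; mounton on dir, file, chr_file and blk_file remains governed by per-domain allow rules.` would make the scope explicit. Note that the unconfined.te rules touched later in this commit drop mounton from a class set that also includes `dir`, which is wider than what this neverallow requires, so the two should be kept deliberately consistent.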
diff --git a/mls b/mls
index 3a64004..d5942c3 100644
--- a/mls
+++ b/mls
@@ -78,12 +78,13 @@
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the
 # creating process' label. Thus we also have an exemption when the "object"
-# is a MLS trusted subject and can receive data at any level.
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
 mlsconstrain fifo_file { read getattr }
-	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
 
 mlsconstrain fifo_file { write setattr append unlink link rename }
-	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
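Review bot: Replacing `t2 == mlstrustedsubject` with `t2 == domain` in both constraints removes the level comparison for every unnamed pipe, not just for pipes created by trusted subjects, so fifo_file read and write no longer provide any MLS separation between levels once a descriptor has been handed over. The updated comment explains the motivation (pipes passed over binder or local sockets) but not the breadth of the relaxation, which a later reader could easily widen further. I would state it plainly in the comment block above `mlsconstrain fifo_file { read getattr }`: `# Note: this exempts *all* unnamed pipes from the level check; level separation then rests on the constraints that govern the IPC used to pass the descriptor.` Whether the IPC constraints below actually cover every transfer path is not visible in this hunk and should be confirmed.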
 
 #
 # IPC constraints
diff --git a/property.te b/property.te
index 6fedfa7..8faa472 100644
--- a/property.te
+++ b/property.te
@@ -8,6 +8,7 @@
 type net_radio_prop, property_type;
 type system_radio_prop, property_type;
 type system_prop, property_type;
+type verity_prop, property_type;
 type vold_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 06f6c17..47e544a 100644
--- a/property_contexts
+++ b/property_contexts
@@ -49,6 +49,9 @@
 vold.                   u:object_r:vold_prop:s0
 crypto.                 u:object_r:vold_prop:s0
 
+# dm-verity properties
+verity.                 u:object_r:verity_prop:s0
+
 # ro.build.fingerprint is either set in /system/build.prop, or is
 # set at runtime by system_server.
 build.fingerprint       u:object_r:fingerprint_prop:s0
diff --git a/ueventd.te b/ueventd.te
index 2e61e88..0f2809d 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -23,3 +23,9 @@
 
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
+
+# Set property.
+unix_socket_connect(ueventd, property, init)
+
+# Property service
+allow ueventd verity_prop:property_service set;
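Review bot: The two new rules carry the comments `# Set property.` and `# Property service`, which say the same thing twice and neither explains why ueventd, of all domains, needs to write verity properties. A single comment above `unix_socket_connect(ueventd, property, init)` would serve both lines, e.g. `# ueventd publishes dm-verity state via verity.* properties; this requires connecting to init's property socket and set on verity_prop only.` The "publishes dm-verity state" part is my inference from the verity_prop type and the property_contexts prefix added in this commit and should be confirmed against the ueventd change that motivated it. Scoping the set permission to verity_prop rather than a broader attribute is the right shape and worth preserving if the comment is rewritten.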
diff --git a/unconfined.te b/unconfined.te
index d9a5b04..559ed59 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -43,8 +43,8 @@
     tun_socket
 } *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
+allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain {
     file_type
     -keystore_data_file
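Review bot: The two rewritten rules at the top of the hunk take mounton away from the whole class set `{ dir lnk_file sock_file fifo_file }`, so unconfined domains also lose mounton on directories, even though the neverallow added in domain.te only requires it for lnk_file, fifo_file and sock_file. If unconfined domains still need to mount on directories (init is the usual case, though its rules are not in this diff), the change will either break that or rely on an explicit allow elsewhere; if the narrowing is intentional, a comment should say so. To match the neverallow exactly, split each rule, e.g. `allow unconfineddomain dev_type:dir ~relabelto;` and `allow unconfineddomain dev_type:{ lnk_file sock_file fifo_file } ~{ relabelto mounton };`, and the same for the fs_type rule here and the file_type rule in the next hunk (`}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };`).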
@@ -55,7 +55,7 @@
     -shell_data_file
     -app_data_file
     -unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute };
 allow unconfineddomain exec_type:lnk_file r_file_perms;