allow policy to create a file by vfat (fs_type) for a case using sdcardfs
am: adf210d654

Change-Id: I0386db7e81ed5e6a6c032adb1173163f45ad726e
diff --git a/app.te b/app.te
index f2adf37..e9dd7b3 100644
--- a/app.te
+++ b/app.te
@@ -438,6 +438,21 @@
   tmpfs
 }:lnk_file no_w_file_perms;
 
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+  bluetooth
+  isolated_app
+  nfc
+  radio
+  shared_relro
+  system_app
+} {
+  data_file_type
+  -dalvikcache_data_file
+  -system_data_file # shared libs in apks
+  -apk_data_file
+}:file no_x_file_perms;
+
 # Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
 neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
 neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
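Review bot: The exclusion list at lines 14-26 becomes the only rule keeping app domains from executing content out of /data, because the companion domain.te hunk (lines 59-62) swaps `-untrusted_app -priv_app -shell` for `-appdomain` and so removes every app domain from the generic neverallow. Any domain that carries the appdomain attribute but is not named here — platform_app, for example, if it has the attribute (not visible in this diff) — was covered by domain.te before and is covered by neither rule after, and any type given appdomain later silently escapes the restriction unless someone remembers to add it to this list. That inversion from deny-by-default to an explicit list is the part most worth a comment, e.g. `# Every appdomain type not listed here may execute from /data; add new app domains explicitly.` above line 14. The `# shared libs in apks` note on line 24 explains why system_data_file is exempt for apps but not why the exemption is safe; one more clause on what else lives under system_data_file that the listed domains could execute would help.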
diff --git a/bootanim.te b/bootanim.te
index 91a50d5..ae25c32 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -6,6 +6,7 @@
 
 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
 
 allow bootanim gpu_device:chr_file rw_file_perms;
 
@@ -17,6 +18,7 @@
 allow bootanim audio_device:chr_file rw_file_perms;
 
 allow bootanim surfaceflinger_service:service_manager find;
+allow bootanim audioserver_service:service_manager find;
 
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
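Review bot: The new `allow bootanim audioserver_service:service_manager find;` on line 47 and the matching `binder_call(bootanim, audioserver)` in the previous hunk (line 39) carry no comment, while the surrounding rules in this file are grouped under purpose comments such as `# Allow access to ion memory allocation device`. Presumably the boot animation talks to audioserver to play a boot sound, but nothing on the page says so. Suggest a one-line comment above line 47 stating the purpose, e.g. `# Find audioserver for boot sound playback` if that is the reason.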
diff --git a/domain.te b/domain.te
index 1ac33f1..a853b3a 100644
--- a/domain.te
+++ b/domain.te
@@ -292,9 +292,7 @@
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
   domain
-  -untrusted_app
-  -priv_app
-  -shell
+  -appdomain
 } {
   data_file_type
   -dalvikcache_data_file
@@ -485,6 +483,11 @@
   -zygote
 } shell:process { transition dyntransition };
 
+# Only domains spawned from zygote and runas may have the appdomain attribute.
+neverallow { domain -runas -zygote } {
+  appdomain -shell userdebug_or_eng(`-su') -bluetooth
+}:process { transition dyntransition };
+
 # Minimize read access to shell- or app-writable symlinks.
 # This is to prevent malicious symlink attacks.
 neverallow {
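Review bot: The comment on line 70 says only zygote and runas "may have the appdomain attribute", but the rule on lines 71-73 does not constrain attribute assignment at all; it forbids `process { transition dyntransition }` into appdomain-typed domains from anything other than runas and zygote. The three carve-outs in the target set, `-shell`, `userdebug_or_eng(`-su')` and `-bluetooth`, are undocumented, so a reader cannot tell whether they are deliberate exemptions or holes. Suggest rewording to `# Only zygote and runas may transition into a domain carrying the appdomain attribute.` and adding a second line naming why shell, su (userdebug/eng only) and bluetooth are excluded from the target set.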
diff --git a/mediadrmserver.te b/mediadrmserver.te
index cfa4b28..d9368ad 100644
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -49,6 +49,7 @@
 allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
 allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
 
 # only allow unprivileged socket ioctl commands
 allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
diff --git a/nfc.te b/nfc.te
index 5b7f4b9..fc7e167 100644
--- a/nfc.te
+++ b/nfc.te
@@ -21,10 +21,11 @@
 allow nfc sysfs_usb:file write;
 
 # SoundPool loading and playback
-allow nfc mediaserver_service:service_manager find;
 allow nfc audioserver_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
+allow nfc drmserver_service:service_manager find;
 allow nfc mediacodec_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
 
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
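Review bot: `allow nfc drmserver_service:service_manager find;` on line 101 is placed under the `# SoundPool loading and playback` heading together with the re-sorted media service lookups, but finding the DRM server is not an obvious part of SoundPool playback and the commit message does not mention it. If the lookup is needed because SoundPool goes through the media player stack, which in turn contacts drmserver, a short comment would save the next reader from guessing; otherwise it may deserve its own heading. Suggest `# drmserver lookup is required by the media playback path used by SoundPool` above line 101, if that is indeed the reason.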
diff --git a/zygote.te b/zygote.te
index 89dccfc..3de9f40 100644
--- a/zygote.te
+++ b/zygote.te
@@ -39,6 +39,12 @@
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote self:capability sys_admin;
+# Allow zygote to stat the files that it opens. The zygote must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384
+allow zygote pmsg_device:chr_file { getattr };
+allow zygote debugfs_trace_marker:file { getattr };
+
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.
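Review bot: The two new rules on lines 119-120 wrap a single permission in braces (`{ getattr }`), whereas the rest of this file writes single permissions bare, e.g. `allow zygote self:capability sys_admin;` on line 115. For consistency: `allow zygote pmsg_device:chr_file getattr;` and `allow zygote debugfs_trace_marker:file getattr;`. The comment citing b/30963384 is useful; it could additionally state that getattr alone is granted (no open/read) so that later edits do not widen it casually.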