am 65384426: am d5892b4c: Allow shell to read /proc/pid/attr/current for ps -Z.

* commit '653844260fc37240bb810a0fe13daaa9dc03433c':
  Allow shell to read /proc/pid/attr/current for ps -Z.
diff --git a/adbd.te b/adbd.te
index babbdc5..c80dba4 100644
--- a/adbd.te
+++ b/adbd.te
@@ -73,10 +73,6 @@
 allow adbd app_data_file:sock_file write;
 allow adbd appdomain:unix_stream_socket connectto;
 
-# b/18078338 - allow read access to executable types on /system
-# to assist with debugging OTA issues.
-allow adbd exec_type:file r_file_perms;
-
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
diff --git a/domain.te b/domain.te
index 733a095..a67a855 100644
--- a/domain.te
+++ b/domain.te
@@ -92,6 +92,7 @@
 allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
+allow domain init:key search;
 
 # logd access
 write_logd(domain)
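Review bot: The new `allow domain init:key search;` has no comment, and because it sits in the domain-wide block it grants every process on the device, including untrusted app domains, search on init's keyring. If only a few consumers need to locate keys there, consider scoping the rule to a narrower attribute; if the broad grant is intentional, say why next to it. A comment such as `# All domains may search init's keyring (TODO: document which consumers need this and why it cannot be narrower)` would keep the breadth of this rule reviewable.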
@@ -262,7 +263,7 @@
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
 # ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
@@ -300,7 +301,7 @@
 neverallow domain { system_file exec_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
diff --git a/file.te b/file.te
index fe28213..fa4c482 100644
--- a/file.te
+++ b/file.te
@@ -49,6 +49,8 @@
 type coredump_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type;
 # /data/.layout_version or other installd-created files that
 # are created in a system_data_file directory.
 type install_data_file, file_type, data_file_type;
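Review bot: The comment `# Unencrypted data` above the new `unencrypted_data_file` type does not say what lives there or why it is exempt from the protection the rest of /data gets. Judging from the init and vold rules in the same commit this presumably holds files that must be accessible before the userdata encryption keys are available, but that is inferred, not stated. Something like `# /data/unencrypted: files that must be readable before /data is unlocked; keep only what genuinely needs to be stored in the clear (confirm exact contents)` would give a reviewer the intent to check future rules against.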
diff --git a/file_contexts b/file_contexts
index ce55cc8..e540042 100644
--- a/file_contexts
+++ b/file_contexts
@@ -181,6 +181,7 @@
 #
 /data(/.*)?		u:object_r:system_data_file:s0
 /data/.layout_version		u:object_r:install_data_file:s0
+/data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
 /data/security(/.*)?	u:object_r:security_file:s0
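Review bot: The new `/data/unencrypted(/.*)?` entry is padded with spaces while every neighbouring entry in this block uses tabs between the path and the context; align it with tabs like `/data/unencrypted(/.*)?	u:object_r:unencrypted_data_file:s0` so the file stays consistent. Placing it after the catch-all `/data(/.*)?` line looks correct given the later-entries-override convention used in this file, but note that the label only applies to newly created files unless an existing directory is relabeled, which is worth mentioning in the commit if devices upgrading with an existing /data/unencrypted are expected.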
diff --git a/init.te b/init.te
index da9a722..909490d 100644
--- a/init.te
+++ b/init.te
@@ -234,6 +234,18 @@
 allow init pstorefs:dir search;
 allow init pstorefs:file r_file_perms;
 
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to link temp fs to unencrypted data on userdata
+allow init tmpfs:lnk_file { create read getattr relabelfrom };
+
+# Allow init to manipulate /data/unencrypted
+allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+allow init unencrypted_data_file:dir create_dir_perms;
+
+unix_socket_connect(init, vold, vold)
+
 ###
 ### neverallow rules
 ###
diff --git a/service_contexts b/service_contexts
index afc8585..34d9aa6 100644
--- a/service_contexts
+++ b/service_contexts
@@ -61,6 +61,7 @@
 media.camera                              u:object_r:mediaserver_service:s0
 media.log                                 u:object_r:mediaserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
+media.resource_manager                    u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:mediaserver_service:s0
 media_projection                          u:object_r:media_projection_service:s0
 media_router                              u:object_r:media_router_service:s0
diff --git a/system_server.te b/system_server.te
index 9079acb..b93a5cb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -161,7 +161,9 @@
 allow system_server video_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
-allow system_server audio_device:chr_file r_file_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
 
 # tun device used for 3rd party vpn apps
 allow system_server tun_device:chr_file rw_file_perms;
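Review bot: The change from `r_file_perms` to `rw_file_perms` on `audio_device:chr_file` gives system_server write access to every node labeled audio_device, not just the MIDI endpoints the comment cites. If the MIDI device nodes can be given a dedicated type in file_contexts, limit the write grant to that type; otherwise the comment should name which nodes require write so the breadth can be revisited, e.g. `# write access needed for MIDI (confirm which audio_device nodes are opened for write)`.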
diff --git a/vold.te b/vold.te
index f605f8a..17ddd61 100644
--- a/vold.te
+++ b/vold.te
@@ -101,3 +101,7 @@
 
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
+
+# Allow init to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
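Review bot: The comment `# Allow init to manipulate /data/unencrypted` is copied from init.te and is wrong here, since these rules grant the access to vold; change it to `# Allow vold to manipulate /data/unencrypted`. With both init and vold receiving `create_file_perms` on the same type, the comment should also say which of the two owns the directory and what vold writes there, so a later reviewer can tell whether the full create/relabel set is needed for vold or only read and write.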