Merge "Remove domain_deprecated from sdcard domains"
diff --git a/app.te b/app.te
index b03355f..60fb0a2 100644
--- a/app.te
+++ b/app.te
@@ -92,6 +92,9 @@
 allow appdomain system_file:file rx_file_perms;
 allow appdomain toolbox_exec:file rx_file_perms;
 
+# Renderscript needs the ability to read directories on /system
+r_dir_file(appdomain, system_file)
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
 
@@ -204,6 +207,8 @@
 
 allow appdomain console_device:chr_file { read write };
 
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+
 ###
 ### CTS-specific rules
 ###
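Review bot: The new `ion_device:chr_file rw_file_perms` grant has no comment, while the neighbouring rules in this block document their purpose and the tun_device rule below explains why isolated_app is excluded. Add a line such as `# Apps need direct access to the ion allocator; isolated_app is deliberately excluded.` — the actual consumer is not visible in this hunk, so name it in the comment if it is known.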
@@ -226,6 +231,12 @@
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
 
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
 ###
 ### Neverallow rules
 ###
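Review bot: The adbd socket rules apply to all of appdomain, including isolated_app, whereas the ion_device and tun_device rules in this same file use `{ appdomain -isolated_app }`; if isolated processes have no reason to reach adbd, narrowing the source to `{ appdomain -isolated_app }` keeps the file consistent. The two `adbd:unix_stream_socket` statements can be merged into one, `allow appdomain adbd:unix_stream_socket { connectto getattr getopt ioctl read write shutdown };`, and the same split appears in the system_server.te hunk. The shell.te hunk drops the shell-specific adbd rules, so shell presumably keeps access through the appdomain attribute — worth confirming before merging.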
diff --git a/bootstat.te b/bootstat.te
new file mode 100644
index 0000000..44a8c91
--- /dev/null
+++ b/bootstat.te
@@ -0,0 +1,12 @@
+# bootstat command
+type bootstat, domain;
+type bootstat_exec, exec_type, file_type;
+
+init_daemon_domain(bootstat)
+
+# Allow persistent storage in /data/misc/bootstat.
+allow bootstat bootstat_data_file:dir rw_dir_perms;
+allow bootstat bootstat_data_file:file create_file_perms;
+
+# Read access to pseudo filesystems (for /proc/uptime).
+r_dir_file(bootstat, proc)
\ No newline at end of file
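Review bot: The new file ends without a trailing newline (the `\ No newline at end of file` marker on the last line); the other policy files in this tree end with one, so add it. Also, `r_dir_file(bootstat, proc)` grants read on every file carrying the generic `proc` label, not only /proc/uptime as the comment says; if that breadth is intended, state it: `# Read access to pseudo filesystems (for /proc/uptime); covers everything labeled proc.`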
diff --git a/domain.te b/domain.te
index fb672ad..60025fd 100644
--- a/domain.te
+++ b/domain.te
@@ -23,6 +23,7 @@
 };
 allow domain self:fd use;
 allow domain proc:dir search;
+allow domain proc_net:dir search;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
 allow domain self:{ fifo_file file } rw_file_perms;
@@ -116,6 +117,7 @@
 allow domain proc_cpuinfo:file r_file_perms;
 
 # toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
@@ -127,6 +129,10 @@
 allow domain debugfs_tracing:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
 ###
 ### neverallow rules
 ###
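Review bot: Moving the two `fs_type` getattr rules from domain_deprecated (removed in the domain_deprecated.te hunk) into `domain` widens them to every domain, including those that never carried domain_deprecated, and the terse `# Filesystem access.` comment does not say that this is deliberate. A comment such as `# Every domain may stat filesystems and fs_type directories (moved from domain_deprecated so domains without that attribute keep working).` would record the reason — the motivation is inferred here, so adjust it to the actual one.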
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 7be9a3e..0db79da 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -25,10 +25,6 @@
 # Device accesses.
 allow domain_deprecated device:file read;
 
-# Filesystem accesses.
-allow domain_deprecated fs_type:filesystem getattr;
-allow domain_deprecated fs_type:dir getattr;
-
 # System file accesses.
 allow domain_deprecated system_file:dir r_dir_perms;
 allow domain_deprecated system_file:file r_file_perms;
diff --git a/file.te b/file.te
index 0c965a3..81ff887 100644
--- a/file.te
+++ b/file.te
@@ -111,6 +111,7 @@
 type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
+type bootstat_data_file, file_type, data_file_type;
 type boottrace_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
 type gatekeeper_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 1cd5fba..0a75659 100644
--- a/file_contexts
+++ b/file_contexts
@@ -154,6 +154,7 @@
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/bootanimation u:object_r:bootanim_exec:s0
+/system/bin/bootstat		u:object_r:bootstat_exec:s0
 /system/bin/app_process32	u:object_r:zygote_exec:s0
 /system/bin/app_process64	u:object_r:zygote_exec:s0
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
@@ -251,6 +252,7 @@
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
+/data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
 /data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
 /data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
diff --git a/priv_app.te b/priv_app.te
index dc792e8..68b588c 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -72,6 +72,10 @@
 allow priv_app sysfs_zram:dir search;
 allow priv_app sysfs_zram:file r_file_perms;
 
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(priv_app, update_engine)
+allow priv_app update_engine_service:service_manager find;
+
 ###
 ### neverallow rules
 ###
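Review bot: The comment on the added lines says "Allow GMS core", but the rules grant every priv_app process a binder call path to update_engine and discovery of update_engine_service, so any privileged app can reach that interface. The attribute cannot single out one app, so the comment should describe the real scope: `# Allow privileged apps (used by GMS core) to talk to update_engine for A/B updates.`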
diff --git a/service.te b/service.te
index bac387f..70bb34c 100644
--- a/service.te
+++ b/service.te
@@ -11,6 +11,7 @@
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
+type update_engine_service,     service_manager_type;
 
 # system_server_services broken down
 type accessibility_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 85dcd3d..4116383 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,6 +2,7 @@
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 alarm                                     u:object_r:alarm_service:s0
+android.os.IUpdateEngine                  u:object_r:update_engine_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 appops                                    u:object_r:appops_service:s0
diff --git a/shell.te b/shell.te
index 55757b0..8878873 100644
--- a/shell.te
+++ b/shell.te
@@ -21,10 +21,6 @@
   allow shell misc_logd_file:file r_file_perms;
 ')
 
-# interact with adb
-allow shell adbd:fd use;
-allow shell adbd:unix_stream_socket { read write ioctl getattr };
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
 
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 5d1199d..fbe1dd0 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -38,12 +38,8 @@
 set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
 allow surfaceflinger app_data_file:file { read write };
 
-# Use open file provided by bootanim.
-allow surfaceflinger bootanim:fd use;
-
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
diff --git a/system_app.te b/system_app.te
index 8589a9d..5e66acd 100644
--- a/system_app.te
+++ b/system_app.te
@@ -12,10 +12,6 @@
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
 
-# Read /data/misc/keychain subdirectory.
-allow system_app keychain_data_file:dir r_dir_perms;
-allow system_app keychain_data_file:file r_file_perms;
-
 # Read and write to /data/misc/user.
 allow system_app misc_user_data_file:dir create_dir_perms;
 allow system_app misc_user_data_file:file create_file_perms;
diff --git a/system_server.te b/system_server.te
index d0cb229..eae67ed 100644
--- a/system_server.te
+++ b/system_server.te
@@ -443,6 +443,12 @@
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl };
 
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
 ###
 ### Neverallow rules
 ###
diff --git a/untrusted_app.te b/untrusted_app.te
index 463745e..7aedc39 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -20,7 +20,7 @@
 ### additional following rules:
 ###
 
-type untrusted_app, domain, domain_deprecated;
+type untrusted_app, domain;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
@@ -89,6 +89,10 @@
 # for files. Suppress the denials when they occur.
 dontaudit untrusted_app exec_type:file getattr;
 
+# TODO: access of /proc/meminfo, give specific label or switch to
+# using meminfo service
+allow untrusted_app proc:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
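Review bot: `allow untrusted_app proc:file r_file_perms;` grants read on every file still carrying the generic `proc` label, which is much broader than the /proc/meminfo use case the TODO names; the comment should say so and carry a tracking reference so the rule is revisited: `# TODO(b/<bug-id>): untrusted_app only needs /proc/meminfo; until it gets its own label this reads every file labeled proc.` The `<bug-id>` is a placeholder to fill in.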
diff --git a/update_engine.te b/update_engine.te
index ea7fcaf..3fbfd8a 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -26,3 +26,10 @@
 
 # Don't allow kernel module loading, just silence the logs.
 dontaudit update_engine kernel:system module_request;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+allow update_engine update_engine_service:service_manager { add };
+
+# Allow update_engine to call the callback function provided by priv_app.
+binder_call(update_engine, priv_app)
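Review bot: `{ add }` on the service_manager rule wraps a single permission in braces; the rest of this tree writes a lone permission bare (`proc:dir search;`, `device:file read;`, `service_manager find;`), so `allow update_engine update_engine_service:service_manager add;` matches. The callback comment could also say that `binder_call(update_engine, priv_app)` is the reverse leg of the `binder_call(priv_app, update_engine)` added in priv_app.te, so a reader sees both halves of the pairing.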
diff --git a/vold.te b/vold.te
index 8416531..e16ec73 100644
--- a/vold.te
+++ b/vold.te
@@ -81,8 +81,8 @@
 
 allow vold kmsg_device:chr_file rw_file_perms;
 
-# Run fsck.
-allow vold fsck_exec:file rx_file_perms;
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
 
 # Log fsck results
 allow vold fscklogs:dir rw_dir_perms;
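Review bot: The new comment says fsck now runs in the fsck domain, but this hunk only changes the file permissions (dropping execute_no_trans from rx_file_perms); the vold → fsck domain transition is not visible here and presumably lives in fsck.te, which the comment could point at: `# Run fsck in the fsck domain (transition declared in fsck.te).` The neverallow added at the end of the file is what actually pins the no-transition execution out, so the two hunks should be read together.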
@@ -176,3 +176,5 @@
 neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold fsck_exec:file execute_no_trans;
diff --git a/watchdogd.te b/watchdogd.te
index 4077386..00292a9 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,4 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain, domain_deprecated;
+type watchdogd, domain;
 allow watchdogd watchdog_device:chr_file rw_file_perms;
 allow watchdogd kmsg_device:chr_file rw_file_perms;