Merge "Remove fsetid from netd."
diff --git a/domain.te b/domain.te
index 1fb2ef8..878ac9f 100644
--- a/domain.te
+++ b/domain.te
@@ -128,9 +128,10 @@
# Get SELinux enforcing status.
selinux_getenforce(domain)
-# security files
+# /data/security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
+allow domain security_file:lnk_file r_file_perms;
# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
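Review bot: The added `allow domain security_file:lnk_file r_file_perms;` gives every domain the full read macro on symlinks labelled security_file, while the two rules above it limit directories to `search getattr` and regular files to `getattr`. As defined in AOSP's global macros, `r_file_perms` also carries `open`, `ioctl` and `lock`, which a symlink traversal does not need. If the intent is only to let path resolution follow a link under /data/security, `allow domain security_file:lnk_file { getattr read };` would be the narrower grant. Because `domain` covers every process type, including app domains, a short comment on the rule saying which symlink it is for would help a later audit.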
diff --git a/property_contexts b/property_contexts
index eb23a6d..12fd108 100644
--- a/property_contexts
+++ b/property_contexts
@@ -2,7 +2,7 @@
# property service keys
#
#
-net.rmnet0 u:object_r:radio_prop:s0
+net.rmnet u:object_r:radio_prop:s0
net.gprs u:object_r:radio_prop:s0
net.ppp u:object_r:radio_prop:s0
net.qmi u:object_r:radio_prop:s0
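Review bot: Shortening the key from `net.rmnet0` to `net.rmnet` widens what gets labelled, because property_contexts entries are matched by prefix: every property whose name begins with `net.rmnet` now receives `radio_prop`, not only the rmnet0 interface. Any domain that is allowed to set `radio_prop` can therefore set all of them. If that breadth is intended, a comment above the entry such as `# prefix match: all net.rmnet* interface properties` would make the scope explicit for the next reader. It would also be worth confirming that no other `net.rmnet`-prefixed property is expected to carry a different label.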
diff --git a/sdcardd.te b/sdcardd.te
index 411120a..7a06998 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -18,8 +18,3 @@
# Read /data/system/packages.list.
allow sdcardd system_data_file:file r_file_perms;
-
-# Compatibility for existing devices with /data/media in system_data_file.
-# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
-allow sdcardd system_data_file:dir create_dir_perms;
-allow sdcardd system_data_file:file create_file_perms;
diff --git a/uncrypt.te b/uncrypt.te
index 97258a7..f62fbbf 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -3,7 +3,6 @@
type uncrypt_exec, exec_type, file_type;
init_daemon_domain(uncrypt)
-permissive_or_unconfined(uncrypt)
allow uncrypt self:capability dac_override;
diff --git a/untrusted_app.te b/untrusted_app.te
index 16499c1..85cf79e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -46,13 +46,6 @@
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file execute;
-# Create tcp/udp sockets
-allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
-allow untrusted_app self:{ tcp_socket udp_socket } { create_socket_perms accept listen };
-# Bind to a particular hostname/address/interface (e.g., localhost) instead of
-# ANY. Normally, apps should not be listening on all interfaces.
-allow untrusted_app port:{ tcp_socket udp_socket } name_bind;
-
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)