Merge "Renamed hardwareproperties to hardware_properties" into nyc-dev
diff --git a/access_vectors b/access_vectors
index ccf7018..c38aa7b 100644
--- a/access_vectors
+++ b/access_vectors
@@ -544,6 +544,30 @@
transfer
}
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
class property_service
{
set
diff --git a/app.te b/app.te
index 5ba0e74..29f0eeb 100644
--- a/app.te
+++ b/app.te
@@ -27,7 +27,7 @@
# Place process into foreground / background
allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file w_file_perms;
+allow appdomain cgroup:file rw_file_perms;
# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
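Review bot: The widening on the changed line from `w_file_perms` to `rw_file_perms` gives every app domain, including untrusted_app and isolated_app, read access to cgroup files, but the only comment above it still explains just the write side ("Place process into foreground / background"). Nothing in the hunk says which cgroup attribute now has to be readable or by which caller, so a later reader cannot tell whether the read half can be dropped again. Suggest a comment on the line before the rule, e.g. `# Read of cgroup files is also required: <reason — TODO fill in>`.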
@@ -104,6 +104,12 @@
# Read/write cached ringtones (opened by system).
allow appdomain ringtone_file:file { getattr read write };
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read };
+
# Write to /data/anr/traces.txt.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
@@ -111,11 +117,15 @@
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };
# Write profiles /data/misc/profiles
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
+# Profiles for foreign dex files are just markers and only need create permissions.
+allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
+allow appdomain user_profile_foreign_dex_data_file:file create;
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
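Review bot: The new `allow appdomain user_profile_foreign_dex_data_file:file create;` grants `create` only, and the neverallow added at the end of this file forbids ever adding `open` or `write`, so the marker can only be created through a path that needs nothing but `create` (a mknod()-style call); an open(O_CREAT) would additionally be checked for `open` and `write` and would be denied. If that is how the marker is written, the comment should say so, because the neverallow makes this impossible to "fix" later by adding permissions; if it is not, the rule does not work as intended. Suggest `# Markers are created via <syscall — TODO confirm>, which only needs create; open/write are deliberately never granted.`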
@@ -419,3 +429,7 @@
security_file
tmpfs
}:lnk_file no_w_file_perms;
+
+# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
+neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
+neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
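Review bot: The two neverallow lines assert less than the comment above them claims: on the file class `rw_file_perms` leaves `setattr`, `rename`, `link`, `relabelto` and similar unasserted, and on the dir class the explicit list leaves `setattr`, `rename`, `relabelto` and others unasserted. Since the stated intent is "nothing but touch", writing the assertions as the complement of the permissions granted earlier in this file is both shorter and complete: `neverallow appdomain user_profile_foreign_dex_data_file:file ~create;` and `neverallow appdomain user_profile_foreign_dex_data_file:dir ~{ search write add_name };`. The allow rules in the hunk above grant exactly those permissions, so the complement form would not break the current policy.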
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 36993eb..a2157a4 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -3,6 +3,7 @@
# Allow dumpstate to collect information from binder services
allow binderservicedomain dumpstate:fd use;
allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain dumpstate:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
diff --git a/debuggerd.te b/debuggerd.te
index 917c88c..0056550 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -15,7 +15,7 @@
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd shared_relro_file:dir r_dir_perms;
allow debuggerd shared_relro_file:file r_file_perms;
-allow debuggerd domain:process { sigstop signal };
+allow debuggerd domain:process { sigstop sigkill signal };
allow debuggerd exec_type:file r_file_perms;
# Access app library
allow debuggerd system_data_file:file open;
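Review bot: Adding `sigkill` on the changed line lets debuggerd terminate a process in any domain, a noticeably larger grant than the `sigstop signal` it already had, and the line carries no comment saying when debuggerd needs it. Because the target is `domain`, this is not limited to the process debuggerd is currently handling. Suggest a comment on the preceding line, e.g. `# sigkill: <why debuggerd must kill the target process — TODO fill in>`, so the scope can be revisited if the reason goes away.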
diff --git a/domain.te b/domain.te
index 6aa69ad..34faafd 100644
--- a/domain.te
+++ b/domain.te
@@ -111,7 +111,7 @@
allow domain system_data_file:lnk_file read;
# required by the dynamic linker
-allow domain proc:lnk_file read;
+allow domain proc:lnk_file { getattr read };
# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;
@@ -249,7 +249,7 @@
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#
# Assert that, to the extent possible, we're not loading executable content from
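Review bot: The changed neverallow removes update_engine from the mount assertion entirely, so any future `update_engine <fs_type>:filesystem mount` rule would pass the check, although update_engine.te in this change only needs `postinstall_file` (mount/unmount/relabel) and `labeledfs` (relabelfrom). Rather than a blanket exemption, consider keeping the exemption and pinning the allowed scope with a dedicated assertion, e.g. `neverallow update_engine { fs_type -sdcard_type -postinstall_file -labeledfs }:filesystem { mount remount relabelfrom relabelto };`. A short comment on the exemption naming the postinstall use case would also help the next reader.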
@@ -264,7 +264,7 @@
userdebug_or_eng(`-su')
-system_server
-zygote
-} { file_type -system_file -exec_type }:file execute;
+} { file_type -system_file -exec_type -postinstall_file }:file execute;
neverallow {
domain
-appdomain # for oemfs
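Review bot: The `-postinstall_file` exclusion added on the changed line appears redundant: file.te in this same change declares `type postinstall_file, file_type, exec_type;`, and `-exec_type` already removes it from the target set. If the intent is to document that postinstall content is executable from outside /system, a comment would say that more clearly; if the intent is to restrict who may execute it, a targeted assertion is stronger, e.g. `neverallow { domain -update_engine -postinstall } postinstall_file:file execute;`, assuming no other domain needs it. The neverallow's domain set starts before the hunk, so I cannot see which other domains are exempt.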
diff --git a/file.te b/file.te
index 1efdc58..43cacbb 100644
--- a/file.te
+++ b/file.te
@@ -25,6 +25,7 @@
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
@@ -41,8 +42,6 @@
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
-typealias fuse alias sdcard_internal;
-typealias vfat alias sdcard_external;
type debugfs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
@@ -88,6 +87,7 @@
type ota_data_file, file_type, data_file_type;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
@@ -103,7 +103,7 @@
# /data/nativetest
type nativetest_data_file, file_type, data_file_type;
# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type;
+type ringtone_file, file_type, data_file_type, mlstrustedobject;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
@@ -115,6 +115,11 @@
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;
+# /postinstall: Mount point used by update_engine to run postinstall.
+type postinstall_mnt_dir, file_type;
+# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
+type postinstall_file, file_type, exec_type;
+
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
@@ -164,6 +169,10 @@
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
@@ -206,6 +215,7 @@
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
+type uncrypt_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
@@ -225,6 +235,7 @@
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
diff --git a/file_contexts b/file_contexts
index e94c95e..9ffc3c3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -23,6 +23,7 @@
/acct u:object_r:cgroup:s0
/config u:object_r:rootfs:s0
/mnt u:object_r:tmpfs:s0
+/postinstall u:object_r:postinstall_mnt_dir:s0
/proc u:object_r:rootfs:s0
/root u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
@@ -116,6 +117,7 @@
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/vold u:object_r:vold_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
@@ -294,6 +296,7 @@
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
# Fingerprint data
@@ -327,6 +330,13 @@
# Ringtone files
/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
+# ShortcutManager icons, e.g.
+# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
+/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
+
+# User icon files
+/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
+
#############################
# efs files
#
@@ -349,6 +359,7 @@
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
+/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
diff --git a/global_macros b/global_macros
index 8d72868..e840d56 100644
--- a/global_macros
+++ b/global_macros
@@ -8,7 +8,7 @@
define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
define(`dir_file_class_set', `{ dir file_class_set }')
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
diff --git a/hostapd.te b/hostapd.te
index 858c286..204a0d9 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -6,6 +6,7 @@
allow hostapd self:capability { net_admin net_raw setuid setgid };
allow hostapd self:netlink_socket create_socket_perms;
+allow hostapd self:netlink_generic_socket create_socket_perms;
allow hostapd self:packet_socket create_socket_perms;
allow hostapd self:netlink_route_socket nlmsg_write;
diff --git a/init.te b/init.te
index 1baeeee..047ea73 100644
--- a/init.te
+++ b/init.te
@@ -88,8 +88,9 @@
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
-# restorecon /adb_keys or any other rootfs files to a more specific type.
-allow init rootfs:file relabelfrom;
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
diff --git a/installd.te b/installd.te
index 688a7e6..f4ea424 100644
--- a/installd.te
+++ b/installd.te
@@ -115,6 +115,8 @@
# Similar for the files under /data/misc/profiles/
allow installd user_profile_data_file:dir create_dir_perms;
allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:dir rmdir;
+allow installd user_profile_data_file:file unlink;
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
diff --git a/isolated_app.te b/isolated_app.te
index c27b547..6497cf1 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -17,6 +17,7 @@
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
@@ -40,12 +41,13 @@
neverallow isolated_app app_data_file:file open;
# b/17487348
-# Isolated apps can only access two services,
-# activity_service and display_service
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
neverallow isolated_app {
service_manager_type
-activity_service
-display_service
+ -webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
diff --git a/netd.te b/netd.te
index e3df2ba..51445fc 100644
--- a/netd.te
+++ b/netd.te
@@ -19,6 +19,8 @@
allow netd self:netlink_nflog_socket create_socket_perms;
allow netd self:netlink_socket create_socket_perms;
allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms;
+allow netd self:netlink_netfilter_socket create_socket_perms;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
@@ -61,6 +63,7 @@
# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
diff --git a/otapreopt.te b/otapreopt.te
index bb90eaf..0eada98 100644
--- a/otapreopt.te
+++ b/otapreopt.te
@@ -8,11 +8,21 @@
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(otapreopt, apk_data_file)
+# Access to app oat directory.
+r_dir_file(otapreopt, dalvikcache_data_file)
+
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow otapreopt ota_data_file:dir create_dir_perms;
allow otapreopt ota_data_file:file create_file_perms;
allow otapreopt ota_data_file:lnk_file create_file_perms;
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow otapreopt dalvikcache_data_file:dir { write add_name remove_name };
+allow otapreopt dalvikcache_data_file:file create_file_perms;
+
# Allow labeling of files under /data/app/com.example/oat/
# TODO: Restrict to .b suffix?
allow otapreopt dalvikcache_data_file:dir relabelto;
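Review bot: The new `dalvikcache_data_file:file create_file_perms` together with `dir { write add_name remove_name }` lets otapreopt rename and unlink any existing file in an app's oat directory, not only the `.b` files the comment describes, so the two TODOs now concern a write path into currently installed compiled code rather than tidiness. If only new files must be written, the grant could be reduced (e.g. without `unlink`/`rename`) or the output kept under ota_data_file as the TODO suggests; at minimum the comment should state whether overwriting existing oat files is intended. I am inferring the contents of `create_file_perms` from its usual definition in global_macros, which is not part of this diff.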
diff --git a/platform_app.te b/platform_app.te
index 3d46f7f..3e6cd1a 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -11,6 +11,7 @@
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
diff --git a/postinstall.te b/postinstall.te
new file mode 100644
index 0000000..8afc561
--- /dev/null
+++ b/postinstall.te
@@ -0,0 +1,20 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine:fd use;
+allow postinstall update_engine:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
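Review bot: The comment says postinstall writes to its stdout/stderr pipes, but `allow postinstall update_engine:fifo_file rw_file_perms;` also grants read; the dumpstate pipe rules elsewhere in this change grant only `{ write getattr }`. Unless postinstall also reads from a pipe owned by update_engine, `w_file_perms` matches the stated intent. Separately, since the header invites device policies to extend this domain, a short note on what must not be extended (for example write access to postinstall_file or system_file) would keep the domain's boundary explicit.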
diff --git a/priv_app.te b/priv_app.te
index 79e9e96..8d744f1 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -22,9 +22,10 @@
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
+allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediaserver_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app surfaceflinger_service:service_manager find;
@@ -86,6 +87,9 @@
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;
+# Allow Phone to read/write cached ringtones (opened by system).
+allow priv_app ringtone_file:file { getattr read write };
+
###
### neverallow rules
###
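Review bot: The new `allow priv_app ringtone_file:file { getattr read write };` is already granted by `allow appdomain ringtone_file:file { getattr read write };`, visible as context in the app.te hunk of this change, assuming priv_app carries the appdomain attribute as the app domains in this policy do. The rule therefore adds nothing, and its comment, which names only Phone, overstates the specificity since priv_app is every privileged app. If the point is to document that Phone is the user, a comment next to the appdomain rule would do, e.g. `# Also used by Phone (priv_app).`; otherwise the lines can be dropped.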
diff --git a/rild.te b/rild.te
index 1183d4c..e2856a3 100644
--- a/rild.te
+++ b/rild.te
@@ -38,6 +38,7 @@
# Allow rild to create and use netlink sockets.
allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_generic_socket create_socket_perms;
allow rild self:netlink_kobject_uevent_socket create_socket_perms;
# Access to wake locks
diff --git a/security_classes b/security_classes
index 7ea3a38..680d3dd 100644
--- a/security_classes
+++ b/security_classes
@@ -84,6 +84,16 @@
class binder
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
# Property service
class property_service # userspace
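Review bot: The comment `# Updated netlink classes for more recent netlink protocols.` does not tell a policy writer what changes for them: on a kernel that reports these classes, sockets for those protocols are checked against the new class rather than `netlink_socket`, so an existing `netlink_socket create_socket_perms` rule no longer covers, for example, generic netlink (my understanding of the kernel mapping; please confirm). That is presumably why hostapd, netd, rild, tee, wpa and system_server receive `netlink_generic_socket` rules elsewhere in this change, and device-specific policies will need the same review. Suggest extending the comment: `# Once these classes are defined, the matching protocols are no longer covered by netlink_socket rules; domains need per-class rules.`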
diff --git a/service.te b/service.te
index ae62590..9a4da4b 100644
--- a/service.te
+++ b/service.te
@@ -74,6 +74,7 @@
type netstats_service, app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type package_service, app_api_service, system_server_service, service_manager_type;
@@ -93,6 +94,7 @@
type sensorservice_service, app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 9410e3b..681521d 100644
--- a/service_contexts
+++ b/service_contexts
@@ -86,6 +86,7 @@
netstats u:object_r:netstats_service:s0
network_management u:object_r:network_management_service:s0
network_score u:object_r:network_score_service:s0
+network_time_update_service u:object_r:network_time_update_service:s0
nfc u:object_r:nfc_service:s0
notification u:object_r:notification_service:s0
otadexopt u:object_r:otadexopt_service:s0
@@ -112,6 +113,7 @@
sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0
servicediscovery u:object_r:servicediscovery_service:s0
+shortcut u:object_r:shortcut_service:s0
simphonebook_msim u:object_r:radio_service:s0
simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
diff --git a/system_app.te b/system_app.te
index a07a9b9..afc2be5 100644
--- a/system_app.te
+++ b/system_app.te
@@ -22,6 +22,9 @@
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
# Write to properties
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
diff --git a/system_server.te b/system_server.te
index 1dd7a6e..fc0ad8e 100644
--- a/system_server.te
+++ b/system_server.te
@@ -11,6 +11,13 @@
allow system_server dalvikcache_data_file:file execute;
allow system_server dalvikcache_data_file:dir r_dir_perms;
+# Enable system server to check the foreign dex usage markers.
+# We need search on top level directories so that we can get to the files
+allow system_server user_profile_data_file:dir search;
+allow system_server user_profile_data_file:file getattr;
+allow system_server user_profile_foreign_dex_data_file:dir search;
+allow system_server user_profile_foreign_dex_data_file:file getattr;
+
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;
@@ -64,6 +71,7 @@
# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;
+allow system_server self:netlink_generic_socket create_socket_perms;
# Use generic "sockets" where the address family is not known
# to the kernel.
@@ -83,7 +91,8 @@
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
-# all processes on the device.
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
r_dir_file(system_server, domain)
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
@@ -125,6 +134,7 @@
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)
+unix_socket_connect(system_server, uncrypt, uncrypt)
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
@@ -142,17 +152,6 @@
# Ask debuggerd to dump backtraces for native stacks of interest.
allow system_server { audioserver cameraserver mediaserver mediacodec mediadrmserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
-# Read /proc/pid files for dumping stack traces of native processes.
-r_dir_file(system_server, audioserver)
-r_dir_file(system_server, cameraserver)
-r_dir_file(system_server, mediaserver)
-r_dir_file(system_server, mediadrmserver)
-r_dir_file(system_server, mediaextractor)
-r_dir_file(system_server, mediacodec)
-r_dir_file(system_server, sdcardd)
-r_dir_file(system_server, surfaceflinger)
-r_dir_file(system_server, inputflinger)
-
# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
@@ -291,10 +290,20 @@
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
# Manage ringtones.
allow system_server ringtone_file:dir { create_dir_perms relabelto };
allow system_server ringtone_file:file create_file_perms;
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
allow system_server system_data_file:dir relabelfrom;
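Review bot: The added `allow system_server system_data_file:dir relabelfrom;` under `# ShortcutManager icons` duplicates the identical rule that already exists at the end of this hunk for FingerprintService. Duplicate allow rules are harmless in the compiled policy, but they make it look as if the two features have independent grants that could be removed separately. Either drop the new line and extend the FingerprintService comment, or keep one rule with a comment listing both users, e.g. `# Relabel directories under /data/system for FingerprintService and ShortcutManager.`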
diff --git a/tee.te b/tee.te
index ab625de..8ea6b95 100644
--- a/tee.te
+++ b/tee.te
@@ -12,3 +12,4 @@
allow tee tee_data_file:dir rw_dir_perms;
allow tee tee_data_file:file create_file_perms;
allow tee self:netlink_socket create_socket_perms;
+allow tee self:netlink_generic_socket create_socket_perms;
diff --git a/ueventd.te b/ueventd.te
index 9eb2b1a..fb72663 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -14,6 +14,7 @@
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_hwrandom:file w_file_perms;
allow ueventd sysfs_zram_uevent:file w_file_perms;
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
diff --git a/uncrypt.te b/uncrypt.te
index 354bda0..c8840dd 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -16,10 +16,11 @@
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
-# Write to pipe file /cache/recovery/uncrypt_status
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-allow uncrypt cache_recovery_file:fifo_file w_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
# Set a property to reboot the device.
set_prop(uncrypt, powerctl_prop)
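Review bot: `unix_socket_connect(uncrypt, uncrypt, uncrypt)` reads as uncrypt connecting to its own socket, while the system_server hunk in this change (`unix_socket_connect(system_server, uncrypt, uncrypt)`) shows system_server as the client, so uncrypt is presumably the server on a socket created for it by init. If uncrypt only listens and accepts, what it needs is listen/accept on that inherited socket (possibly already covered by domain-wide self rules not in this diff), not `connectto` on itself or `uncrypt_socket:sock_file write`; if it really does connect to itself, the comment should say why. Either way `# Write to /dev/socket/uncrypt` does not describe what the macro grants; suggest `# uncrypt <serves/connects to — TODO confirm> /dev/socket/uncrypt; system_server is the client.`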
diff --git a/untrusted_app.te b/untrusted_app.te
index 8672f58..34e5929 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -99,10 +99,13 @@
# https://code.google.com/p/chromium/issues/detail?id=586021
allow untrusted_app proc:file r_file_perms;
-auditallow untrusted_app proc:file r_file_perms;
# access /proc/net/xt_qtguid/stats
r_dir_file(untrusted_app, proc_net)
+# Cts: HwRngTest
+allow untrusted_app sysfs_hwrandom:dir search;
+allow untrusted_app sysfs_hwrandom:file r_file_perms;
+
###
### neverallow rules
###
@@ -173,6 +176,7 @@
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
+ -user_profile_foreign_dex_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
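Review bot: The comment on the added exemption, `# Access to profile files`, is copied from the line above, but the new type is the foreign-dex marker directory, whose only permitted operation for apps is creating marker files (see app.te in this change). Suggest `-user_profile_foreign_dex_data_file # Foreign dex usage markers (create only)`. The neverallow this list belongs to starts before the hunk, so I cannot see its target class and permissions.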
diff --git a/update_engine.te b/update_engine.te
index 39b9936..cf614e6 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -13,6 +13,9 @@
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create_dir_perms };
allow update_engine update_engine_data_file:file { create_file_perms };
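Review bot: `# Ignore these denials.` does not say what makes update_engine attempt `setsched` on kernel processes, so a later reader cannot judge whether the dontaudit still applies or is hiding a real problem. Suggest naming the cause, e.g. `# dontaudit setsched on kernel threads: triggered by <call in update_engine — TODO fill in>`. The existing `dontaudit update_engine kernel:system module_request;` a few lines below carries such a reason and is a good model.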
@@ -27,6 +30,25 @@
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
+# Allow update_engine to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine postinstall_mnt_dir:dir mounton;
+allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine labeledfs:filesystem relabelfrom;
+
+# Allow update_engine to read and execute postinstall_file.
+allow update_engine postinstall_file:file rx_file_perms;
+allow update_engine postinstall_file:lnk_file r_file_perms;
+allow update_engine postinstall_file:dir r_dir_perms;
+
+# The postinstall program is run by update_engine and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine, postinstall_file, postinstall)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine shell_exec:file rx_file_perms;
+
# Register the service to perform Binder IPC.
binder_use(update_engine)
allow update_engine update_engine_service:service_manager { add };
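Review bot: `allow update_engine labeledfs:filesystem relabelfrom;` sits under the postinstall comment but is not explained by it: it is the only rule in the group naming a generic filesystem type, and nothing says it exists because the new partition carries the labeledfs label before the context= mount applies (my inference). A one-line comment would stop someone from removing it as unrelated or widening it to other generic types, e.g. `# The partition is labeledfs until mounted with context=postinstall_file; relabelfrom covers that step.` with the mechanism confirmed. The `mounton` rule being limited to postinstall_mnt_dir is the right shape and worth keeping that narrow.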
diff --git a/vold.te b/vold.te
index fb3673c..5663562 100644
--- a/vold.te
+++ b/vold.te
@@ -187,6 +187,7 @@
# Prepare profile dir for users.
allow vold user_profile_data_file:dir create_dir_perms;
+allow vold user_profile_foreign_dex_data_file:dir { getattr setattr };
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
diff --git a/wpa.te b/wpa.te
index a562fb7..46d975b 100644
--- a/wpa.te
+++ b/wpa.te
@@ -11,6 +11,7 @@
allow wpa cgroup:dir create_dir_perms;
allow wpa self:netlink_route_socket nlmsg_write;
allow wpa self:netlink_socket create_socket_perms;
+allow wpa self:netlink_generic_socket create_socket_perms;
allow wpa self:packet_socket create_socket_perms;
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;