Merge "Allow redeclaring typeattributes"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index db14f1b..7638d36 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -110,7 +110,7 @@
 # Create a more specific label if needed
 neverallow all_untrusted_apps {
   proc
-  proc_asound_cards
+  proc_asound
   proc_filesystems
   proc_kmsg
   proc_loadavg
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index ca34491..c60b2e6 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -446,7 +446,7 @@
 (typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
 (typeattributeset print_service_26_0 (print_service))
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_asound_cards proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
+(typeattributeset proc_26_0 (proc proc_asound proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b5827c8..6a95ffb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,7 +2,8 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
-genfscon proc /asound/cards u:object_r:proc_asound_cards:s0
+genfscon proc /asound/cards u:object_r:proc_asound:s0
+genfscon proc /asound/devices u:object_r:proc_asound:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
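Review bot: The added `/asound/devices` entry labels exactly one more file, while `/proc/asound` itself and anything else beneath it stays at the catch-all `proc` label under the longest-prefix rule quoted two lines above. The rename from a per-file type to the broader `proc_asound` suggests the subtree is the intended unit; if so, a single `genfscon proc /asound u:object_r:proc_asound:s0` would cover it without enumerating files, and if only these two files are meant, a one-line comment above them stating that would stop the next reader from "completing" the list. Either way untrusted apps stay blocked, since the neverallow in app_neverallows.te lists both `proc` and `proc_asound`, so this is a scoping and documentation point rather than an exposure.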
diff --git a/private/system_server.te b/private/system_server.te
index c1b184a..8f9091d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -675,7 +675,7 @@
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
 
-r_dir_file(system_server, proc_asound_cards)
+r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_loadavg)
 r_dir_file(system_server, proc_meminfo)
 r_dir_file(system_server, proc_net)
diff --git a/public/file.te b/public/file.te
index 51a0439..79435e5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -13,7 +13,7 @@
 type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
-type proc_asound_cards, fs_type;
+type proc_asound, fs_type;
 type proc_cmdline, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_filesystems, fs_type;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index be7e235..6a436bd 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -14,7 +14,7 @@
 ')
 
 r_dir_file(hal_audio, proc)
-r_dir_file(hal_audio, proc_asound_cards)
+r_dir_file(hal_audio, proc_asound)
 allow hal_audio audio_device:dir r_dir_perms;
 allow hal_audio audio_device:chr_file rw_file_perms;
 
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 05e65bf..f8e8a6b 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -22,6 +22,9 @@
 
 crash_dump_fallback(mediaextractor)
 
+# Suppress denials from sdcardfs (b/67454004)
+dontaudit mediaextractor sdcardfs:file read;
+
 # allow mediaextractor read permissions for file sources
 allow mediaextractor media_rw_data_file:file { getattr read };
 allow mediaextractor app_data_file:file { getattr read };
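Review bot: The added `dontaudit mediaextractor sdcardfs:file read;` only silences the audit record; the read is still denied, so if mediaextractor is expected to read media from an sdcardfs-backed fd handed to it, the rule hides a functional failure instead of fixing it, and if the read is not expected, it removes the only signal that the process is reaching storage it should not. The bug number is the sole rationale in the hunk; a comment saying which of those two it is and when the rule can go would help, e.g. `# TODO(b/67454004): log suppression only, the read is still denied; remove once the fd-passing path is fixed`. The context lines directly below grant read on media_rw_data_file and app_data_file, which makes the sdcardfs denial look like a labeling gap rather than expected noise, but that is an inference worth confirming.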
@@ -50,3 +53,11 @@
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+  data_file_type
+  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+}:file open;
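Review bot: The new neverallow asserts `open` for the `file` class only, while the comment states mediaextractor should not be opening /data files itself; `open` also exists for the `dir` class, so a directory under /data could still be opened and enumerated without tripping this assertion. If that is unintended, `}:{ file dir lnk_file } open;` would close it, after checking that no existing allow rule grants `dir open` to mediaextractor, because a neverallow violation fails the policy build rather than a runtime check. The `{ getattr read }` allows earlier in this file are consistent with the assertion precisely because they omit `open`; stating that in the comment, e.g. `# Reads on already-open fds (media_rw_data_file, app_data_file) stay allowed; only open is forbidden.`, would make "with a few exceptions" concrete.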
diff --git a/public/vold.te b/public/vold.te
index a853715..a569f9e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -17,6 +17,7 @@
 
 r_dir_file(vold, rootfs)
 allow vold {
+  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
   proc_cmdline
   proc_drop_caches
   proc_filesystems
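Review bot: The added `proc` entry grants vold access to the catch-all label for every /proc path without a more specific genfscon entry, not only /proc/<pid>/*, so the workaround is wider than the mislabeling the comment cites. The allow block continues past the end of the hunk, so the permissions being granted on `proc` are not visible here; if they go beyond read/getattr the widening matters more. A comment such as `# TODO(b/67049235): this is the generic /proc label, not pid-specific; drop once /proc/<pid> is labeled correctly` would make the temporary nature and the actual scope explicit.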