Merge "Drop levelFrom=none from untrusted_app entry."
diff --git a/app.te b/app.te
index cb6ecbc..5334914 100644
--- a/app.te
+++ b/app.te
@@ -113,37 +113,12 @@
allow appdomain download_file:dir search;
allow appdomain download_file:file r_file_perms;
-# Allow applications to communicate with netd via /dev/socket/dnsproxyd
-# to do DNS resolution
-unix_socket_connect(appdomain, dnsproxyd, netd)
-
# Allow applications to communicate with drmserver over binder
binder_call(appdomain, drmserver)
# Allow applications to communicate with mediaserver over binder
binder_call(appdomain, mediaserver)
-# Allow applications to make outbound tcp connections to any port
-allow appdomain port_type:tcp_socket name_connect;
-
-# Allow apps to see changes to the routing table.
-allow appdomain self:netlink_route_socket {
- read
- bind
- create
- nlmsg_read
- ioctl
- getattr
- setattr
- getopt
- setopt
- shutdown
-};
-
-# Allow apps to use rawip sockets. This is needed for apps which execute
-# /system/bin/ping, for example.
-allow appdomain self:rawip_socket create_socket_perms;
-
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
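Review bot: Removing these rules from appdomain means any app_domain that is not also a net_domain silently loses DNS (dnsproxyd), outbound TCP, routing-netlink and rawip/ping access, and nothing left in app.te says where that access now comes from. This commit adds net_domain() to bluetooth, nfc, isolated_app and system_app, but the other app_domain users (untrusted_app, platform_app, …) are outside this diff, so whether each of them already carries net_domain() cannot be confirmed here. A pointer comment where the rules used to be would save the next reader a search: `# Network access (DNS via dnsproxyd, tcp/udp/rawip sockets, routing netlink) is granted per-domain by net_domain(); see net.te.`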
diff --git a/bluetooth.te b/bluetooth.te
index 81c2298..d1fed20 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,6 +1,7 @@
# bluetooth subsystem
type bluetooth, domain;
app_domain(bluetooth)
+net_domain(bluetooth)
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
diff --git a/domain.te b/domain.te
index 1fb2ef8..878ac9f 100644
--- a/domain.te
+++ b/domain.te
@@ -128,9 +128,10 @@
# Get SELinux enforcing status.
selinux_getenforce(domain)
-# security files
+# /data/security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
+allow domain security_file:lnk_file r_file_perms;
# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
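Review bot: The new `allow domain security_file:lnk_file r_file_perms;` lets every domain read symlinks under /data/security, but the updated comment only renames the directory and does not say which symlink all domains need to follow or why. r_file_perms on lnk_file is broader than the getattr-only grant on regular files just above it, so the intent should be stated, e.g. `# All domains may follow symlinks under /data/security (presumably the current-policy link; confirm whether getattr alone would do).` The symlink layout itself is not visible in this diff, so that wording is a guess to be checked.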
diff --git a/file.te b/file.te
index 61c9be5..dc0b0c6 100644
--- a/file.te
+++ b/file.te
@@ -116,6 +116,7 @@
type logdr_socket, file_type;
type logdw_socket, file_type;
type mdns_socket, file_type;
+type mdnsd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type qemud_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 81698d1..4b0ae8a 100644
--- a/file_contexts
+++ b/file_contexts
@@ -86,6 +86,7 @@
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
+/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/qemud u:object_r:qemud_socket:s0
@@ -130,6 +131,7 @@
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/rild u:object_r:rild_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/debuggerd u:object_r:debuggerd_exec:s0
diff --git a/global_macros b/global_macros
index 2f9b4fa..b4a934d 100644
--- a/global_macros
+++ b/global_macros
@@ -43,3 +43,5 @@
# Common socket permission sets.
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
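Review bot: The two new macros carry no comment distinguishing them from the datagram sets above them; `listen` and `accept` are the only additions, and that is exactly what a reviewer granting them to a domain needs to see at a glance. Suggest `# Stream (TCP) socket permission sets: the sets above plus listen/accept for server-side use.` immediately before the rw_stream_socket_perms define.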
diff --git a/isolated_app.te b/isolated_app.te
index f1ddb37..7e51d30 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -11,6 +11,7 @@
type isolated_app, domain;
app_domain(isolated_app)
+net_domain(isolated_app)
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
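Review bot: net_domain(isolated_app) grants more than the appdomain rules this commit removes: netdomain (net.te) also carries node_bind, name_bind, listen and accept, which isolated_app never had, while the comment immediately below still says isolated apps only receive already-connected sockets over IPC. If that model still holds, re-grant only what appdomain previously gave (dnsproxyd connect, tcp name_connect, rawip and routing-netlink sockets) with explicit isolated_app rules instead of the full netdomain set, e.g. `allow isolated_app self:{ tcp_socket udp_socket } rw_socket_perms;` alongside `unix_socket_connect(isolated_app, dnsproxyd, netd)`. If isolated apps genuinely need to bind and listen now, update the comment below to say so, since a neverallow cannot be used to pin the narrower intent next to net_domain().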
diff --git a/mdnsd.te b/mdnsd.te
new file mode 100644
index 0000000..cfcf873
--- /dev/null
+++ b/mdnsd.te
@@ -0,0 +1,7 @@
+# mdns daemon
+type mdnsd, domain;
+permissive_or_unconfined(mdnsd)
+type mdnsd_exec, exec_type, file_type;
+
+init_daemon_domain(mdnsd)
+net_domain(mdnsd)
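Review bot: mdnsd is introduced as permissive_or_unconfined with no TODO or justification, and net.te in the same commit lets every netdomain connect to its control socket, so an unconfined daemon that presumably parses multicast DNS from the local link is also reachable from untrusted_app. At minimum the permissive line deserves a marker so it is not forgotten: `# TODO: confine mdnsd. Reachable by every netdomain via /dev/socket/mdnsd (net.te) and presumably listens on the network.` Whether init or mdnsd itself creates that socket is not visible here; if mdnsd creates it, it will also need sock_file create on mdnsd_socket once confined.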
diff --git a/net.te b/net.te
index b10cecd..c67f456 100644
--- a/net.te
+++ b/net.te
@@ -4,15 +4,30 @@
type port, port_type;
# Use network sockets.
-allow netdomain self:{ tcp_socket udp_socket } *;
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
-# Get route information.
-allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket {
+ read
+ bind
+ create
+ nlmsg_read
+ ioctl
+ getattr
+ setattr
+ getopt
+ setopt
+ shutdown
+};
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
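Review bot: `allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;` drops the explanation that came with the rule it replaces in app.te (`# Allow apps to use rawip sockets. This is needed for apps which execute /system/bin/ping`), so rawip access for every netdomain now reads as unmotivated; restore it as `# rawip_socket: needed by domains that execute /system/bin/ping.` Separately, `unix_socket_connect(netdomain, mdnsd, mdnsd)` makes the mdnsd control socket reachable from every network-capable domain including untrusted_app; if only netd is meant to drive mdnsd (netd.te: "Support netd running mdnsd"), granting the connect to netd alone would be tighter, and if apps are meant to reach it directly a comment should say so.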
diff --git a/netd.te b/netd.te
index f8c9ffb..b8d26f9 100644
--- a/netd.te
+++ b/netd.te
@@ -5,7 +5,16 @@
init_daemon_domain(netd)
net_domain(netd)
-allow netd self:capability { net_admin net_raw kill fsetid };
+allow netd self:capability { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate. Uncomment the dontaudit rule below after
+# sufficient testing of the fsetid removal.
+# dontaudit netd self:capability fsetid;
+
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
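Review bot: The commented-out `# dontaudit netd self:capability fsetid;` has no greppable marker, so the follow-up it describes ("uncomment after sufficient testing") is easy to lose. Prefix the block with `# TODO:` and state the condition plainly, e.g. `# TODO: once netd is confirmed to work without fsetid, enable the dontaudit below to silence the expected chmod-triggered denials.` The explanatory text about how fsetid checks are triggered is good and should stay.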
@@ -52,7 +61,6 @@
# Support netd running mdnsd
# TODO: prune this back further
allow netd ctl_default_prop:property_service set;
-allow netd device:sock_file write;
###
### Neverallow rules
diff --git a/nfc.te b/nfc.te
index d0e4d83..0522c52 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,6 +1,7 @@
# nfc subsystem
type nfc, domain;
app_domain(nfc)
+net_domain(nfc)
binder_service(nfc)
# NFC device access.
diff --git a/property_contexts b/property_contexts
index eb23a6d..12fd108 100644
--- a/property_contexts
+++ b/property_contexts
@@ -2,7 +2,7 @@
# property service keys
#
#
-net.rmnet0 u:object_r:radio_prop:s0
+net.rmnet u:object_r:radio_prop:s0
net.gprs u:object_r:radio_prop:s0
net.ppp u:object_r:radio_prop:s0
net.qmi u:object_r:radio_prop:s0
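Review bot: property_contexts entries are prefix matches, so `net.rmnet` now labels every key beginning with net.rmnet (rmnet0 … rmnetN and any other net.rmnet* name), which is wider than the single net.rmnet0 key it replaces and is not called out anywhere. A short comment makes the widening deliberate: `# net.rmnet is a prefix: covers net.rmnet0, net.rmnet1, ... and any other net.rmnet* key`.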
diff --git a/sdcardd.te b/sdcardd.te
index 411120a..7a06998 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -18,8 +18,3 @@
# Read /data/system/packages.list.
allow sdcardd system_data_file:file r_file_perms;
-
-# Compatibility for existing devices with /data/media in system_data_file.
-# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
-allow sdcardd system_data_file:dir create_dir_perms;
-allow sdcardd system_data_file:file create_file_perms;
diff --git a/system_app.te b/system_app.te
index 4f5492c..702c556 100644
--- a/system_app.te
+++ b/system_app.te
@@ -6,6 +6,7 @@
type system_app, domain;
permissive_or_unconfined(system_app)
app_domain(system_app)
+net_domain(system_app)
binder_service(system_app)
# Perform binder IPC to any app domain.
diff --git a/uncrypt.te b/uncrypt.te
index 97258a7..f62fbbf 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -3,7 +3,6 @@
type uncrypt_exec, exec_type, file_type;
init_daemon_domain(uncrypt)
-permissive_or_unconfined(uncrypt)
allow uncrypt self:capability dac_override;
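Review bot: With permissive_or_unconfined removed, uncrypt is now enforcing, and the only rule visible in this hunk is `allow uncrypt self:capability dac_override;`, which has no comment saying why uncrypt must bypass DAC. dac_override is one of the broadest capabilities in the policy, so the grant should name the path or file it is needed for, e.g. `# dac_override: needed to access <which file/dir> owned by another uid — TODO confirm and narrow.` The rest of the domain's rules are outside this hunk, so whether they cover uncrypt's full enforcing workload cannot be checked here.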
diff --git a/untrusted_app.te b/untrusted_app.te
index 16499c1..85cf79e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -46,13 +46,6 @@
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file execute;
-# Create tcp/udp sockets
-allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
-allow untrusted_app self:{ tcp_socket udp_socket } { create_socket_perms accept listen };
-# Bind to a particular hostname/address/interface (e.g., localhost) instead of
-# ANY. Normally, apps should not be listening on all interfaces.
-allow untrusted_app port:{ tcp_socket udp_socket } name_bind;
-
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)