Merge "wpa_supplicant: Remove unnecessary permissions from system_server"
diff --git a/private/app.te b/private/app.te
index 04be106..ed2d8b6 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,11 +87,12 @@
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
# Renderscript needs the ability to read directories on /system
-r_dir_file(appdomain, system_file)
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
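Review bot: The new `system_file:file x_file_perms` line drops the open/read/ioctl/lock that the old rx_file_perms granted, and the new lnk_file line likewise omits the ioctl and lock that the removed r_dir_file macro handed out, so app read access to /system files must now come from a domain-wide rule outside this diff, and nothing in the hunk records that. A comment beside the x_file_perms line would keep the narrowing from being read as a typo, e.g. `# open/read on system_file come from the domain-wide rules; only execute is granted here`, and the lnk_file line could carry `# no ioctl/lock on purpose; see the system_file lock neverallow`. If no such domain-wide read rule exists, this hunk removes app read access to /system and should be checked against the rest of the policy before merge.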
@@ -133,7 +134,7 @@
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;
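Review bot: The comment above the changed r_dir_file line still reads as if all of appdomain may read /proc/net, but the rule now excludes ephemeral_app, and the reason is only stated in ephemeral_app.te. Extend the comment so the exclusion is explained where the grant is, e.g. `# read /proc/net/xt_qtaguid/stats (ephemeral apps excluded: proc_net exposes device-wide connection state, see ephemeral_app.te)`. The set `{ appdomain -ephemeral_app}` also lacks the space before the closing brace that the other sets in this file use, e.g. `r_dir_file({ appdomain -ephemeral_app }, proc_net)`.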
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 15ab764..5e47b68 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -100,3 +100,7 @@
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b94827..2b0515a 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -52,3 +52,7 @@
# Directly access external storage
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
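Review bot: The neverallow covers only proc_net:file, while the r_dir_file grant it guards against also hands out lnk_file reads and directory listing, so a later `allow ephemeral_app proc_net:lnk_file r_file_perms` would pass the check even though the concern in the comment is the same. Unless a domain-wide rule already grants ephemeral_app those classes (not visible in this diff), consider `neverallow ephemeral_app proc_net:{ file lnk_file } no_rw_file_perms;`. The comment's `Avoid reads to proc_net` would read more naturally as `Do not allow reads of proc_net`.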
diff --git a/public/cameraserver.te b/public/cameraserver.te
index a75524d..d1b55cf 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -5,7 +5,6 @@
binder_use(cameraserver)
binder_call(cameraserver, binderservicedomain)
binder_call(cameraserver, appdomain)
-binder_call(cameraserver, hal_graphics_allocator)
binder_service(cameraserver)
hal_client_domain(cameraserver, hal_camera)
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index abecbda..ff36956 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -15,7 +15,6 @@
### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
### These rules should eventually be granted only when needed.
-hwbinder_use(gatekeeperd)
hal_client_domain(gatekeeperd, hal_gatekeeper)
###
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index c428eba..618a2ee 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,7 +1,4 @@
-# call into gatekeeperd process (callbacks)
-# TODO: This rules is unlikely to be needed because Gatekeeper HIDL
-# says there are no callbacks
-binder_call(hal_gatekeeper, gatekeeperd)
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
# TEE access.
allow hal_gatekeeper tee_device:chr_file rw_file_perms;
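Review bot: The replacement `binder_call(hal_gatekeeper_client, hal_gatekeeper_server)` line carries no comment, whereas the removed callback rule documented both its purpose and why it was doubtful; the direction of the new rule and the reason the reverse rule is gone are now unrecorded. Add above it `# Clients of the Gatekeeper HAL call into its server. The HIDL interface has no callbacks, so no server-to-client call rule is needed.`, which preserves the rationale the deleted TODO gave. Since the rule keys on the client/server attributes rather than on hal_gatekeeper itself, that comment also tells a reader of the client domain's policy where the grant lives.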
diff --git a/public/te_macros b/public/te_macros
index 60de568..0e1bffb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -148,26 +148,6 @@
typeattribute $1 bluetoothdomain;
')
-# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
-#####################################
-# hal_impl_domain(domain[, hal_type_attr])
-# Allow a base set of permissions required for a domain to host a
-# HAL implementation.
-#
-# Optionally, the type of the HAL can be specified as the second
-# argument. This is useful for HALs which may have multiple
-# implementations. Attributes are used to group the various
-# implementations of such HALs.
-#
-# For example, default implementation of Foo HAL:
-# type hal_foo_default, domain;
-# hal_impl_domain(hal_foo_default, hal_foo)
-#
-define(`hal_impl_domain', `
-typeattribute $1 halserverdomain;
-ifelse($2, `', `', `typeattribute $1 $2;')
-')
-
#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a