Merge "Label /data/.layout_version with its own type."
diff --git a/domain.te b/domain.te
index 5e29272..7f0347a 100644
--- a/domain.te
+++ b/domain.te
@@ -169,7 +169,8 @@
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+neverallow domain kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;
diff --git a/kernel.te b/kernel.te
index 1ff8f68..c40d08b 100644
--- a/kernel.te
+++ b/kernel.te
@@ -11,7 +11,9 @@
allow kernel fs_type:filesystem *;
# Initial setenforce by init prior to switching to init domain.
-allow kernel self:security setenforce;
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
diff --git a/mediaserver.te b/mediaserver.te
index 265675a..6fdc080 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,5 +1,6 @@
# mediaserver - multimedia daemon
type mediaserver, domain;
+permissive_or_unconfined(mediaserver)
type mediaserver_exec, exec_type, file_type;
typeattribute mediaserver mlstrustedsubject;
@@ -43,6 +44,9 @@
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
# Access camera device.
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver rpmsg_device:chr_file rw_file_perms;
diff --git a/ppp.te b/ppp.te
index bcab339..fb8641a 100644
--- a/ppp.te
+++ b/ppp.te
@@ -8,6 +8,7 @@
net_domain(ppp)
allow ppp mtp:socket rw_socket_perms;
+allow ppp mtp:unix_dgram_socket rw_socket_perms;
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:capability net_admin;
allow ppp system_file:file rx_file_perms;
diff --git a/system_server.te b/system_server.te
index 30f3025..66db7f8 100644
--- a/system_server.te
+++ b/system_server.te
@@ -167,9 +167,73 @@
# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;
-# Manage data files.
-allow system_server { data_file_type -keystore_data_file }:dir create_dir_perms;
-allow system_server { data_file_type -keystore_data_file }:notdevfile_class_set create_file_perms;
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:file create_file_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Manage /data/dalvik-cache.
+allow system_server dalvikcache_data_file:dir create_dir_perms;
+allow system_server dalvikcache_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Walk /data/data subdirectories.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+
+# Populate com.android.providers.settings/databases/settings.db.
+allow system_server system_app_data_file:dir create_dir_perms;
+allow system_server system_app_data_file:file create_file_perms;
+
+# Receive and use open app data files passed over binder IPC.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)
diff --git a/zygote.te b/zygote.te
index 199f165..a1b6068 100644
--- a/zygote.te
+++ b/zygote.te
@@ -20,6 +20,8 @@
# Write to system data.
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
+auditallow zygote system_data_file:dir { write add_name remove_name };
+auditallow zygote system_data_file:file { create setattr write append link unlink rename };
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# For art.