Merge "audioserver: grant read perms to /proc"
diff --git a/app.te b/app.te
index 70975d9..9f68327 100644
--- a/app.te
+++ b/app.te
@@ -240,6 +240,8 @@
 allow appdomain adbd:fd use;
 allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
+allow appdomain cache_file:dir getattr;
+
 ###
 ### Neverallow rules
 ###
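Review bot: `allow appdomain cache_file:dir getattr;` is the only rule in this stretch of app.te without a rationale comment, and it applies to every app domain, untrusted_app included. Which component needs to stat /cache is not visible from the hunk; a one-line comment such as `# Allow apps to stat /cache (needed by <CALLER — fill in>)` above the rule would keep the grant reviewable the next time app.te is trimmed.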
diff --git a/autoplay_app.te b/autoplay_app.te
index 022c036..f671d5d 100644
--- a/autoplay_app.te
+++ b/autoplay_app.te
@@ -41,10 +41,6 @@
 allow autoplay_app autoplay_data_file:dir create_dir_perms;
 allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;
 
-# For /acct/uid/*/tasks.
-allow autoplay_app cgroup:dir { search write };
-allow autoplay_app cgroup:file w_file_perms;
-
 # For art.
 allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
 allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
diff --git a/bluetooth.te b/bluetooth.te
index 6a329b7..0c42eb5 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -37,6 +37,7 @@
 
 allow bluetooth audioserver_service:service_manager find;
 allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth cameraserver_service:service_manager find;
 allow bluetooth drmserver_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
diff --git a/bootanim.te b/bootanim.te
index 550c6dc..fa0e4dc 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -18,10 +18,6 @@
 
 allow bootanim surfaceflinger_service:service_manager find;
 
-# For /acct/uid/*/tasks.
-allow bootanim cgroup:dir { search write };
-allow bootanim cgroup:file w_file_perms;
-
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
 
diff --git a/cameraserver.te b/cameraserver.te
new file mode 100644
index 0000000..3a5dff3
--- /dev/null
+++ b/cameraserver.te
@@ -0,0 +1,120 @@
+# cameraserver - camera daemon
+type cameraserver, domain, domain_deprecated;
+type cameraserver_exec, exec_type, file_type;
+
+typeattribute cameraserver mlstrustedsubject;
+
+net_domain(cameraserver)
+init_daemon_domain(cameraserver)
+
+r_dir_file(cameraserver, sdcard_type)
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+# Required by Widevine DRM (b/22990512)
+allow cameraserver self:process execmem;
+
+allow cameraserver kernel:system module_request;
+allow cameraserver media_data_file:dir create_dir_perms;
+allow cameraserver media_data_file:file create_file_perms;
+allow cameraserver camera_data_file:dir create_dir_perms;
+allow cameraserver camera_data_file:file create_file_perms;
+allow cameraserver app_data_file:dir search;
+allow cameraserver app_data_file:file rw_file_perms;
+allow cameraserver sdcard_type:file write;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver video_device:dir r_dir_perms;
+allow cameraserver video_device:chr_file rw_file_perms;
+allow cameraserver audio_device:dir r_dir_perms;
+allow cameraserver tee_device:chr_file rw_file_perms;
+
+set_prop(cameraserver, audio_prop)
+
+# Access audio devices at all.
+allow cameraserver audio_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow cameraserver sysfs:file r_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow cameraserver apk_data_file:file { read getattr };
+allow cameraserver asec_apk_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow cameraserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow cameraserver appdomain:fifo_file { getattr read write };
+
+allow cameraserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow cameraserver system_server:fifo_file r_file_perms;
+
+# Camera data
+r_dir_file(cameraserver, camera_data_file)
+r_dir_file(cameraserver, media_rw_data_file)
+
+# Grant access to audio files to cameraserver
+allow cameraserver audio_data_file:dir ra_dir_perms;
+allow cameraserver audio_data_file:file create_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow cameraserver qtaguid_proc:file rw_file_perms;
+allow cameraserver qtaguid_device:chr_file r_file_perms;
+
+# Allow abstract socket connection
+allow cameraserver rild:unix_stream_socket { connectto read write setopt };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(cameraserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(cameraserver, bluetooth, bluetooth)
+
+# Connect to tee service.
+allow cameraserver tee:unix_stream_socket connectto;
+
+allow cameraserver activity_service:service_manager find;
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver cameraserver_service:service_manager { add find };
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver drmserver_service:service_manager find;
+allow cameraserver mediaextractor_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver permission_service:service_manager find;
+allow cameraserver power_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+# /oem access
+allow cameraserver oemfs:dir search;
+allow cameraserver oemfs:file r_file_perms;
+
+use_drmservice(cameraserver)
+allow cameraserver drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
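Review bot: Several grants in the new cameraserver domain read as a copy of mediaserver's policy rather than what a camera daemon needs: `allow cameraserver self:process execmem;` (justified only by a Widevine DRM bug), the `drmserver:drmservice` decrypt permissions, `set_prop(cameraserver, audio_prop)`, the `radio_data_file` reads, the `rild` and `bluetooth` socket connects, the `tee` connect and the `domain_deprecated` attribute. execmem in particular weakens W^X for a process that parses image data handed over Binder from app domains, so each of these should either carry a camera-specific justification comment or be left out and re-added on observed denials. The closing `neverallow cameraserver { file_type fs_type }:file execute_no_trans;` is good; a short comment on why `mlstrustedsubject` is required would also help.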
diff --git a/debuggerd.te b/debuggerd.te
index 576c76f..917c88c 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -22,7 +22,8 @@
 # Allow debuggerd to redirect a dump_backtrace request to itself.
 # This only happens on 64 bit systems, where all requests go to the 64 bit
 # debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-allow debuggerd { audioserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+
+allow debuggerd { audioserver cameraserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
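Review bot: The blank line added at the top of this hunk separates the three-line comment about dump_backtrace redirection from the `allow debuggerd { ... }:debuggerd dump_backtrace;` rule it explains, so the comment now floats free of its rule. Drop the inserted empty line; the only intended change here appears to be adding cameraserver to the list.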
diff --git a/dex2oat.te b/dex2oat.te
index 42abb55..4252b88 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -3,7 +3,8 @@
 type dex2oat_exec, exec_type, file_type;
 
 allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
 allow dex2oat dalvikcache_data_file:lnk_file read;
 allow dex2oat installd:fd use;
 
@@ -16,4 +17,27 @@
 allow dex2oat apk_tmp_file:file read;
 allow dex2oat app_data_file:file {read write lock};
 
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat otapreopt:fd use;
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file read;
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+##############
+# Neverallow #
+##############
+
 neverallow dex2oat app_data_file:notdevfile_class_set open;
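Review bot: `allow dex2oat ota_data_file:file { create w_file_perms setattr };` gives dex2oat, which also reads app-supplied input (`apk_tmp_file`, `app_data_file` above, hence the `neverallow dex2oat app_data_file:notdevfile_class_set open;`), create/write/setattr over the whole /data/ota tree rather than only the boot-image files it produces. The preceding comment already concedes this should be tightened, so mark it as tracked work rather than a permanent state, e.g. `# TODO(b/<TRACKING-BUG — fill in>): pass preopted boot image fds from otapreopt so this write grant can be removed.` The two "Read symlinks ... PIC mode boot images" comments in this file are now duplicated word for word; the second could simply read `# As for /data/dalvik-cache above, for PIC mode boot images under /data/ota/dalvik-cache.`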
diff --git a/domain.te b/domain.te
index 0ac3418..e8d15fe 100644
--- a/domain.te
+++ b/domain.te
@@ -24,8 +24,7 @@
 allow domain self:fd use;
 allow domain proc:dir search;
 allow domain proc_net:dir search;
-allow domain self:dir r_dir_perms;
-allow domain self:lnk_file r_file_perms;
+r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -122,6 +121,10 @@
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
 
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
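Review bot: `allow domain cgroup:dir { search write };` and `allow domain cgroup:file w_file_perms;` now apply to every domain, untrusted_app and isolated processes included, where before this diff the same rules were limited to domain_deprecated, bootanim and autoplay_app (whose copies are removed in their own hunks). The comment scopes the intent to /acct/uid/*/tasks, but the `cgroup` type presumably labels entire cgroup mounts, so this becomes a policy-wide write grant to cgroup control files. A comment stating why the grant must be universal rather than given to the domains that actually perform the task-group writes would help, and if only /acct is meant, a dedicated label for that mount would let the other cgroup trees keep their protection.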
@@ -267,7 +270,7 @@
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
 
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
@@ -320,6 +323,7 @@
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
 neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init } mmc_prop:property_service set;
 
 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
 
@@ -338,6 +342,7 @@
   -init # TODO: limit init to relabelfrom for files
   -zygote
   -installd
+  -otapreopt
   -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;
 
@@ -345,6 +350,7 @@
   domain
   -init
   -installd
+  -otapreopt
   -dex2oat
   -zygote
 } dalvikcache_data_file:dir no_w_dir_perms;
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 0db79da..ed88cca 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -49,10 +49,6 @@
 allow domain_deprecated cache_file:file { getattr read };
 allow domain_deprecated cache_file:lnk_file r_file_perms;
 
-# For /acct/uid/*/tasks.
-allow domain_deprecated cgroup:dir { search write };
-allow domain_deprecated cgroup:file w_file_perms;
-
 #Allow access to ion memory allocation device
 allow domain_deprecated ion_device:chr_file rw_file_perms;
 
diff --git a/dumpstate.te b/dumpstate.te
index 667c8fc..16be441 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@
 
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { audioserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
 # Ask debuggerd for the backtraces of these processes.
-allow dumpstate { audioserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
 
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
diff --git a/file.te b/file.te
index 0c5593d..88d997c 100644
--- a/file.te
+++ b/file.te
@@ -82,6 +82,8 @@
 type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
+# /data/ota
+type ota_data_file, file_type, data_file_type;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
@@ -145,9 +147,10 @@
 typealias app_data_file alias download_file;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
-# Type for /cache/.*\.{data|restore} and default
-# type for anything under /cache/backup
+# Type for /cache/backup_stage/* (fd interchange with apps)
 type cache_backup_file, file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type;
 # Type for anything under /cache/recovery
 type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
diff --git a/file_contexts b/file_contexts
index 0a25389..1195ebd 100644
--- a/file_contexts
+++ b/file_contexts
@@ -166,9 +166,11 @@
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
+/system/bin/otapreopt   u:object_r:otapreopt_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
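Review bot: `/system/bin/otapreopt   u:object_r:otapreopt_exec:s0` separates path and context with spaces while every neighbouring entry in this block uses a tab. file_contexts tolerates either, but mixed separators make column-aligned diffs and grep-based audits of this file noisier; use a tab like the surrounding lines.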
@@ -236,6 +238,7 @@
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
 /data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/ota(/.*)? u:object_r:ota_data_file:s0
 /data/adb(/.*)?		u:object_r:adb_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?                       u:object_r:apk_data_file:s0
@@ -307,7 +310,8 @@
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
 
-# Wallpaper file for other users
+# Wallpaper files
+/data/system/users/[0-9]+/wallpaper_orig	u:object_r:wallpaper_file:s0
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
 #############################
 # efs files
@@ -317,11 +321,12 @@
 # Cache files
 #
 /cache(/.*)?		u:object_r:cache_file:s0
-/cache/.*\.data	u:object_r:cache_backup_file:s0
-/cache/.*\.restore	u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this directory
-/cache/backup(/.*)?	u:object_r:cache_backup_file:s0
 /cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/cache/backup_stage(/.*)?	u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/cache/backup(/.*)?		u:object_r:cache_private_backup_file:s0
+
 #############################
 # sysfs files
 #
diff --git a/healthd.te b/healthd.te
index d09eab4..4f2a2ea 100644
--- a/healthd.te
+++ b/healthd.te
@@ -5,6 +5,9 @@
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;
 
+# Read access to pseudo filesystems.
+r_dir_file(healthd, sysfs)
+
 allow healthd self:capability { net_admin sys_tty_config };
 wakelock_use(healthd)
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/init.te b/init.te
index 7346d9a..1baeeee 100644
--- a/init.te
+++ b/init.te
@@ -266,6 +266,7 @@
 # by dm-verity detecting corrupted blocks
 allow init pstorefs:dir search;
 allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
 
 # linux keyring configuration
 allow init init:key { write search setattr };
diff --git a/installd.te b/installd.te
index 379e074..f685a48 100644
--- a/installd.te
+++ b/installd.te
@@ -69,6 +69,9 @@
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run otapreopt in its own sandbox.
+domain_auto_trans(installd, otapreopt_exec, otapreopt)
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/kernel.te b/kernel.te
index 05838af..67edc10 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,6 +3,15 @@
 
 allow kernel self:capability sys_nice;
 
+# Root fs.
+allow kernel rootfs:dir r_dir_perms;
+allow kernel rootfs:file r_file_perms;
+allow kernel rootfs:lnk_file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;
diff --git a/logd.te b/logd.te
index 9b1fdd3..aa24c05 100644
--- a/logd.te
+++ b/logd.te
@@ -4,6 +4,10 @@
 
 init_daemon_domain(logd)
 
+# Read access to pseudo filesystems.
+r_dir_file(logd, proc)
+r_dir_file(logd, proc_net)
+
 allow logd self:capability { setuid setgid sys_nice audit_control };
 allow logd self:capability2 syslog;
 allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
diff --git a/mediaserver.te b/mediaserver.te
index 8b5b5d5..a54e198 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -9,6 +9,12 @@
 
 r_dir_file(mediaserver, sdcard_type)
 
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, { appdomain autoplay_app })
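Review bot: The comment `# open /vendor/lib/mediadrm` names a /vendor path, but the rule beneath it grants `system_file:dir r_dir_perms`, i.e. directory listing of every system_file-labelled directory. If /vendor/lib resolves into /system/vendor and is therefore labelled system_file, say so in the comment, e.g. `# open /vendor/lib/mediadrm (/vendor -> /system/vendor, labelled system_file)`; otherwise the grant is wider than the comment suggests and a narrower type would be preferable.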
@@ -81,6 +87,7 @@
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
 allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index e02c119..6333e59 100644
--- a/nfc.te
+++ b/nfc.te
@@ -18,6 +18,7 @@
 allow nfc sysfs:file write;
 
 allow nfc audioserver_service:service_manager find;
+allow nfc cameraserver_service:service_manager find;
 allow nfc drmserver_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 allow nfc mediaextractor_service:service_manager find;
diff --git a/otapreopt.te b/otapreopt.te
new file mode 100644
index 0000000..bb90eaf
--- /dev/null
+++ b/otapreopt.te
@@ -0,0 +1,31 @@
+# otapreopt executable
+type otapreopt, domain, mlstrustedsubject;
+type otapreopt_exec, exec_type, file_type;
+
+init_daemon_domain(otapreopt)
+allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid };
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow otapreopt ota_data_file:dir create_dir_perms;
+allow otapreopt ota_data_file:file create_file_perms;
+allow otapreopt ota_data_file:lnk_file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow otapreopt dalvikcache_data_file:dir relabelto;
+allow otapreopt dalvikcache_data_file:file { relabelto link };
+
+allow otapreopt selinuxfs:dir r_dir_perms;
+
+# Check validity of SELinux context before use.
+selinux_check_context(otapreopt)
+selinux_check_access(otapreopt)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(otapreopt, dex2oat_exec, dex2oat)
+
+# Allow otapreopt to use file descriptors from installd.
+allow otapreopt installd:fd use;
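Review bot: `allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid };` grants a wide capability set, dac_override included, with no comment on why each is needed, and `mlstrustedsubject` on the type declaration is likewise unexplained; a per-capability rationale (or a pointer to the installd rules it mirrors, if that is the origin) would make later trimming possible. The file also has no neverallow section, unlike the new cameraserver.te; if otapreopt only ever executes dex2oat via the `domain_auto_trans` above, adding `neverallow otapreopt { file_type fs_type }:file execute_no_trans;` would pin that down. The `# TODO: Restrict to .b suffix?` on the relabelto rules would benefit from a tracking reference such as `# TODO(b/<TRACKING-BUG — fill in>)`.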
diff --git a/platform_app.te b/platform_app.te
index e5cd0a6..7730054 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,11 +39,13 @@
 allow platform_app vfat:file create_file_perms;
 
 allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app mediaextractor_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app voiceinteraction_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index d31bf47..9c43ec2 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -20,6 +20,7 @@
 create_pty(priv_app)
 
 allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
@@ -29,6 +30,7 @@
 allow priv_app app_api_service:service_manager find;
 allow priv_app system_api_service:service_manager find;
 allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app voiceinteraction_service:service_manager find;
 
 # Traverse into /mnt/media_rw for bypassing FUSE daemon
 # TODO: narrow this to just MediaProvider
diff --git a/property.te b/property.te
index 94567ed..c649a90 100644
--- a/property.te
+++ b/property.te
@@ -23,6 +23,7 @@
 type ctl_console_prop, property_type;
 type audio_prop, property_type, core_property_type;
 type logd_prop, property_type, core_property_type;
+type mmc_prop, property_type;
 type restorecon_prop, property_type, core_property_type;
 type security_prop, property_type, core_property_type;
 type bluetooth_prop, property_type, core_property_type;
diff --git a/property_contexts b/property_contexts
index 47c3cf7..9e936ca 100644
--- a/property_contexts
+++ b/property_contexts
@@ -41,6 +41,7 @@
 persist.logd.           u:object_r:logd_prop:s0
 persist.logd.security   u:object_r:device_logging_prop:s0
 persist.log.tag         u:object_r:logd_prop:s0
+persist.mmc.            u:object_r:mmc_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
diff --git a/radio.te b/radio.te
index 0da43a6..c4df1f7 100644
--- a/radio.te
+++ b/radio.te
@@ -28,6 +28,7 @@
 set_prop(radio, ctl_rildaemon_prop)
 
 allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
diff --git a/recovery.te b/recovery.te
index d2cc90e..afacf40 100644
--- a/recovery.te
+++ b/recovery.te
@@ -48,7 +48,7 @@
   # TODO: create more specific label?
   allow recovery sysfs:file w_file_perms;
 
-  access_kmsg(recovery)
+  allow recovery kernel:system syslog_read;
 
   # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
   allow recovery adb_device:chr_file rw_file_perms;
diff --git a/sdcardd.te b/sdcardd.te
index 056e9f8..846c59b 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -4,6 +4,7 @@
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
+allow sdcardd tmpfs:dir r_dir_perms;
 allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
diff --git a/service.te b/service.te
index 6c284e6..45f1c87 100644
--- a/service.te
+++ b/service.te
@@ -1,5 +1,6 @@
 type audioserver_service,       service_manager_type;
 type bluetooth_service,         service_manager_type;
+type cameraserver_service,      service_manager_type;
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
@@ -70,6 +71,7 @@
 type network_management_service, app_api_service, system_server_service, service_manager_type;
 type network_score_service, system_api_service, system_server_service, service_manager_type;
 type notification_service, app_api_service, system_server_service, service_manager_type;
+type otadexopt_service, system_server_service, service_manager_type;
 type package_service, app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
@@ -98,7 +100,7 @@
 type usb_service, app_api_service, system_server_service, service_manager_type;
 type user_service, app_api_service, system_server_service, service_manager_type;
 type vibrator_service, app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, system_server_service, service_manager_type;
 type wallpaper_service, app_api_service, system_server_service, service_manager_type;
 type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
 type wifip2p_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 58120c0..747369e 100644
--- a/service_contexts
+++ b/service_contexts
@@ -63,7 +63,7 @@
 lock_settings                             u:object_r:lock_settings_service:s0
 media.audio_flinger                       u:object_r:audioserver_service:s0
 media.audio_policy                        u:object_r:audioserver_service:s0
-media.camera                              u:object_r:mediaserver_service:s0
+media.camera                              u:object_r:cameraserver_service:s0
 media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:audioserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
@@ -84,6 +84,7 @@
 network_score                             u:object_r:network_score_service:s0
 nfc                                       u:object_r:nfc_service:s0
 notification                              u:object_r:notification_service:s0
+otadexopt                                 u:object_r:otadexopt_service:s0
 package                                   u:object_r:package_service:s0
 permission                                u:object_r:permission_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 8fb6463..31f7de6 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -54,6 +54,7 @@
 
 # media.player service
 allow surfaceflinger audioserver_service:service_manager find;
+allow surfaceflinger cameraserver_service:service_manager find;
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
diff --git a/system_server.te b/system_server.te
index 55c3fff0..e8c52ff 100644
--- a/system_server.te
+++ b/system_server.te
@@ -78,6 +78,7 @@
 # Set scheduling info for apps.
 allow system_server { appdomain autoplay_app }:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 
 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
@@ -138,10 +139,11 @@
 binder_service(system_server)
 
 # Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 
 # Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, audioserver)
+r_dir_file(system_server, cameraserver)
 r_dir_file(system_server, mediaserver)
 r_dir_file(system_server, mediaextractor)
 r_dir_file(system_server, sdcardd)
@@ -151,6 +153,8 @@
 # Use sockets received over binder from various services.
 allow system_server audioserver:tcp_socket rw_socket_perms;
 allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server cameraserver:tcp_socket rw_socket_perms;
+allow system_server cameraserver:udp_socket rw_socket_perms;
 allow system_server mediaserver:tcp_socket rw_socket_perms;
 allow system_server mediaserver:udp_socket rw_socket_perms;
 
@@ -333,14 +337,12 @@
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
 
-# BackupManagerService lets PMS create a data backup file
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
 allow system_server cache_backup_file:file create_file_perms;
-# Relabel /data/backup
-allow system_server backup_data_file:dir { relabelto relabelfrom };
-# Relabel /cache/.*\.{data|restore}
-allow system_server cache_backup_file:file { relabelto relabelfrom };
-# LocalTransport creates and relabels /cache/backup
-allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
 
 # Allow system to talk to usb device
 allow system_server usb_device:chr_file rw_file_perms;
@@ -380,6 +382,7 @@
 allow system_server sysfs_zram:file r_file_perms;
 
 allow system_server audioserver_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
@@ -454,7 +457,7 @@
 
 # For AppFuse.
 allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl };
+allow system_server fuse_device:chr_file { read write ioctl getattr };
 
 # Connect to adbd and use a socket transferred from it.
 # Used for e.g. jdwp.
diff --git a/te_macros b/te_macros
index 6d91835..4d18973 100644
--- a/te_macros
+++ b/te_macros
@@ -270,16 +270,6 @@
 ')
 
 #####################################
-# access_kmsg(domain)
-# Ability to read from kernel logs
-# and execute the klogctl syscall
-# in a non destructive manner. See
-# man 2 klogctl
-define(`access_kmsg', `
-allow $1 kernel:system syslog_read;
-')
-
-#####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
 define(`create_pty', `
diff --git a/untrusted_app.te b/untrusted_app.te
index dff1cb2..d864424 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -67,6 +67,7 @@
 allow untrusted_app servicemanager:service_manager list;
 
 allow untrusted_app audioserver_service:service_manager find;
+allow untrusted_app cameraserver_service:service_manager find;
 allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
@@ -94,6 +95,8 @@
 # TODO: access of /proc/meminfo, give specific label or switch to
 # using meminfo service
 allow untrusted_app proc:file r_file_perms;
+# access /proc/net/xt_qtguid/stats
+r_dir_file(untrusted_app, proc_net)
 
 ###
 ### neverallow rules
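Review bot: `r_dir_file(untrusted_app, proc_net)` grants untrusted apps read access to every file under the proc_net label, while the comment above it names only /proc/net/xt_qtaguid/stats, so the information-disclosure surface (the neighbouring /proc/net entries) is much wider than the stated need. This policy already has a dedicated `qtaguid_proc` label for the ctrl file (see the qtaguid rules in cameraserver.te in this diff); if stats is not already labelled that way, giving it the same label and granting `allow untrusted_app qtaguid_proc:file r_file_perms;` would be the tighter form. The comment also misspells the path: `# access /proc/net/xt_qtguid/stats` should read `# access /proc/net/xt_qtaguid/stats`.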
diff --git a/vold.te b/vold.te
index e16ec73..67e461a 100644
--- a/vold.te
+++ b/vold.te
@@ -8,6 +8,17 @@
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
 
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(vold, proc)
+r_dir_file(vold, proc_net)
+r_dir_file(vold, sysfs)
+r_dir_file(vold, rootfs)
+
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
 domain_trans(vold, shell_exec, blkid);
diff --git a/zygote.te b/zygote.te
index f3a8853..67fd621 100644
--- a/zygote.te
+++ b/zygote.te
@@ -64,6 +64,16 @@
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
 
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+allow zygote rootfs:file r_file_perms;
+
+# System file accesses.
+allow zygote system_file:dir r_dir_perms;
+allow zygote system_file:file r_file_perms;
+
 userdebug_or_eng(`
   # Allow zygote to create and write method traces in /data/misc/trace.
   allow zygote method_trace_data_file:dir w_dir_perms;