Merge "Remove read access from mls constraints."
diff --git a/Android.mk b/Android.mk
index 8bf461d..0c44f1e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -2,22 +2,6 @@
include $(CLEAR_VARS)
-# Force permissive domains to be unconfined+enforcing?
-#
-# During development, this should be set to false.
-# Permissive means permissive.
-#
-# When we're close to a release and SELinux new policy development
-# is frozen, we should flip this to true. This forces any currently
-# permissive domains into unconfined+enforcing.
-#
-FORCE_PERMISSIVE_TO_UNCONFINED ?= false
-
-ifeq ($(TARGET_BUILD_VARIANT),user)
- # User builds are always forced unconfined+enforcing
- FORCE_PERMISSIVE_TO_UNCONFINED := true
-endif
-
# SELinux policy version.
# Must be <= /selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
@@ -114,7 +98,6 @@
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
- -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -142,7 +125,6 @@
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
- -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-D target_recovery=true \
-s $^ > $@
@@ -171,7 +153,6 @@
mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=user \
- -D force_permissive_to_unconfined=true \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
diff --git a/attributes b/attributes
index 3f632de..af9af8e 100644
--- a/attributes
+++ b/attributes
@@ -56,9 +56,6 @@
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
-# Domains that are allowed all permissions ("unconfined").
-attribute unconfineddomain;
-
# All domains used for apps.
attribute appdomain;
diff --git a/device.te b/device.te
index 9ff30d5..c155fcc 100644
--- a/device.te
+++ b/device.te
@@ -76,6 +76,9 @@
# Recovery block device.
type recovery_block_device, dev_type;
+# boot block device.
+type boot_block_device, dev_type;
+
# Userdata block device mounted on /data.
type userdata_block_device, dev_type;
diff --git a/init.te b/init.te
index 14e9f80..564e557 100644
--- a/init.te
+++ b/init.te
@@ -1,6 +1,5 @@
# init switches to init domain (via init.rc).
type init, domain, mlstrustedsubject;
-permissive_or_unconfined(init)
tmpfs_domain(init)
# setrlimit
@@ -46,6 +45,9 @@
allow init cgroup:dir create_dir_perms;
allow init cpuctl_device:dir { create mounton };
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
# Create directories under /dev/cpuctl after chowning it to system.
allow init self:capability dac_override;
@@ -113,9 +115,6 @@
allow init kernel:system syslog_mod;
allow init self:capability2 syslog;
-# Triggered by chmod 0444 /sys/fs/selinux/policy.
-allow init kernel:security read_policy;
-
# Set usermodehelpers and /proc security settings.
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
diff --git a/install_recovery.te b/install_recovery.te
index 9155a2d..1385220 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -13,8 +13,9 @@
# Execute /system/bin/applypatch
allow install_recovery system_file:file rx_file_perms;
-# Update the recovery block device
+# Update the recovery block device based off a diff of the boot block device
allow install_recovery block_device:dir search;
+allow install_recovery boot_block_device:blk_file r_file_perms;
allow install_recovery recovery_block_device:blk_file rw_file_perms;
# Create and delete /cache/saved.file
diff --git a/te_macros b/te_macros
index 1efe15f..de3f9f5 100644
--- a/te_macros
+++ b/te_macros
@@ -71,17 +71,6 @@
')
#####################################
-# unconfined_domain(domain)
-# Allow the specified domain to perform more privileged operations
-# than would be typically allowed. Please see the comments at the
-# top of unconfined.te.
-#
-define(`unconfined_domain', `
-typeattribute $1 mlstrustedsubject;
-typeattribute $1 unconfineddomain;
-')
-
-#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
@@ -308,17 +297,6 @@
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
-# permissive_or_unconfined
-# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
-# and "unconfined($1)" otherwise.
-#
-# This is used for experimental domains, where we want to ensure
-# the domain is unconfined+enforcing once new SELinux policy development
-# has ceased.
-#
-define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
-
-#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
diff --git a/unconfined.te b/unconfined.te
deleted file mode 100644
index 559ed59..0000000
--- a/unconfined.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#######################################################
-#
-# This is the unconfined template. This template is the base policy
-# which is used by daemons and other privileged components of
-# Android.
-#
-# Historically, this template was called "unconfined" because it
-# allowed the domain to do anything it wanted. Over time,
-# this has changed, and will continue to change in the future.
-# The rules in this file will be removed when no remaining
-# unconfined domains require it, or when the rules contradict
-# Android security best practices. Domains which need rules not
-# provided by the unconfined template should add them directly to
-# the relevant policy.
-#
-# The use of this template is discouraged.
-######################################################
-
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
-allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
-allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:fd *;
-allow unconfineddomain domain:dir r_dir_perms;
-allow unconfineddomain domain:lnk_file r_file_perms;
-allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
-allow unconfineddomain domain:{
- socket
- netlink_socket
- key_socket
- unix_stream_socket
- unix_dgram_socket
- netlink_route_socket
- netlink_firewall_socket
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_selinux_socket
- netlink_audit_socket
- netlink_ip6fw_socket
- netlink_dnrt_socket
- netlink_kobject_uevent_socket
- tun_socket
-} *;
-allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain {
- file_type
- -keystore_data_file
- -property_data_file
- -system_file
- -exec_type
- -security_file
- -shell_data_file
- -app_data_file
- -unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain exec_type:file { r_file_perms execute };
-allow unconfineddomain exec_type:lnk_file r_file_perms;
-allow unconfineddomain system_file:dir r_dir_perms;
-allow unconfineddomain system_file:file { r_file_perms execute };
-allow unconfineddomain system_file:lnk_file r_file_perms;
-allow unconfineddomain {
- fs_type
- -usermodehelper
- -proc_security
- -contextmount_type
- -rootfs
- -sdcard_type
- -device
-}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {
- file_type
- -keystore_data_file
- -property_data_file
- -system_file
- -exec_type
- -security_file
- -shell_data_file
- -app_data_file
- -unlabeled
- -dalvikcache_data_file
-}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain rootfs:file execute;
-allow unconfineddomain contextmount_type:dir r_dir_perms;
-allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
-allow unconfineddomain node_type:node *;
-allow unconfineddomain netif_type:netif *;
-allow unconfineddomain domain:peer recv;
-allow unconfineddomain { domain -init }:binder { call transfer };