Merge "sepolicy change for NetworkStack signature"
diff --git a/private/bug_map b/private/bug_map
index 60a7337..ae7b695 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,4 +1,5 @@
 cppreopts cppreopts capability 79414024
+crash_dump gpu_device chr_file 124468495
 dnsmasq netd fifo_file 77868789
 dnsmasq netd unix_stream_socket 77868789
 init app_data_file file 77873135
@@ -27,6 +28,7 @@
 system_server sdcardfs file 77856826
 system_server storage_stub_file dir 112609936
 system_server zygote process 77856826
+untrusted_app_27 mnt_user_file dir 118185801
 usbd usbd capability 72472544
 vrcore_app mnt_user_file dir 118185801
 webview_zygote system_data_file lnk_file 123246126
diff --git a/private/file_contexts b/private/file_contexts
index 233d5f4..97352a5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -489,6 +489,7 @@
 /data/misc/stats-service(/.*)?  u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
+/data/misc/train-info(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
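Review bot: The new `/data/misc/train-info(/.*)?` entry reuses `stats_data_file`, so every domain that already holds rules on that type gets the same access to the train-info tree, and policy and audit logs can no longer tell the two directories apart. If train-info has different readers or writers than `/data/misc/stats-service`, a dedicated type would keep the grant least-privilege. If sharing the label is intentional, a one-line `#` comment above the entry saying so would record the decision.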
diff --git a/private/platform_app.te b/private/platform_app.te
index da3303b..bbba1d9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,10 +68,14 @@
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
 allow platform_app gpu_service:service_manager find;
+allow platform_app stats_service:service_manager find;
 
 # Allow platform apps to interact with gpuservice
 binder_call(platform_app, gpuservice)
 
+# Allow platform apps to log via statsd.
+allow platform_app statsd:binder call;
+
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
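Review bot: The statsd rule is written as a raw `allow platform_app statsd:binder call;`, while the gpuservice rule a few lines above uses `binder_call(platform_app, gpuservice)`, and the comment does not say whether the narrower form is deliberate. The macro also grants binder transfer and fd use, so if call-only is the intent, say so in the comment, e.g. `# Allow platform apps to log via statsd (call only, no transfer).`; otherwise use the macro for consistency. The matching `-platform_app` exemption added in private/stats.te applies to every platform-signed app and has no comment either. That neverallow starts and ends outside its hunk, so its target should be checked against these two rules.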
diff --git a/private/stats.te b/private/stats.te
index 2c7199d..81ec1cf 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,6 +41,7 @@
   domain
   -dumpstate
   -incidentd
+  -platform_app
   -priv_app
   -shell
   -stats
diff --git a/private/zygote.te b/private/zygote.te
index c8bd87e..29d61b4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -96,11 +96,13 @@
 allow zygote mnt_user_file:file create_file_perms;
 # Allowed to mount user-specific storage into place
 allow zygote storage_file:dir { search mounton };
-# Allow mounting on sdcardfs dirs
+
+# Allow mounting and creating files, dirs on sdcardfs.
 # TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
 # (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
 # sdcardfs simply wraps files stored under /data/media.)
-allow zygote { sdcardfs media_rw_data_file vfat }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
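Review bot: The rewritten comment says "on sdcardfs", but the two rules under it target the `sdcard_type` attribute plus `media_rw_data_file`, which covers every type carrying that attribute rather than the `sdcardfs` and `vfat` types the old rule named. This widens zygote's `create_dir_perms mounton` and adds `create_file_perms` on all of them, which goes against the TODO directly below asking to reduce the rule back to sdcardfs only. The comment should read something like `# Allow mounting and creating files, dirs on all sdcard_type filesystems and /data/media.`, and the TODO should mention that the new file rule needs narrowing too. If only sdcardfs and vfat are actually required, listing those types explicitly keeps the grant from growing whenever a new type joins the attribute.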
diff --git a/public/domain.te b/public/domain.te
index e8baabc..2621d81 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -355,6 +355,7 @@
   -healthd
   -uncrypt
   -tee
+  -hal_bootctl
 } self:global_capability_class_set sys_rawio;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
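Review bot: The added `-hal_bootctl` entry exempts hal_bootctl from the `sys_rawio` neverallow, but nothing next to it records why a boot-control HAL needs raw I/O. The same commit deletes `dontaudit hal_bootctl self:global_capability_class_set sys_rawio;` from public/hal_bootctl.te and no allow rule for the capability appears in this diff, so the actual grant presumably lives in device policy. A comment line above the entry, e.g. `# hal_bootctl: <reason>, b/<bug-id>` with the real values filled in, would make the exemption auditable. The neverallow statement begins above this hunk.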
@@ -607,6 +608,8 @@
 neverallow {
   domain
   -fastbootd
+  userdebug_or_eng(`-fsck')
+  userdebug_or_eng(`-init')
   -recovery
   -update_engine
 } system_block_device:blk_file { write append };
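Review bot: The two `userdebug_or_eng` exemptions let fsck and init write `system_block_device` on debug builds, yet none of the three places that implement this (here, public/fsck.te, public/init.te) says what the access is for. A comment above the new lines such as `# userdebug/eng only: fsck and init write the system partition for <reason>, b/<bug-id>`, with the real reason filled in, would close that gap. In the second public/fsck.te hunk the type set now lists `system_block_device` and then subtracts it again inside a `userdebug_or_eng` block, which is easy to misread and would benefit from a short comment as well.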
diff --git a/public/flags_heatlh_check.te b/public/flags_health_check.te
similarity index 100%
rename from public/flags_heatlh_check.te
rename to public/flags_health_check.te
diff --git a/public/fsck.te b/public/fsck.te
index dbbe34c..7a9fbee 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -18,6 +18,9 @@
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
 
 # For the block devices where we have ioctl access,
 # allow at a minimum the following common fsck ioctls.
@@ -55,6 +58,7 @@
   root_block_device
   swap_block_device
   system_block_device
+  userdebug_or_eng(`-system_block_device')
   vold_device
 }:blk_file no_rw_file_perms;
 
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 2491734..be9975f 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,5 +3,3 @@
 binder_call(hal_bootctl_server, hal_bootctl_client)
 
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-
-dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
diff --git a/public/init.te b/public/init.te
index 02302b2..7f5b3fc 100644
--- a/public/init.te
+++ b/public/init.te
@@ -317,6 +317,8 @@
 userdebug_or_eng(`
   # Overlayfs workdir write access check during mount to permit remount,rw
   allow init overlayfs_file:dir { relabelfrom mounton write };
+  allow init overlayfs_file:file { append };
+  allow init system_block_device:blk_file { write };
 ')
 
 allow init {
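Review bot: The two added allow rules sit under the existing comment about the overlayfs workdir write access check, which describes a directory check and does not cover `allow init system_block_device:blk_file { write };`. A raw write grant on the system partition for init deserves its own explanation, for example `# userdebug/eng only: <reason init writes the system block device>, b/<bug-id>` placed directly above that rule. The `overlayfs_file:file { append }` rule could be folded into the existing comment if it belongs to the same remount check.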
diff --git a/public/property_contexts b/public/property_contexts
index b636b34..836b2a4 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -80,6 +80,7 @@
 persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
 persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
 persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.sf.color_mode u:object_r:exported2_system_prop:s0 exact int
 persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
diff --git a/public/radio.te b/public/radio.te
index dcafd93..4527707 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -39,3 +39,6 @@
 # Perform HwBinder IPC.
 hwbinder_use(radio)
 hal_client_domain(radio, hal_telephony)
+
+# Used by TelephonyManager
+allow radio proc_cmdline:file r_file_perms;
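Review bot: `# Used by TelephonyManager` does not say what the radio domain reads through `proc_cmdline` (presumably /proc/cmdline), and `r_file_perms` exposes the whole file. The kernel command line often carries boot parameters that identify the device, so a reviewer needs to know which value is consumed to judge whether the grant is proportionate. A more specific comment such as `# TelephonyManager reads <parameter> from the kernel command line.` would record that; if a system property already exposes the same value, reading the property would avoid the file grant.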
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 078a41b..b55f4bc 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -73,3 +73,6 @@
 
 # get physical block device to map logical partitions on device mapper
 allow update_engine_common block_device:dir r_dir_perms;
+
+# Allow update_engine_common to write to statsd socket.
+unix_socket_send(update_engine_common, statsdw, statsd)
diff --git a/public/vold.te b/public/vold.te
index 801c2de..d201257 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -248,7 +248,7 @@
     domain
     -vold
     -vold_prepare_subdirs
-} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
 
 neverallow {
     domain
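Review bot: Adding `relabelfrom` to the complement set lifts this restriction for every domain other than vold and vold_prepare_subdirs, not only for whichever domain needed it. No allow rule using `relabelfrom` on `vold_data_file:dir` appears in this diff, so the intended caller is not visible here. A comment above the statement naming it, e.g. `# relabelfrom is needed by <domain>, b/<bug-id>`, would let later reviewers confirm the permission is held by that domain alone. The neverallow statement begins above this hunk.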