Merge changes I5bbbcad3,Ifa4630ed
* changes:
wifi_hal: Rename to 'hal_wifi'
wpa: Add permissions for hwbinder
diff --git a/public/domain.te b/public/domain.te
index b464fc6..bbf4d68 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -108,6 +108,7 @@
domain
-appdomain
-dex2oat
+ -dumpstate
-recovery
-zygote
} libart_file:file { execute read open getattr };
@@ -653,3 +654,10 @@
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
neverallow * ~{ system_file rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time or
+# during upgrade by recovery.
+neverallow {
+ domain
+ -recovery
+} self:capability setfcap;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index b8ad83c..e6e827b 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -62,8 +62,27 @@
# Read /data/dalvik-cache.
allow domain_deprecated dalvikcache_data_file:dir { search getattr };
allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -init -installd -system_server -zygote } dalvikcache_data_file:dir { search getattr };
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -installd -system_server -zygote } dalvikcache_data_file:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -debuggerd
+ -dex2oat
+ -dumpstate
+ -init
+ -installd
+ -system_server
+ -zygote
+} dalvikcache_data_file:dir { search getattr };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -debuggerd
+ -dex2oat
+ -dumpstate
+ -installd
+ -system_server
+ -zygote
+} dalvikcache_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
@@ -100,7 +119,18 @@
auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -clatd
+ -dumpstate
+ -init
+ -netd
+ -system_server
+ -vold
+ -wpa
+ -zygote
+} proc_net:{ file lnk_file } r_file_perms;
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 690e843..20f8bda 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -118,7 +118,9 @@
allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
-allow dumpstate dalvikcache_data_file:file execute;
+allow dumpstate libart_file:file { r_file_perms execute };
+allow dumpstate dalvikcache_data_file:dir { search getattr };
+allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
# For Bluetooth
@@ -133,6 +135,9 @@
read_logd(dumpstate)
control_logd(dumpstate)
+# Read /proc/net
+allow dumpstate proc_net:file r_file_perms;
+
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;