Merge "Allow Bluetooth sys_nice and system_server setsched for Bluetooth HAL" into oc-dev
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7827c8b..0917724 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -91,6 +91,9 @@
')
}:dir_file_class_set { create unlink };
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
# Do not allow untrusted apps to directly open tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
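Review bot: The added rule on the fuse_device line covers only all_untrusted_apps, while the same commit deletes the two domain-wide fuse_device neverallows in public/domain.te, so any domain outside the app classes (vendor and HAL domains included) is no longer barred from opening /dev/fuse by a neverallow at all; priv_app, which the removed rule excluded explicitly, is presumably outside all_untrusted_apps and stays permitted. If widening to non-app domains is intended (for example to let vendor FUSE daemons be written in vendor policy), the comment should say so rather than reading as a pure tightening, e.g. `# No untrusted app may touch /dev/fuse. The former domain-wide neverallow was dropped; non-app domains are governed by their own policy.`; if it is not intended, a domain-wide rule with an explicit exclusion list should be kept alongside this one. Note also that `*` here forbids getattr as well, which is stricter than the tun_device rule below that only blocks open; worth confirming no untrusted app needs to stat the node.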
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b..fd4634a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@
allow platform_app preloads_media_file:dir r_dir_perms;
read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/system_app.te b/private/system_app.te
index 02e6101..7950044 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@
control_logd(system_app)
read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/public/domain.te b/public/domain.te
index 1e5c16c..f75b531 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -549,6 +549,8 @@
-nfc_service
-radio_service
-surfaceflinger_service
+ -virtual_touchpad_service
+ -vr_hwc_service
-vr_manager_service
}:service_manager find;
neverallow {
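Review bot: Adding virtual_touchpad_service and vr_hwc_service to this exclusion list, together with deleting the per-service rules `neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find` and `neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find` elsewhere in the commit, leaves no neverallow limiting which domains may look up these two services; the removed comment stated the restriction existed "so that nothing else can inject input". The head of this neverallow is outside the hunk, so which domain set the exclusion now applies to cannot be told from here. Unless the services verify the calling UID/PID in-process, any domain with servicemanager find access can now reach the virtual touchpad, so the added lines deserve a comment recording what replaces the dropped guard, e.g. `# virtual_touchpad_service/vr_hwc_service: caller restriction is enforced by the service itself, not by policy`, or a narrower neverallow should be reinstated in the respective .te files.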
@@ -986,26 +988,6 @@
# TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-neverallow {
- domain
- -init
- -recovery
- -sdcardd
- -vold
-} fuse_device:chr_file open;
-neverallow {
- domain
- -dumpstate
- -init
- -priv_app
- -recovery
- -sdcardd
- -shell # Restricted by shell.te to only getattr
- -system_server
- -ueventd
- -vold
-} fuse_device:chr_file *;
-
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 544550a..8a28cf0 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -7,6 +7,3 @@
# Requires access to /dev/uinput to create and feed the virtual device.
allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Limit access so that nothing else can inject input.
-neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index b0d3ad9..7488cc0 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -8,6 +8,7 @@
binder_service(vr_hwc)
binder_call(vr_hwc, surfaceflinger)
+# TODO(dnicoara): Remove once vr_wm is disabled.
binder_call(vr_hwc, vr_wm)
add_service(vr_hwc, vr_hwc_service)
@@ -24,6 +25,3 @@
# Allow connection to VR DisplayClient to get the primary display metadata
# (ie: size).
use_pdx(vr_hwc, surfaceflinger)
-
-# Limit access so only vr_wm can connect.
-neverallow { domain -vr_hwc -vr_wm } vr_hwc_service:service_manager find;