Merge "Add WITH_DEXPREOPT_PIC to 'with_dexpreopt' SELinux macro."
diff --git a/private/file_contexts b/private/file_contexts
index f1d736d..e0e9d08 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -134,7 +134,7 @@
/dev/uhid u:object_r:uhid_device:s0
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
-/dev/urandom u:object_r:urandom_device:s0
+/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
diff --git a/public/device.te b/public/device.te
index b4ca618..f01dc66 100644
--- a/public/device.te
+++ b/public/device.te
@@ -40,7 +40,6 @@
type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
-type urandom_device, dev_type, mlstrustedobject;
type video_device, dev_type;
type vcs_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
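Review bot: Removing the `urandom_device` declaration outright (the deleted `type urandom_device, dev_type, mlstrustedobject;` line) drops a public type that out-of-tree device policy may still name in its own file_contexts or .te rules, and such policy will then fail to compile against this version. A compatibility alias next to the `random_device` declaration, `typealias random_device alias urandom_device;`, would let the consolidation land without breaking those references. The deleted line also shows `urandom_device` carried `mlstrustedobject`; the `random_device` declaration is outside this hunk, so it is worth confirming it carries the same attribute, otherwise MLS-constrained domains that could previously open /dev/urandom may be denied once the file_contexts relabel in this commit takes effect. The same removal is mirrored in the domain.te and init.te hunks, which depend on whichever choice is made here.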
diff --git a/public/domain.te b/public/domain.te
index 66b1d8a..7c15ebc 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -76,7 +76,6 @@
allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:dir r_dir_perms;
allow domain properties_serial:file r_file_perms;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 226cc0f..19a03b7 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -1,13 +1,5 @@
# rules removed from the domain attribute
-# Read access to properties mapping.
-allow domain_deprecated kernel:fd use;
-allow domain_deprecated tmpfs:file { read getattr };
-allow domain_deprecated tmpfs:lnk_file { read getattr };
-auditallow { domain_deprecated -init } kernel:fd use;
-auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
-auditallow domain_deprecated tmpfs:lnk_file { read getattr };
-
# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
@@ -18,12 +10,8 @@
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:unix_stream_socket connectto;
allow domain_deprecated adbd:fd use;
-allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket connectto;
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
@@ -33,14 +21,9 @@
auditallow { domain_deprecated -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
auditallow { domain_deprecated -appdomain -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-# Device accesses.
-allow domain_deprecated device:file read;
-auditallow domain_deprecated device:file read;
-
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
-allow domain_deprecated system_file:lnk_file r_file_perms;
auditallow {
domain_deprecated
-appdomain
@@ -60,16 +43,6 @@
-system_server
-zygote
} system_file:file { ioctl lock }; # read open getattr in domain
-auditallow {
- domain_deprecated
- -appdomain
- -init
- -installd
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} system_file:lnk_file { getattr open ioctl lock }; # read in domain
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
@@ -85,32 +58,6 @@
auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:file r_file_perms;
auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
-# Read /data/dalvik-cache.
-allow domain_deprecated dalvikcache_data_file:dir { search getattr };
-allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -debuggerd
- -dex2oat
- -dumpstate
- -init
- -installd
- -system_server
- -zygote
-} dalvikcache_data_file:dir { search getattr };
-auditallow {
- domain_deprecated
- -appdomain
- -debuggerd
- -dex2oat
- -dumpstate
- -init
- -installd
- -system_server
- -zygote
-} dalvikcache_data_file:file r_file_perms;
-
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
diff --git a/public/init.te b/public/init.te
index bef8de7..235f70c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -21,7 +21,6 @@
allow init { device socket_device }:dir relabelto;
# /dev/random, /dev/urandom
allow init random_device:chr_file relabelto;
-allow init urandom_device:chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;