Merge "Remove specifycapabilities permission."
diff --git a/adbd.te b/adbd.te
index 76cc4b1..44607c7 100644
--- a/adbd.te
+++ b/adbd.te
@@ -22,8 +22,10 @@
 # Create and use network sockets.
 net_domain(adbd)
 
-# Access /dev/android_adb.
+# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
 allow adbd adb_device:chr_file rw_file_perms;
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
 
 # Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;
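Review bot: The new comment `# Access /dev/android_adb or /dev/usb-ffs/adb/ep0` names only ep0, but `allow adbd functionfs:file rw_file_perms;` covers every file on a functionfs mount, because genfs_contexts in this same commit labels the whole filesystem (`genfscon functionfs / u:object_r:functionfs:s0`) rather than individual endpoint nodes. Reword the comment so the grant's real scope is visible, e.g. `# Access /dev/android_adb, or the functionfs endpoints under /dev/usb-ffs/adb (the whole mount is labeled functionfs)`.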
diff --git a/app.te b/app.te
index cd1d775..261ec32 100644
--- a/app.te
+++ b/app.te
@@ -52,6 +52,10 @@
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open };
 
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
 # Execute the shell or other system executables.
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
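Review bot: `allow appdomain oemfs:file rx_file_perms;` lets every app domain, including untrusted_app, execute anything labeled oemfs, yet the comment does not say which mount carries that label and this commit adds no genfscon or file_contexts entry for it (genfs_contexts gains only pstore and functionfs), so the labeling presumably comes from device-specific policy. The installd.te hunk adds the same type with read-only perms, which makes the execute grant here the one that needs justification. Say so in the comment, e.g. `# Access to OEM provided data and apps (oemfs labeling is supplied by device policy; execute needed for OEM apks)`, and confirm execute rather than read is actually required for untrusted apps.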
@@ -95,6 +99,7 @@
 # to any app that has backup ability. Hence, no open permissions here.
 allow appdomain backup_data_file:file { read write getattr };
 allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file getattr;
 
@@ -119,9 +124,13 @@
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
 
+# /data/dalvik-cache/profiles
+allow appdomain dalvikcache_profiles_data_file:file write;
+
 # For legacy unlabeled userdata on existing devices.
 # See discussion of Unlabeled files in domain.te for more information.
 allow appdomain unlabeled:file x_file_perms;
+auditallow appdomain unlabeled:file x_file_perms;
 
 ###
 ### CTS-specific rules
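Review bot: `allow appdomain dalvikcache_profiles_data_file:file write;` grants write but deliberately not open, so an app can only write through a descriptor it already holds; that intent is not stated, and a later maintainer seeing a denial on open may simply add it. Record it next to the rule, e.g. `# Write (but never open) profile files; the fd is expected to be handed to the app already open - confirm which domain opens it`. The `auditallow appdomain unlabeled:file x_file_perms;` line is a good addition and needs no change.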
diff --git a/attributes b/attributes
index bbc3d92..69654e3 100644
--- a/attributes
+++ b/attributes
@@ -65,8 +65,5 @@
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
-# Allow domains used for platform (signed by build key) apps.
-attribute platformappdomain;
-
 # All domains which are allowed the "relabelto" permission
 attribute relabeltodomain;
diff --git a/domain.te b/domain.te
index c329245..f61fd16 100644
--- a/domain.te
+++ b/domain.te
@@ -100,6 +100,8 @@
 # Read /data/dalvik-cache.
 allow domain dalvikcache_data_file:dir { search getattr };
 allow domain dalvikcache_data_file:file r_file_perms;
+allow domain dalvikcache_profiles_data_file:dir { search getattr };
+allow domain dalvikcache_profiles_data_file:file r_file_perms;
 
 # Read already opened /cache files.
 allow domain cache_file:dir r_dir_perms;
@@ -152,6 +154,9 @@
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow kernel unlabeled:dir ~search;
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 
 ###
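Review bot: The three new auditallow rules carve out init from the file rule, init and kernel from the dir rule, and then audit kernel separately with `~search`, but nothing explains why those two subjects are excluded or why kernel is still audited for everything except search. A reader cannot tell whether the exclusions are expected early-boot noise or a gap in coverage. Add a one-line comment above the block, e.g. `# Audit remaining unlabeled access; init and kernel are excluded where they touch unlabeled dirs before relabeling (TODO confirm)`.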
diff --git a/file.te b/file.te
index 6b7eda8..f42585a 100644
--- a/file.te
+++ b/file.te
@@ -31,6 +31,9 @@
 type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
 type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, mlstrustedobject;
+type pstorefs, fs_type;
+type functionfs, fs_type;
+type oemfs, fs_type;
 
 # File types
 type unlabeled, file_type;
@@ -52,6 +55,8 @@
 type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
+# /data/dalvik-cache/profiles
+type dalvikcache_profiles_data_file, file_type, data_file_type;
 # /data/local - writable by shell
 type shell_data_file, file_type, data_file_type;
 # /data/gps
diff --git a/file_contexts b/file_contexts
index dc91481..c136e26 100644
--- a/file_contexts
+++ b/file_contexts
@@ -168,6 +168,7 @@
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?		u:object_r:apk_data_file:s0
 /data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
diff --git a/genfs_contexts b/genfs_contexts
index f247cec..ec636b6 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -28,3 +28,5 @@
 genfscon vfat / u:object_r:sdcard_external:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:sdcard_internal:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
diff --git a/installd.te b/installd.te
index 3f5e9a1..9712881 100644
--- a/installd.te
+++ b/installd.te
@@ -9,11 +9,15 @@
 allow installd system_data_file:file create_file_perms;
 allow installd system_data_file:lnk_file create;
 allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_profiles_data_file:dir create_dir_perms;
+allow installd dalvikcache_profiles_data_file:file create_file_perms;
 allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
 allow installd data_file_type:{ file_class_set } { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
+allow installd oemfs:dir r_dir_perms;
+allow installd oemfs:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 # Check validity of SELinux context before use.
diff --git a/logd.te b/logd.te
index 782d58e..cde721a 100644
--- a/logd.te
+++ b/logd.te
@@ -8,6 +8,7 @@
 allow logd self:capability2 syslog;
 allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
 allow logd kernel:system syslog_read;
+allow logd kmsg_device:chr_file w_file_perms;
 
 r_dir_file(logd, domain)
 
diff --git a/mac_permissions.xml b/mac_permissions.xml
index f9f631b..baaaf32 100644
--- a/mac_permissions.xml
+++ b/mac_permissions.xml
@@ -26,21 +26,6 @@
       <seinfo value="platform" />
     </signer>
 
-    <!-- Media dev key in AOSP -->
-    <signer signature="@MEDIA" >
-      <seinfo value="media" />
-    </signer>
-
-    <!-- shared dev key in AOSP -->
-    <signer signature="@SHARED" >
-      <seinfo value="shared" />
-    </signer>
-
-    <!-- release dev key in AOSP -->
-    <signer signature="@RELEASE" >
-      <seinfo value="release" />
-    </signer>
-
     <!-- All other keys -->
     <default>
       <seinfo value="default" />
diff --git a/media_app.te b/media_app.te
deleted file mode 100644
index 5075cdf..0000000
--- a/media_app.te
+++ /dev/null
@@ -1,17 +0,0 @@
-###
-### Apps signed with the media key.
-###
-
-type media_app, domain;
-app_domain(media_app)
-platform_app_domain(media_app)
-binder_service(media_app)
-# Access the network.
-net_domain(media_app)
-# Access /dev/mtp_usb.
-allow media_app mtp_device:chr_file rw_file_perms;
-# Stat /cache/backup
-allow media_app cache_backup_file:file getattr;
-allow media_app cache_backup_file:dir getattr;
-
-# inherits from platformappdomain.te
diff --git a/netd.te b/netd.te
index 5020898..46cc436 100644
--- a/netd.te
+++ b/netd.te
@@ -56,9 +56,7 @@
 domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
-# Support netd running mdnsd
-# TODO: prune this back further
-allow netd ctl_default_prop:property_service set;
+allow netd ctl_mdnsd_prop:property_service set;
 
 ###
 ### Neverallow rules
diff --git a/platform_app.te b/platform_app.te
index ba8ed4b..6cac4ee 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -5,7 +5,6 @@
 type platform_app, domain;
 permissive_or_unconfined(platform_app)
 app_domain(platform_app)
-platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
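Review bot: Removing `platform_app_domain(platform_app)` also removes the `typeattribute $1 mlstrustedsubject` that the deleted te_macros definition applied, and the replacement rules added in the next hunk only restore the two allow groups from platformappdomain.te, so platform_app stops being an MLS-trusted subject unless that is re-added somewhere outside this diff. If the loss is intended it should be stated in the commit message; otherwise add `typeattribute platform_app mlstrustedsubject;` directly after `app_domain(platform_app)`.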
@@ -22,4 +21,10 @@
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 
-# inherits from platformappdomain.te
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
diff --git a/platformappdomain.te b/platformappdomain.te
deleted file mode 100644
index 5ba8601..0000000
--- a/platformappdomain.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Rules for all platform app domains.
-# These rules are inherited by any domain that includes platform_app_domain().
-# Presently this consists of the four app domains corresponding to apps
-# signed by one of the four build keys: platform_app, shared_app, media_app,
-# release_app.  These app domains have greater permissions to specific
-# directories owned by groups that are restricted to apps with
-# Android permissions that are signature|system.
-
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platformappdomain cache_file:dir create_dir_perms;
-allow platformappdomain cache_file:file create_file_perms;
diff --git a/property.te b/property.te
index c1dc254..6f2b280 100644
--- a/property.te
+++ b/property.te
@@ -6,8 +6,11 @@
 type system_prop, property_type;
 type vold_prop, property_type;
 type rild_prop, property_type;
+type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_mdnsd_prop, property_type;
 type ctl_rildaemon_prop, property_type;
 type ctl_bugreport_prop, property_type;
 type audio_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 08874c5..aedf60c 100644
--- a/property_contexts
+++ b/property_contexts
@@ -52,7 +52,10 @@
 crypto.                 u:object_r:vold_prop:s0
 
 # ctl properties
+ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
+ctl.fuse_               u:object_r:ctl_fuse_prop:s0
+ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
 ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
 ctl.bugreport           u:object_r:ctl_bugreport_prop:s0
 ctl.                    u:object_r:ctl_default_prop:s0
diff --git a/release_app.te b/release_app.te
deleted file mode 100644
index 4dc78e7..0000000
--- a/release_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Apps signed with the release key (testkey in AOSP).
-###
-
-type release_app, domain;
-permissive_or_unconfined(release_app)
-app_domain(release_app)
-platform_app_domain(release_app)
-# Access the network.
-net_domain(release_app)
-# Access bluetooth.
-bluetooth_domain(release_app)
-
-# inherits from platformappdomain.te
diff --git a/seapp_contexts b/seapp_contexts
index ff0964a..7b217fb 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -40,9 +40,6 @@
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=shell domain=shell type=shell_data_file
-user=_app domain=untrusted_app type=app_data_file
-user=_app seinfo=platform domain=platform_app type=app_data_file
-user=_app seinfo=shared domain=shared_app type=app_data_file
-user=_app seinfo=media domain=media_app type=app_data_file
-user=_app seinfo=release domain=release_app type=app_data_file
 user=_isolated domain=isolated_app
+user=_app seinfo=platform domain=platform_app type=app_data_file
+user=_app domain=untrusted_app type=app_data_file
diff --git a/shared_app.te b/shared_app.te
deleted file mode 100644
index ef72735..0000000
--- a/shared_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Apps signed with the shared key.
-###
-
-type shared_app, domain;
-permissive_or_unconfined(shared_app)
-app_domain(shared_app)
-platform_app_domain(shared_app)
-# Access the network.
-net_domain(shared_app)
-# Access bluetooth.
-bluetooth_domain(shared_app)
-
-# inherits from platformappdomain.te
diff --git a/shelldomain.te b/shelldomain.te
index e894d9d..0a86426 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -25,3 +25,10 @@
 allow shelldomain ctl_dumpstate_prop:property_service set;
 allow shelldomain debug_prop:property_service set;
 allow shelldomain powerctl_prop:property_service set;
+
+# systrace support - allow atrace to run
+# debugfs doesn't support labeling individual files, so we have
+# to grant read access to all of /sys/kernel/debug.
+# Directory read access and file write access is already granted
+# in domain.te.
+allow shelldomain debugfs:file r_file_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 5ecfd18..1fc18db 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -13,6 +13,7 @@
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
 binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
 binder_service(surfaceflinger)
 
 # Binder IPC to bu, presently runs in adbd domain.
@@ -38,7 +39,7 @@
 
 # Set properties.
 allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_default_prop:property_service set;
+allow surfaceflinger ctl_bootanim_prop:property_service set;
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
diff --git a/system_server.te b/system_server.te
index e85281c..7a8979a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -274,6 +274,12 @@
 # /sys/module/lowmemorykiller/parameters/minfree
 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow system_server pstorefs:dir r_dir_perms;
+allow system_server pstorefs:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/te_macros b/te_macros
index 3d170f4..ddae3df 100644
--- a/te_macros
+++ b/te_macros
@@ -119,14 +119,6 @@
 ')
 
 #####################################
-# platform_app_domain(domain)
-# Allow permissions specific to platform apps.
-define(`platform_app_domain', `
-typeattribute $1 platformappdomain;
-typeattribute $1 mlstrustedsubject;
-')
-
-#####################################
 # net_domain(domain)
 # Allow a base set of permissions required for network access.
 define(`net_domain', `
diff --git a/ueventd.te b/ueventd.te
index e80fa32..66e70e8 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -12,8 +12,9 @@
 allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
 allow ueventd sysfs:file setattr;
+allow ueventd sysfs:file relabelfrom;
 allow ueventd sysfs_type:file { relabelfrom relabelto };
-allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
+allow ueventd sysfs_devices_system_cpu:file {rw_file_perms setattr};
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
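Review bot: `{rw_file_perms setattr}` on the sysfs_devices_system_cpu line departs from the brace spacing used two lines above (`{ relabelfrom relabelto }`) and elsewhere in the policy; write `allow ueventd sysfs_devices_system_cpu:file { rw_file_perms setattr };`. The new `allow ueventd sysfs:file relabelfrom;` also looks redundant with the following `sysfs_type:file { relabelfrom relabelto }` rule if the sysfs type carries the sysfs_type attribute, which this diff does not show; if it does, the added line can be dropped.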
diff --git a/untrusted_app.te b/untrusted_app.te
index e60bfff..1d94923 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -10,7 +10,7 @@
 ### and AID_ISOLATED_START (99000) if the app has no specific seinfo
 ### value as determined from mac_permissions.xml.  In current AOSP, this
 ### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by one of the four platform keys.  To move
+### that are not signed by the platform key.  To move
 ### a system app into a specific domain, add a signer entry for it to
 ### mac_permissions.xml and assign it one of the pre-existing seinfo values
 ### or define and use a new seinfo value in both mac_permissions.xml and
@@ -21,7 +21,6 @@
 ###
 
 type untrusted_app, domain;
-permissive_or_unconfined(untrusted_app)
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
@@ -48,3 +47,19 @@
 # Figure out a way to remove these rules.
 allow untrusted_app shell_data_file:file r_file_perms;
 allow untrusted_app shell_data_file:dir r_dir_perms;
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access /dev/mtp_usb.
+allow untrusted_app mtp_device:chr_file rw_file_perms;
+
+# Access to /data/media.
+allow untrusted_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow untrusted_app cache_file:dir create_dir_perms;
+allow untrusted_app cache_file:file create_file_perms;
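Review bot: The migrated rules at the end of the hunk (rw on mtp_device, create on media_rw_data_file and on cache_file) previously applied only to apps signed with the media, shared or release keys and now apply to every third-party app, the widest domain in the policy. The header comment records where they came from but not which consumers still need them, so there is no path to pruning them; DAC presumably still gates those paths, but the SELinux backstop for /cache and /data/media is gone for untrusted code. Add a TODO naming the intended consumers, e.g. `# TODO: identify the apps that need mtp_device/media_rw_data_file/cache_file and move them to a dedicated domain`.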
diff --git a/vold.te b/vold.te
index cc70e8a..350f630 100644
--- a/vold.te
+++ b/vold.te
@@ -65,7 +65,7 @@
 # Property Service
 allow vold vold_prop:property_service set;
 allow vold powerctl_prop:property_service set;
-allow vold ctl_default_prop:property_service set;
+allow vold ctl_fuse_prop:property_service set;
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;
@@ -84,3 +84,7 @@
 # talk to batteryservice
 binder_use(vold)
 binder_call(vold, healthd)
+
+# talk to keymaster
+allow vold tee_device:chr_file rw_file_perms;
+
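Review bot: The hunk appends an empty `+` line after `allow vold tee_device:chr_file rw_file_perms;`, leaving a trailing blank line at the end of vold.te; drop it so the file ends on the rule. The comment `# talk to keymaster` would also be more useful if it said why vold needs direct rw on the TEE device node rather than a narrower interface, since that is a broad grant for a daemon that handles encryption keys.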
diff --git a/zygote.te b/zygote.te
index 225f431..199f165 100644
--- a/zygote.te
+++ b/zygote.te
@@ -5,7 +5,7 @@
 init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner };
+allow zygote self:capability { dac_override setgid setuid fowner chown };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
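Review bot: `chown` is added to zygote's capability set but the comment above it (`# Override DAC on files and switch uid/gid.`) still describes only the old set, so the reason for the new capability is lost; extend it, e.g. `# Override DAC on files, switch uid/gid, and chown files (TODO: state which path needs chown)`. The `dalvikcache_data_file:dir` widening from rw_dir_perms to create_dir_perms in the next hunk is likewise uncommented and deserves the same treatment.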
@@ -20,7 +20,7 @@
 # Write to system data.
 allow zygote system_data_file:dir rw_dir_perms;
 allow zygote system_data_file:file create_file_perms;
-allow zygote dalvikcache_data_file:dir rw_dir_perms;
+allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
@@ -46,14 +46,3 @@
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
-
-# handle bugreports b/10498304
-allow zygote ashmem_device:chr_file execute;
-allow zygote shell_data_file:file { write getattr };
-allow zygote system_server:binder { transfer call };
-allow zygote servicemanager:binder { call };
-
-auditallow zygote ashmem_device:chr_file execute;
-auditallow zygote shell_data_file:file { write getattr };
-auditallow zygote system_server:binder { transfer call };
-auditallow zygote servicemanager:binder { call };