Merge "Make ppp domain enforcing."
diff --git a/domain.te b/domain.te
index 5e29272..7f0347a 100644
--- a/domain.te
+++ b/domain.te
@@ -169,7 +169,8 @@
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+neverallow domain kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;
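Review bot: The comment above the new rules still describes the initial setenforce as something init does from the kernel domain, but with `neverallow domain kernel:security setenforce;` no domain at all, kernel included, is allowed it any more; as I read it, that early setenforce now succeeds only because enforcement has not yet been switched on, and the matching `dontaudit` in kernel.te merely hides the denial. A reader of domain.te alone could take the missing exemption for an oversight and add one back, so I would extend the comment: `# Nothing, not even kernel, is allowed setenforce; the initial setenforce by init succeeds only because the system is still permissive at that point (see the dontaudit in kernel.te).` The setcheckreqprot rule on the following line keeps its kernel exemption, which is consistent with kernel.te still using `allow` for that permission.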
diff --git a/file.te b/file.te
index 4f75d37..ac4220f 100644
--- a/file.te
+++ b/file.te
@@ -41,6 +41,9 @@
type system_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
+# /data/.layout_version or other installd-created files that
+# are created in a system_data_file directory.
+type install_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/anr - ANR traces
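Review bot: The comment on the new type says where these files live but not why a dedicated type is needed; the reason, visible in installd.te in this same change, is that installd drops `create_file_perms` on `system_data_file:file` and reaches the new type through a `type_transition` instead. Recording that here keeps someone from later folding the type back into `system_data_file`: `# Dedicated type so installd can create these without create permissions on system_data_file:file (see the type_transition in installd.te).`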
diff --git a/file_contexts b/file_contexts
index ce26390..0926d74 100644
--- a/file_contexts
+++ b/file_contexts
@@ -164,6 +164,7 @@
# Data files
#
/data(/.*)? u:object_r:system_data_file:s0
+/data/.layout_version u:object_r:install_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
/data/security(/.*)? u:object_r:security_file:s0
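Review bot: The new entry matches only the literal path `/data/.layout_version`, while the installd.te comment in this change describes the created files as `/data/.layout_version.*`; any suffixed variant installd creates would be labelled `install_data_file` at runtime by the type_transition but fall back to the `/data(/.*)?` default of `system_data_file` on a restorecon, so the two mechanisms would disagree. If such variants exist the pattern should cover them, e.g. `/data/\.layout_version.*    u:object_r:install_data_file:s0`; if they do not, the installd.te comment should lose the `.*`. The unescaped `.` in the new entry is also a regex wildcard rather than a literal dot, which the `\.` above fixes.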
diff --git a/installd.te b/installd.te
index 8f332b2..cabebc6 100644
--- a/installd.te
+++ b/installd.te
@@ -31,7 +31,8 @@
allow installd media_rw_data_file:dir relabelto;
# Create /data/.layout_version.* file
-allow installd system_data_file:file create_file_perms;
+type_transition installd system_data_file:file install_data_file;
+allow installd install_data_file:file create_file_perms;
# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir create_dir_perms;
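Review bot: The comment `# Create /data/.layout_version.* file` undersells the new `type_transition`: it relabels every file installd creates in any `system_data_file`-labelled directory, and since `/data(/.*)?` defaults to that type in file_contexts, that is most of /data rather than one path. That is presumably the intent, since it is what lets the old `system_data_file:file create_file_perms` go, but I would state it: `# Files installd creates in any system_data_file dir get install_data_file; today that is /data/.layout_version.*`. Creating the file also needs `add_name`/`write` on the parent directory, which I take to be covered by the earlier directory rule the second hunk refers to.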
@@ -49,9 +50,9 @@
allow installd unlabeled:notdevfile_class_set { getattr relabelfrom };
# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it.
+# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom };
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
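Review bot: The added `unlink` on `system_data_file:notdevfile_class_set` is wider than the upgrade case the updated comment describes: `system_data_file` is the default label for everything under `/data(/.*)?`, so this lets installd delete any non-directory file under /data that has not been given a more specific type, not just stale package files. If the upgrade path is the only reason, I would mark it for removal: `# TODO: drop unlink once pre-system_app_data_file upgrades no longer need support.` Removing a file also requires `remove_name` on the containing directory, which I assume is what "Directory access covered by earlier rule above" refers to.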
diff --git a/kernel.te b/kernel.te
index 1ff8f68..c40d08b 100644
--- a/kernel.te
+++ b/kernel.te
@@ -11,7 +11,9 @@
allow kernel fs_type:filesystem *;
# Initial setenforce by init prior to switching to init domain.
-allow kernel self:security setenforce;
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
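Review bot: The new comment explains why `setenforce` is no longer an `allow`, but the very next rule still grants `self:security setcheckreqprot` with no comparable note, and domain.te in this change keeps the kernel exemption for it. checkreqprot governs how mmap/mprotect protections are checked, so a kernel-spawned process keeping that permission after enforcing is on raises the same question; whether it can become a `dontaudit` too depends on whether init.rc sets checkreqprot before or after setenforce, which the hunk does not show. Either way the answer belongs in the comment, e.g. `# Kept as allow (not dontaudit) because init.rc sets checkreqprot after setenforce.` if that is the ordering, or a switch to `dontaudit` if it is not.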
diff --git a/mediaserver.te b/mediaserver.te
index 1e3c41a..6fdc080 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -44,6 +44,9 @@
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
# Access camera device.
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver rpmsg_device:chr_file rw_file_perms;
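Review bot: The new fifo_file rule deliberately omits `open`, which is what limits it to descriptors mediaserver already holds, but the comment only says the pipes are "passed over Binder", so a later edit adding `open` to the set would widen the rule without anyone noticing the comment no longer holds. I would make the constraint explicit: `# No open: only descriptors already received over Binder can be used.` The rule also depends on mediaserver being allowed `appdomain:fd use`, which is not visible in this hunk.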
diff --git a/system_server.te b/system_server.te
index 30f3025..66db7f8 100644
--- a/system_server.te
+++ b/system_server.te
@@ -167,9 +167,73 @@
# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;
-# Manage data files.
-allow system_server { data_file_type -keystore_data_file }:dir create_dir_perms;
-allow system_server { data_file_type -keystore_data_file }:notdevfile_class_set create_file_perms;
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:file create_file_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Manage /data/dalvik-cache.
+allow system_server dalvikcache_data_file:dir create_dir_perms;
+allow system_server dalvikcache_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Walk /data/data subdirectories.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+
+# Populate com.android.providers.settings/databases/settings.db.
+allow system_server system_app_data_file:dir create_dir_perms;
+allow system_server system_app_data_file:file create_file_perms;
+
+# Receive and use open app data files passed over binder IPC.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)
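Review bot: The type list `{ system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }` is spelled out twice, once for the /data/data walk and once for binder-passed files, so the two copies will drift the next time a seapp_contexts type is added; a single attribute or policy macro declared once and used in both rules would keep them in step. `radio_data_file` is also already granted `create_dir_perms` and `create_file_perms` in the /data/misc/sms block, which makes its presence in both lists redundant until the split flagged there happens. Extending that TODO would spare the next reader the cross-check: `# TODO: Split into a separate type; until then these rules also cover radio_data_file's entries in the lists below.`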