Merge "Make mtp enforcing."
diff --git a/app.te b/app.te
index 9adb86a..3081f53 100644
--- a/app.te
+++ b/app.te
@@ -42,7 +42,7 @@
allow appdomain appdomain:fifo_file rw_file_perms;
# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
@@ -69,7 +69,7 @@
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };
# Write to /proc/net/xt_qtaguid/ctrl file.
@@ -89,14 +89,11 @@
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
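Review bot: The comment kept above the new rule still describes only the isolated_app/Chrome case, but the `+` line now grants every app domain `{ getopt getattr read write shutdown }` on unix_stream_sockets owned by any other app domain, so the comment under-describes what is allowed. Rewording it would keep the intent visible, e.g. `# Apps may use already-connected, unnamed sockets passed from any other app over Binder or other IPC (originally for isolated services such as Chrome's); no sock_file or connectto, so no new connections can be made.` If widening the target from isolated_app to all of appdomain was deliberate, saying so in the comment or commit message would help the next reader; if the aim was only to merge the two directions of the isolated_app rule (the one removed here and the one removed from isolated_app.te), `allow appdomain isolated_app:unix_stream_socket { ... };` plus `allow isolated_app appdomain:unix_stream_socket { ... };` is the narrower form.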
@@ -112,6 +109,10 @@
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };
+# Access SDcard.
+allow appdomain sdcard_type:dir create_dir_perms;
+allow appdomain sdcard_type:file create_file_perms;
+
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
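Review bot: Moving the SDcard rules into appdomain grants `create_dir_perms`/`create_file_perms` on sdcard_type to every domain that uses app_domain(), which in this same diff includes isolated_app (isolated_app.te), a domain that previously had no sdcard rule visible here, while the per-domain rules removed elsewhere in the commit (untrusted_app, nfc, bluetooth, shelldomain, system_app's read-only one) were all narrower in subject or in permissions. If isolated apps are not meant to reach the SDcard, exclude them explicitly, e.g. `allow { appdomain -isolated_app } sdcard_type:dir create_dir_perms;` and the matching file rule, and consider a neverallow for isolated_app on sdcard_type so the exclusion survives later edits. The one-word comment `# Access SDcard.` could also state the scope, e.g. `# All app domains get full read/write to the SDcard; the former per-domain sdcard rules were folded in here.`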
@@ -190,13 +191,6 @@
{ read write };
neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
-# Set SELinux enforcing mode, booleans or any other SELinux settings.
-neverallow { appdomain -unconfineddomain } kernel:security
- { setenforce setbool setsecparam setcheckreqprot };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
# Privileged netlink socket interfaces.
neverallow { appdomain -unconfineddomain }
self:{
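Review bot: Dropping `neverallow appdomain kernel:security load_policy;` leaves no neverallow on load_policy anywhere in this diff: the rules added to domain.te cover setbool and setsecparam, the existing domain.te line covers setenforce/setcheckreqprot, and load_policy is only excluded from the unconfineddomain allow in unconfined.te, which is an allow-side omission rather than a guarantee. Unless domain.te already carries a domain-wide `neverallow domain kernel:security load_policy;` outside the hunk shown, keep this line or add the domain-wide form next to the setenforce rule in domain.te. The same applies to the load_policy neverallow removed from netd.te in this commit.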
diff --git a/bluetooth.te b/bluetooth.te
index c63dc02..8869ce6 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -31,7 +31,7 @@
# Allow clients to use a socket provided by the bluetooth app.
# TODO: See if this is still required under bluedroid.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt getattr read write shutdown };
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt getattr read write ioctl shutdown };
# tethering
allow bluetooth self:tun_socket create_socket_perms;
@@ -43,10 +43,6 @@
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-# bluetooth file transfers
-allow bluetooth sdcard_internal:dir create_dir_perms;
-allow bluetooth sdcard_internal:file create_file_perms;
-
# Allow write access to bluetooth specific properties
allow bluetooth bluetooth_prop:property_service set;
diff --git a/clatd.te b/clatd.te
index 4971102..be0314d 100644
--- a/clatd.te
+++ b/clatd.te
@@ -1,6 +1,5 @@
# 464xlat daemon
type clatd, domain;
-permissive_or_unconfined(clatd)
type clatd_exec, exec_type, file_type;
net_domain(clatd)
diff --git a/dhcp.te b/dhcp.te
index 89346d5..81f6db4 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,5 +1,4 @@
type dhcp, domain;
-permissive_or_unconfined(dhcp)
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;
diff --git a/dnsmasq.te b/dnsmasq.te
index fcf7c6d..61382a2 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -5,7 +5,16 @@
net_domain(dnsmasq)
-allow dnsmasq self:capability { net_bind_service setgid setuid };
+allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
allow dnsmasq dhcp_data_file:dir w_dir_perms;
allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { read write };
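Review bot: The new `net_admin` and `net_raw` capabilities on the first `+` line arrive without a comment saying which dnsmasq operation needs them, and the inherited-socket rules below allow read/write on netd's netlink route, nflog and uevent sockets, which the TODO itself says may simply be descriptors leaked across exec. Until that investigation is done, the safer shape is to keep the fd/fifo rules, make the three netlink socket rules `dontaudit` rather than `allow` so an unexpected use still fails closed, and fix close-on-exec on the netd side. A one-line comment such as `# net_admin/net_raw: needed for <dnsmasq feature — TODO fill in>` on the capability line would record the justification for later tightening.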
diff --git a/domain.te b/domain.te
index 34af567..c329245 100644
--- a/domain.te
+++ b/domain.te
@@ -61,7 +61,7 @@
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain device:file read;
-allow domain socket_device:dir search;
+allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
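Review bot: Widening `socket_device:dir` from `search` to `r_dir_perms` lets every domain list `/dev/socket` rather than only traverse it to reach a named socket, and the hunk carries no comment saying which domain needed the listing. If one specific daemon needs to enumerate sockets, granting `r_dir_perms` to that domain and leaving the domain-wide rule at `search` keeps the baseline narrower; otherwise a comment such as `# All domains may list /dev/socket (needed by <domain> — fill in).` records the reason.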
@@ -183,6 +183,14 @@
# switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow domain kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
diff --git a/healthd.te b/healthd.te
index 63efd05..62a20e8 100644
--- a/healthd.te
+++ b/healthd.te
@@ -15,6 +15,10 @@
binder_service(healthd)
binder_call(healthd, system_server)
+# Write to state file.
+# TODO: Split into a separate type?
+allow healthd sysfs:file write;
+
###
### healthd: charger mode
###
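Review bot: `allow healthd sysfs:file write;` grants write to every file labelled sysfs rather than the single state file the comment refers to, and the TODO already points at the fix. The policy in this diff already uses the pattern of a narrowly labelled writable sysfs type (nfc.te's `sysfs_nfc_power_writable`), so the same approach here would be a dedicated type for the healthd state path plus `allow healthd sysfs_healthd_writable:file rw_file_perms;` (name constructed), with the label assigned to that path in file_contexts or by restorecon. Until then the comment should at least name the path being written so a later reader can label it.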
@@ -23,5 +27,6 @@
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
allow healthd input_device:chr_file r_file_perms;
+allow healthd tty_device:chr_file rw_file_perms;
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
diff --git a/isolated_app.te b/isolated_app.te
index 7e51d30..4745d7e 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,12 +12,3 @@
type isolated_app, domain;
app_domain(isolated_app)
net_domain(isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-allow isolated_app dalvikcache_data_file:file execute;
-allow isolated_app apk_data_file:dir getattr;
diff --git a/media_app.te b/media_app.te
index 65f3863..099e0a6 100644
--- a/media_app.te
+++ b/media_app.te
@@ -10,20 +10,15 @@
net_domain(media_app)
# Access /dev/mtp_usb.
allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
# Stat /cache/backup
allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir (in particular, file_contexts for restorecon).
-allow media_app rootfs:file r_file_perms;
+# Create download files.
allow media_app download_file:dir rw_dir_perms;
allow media_app download_file:file create_file_perms;
# Allow platform apps to mark platform app data files as download files
relabelto_domain(media_app)
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;
+
+# inherits from platformappdomain.te
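Review bot: The trailing comment `# inherits from platformappdomain.te` names a file rather than the mechanism, so a reader of media_app.te cannot tell what pulls those rules in; the new platformappdomain.te header says they apply to any domain that includes platform_app_domain(). A comment like `# Rules common to platform-signed app domains live in platformappdomain.te and are picked up via platform_app_domain().` would be self-explanatory. The same one-line comment is added to platform_app.te, release_app.te and shared_app.te in this commit. Separately, the removed rootfs and unlabeled getattr rules have no visible replacement; if restorecon and the /cache/lost+found stat are no longer done by media_app, a sentence in the commit message would save the next person the check.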
diff --git a/mediaserver.te b/mediaserver.te
index ad291b0..1019fc7 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -69,3 +69,6 @@
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+# Connect to tee service.
+allow mediaserver tee:unix_stream_socket connectto;
diff --git a/netd.te b/netd.te
index 19fcad2..5020898 100644
--- a/netd.te
+++ b/netd.te
@@ -68,12 +68,6 @@
# Block device access.
neverallow netd dev_type:blk_file { read write };
-# Setting SELinux enforcing status or booleans.
-neverallow netd kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow netd kernel:security load_policy;
-
# ptrace any other app
neverallow netd { domain }:process ptrace;
diff --git a/nfc.te b/nfc.te
index 0522c52..0968c35 100644
--- a/nfc.te
+++ b/nfc.te
@@ -13,6 +13,3 @@
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
-
-allow nfc sdcard_type:dir create_dir_perms;
-allow nfc sdcard_type:file create_file_perms;
diff --git a/platform_app.te b/platform_app.te
index bbbc0f7..ea49c00 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -10,10 +10,7 @@
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
+# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
@@ -26,20 +23,5 @@
allow platform_app asec_apk_file:file create_file_perms;
# Access download files.
allow platform_app download_file:file rw_file_perms;
-# Allow BackupManagerService to backup all app domains
-allow platform_app appdomain:fifo_file write;
-#
-# Rules for all platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/platformappdomain.te b/platformappdomain.te
new file mode 100644
index 0000000..701a636
--- /dev/null
+++ b/platformappdomain.te
@@ -0,0 +1,21 @@
+#
+# Rules for all platform app domains.
+# These rules are inherited by any domain that includes platform_app_domain().
+# Presently this consists of the four app domains corresponding to apps
+# signed by one of the four build keys: platform_app, shared_app, media_app,
+# release_app. These app domains use platform_app_data_file rather
+# than app_data_file for their /data/data directories (as specified via
+# type= in seapp_contexts) and have greater permissions to specific
+# directories owned by groups that are restricted to apps with
+# Android permissions that are signature|system.
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;
+# Write to /cache.
+allow platformappdomain cache_file:dir create_dir_perms;
+allow platformappdomain cache_file:file create_file_perms;
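Review bot: The consolidated `allow platformappdomain cache_file:dir create_dir_perms;` is wider than the three per-domain rules it replaces, which all used `rw_dir_perms` (media_app.te, platform_app.te, release_app.te in this diff); create_dir_perms additionally permits creating, removing, renaming and setattr on directories under /cache. If the widening is intended the comment should say so, e.g. `# Write to /cache (directory create/remove included; wider than the former per-domain rw_dir_perms).`; otherwise keep `rw_dir_perms`. The header comment is good; one more line noting that any change here affects all four build-key domains at once would be worth adding.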
diff --git a/property.te b/property.te
index 9c6233c..c1dc254 100644
--- a/property.te
+++ b/property.te
@@ -9,6 +9,7 @@
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_rildaemon_prop, property_type;
+type ctl_bugreport_prop, property_type;
type audio_prop, property_type;
type security_prop, property_type;
type bluetooth_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 12fd108..08874c5 100644
--- a/property_contexts
+++ b/property_contexts
@@ -54,4 +54,5 @@
# ctl properties
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl.bugreport u:object_r:ctl_bugreport_prop:s0
ctl. u:object_r:ctl_default_prop:s0
diff --git a/release_app.te b/release_app.te
index 69cff19..4dc78e7 100644
--- a/release_app.te
+++ b/release_app.te
@@ -11,6 +11,4 @@
# Access bluetooth.
bluetooth_domain(release_app)
-# Write to /cache.
-allow release_app cache_file:dir rw_dir_perms;
-allow release_app cache_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/shared_app.te b/shared_app.te
index 2223882..ef72735 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -10,3 +10,5 @@
net_domain(shared_app)
# Access bluetooth.
bluetooth_domain(shared_app)
+
+# inherits from platformappdomain.te
diff --git a/shelldomain.te b/shelldomain.te
index d4bb019..e894d9d 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -5,10 +5,6 @@
allow shelldomain shell_data_file:file create_file_perms;
allow shelldomain shell_data_file:file rx_file_perms;
-# Access sdcard.
-allow shelldomain sdcard_type:dir create_dir_perms;
-allow shelldomain sdcard_type:file create_file_perms;
-
# adb bugreport
unix_socket_connect(shelldomain, dumpstate, dumpstate)
@@ -29,13 +25,3 @@
allow shelldomain ctl_dumpstate_prop:property_service set;
allow shelldomain debug_prop:property_service set;
allow shelldomain powerctl_prop:property_service set;
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shelldomain, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shelldomain app_data_file:dir search;
-
-# ps and ps -Z output for app processes.
-r_dir_file(shelldomain, appdomain)
-allow shelldomain appdomain:process getattr;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 7d73696..1268247 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -11,11 +11,17 @@
# Perform Binder IPC.
binder_use(surfaceflinger)
-binder_call(surfaceflinger, system_server)
-binder_call(surfaceflinger, nfc)
-binder_call(surfaceflinger, mediaserver)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
binder_service(surfaceflinger)
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -50,3 +56,13 @@
# but seems expected and appropriate for all devices.
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+# TODO: Remove -unconfineddomain when we remove permissive_or_unconfined above.
+neverallow { surfaceflinger -unconfineddomain } sdcard_type:file rw_file_perms;
diff --git a/system_app.te b/system_app.te
index dc02118..25da88a 100644
--- a/system_app.te
+++ b/system_app.te
@@ -20,14 +20,13 @@
# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };
-# Read SELinux enforcing status.
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
allow system_app radio_prop:property_service set;
allow system_app system_prop:property_service set;
+allow system_app ctl_bugreport_prop:property_service set;
+
+# Create /data/anr/traces.txt.
+allow system_app anr_data_file:dir ra_dir_perms;
+allow system_app anr_data_file:file create_file_perms;
diff --git a/system_server.te b/system_server.te
index 9b7b85a..b59f5a3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -74,9 +74,11 @@
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
-# Read /proc data for apps.
-allow system_server appdomain:dir r_dir_perms;
-allow system_server appdomain:{ file lnk_file } rw_file_perms;
+# Read /proc/pid data for apps.
+r_dir_file(system_server, appdomain)
+
+# Write to /proc/pid/oom_adj_score for apps.
+allow system_server appdomain:file write;
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
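Review bot: The comment on the new write rule names `/proc/pid/oom_adj_score`, but the procfs file is `/proc/<pid>/oom_score_adj` (legacy `oom_adj`), and since every file under /proc/<pid> carries the process's domain label, `allow system_server appdomain:file write;` reaches all of them, not just that one. A comment that says so keeps the scope honest, e.g. `# Write /proc/<pid>/oom_score_adj for apps. Note: all /proc/<pid> files share the app's label, so this is write access to any of them.` If a narrower label for oom_score_adj is not possible here, that is worth stating too.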
@@ -119,11 +121,10 @@
binder_call(system_server, dumpstate)
binder_service(system_server)
-# Read /proc/pid files for Binder clients.
-r_dir_file(system_server, appdomain)
+# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
-allow system_server appdomain:process getattr;
-allow system_server mediaserver:process getattr;
+r_dir_file(system_server, sdcardd)
+r_dir_file(system_server, surfaceflinger)
# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
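Review bot: `allow system_server appdomain:process getattr;` and the mediaserver equivalent are removed with no replacement visible in this diff, and the r_dir_file macros that take their place cover only the dir/file/lnk_file classes. Reading a process's SELinux context (`/proc/<pid>/attr/current`) requires `process getattr` on the target, so if system_server still does that for apps or mediaserver — for example while dumping the traces the new comment describes — these denials will surface in enforcing mode. If the rules were removed after confirming no such denials, a short note in the commit message would save the next person the check.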
@@ -210,11 +211,6 @@
# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;
-# Allow reading of /proc/pid data for other domains.
-# XXX dontaudit candidate
-allow system_server domain:dir r_dir_perms;
-allow system_server domain:file r_file_perms;
-
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
diff --git a/unconfined.te b/unconfined.te
index 80d42b3..c3355c7 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -18,7 +18,7 @@
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system *;
allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
allow unconfineddomain domain:fd *;
diff --git a/untrusted_app.te b/untrusted_app.te
index 85cf79e..e60bfff 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -32,14 +32,6 @@
allow untrusted_app tun_device:chr_file rw_file_perms;
-# Internal SDCard rw access.
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-
-# External SDCard rw access.
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-
# ASEC
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms;
diff --git a/wpa_supplicant.te b/wpa.te
similarity index 100%
rename from wpa_supplicant.te
rename to wpa.te
diff --git a/zygote.te b/zygote.te
index c20072d..225f431 100644
--- a/zygote.te
+++ b/zygote.te
@@ -45,10 +45,15 @@
allow zygote labeledfs:filesystem remount;
# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file { execute_no_trans open };
+allow zygote zygote_exec:file rx_file_perms;
# handle bugreports b/10498304
allow zygote ashmem_device:chr_file execute;
allow zygote shell_data_file:file { write getattr };
allow zygote system_server:binder { transfer call };
allow zygote servicemanager:binder { call };
+
+auditallow zygote ashmem_device:chr_file execute;
+auditallow zygote shell_data_file:file { write getattr };
+auditallow zygote system_server:binder { transfer call };
+auditallow zygote servicemanager:binder { call };
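Review bot: The four new `auditallow` lines carry no comment saying why the matching allow rules are being audited, so a reader has to infer from `b/10498304` above that their use is being tracked to see whether they can be dropped. A heading comment such as `# Audit use of the bugreport-related rules above so they can be removed once no longer exercised (b/10498304).` would make that explicit, or, if the auditing has another purpose, state that instead. Changing `{ execute_no_trans open }` to `rx_file_perms` on zygote_exec also grants the read/getattr permissions of r_file_perms; that looks fine, but a word on the --invoke-with comment would record it.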