Merge "Adding permissions needed to remove cache"
diff --git a/adbd.te b/adbd.te
index 6adba83..b44cd98 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,11 +1,52 @@
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain;
-unconfined_domain(adbd)
+permissive adbd;
domain_auto_trans(adbd, shell_exec, shell)
# this is an entrypoint
allow adbd rootfs:file entrypoint;
+# Do not sanitize the environment or open fds of the shell.
+allow adbd shell:process noatsecure;
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:capability { setuid setgid };
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/android_adb.
+allow adbd adb_device:chr_file rw_file_perms;
+
+# On emulator, access /dev/qemu*.
+allow adbd qemu_device:chr_file rw_file_perms;
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir rw_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb push/pull sdcard.
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
+# Set service.adb.*, sys.powerctl properties.
+unix_socket_connect(adbd, property, init)
+allow adbd shell_prop:property_service set;
+allow adbd powerctl_prop:property_service set;
+
+# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
+# Also covers running /system/bin/bu.
+allow adbd system_file:file rx_file_perms;
+unix_socket_connect(adbd, vold, vold)
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;
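Review bot: `permissive adbd;` at the top of the file means none of the allow rules that replace `unconfined_domain(adbd)` is enforced yet — denials are only audited — so this rule set has not been validated in enforcing mode, and the two XXX comments show it is known to be incomplete. A comment on that line would keep it from being mistaken for finished confinement: `# TODO: permissive until the adbd rule set below is complete; denials are audited, not enforced.` Separately, `allow adbd shell:process noatsecure;` disables AT_SECURE for the root-to-shell transition, so the dynamic loader will not scrub LD_* variables inherited from adbd's environment in the spawned shell; the comment states what is permitted but not that trade-off, and it should.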
diff --git a/app.te b/app.te
index eb91793..7d4acfb 100644
--- a/app.te
+++ b/app.te
@@ -7,6 +7,10 @@
### zygote spawned apps should be added here.
###
+# Dalvik Compiler JIT Mapping.
+allow appdomain self:process execmem;
+allow appdomain ashmem_device:chr_file execute;
+
# Allow apps to connect to the keystore
unix_socket_connect(appdomain, keystore, keystore)
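Review bot: `allow appdomain self:process execmem;` is what keeps anonymous executable memory available to every app now that domain.te stops granting it by default, and `allow appdomain ashmem_device:chr_file execute;` replaces the grant that binder_use used to carry; neither dependency is mentioned, so a later cleanup at either end could silently break the JIT. Suggest widening the comment: `# Dalvik JIT: domain.te no longer grants execmem and binder_use no longer grants ashmem execute, so both are granted here for all apps.`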
@@ -63,7 +67,6 @@
# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
-allow appdomain ping_exec:file rx_file_perms;
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };
@@ -152,6 +155,9 @@
allow appdomain usb_device:chr_file { read write getattr ioctl };
allow appdomain usbaccessory_device:chr_file { read write getattr };
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+
###
### CTS-specific rules
###
@@ -261,7 +267,7 @@
{ sigkill sigstop signal };
# Transition to a non-app domain.
-# Exception for the shell domain, can transition to runas, ping, etc.
+# Exception for the shell domain, can transition to runas, etc.
neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
{ transition dyntransition };
diff --git a/bluetooth.te b/bluetooth.te
index a6e0c4e..a391ef7 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,6 +1,5 @@
# bluetooth subsystem
type bluetooth, domain;
-permissive bluetooth;
app_domain(bluetooth)
# Data file accesses.
diff --git a/dhcp.te b/dhcp.te
index 5004565..e710360 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,10 +1,32 @@
type dhcp, domain;
+permissive dhcp;
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;
type dhcp_system_file, file_type, data_file_type;
init_daemon_domain(dhcp)
net_domain(dhcp)
-unconfined_domain(dhcp)
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms;
+allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
+allow dhcp system_prop:property_service set ;
+allow dhcp dhcp_system_file:file rx_file_perms;
+allow dhcp dhcp_system_file:dir r_dir_perms;
+unix_socket_connect(dhcp, property, init)
+allow dhcp owntty_device:chr_file rw_file_perms;
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
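Review bot: `permissive dhcp;` means every rule below is audited rather than enforced, so the confinement replacing `unconfined_domain(dhcp)` is untested, and the capability line grants `setuid setgid net_admin net_raw net_bind_service` alongside `shell_exec`/`system_file` rx, so dhcp can run the shell and any system binary (presumably hook scripts) with those capabilities — a comment naming which scripts need that would help a later audit. `allow dhcp proc_net:file write;` also covers all of /proc/net and /proc/sys/net under the new label, not only promote_secondaries as its comment says. Style: `allow dhcp system_prop:property_service set ;` has a stray space before the semicolon.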
diff --git a/domain.te b/domain.te
index d0e3ff4..a498980 100644
--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,7 @@
allow domain tmpfs:dir r_dir_perms;
# Intra-domain accesses.
-allow domain self:process ~{ execstack execheap ptrace };
+allow domain self:process ~{ execmem execstack execheap ptrace };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
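Review bot: Dropping `execmem` from the default `self:process` grant is the security-relevant change here, but the line carries no comment saying that executable anonymous memory must now be granted per domain, so a reader meeting `allow appdomain self:process execmem;` elsewhere has no pointer back to this policy decision. Suggest `# execmem, execstack, execheap and ptrace are deliberately excluded; domains that JIT (appdomain, system_server) grant execmem explicitly.`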
@@ -23,9 +23,10 @@
allow domain system_server:fd use;
# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr read write shutdown };
+allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
###
### Talk to debuggerd.
@@ -105,6 +106,7 @@
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
+r_dir_file(domain, proc_net)
# debugfs access
allow domain debugfs:dir r_dir_perms;
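Review bot: `r_dir_file(domain, proc_net)` gives every domain, including appdomain, read access to everything labelled proc_net, which after the genfs_contexts change is all of /proc/net and /proc/sys/net. If the intent is only to preserve the read access these paths had while still labelled `proc`, say so, otherwise the grant reads as a deliberate widening: `# proc_net was split out of proc for netd/dhcp writes; keep the read access domains already had.` /proc/net traditionally exposes kernel network state (socket tables, routing, ARP), so whether untrusted app domains need it is worth a follow-up. The r_dir_file run starts before this hunk.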
@@ -165,3 +167,7 @@
# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;
+
+# Init can't receive binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow domain init:binder call;
diff --git a/drmserver.te b/drmserver.te
index b465430..112d7a1 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -34,3 +34,6 @@
type_transition drmserver apk_data_file:sock_file drmserver_socket;
allow drmserver drmserver_socket:sock_file create_file_perms;
allow drmserver tee:unix_stream_socket connectto;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
diff --git a/dumpstate.te b/dumpstate.te
index 8c27273..e0fe4ce 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -68,3 +68,8 @@
# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir create_dir_perms;
+allow dumpstate shell_data_file:file create_file_perms;
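Review bot: The comment names a single bugreport path under /data/data/com.android.shell, but the rules grant `create_dir_perms`/`create_file_perms` on the whole `shell_data_file` type, which also labels /data/local/tmp (adbd.te's "adb push/pull /data/local/tmp" rule uses the same type), so a root daemon can create files anywhere shell-writable — broader than stated. Either make the comment match (`# Create bugreport files under shell_data_file (this type also covers /data/local/tmp).`) or give the bugreports directory its own type so the grant matches the path.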
diff --git a/file.te b/file.te
index 3ca9fd7..e255ae9 100644
--- a/file.te
+++ b/file.te
@@ -10,6 +10,7 @@
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
+type proc_net, fs_type;
type selinuxfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 817c0e0..6c530a6 100644
--- a/file_contexts
+++ b/file_contexts
@@ -142,7 +142,6 @@
/system/etc/dhcpcd(/.*)? u:object_r:dhcp_system_file:s0
/system/xbin/su u:object_r:su_exec:s0
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
-/system/bin/ping u:object_r:ping_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/hostapd u:object_r:hostapd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
diff --git a/genfs_contexts b/genfs_contexts
index 8560e38..634f4bd 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -2,6 +2,7 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
+genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
@@ -15,6 +16,7 @@
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
diff --git a/media_app.te b/media_app.te
index 5f09a63..830cbd5 100644
--- a/media_app.te
+++ b/media_app.te
@@ -3,7 +3,6 @@
###
type media_app, domain;
-permissive media_app;
app_domain(media_app)
platform_app_domain(media_app)
# Access the network.
diff --git a/mediaserver.te b/mediaserver.te
index 4a94012..6097ccb 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -25,6 +25,7 @@
allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver audio_device:dir r_dir_perms;
allow mediaserver qemu_device:chr_file rw_file_perms;
@@ -48,8 +49,8 @@
allow mediaserver system_server:fifo_file r_file_perms;
# Camera data
-allow mediaserver camera_data_file:dir r_dir_perms;
-allow mediaserver camera_data_file:file r_file_perms;
+r_dir_file(mediaserver, camera_data_file)
+r_dir_file(mediaserver, media_rw_data_file)
# Grant access to audio files to mediaserver
allow mediaserver audio_data_file:dir ra_dir_perms;
diff --git a/netd.te b/netd.te
index 72784da..f8c9ffb 100644
--- a/netd.te
+++ b/netd.te
@@ -16,8 +16,7 @@
allow netd devpts:chr_file rw_file_perms;
# For /proc/sys/net/ipv[46]/route/flush.
-# XXX Split /proc/sys/net into its own type.
-allow netd proc:file write;
+allow netd proc_net:file write;
# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
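Review bot: `allow netd proc_net:file write;` is broader than the comment's /proc/sys/net/ipv[46]/route/flush: genfs_contexts applies the new proc_net label to both /proc/sys/net and /proc/net, so netd may now write any file under /proc/net as well (only the qtaguid ctrl node keeps its own label by longest-prefix match). If the two trees should have different write policy, give /proc/sys/net its own type and keep /proc/net read-only; otherwise update the comment to say the write covers both trees.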
diff --git a/nfc.te b/nfc.te
index efb1a14..9a354bb 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,6 +1,5 @@
# nfc subsystem
type nfc, domain;
-permissive nfc;
app_domain(nfc)
# NFC device access.
diff --git a/ping.te b/ping.te
deleted file mode 100644
index a53f057..0000000
--- a/ping.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type ping, domain;
-type ping_exec, exec_type, file_type;
-domain_auto_trans(shell, ping_exec, ping)
-domain_auto_trans(dumpstate, ping_exec, ping)
-
-allow ping self:capability net_raw;
-allow ping self:rawip_socket create_socket_perms;
-allow ping self:udp_socket create_socket_perms;
-allow ping node:rawip_socket node_bind;
-allow ping dnsproxyd_socket:sock_file write;
-allow ping netd:unix_stream_socket connectto;
-allow ping devpts:chr_file rw_file_perms;
-allow ping shell:fd use;
-
-allow ping dumpstate:fd use;
-allow ping dumpstate:unix_stream_socket { read write };
diff --git a/platform_app.te b/platform_app.te
index 5a0167e..40f2dd3 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,6 +36,7 @@
# App sandbox file accesses.
allow platformappdomain platform_app_data_file:dir create_dir_perms;
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
# App sdcard file accesses
allow platformappdomain sdcard_type:dir create_dir_perms;
allow platformappdomain sdcard_type:file create_file_perms;
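Review bot: `allow platformappdomain platform_app_data_file:file execute;` sits directly under a rule that already grants `create_file_perms` on the same type, so a platform app can write a file into its own data directory and then map it executable — write and execute on one label, with no comment saying why. Add the justification (`# Platform apps map native code from their own data dir with PROT_EXEC; needed for <which app>.`) and, if only mapping is intended, note that `execute_no_trans` is deliberately not granted so execve() of those files in the same domain stays blocked.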
diff --git a/radio.te b/radio.te
index 9de8aba..a119d75 100644
--- a/radio.te
+++ b/radio.te
@@ -1,6 +1,5 @@
# phone subsystem
type radio, domain;
-permissive radio;
app_domain(radio)
net_domain(radio)
bluetooth_domain(radio)
diff --git a/sdcardd.te b/sdcardd.te
index f9e72b7..4cf080a 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,9 +1,23 @@
type sdcardd, domain;
+permissive sdcardd;
type sdcardd_exec, exec_type, file_type;
init_daemon_domain(sdcardd)
-unconfined_domain(sdcardd)
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton;
+allow sdcardd sdcard_type:filesystem mount;
+allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
allow sdcardd media_rw_data_file:dir create_dir_perms;
allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+
+# Compatibility for existing devices with /data/media in system_data_file.
+# TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file.
+allow sdcardd system_data_file:dir create_dir_perms;
+allow sdcardd system_data_file:file create_file_perms;
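Review bot: The compatibility rules at the end grant `system_data_file:dir create_dir_perms` and `system_data_file:file create_file_perms`, and together with `dac_override` in the capability set above they let sdcardd create and write anywhere under system_data_file, not just /data/media; with `permissive sdcardd;` also added, nothing in this file is enforced yet. Give the TODO a bug reference and a removal condition so it does not outlive the migration: `# TODO(<bug>): drop once /data/media is relabeled to media_rw_data_file on upgrade; until then sdcardd can write all of system_data_file.` `sys_admin` is effectively root-equivalent; if it is only for the mount below, a comment saying so helps a later audit.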
diff --git a/shell.te b/shell.te
index 9fd7c6d..18c1dfc 100644
--- a/shell.te
+++ b/shell.te
@@ -2,6 +2,9 @@
type shell, domain, shelldomain, mlstrustedsubject;
type shell_exec, exec_type, file_type;
+# Create and use network sockets.
+net_domain(shell)
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
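Review bot: With ping.te deleted in this commit, ping now runs in the shell domain via the system_file rx rule, and `net_domain(shell)` is presumably what replaces the socket rules the ping domain carried (`self:rawip_socket create_socket_perms`, `node:rawip_socket node_bind`, `self:capability net_raw`); net_domain's body is not in this diff, so whether it covers raw IP sockets and net_raw cannot be confirmed here. Tie the grant to that reason in the comment: `# Create and use network sockets (ping runs in this domain now that the ping domain is gone).` shell_user.te receives the identical change.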
diff --git a/shell_user.te b/shell_user.te
index 27a5cd0..ad30802 100644
--- a/shell_user.te
+++ b/shell_user.te
@@ -2,6 +2,9 @@
type shell, domain, shelldomain, mlstrustedsubject;
type shell_exec, exec_type, file_type;
+# Create and use network sockets.
+net_domain(shell)
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c9dbda9..e926bc8 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -22,6 +22,7 @@
allow surfaceflinger graphics_device:chr_file rw_file_perms;
# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
allow surfaceflinger video_device:chr_file rw_file_perms;
# Create and use netlink kobject uevent sockets.
@@ -38,3 +39,8 @@
# Use open file provided by bootanim.
allow surfaceflinger bootanim:fd use;
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+allow surfaceflinger shell_data_file:file write;
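Review bot: `allow surfaceflinger shell_data_file:file write;` grants `write` without `open`, so surfaceflinger cannot open files under shell_data_file itself and can only write to a descriptor a caller hands it, presumably over the binder calls granted just above; without saying so the line reads as surfaceflinger writing into shell's data directory on its own. Suggest `# Write screenshot data to an fd supplied by dumpstate/shell over binder; no open, so only caller-provided fds.`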
diff --git a/system_server.te b/system_server.te
index 69e9cb0..09e6ec5 100644
--- a/system_server.te
+++ b/system_server.te
@@ -5,8 +5,16 @@
type system_server, domain, mlstrustedsubject;
permissive system_server;
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
# Dalvik Compiler JIT Mapping.
allow system_server self:process execmem;
+allow system_server ashmem_device:chr_file execute;
+allow system_server system_server_tmpfs:file execute;
+
+# For art.
+allow system_server dalvikcache_data_file:file execute;
# Child of the zygote.
allow system_server zygote:fd use;
@@ -92,7 +100,6 @@
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC.
-tmpfs_domain(system_server)
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
@@ -125,6 +132,7 @@
allow system_server tty_device:chr_file rw_file_perms;
allow system_server urandom_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server qemu_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
diff --git a/te_macros b/te_macros
index 3ccb86f..a05b7ac 100644
--- a/te_macros
+++ b/te_macros
@@ -88,8 +88,7 @@
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file { read write execute execmod };
+allow $1 $1_tmpfs:file { read write };
')
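Review bot: The macro no longer grants `execute` or `execmod` on `$1_tmpfs`, so any non-app domain that mapped its ashmem region PROT_EXEC will now be denied (app domains re-add `execute` in app_domain), and `execmod` — modify-then-execute, needed for text relocations — is no longer granted anywhere visible in this diff; both are sound tightenings but the macro should say so. Suggest `# Read/write only. Domains that map ashmem PROT_EXEC must add execute on $1_tmpfs themselves; execmod is intentionally not granted.`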
#####################################
@@ -108,6 +107,8 @@
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
')
#####################################
@@ -163,8 +164,6 @@
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
-# Map /dev/ashmem with PROT_EXEC.
-allow $1 ashmem_device:chr_file execute;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
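Review bot: Removing the `ashmem_device:chr_file execute` grant from binder_use means every binder client that maps ashmem PROT_EXEC now needs an explicit rule; this commit adds one for appdomain and system_server and keeps zygote's, but other binder_use callers (mediaserver, drmserver, surfaceflinger appear in this diff) get none, so any that still need it will surface as denials. Say that in the macro comment: `# No ashmem execute here: domains that map /dev/ashmem PROT_EXEC must allow ashmem_device:chr_file execute explicitly.`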
diff --git a/unconfined.te b/unconfined.te
index 45c8292..bdebf3a 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -38,5 +38,5 @@
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer set_context_mgr };
+allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
allow unconfineddomain property_type:property_service set;
diff --git a/zygote.te b/zygote.te
index 5d1f489..9092457 100644
--- a/zygote.te
+++ b/zygote.te
@@ -47,7 +47,6 @@
# handle bugreports b/10498304
allow zygote ashmem_device:chr_file execute;
-allow zygote init:binder call;
allow zygote shell_data_file:file { write getattr };
allow zygote system_server:binder { transfer call };
allow zygote servicemanager:binder { call };