Merge "Allow gatekeeperd to check Android permissions"
diff --git a/app.te b/app.te
index 5917f7c..ffaae23 100644
--- a/app.te
+++ b/app.te
@@ -58,6 +58,9 @@
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
# Keychain and user-trusted credentials
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
@@ -87,6 +90,14 @@
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
diff --git a/bluetooth.te b/bluetooth.te
index 9530702..bc2acef 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,13 +60,6 @@
service_manager_local_audit_domain(bluetooth)
auditallow bluetooth {
tmp_system_server_service
- -bluetooth_manager_service
- -connectivity_service
- -display_service
- -dropbox_service
- -media_session_service
- -network_management_service
- -power_service
-registry_service
-user_service
}:service_manager find;
diff --git a/drmserver.te b/drmserver.te
index 418ce39..d76d3be 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -50,12 +50,6 @@
allow drmserver oemfs:file r_file_perms;
allow drmserver drmserver_service:service_manager { add find };
-allow drmserver tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver {
- tmp_system_server_service
- -permission_service
-}:service_manager find;
+allow drmserver permission_service:service_manager find;
selinux_check_access(drmserver)
diff --git a/file.te b/file.te
index bbfd665..42cc8ac 100644
--- a/file.te
+++ b/file.te
@@ -82,10 +82,13 @@
type property_data_file, file_type, data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
+type mnt_expand_file, file_type;
type storage_file, file_type;
# Label for storage dirs which are just mount stubs
diff --git a/file_contexts b/file_contexts
index 7ef7b3c..fcb22e9 100644
--- a/file_contexts
+++ b/file_contexts
@@ -190,6 +190,9 @@
#############################
# Data files
#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
/data(/.*)? u:object_r:system_data_file:s0
/data/.layout_version u:object_r:install_data_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
@@ -240,10 +243,23 @@
/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
diff --git a/installd.te b/installd.te
index 2187a15..6c7fea4 100644
--- a/installd.te
+++ b/installd.te
@@ -16,6 +16,7 @@
allow installd oemfs:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
+allow installd mnt_expand_file:dir search;
# Check validity of SELinux context before use.
selinux_check_context(installd)
# Read /seapp_contexts and /data/security/seapp_contexts
diff --git a/mediaserver.te b/mediaserver.te
index 835802e..6497101 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -83,15 +83,15 @@
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
allow mediaserver tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
tmp_system_server_service
- -permission_service
- -power_service
- -processinfo_service
-scheduling_policy_service
}:service_manager find;
diff --git a/nfc.te b/nfc.te
index 0cfc447..e4a4ccb 100644
--- a/nfc.te
+++ b/nfc.te
@@ -30,13 +30,6 @@
service_manager_local_audit_domain(nfc)
auditallow nfc {
tmp_system_server_service
- -bluetooth_manager_service
- -connectivity_service
- -content_service
- -display_service
- -dropbox_service
- -network_management_service
- -power_service
-registry_service
-trust_service
-user_service
diff --git a/platform_app.te b/platform_app.te
index 2f1b87c..2943e6c 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -30,6 +30,7 @@
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app tmp_system_server_service:service_manager find;
@@ -39,27 +40,6 @@
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
- -bluetooth_manager_service
- -connectivity_service
- -content_service
- -device_policy_service
- -display_service
- -dreams_service
- -dropbox_service
- -fingerprint_service
- -graphicsstats_service
- -input_method_service
- -input_service
- -lock_settings_service
- -media_projection_service
- -media_router_service
- -media_session_service
- -mount_service
- -netpolicy_service
- -netstats_service
- -network_management_service
- -notification_service
- -power_service
-registry_service
-search_service
-sensorservice_service
diff --git a/radio.te b/radio.te
index 76ffda7..469f1d9 100644
--- a/radio.te
+++ b/radio.te
@@ -41,18 +41,6 @@
service_manager_local_audit_domain(radio)
auditallow radio {
tmp_system_server_service
- -bluetooth_manager_service
- -connectivity_service
- -content_service
- -country_detector_service
- -display_service
- -dropbox_service
- -imms_service
- -input_method_service
- -netstats_service
- -network_management_service
- -notification_service
- -power_service
-registry_service
-trust_service
-user_service
diff --git a/service.te b/service.te
index 2341ff0..fa4d56e 100644
--- a/service.te
+++ b/service.te
@@ -22,57 +22,56 @@
type audio_service, app_api_service, system_server_service, service_manager_type;
type backup_service, system_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, system_server_service, service_manager_type;
-type battery_service, tmp_system_server_service, service_manager_type;
-type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
-type clipboard_service, tmp_system_server_service, service_manager_type;
-type IMms_service, tmp_system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, system_api_service, system_server_service, service_manager_type;
-type commontime_management_service, tmp_system_server_service, service_manager_type;
-type connectivity_service, tmp_system_server_service, service_manager_type;
+type commontime_management_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
-type content_service, tmp_system_server_service, service_manager_type;
-type country_detector_service, tmp_system_server_service, service_manager_type;
+type content_service, app_api_service, system_server_service, service_manager_type;
+type country_detector_service, system_api_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, tmp_system_server_service, service_manager_type;
-type deviceidle_service, tmp_system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type deviceidle_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, tmp_system_server_service, service_manager_type;
-type display_service, tmp_system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, tmp_system_server_service, service_manager_type;
-type dropbox_service, tmp_system_server_service, service_manager_type;
-type ethernet_service, tmp_system_server_service, service_manager_type;
-type fingerprint_service, tmp_system_server_service, service_manager_type;
+type dreams_service, system_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, tmp_system_server_service, service_manager_type;
-type hardware_service, tmp_system_server_service, service_manager_type;
-type hdmi_control_service, tmp_system_server_service, service_manager_type;
-type input_method_service, tmp_system_server_service, service_manager_type;
-type input_service, tmp_system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, tmp_system_server_service, service_manager_type;
-type launcherapps_service, tmp_system_server_service, service_manager_type;
-type location_service, tmp_system_server_service, service_manager_type;
-type lock_settings_service, tmp_system_server_service, service_manager_type;
-type media_projection_service, tmp_system_server_service, service_manager_type;
-type media_router_service, tmp_system_server_service, service_manager_type;
-type media_session_service, tmp_system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, system_server_service, service_manager_type;
-type mount_service, tmp_system_server_service, service_manager_type;
-type netpolicy_service, tmp_system_server_service, service_manager_type;
-type netstats_service, tmp_system_server_service, service_manager_type;
-type network_management_service, tmp_system_server_service, service_manager_type;
-type network_score_service, tmp_system_server_service, service_manager_type;
-type notification_service, tmp_system_server_service, service_manager_type;
-type package_service, tmp_system_server_service, service_manager_type;
-type permission_service, tmp_system_server_service, service_manager_type;
-type persistent_data_block_service, tmp_system_server_service, service_manager_type;
-type power_service, tmp_system_server_service, service_manager_type;
-type print_service, tmp_system_server_service, service_manager_type;
-type processinfo_service, tmp_system_server_service, service_manager_type;
-type procstats_service, tmp_system_server_service, service_manager_type;
+type mount_service, app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, system_server_service, service_manager_type;
+type netstats_service, system_api_service, system_server_service, service_manager_type;
+type network_management_service, system_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_server_service, service_manager_type;
+type power_service, app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, tmp_system_server_service, service_manager_type;
type rttmanager_service, tmp_system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 003a858..49773b7 100644
--- a/service_contexts
+++ b/service_contexts
@@ -17,7 +17,6 @@
bluetooth u:object_r:bluetooth_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
-com.android.internal.telephony.mms.IMms u:object_r:IMms_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
commontime_management u:object_r:commontime_management_service:s0
common_time.clock u:object_r:mediaserver_service:s0
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 007be96..c83caf2 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -60,14 +60,14 @@
# media.player service
allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(surfaceflinger)
auditallow surfaceflinger {
tmp_system_server_service
- -permission_service
- -power_service
-window_service
}:service_manager find;
diff --git a/system_app.te b/system_app.te
index 565db59..9b4e29a 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,26 +60,6 @@
service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
- -bluetooth_manager_service
- -connectivity_service
- -content_service
- -device_policy_service
- -display_service
- -dreams_service
- -dropbox_service
- -fingerprint_service
- -graphicsstats_service
- -input_method_service
- -input_service
- -lock_settings_service
- -media_session_service
- -mount_service
- -netstats_service
- -network_management_service
- -network_score_service
- -notification_service
- -power_service
- -print_service
-registry_service
-restrictions_service
-sensorservice_service
diff --git a/system_server.te b/system_server.te
index 27fd704..cb5d5cb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -14,6 +14,7 @@
# For art.
allow system_server dalvikcache_data_file:file execute;
+allow system_server dalvikcache_data_file:dir r_dir_perms;
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
@@ -174,7 +175,7 @@
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:file create_file_perms;
+allow system_server apk_data_file:file { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
@@ -201,6 +202,10 @@
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
@@ -371,32 +376,6 @@
service_manager_local_audit_domain(system_server)
auditallow system_server {
tmp_system_server_service
- -bluetooth_manager_service
- -connectivity_service
- -content_service
- -country_detector_service
- -device_policy_service
- -display_service
- -dreams_service
- -dropbox_service
- -ethernet_service
- -graphicsstats_service
- -hdmi_control_service
- -input_method_service
- -input_service
- -jobscheduler_service
- -location_service
- -lock_settings_service
- -media_router_service
- -media_session_service
- -mount_service
- -netpolicy_service
- -network_management_service
- -network_score_service
- -notification_service
- -package_service
- -permission_service
- -power_service
-registry_service
-sensorservice_service
-statusbar_service
@@ -456,6 +435,9 @@
# we shouldn't be killed during unsafe removal
allow system_server sdcard_type:dir { getattr search };
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
###
### Neverallow rules
###
diff --git a/untrusted_app.te b/untrusted_app.te
index 7026a84..c94092a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -87,40 +87,12 @@
# TODO: remove this once priv-apps are no longer running in untrusted_app
allow untrusted_app system_api_service:service_manager find;
+# TODO: remove and replace with specific package that accesses this
+allow untrusted_app persistent_data_block_service:service_manager find;
+
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
tmp_system_server_service
- -bluetooth_manager_service
- -clipboard_service
- -connectivity_service
- -content_service
- -country_detector_service
- -default_android_service
- -device_policy_service
- -diskstats_service
- -display_service
- -dropbox_service
- -graphicsstats_service
- -healthd_service
- -imms_service
- -input_method_service
- -input_service
- -jobscheduler_service
- -launcherapps_service
- -location_service
- -lock_settings_service
- -media_router_service
- -media_session_service
- -meminfo_service
- -mount_service
- -netpolicy_service
- -netstats_service
- -network_management_service
- -network_score_service
- -notification_service
- -persistent_data_block_service
- -power_service
- -procstats_service
-registry_service
-rttmanager_service
-search_service
diff --git a/vold.te b/vold.te
index dfdc3d9..b534c1e 100644
--- a/vold.te
+++ b/vold.te
@@ -52,6 +52,12 @@
allow vold mnt_user_file:dir create_dir_perms;
allow vold mnt_user_file:lnk_file create_file_perms;
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold media_rw_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
@@ -95,8 +101,8 @@
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;
-# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { create rw_dir_perms mounton };
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
