am bf323ff8: am 21827ff0: am f82f5e01: Accept command-line input for neverallow-check.

* commit 'bf323ff8037e92cdb0bb215aeec6f5c6142c74a2':
diff --git a/dex2oat.te b/dex2oat.te
index 5fded36..f7de25d 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -12,3 +12,4 @@
 # locked APKs.
 allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
+allow dex2oat oemfs:file read;
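Review bot: The added `oemfs` rule on the last line of the hunk has no explanation of its own and sits under a comment about locked APKs, a comment that begins above the hunk. Like the two rules before it, it grants `read` without `open`, which looks deliberate: dex2oat presumably works on a descriptor opened by its caller. That is worth recording, for example `# OEM-partition APKs: read through a descriptor passed in by the caller, no open.`; confirm the wording against the real caller before adding it.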
diff --git a/domain.te b/domain.te
index cb1c4f3..c978ffa 100644
--- a/domain.te
+++ b/domain.te
@@ -59,6 +59,10 @@
 
   # allow "gdbserver --attach" to work for su.
   allow domain su:process sigchld;
+
+  # Allow writing coredumps to /cores/*
+  allow domain coredump_file:file create_file_perms;
+  allow domain coredump_file:dir ra_dir_perms;
 ')
 
 ###
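Review bot: The two added rules give every domain `create_file_perms` on a single shared `coredump_file` type, so SELinux no longer stops one process from reading, renaming or unlinking a core file written by another, and a core file holds whatever secrets were in the crashed process's memory. Isolation between dumps then rests entirely on the DAC owner and mode of `/cores`, which deserves a comment next to the rule, e.g. `# NOTE: all domains share coredump_file; per-process isolation relies on DAC modes of /cores`. The closing `')` suggests the rules sit inside a build-type conditional whose opening line is outside the hunk; confirm it is the userdebug/eng guard, because the `/cores` entry in file_contexts labels the directory on every build. Whether `rename` and `unlink` from the macro are actually needed for dump creation is also worth checking.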
diff --git a/file.te b/file.te
index 6ac6002..9e56d7f 100644
--- a/file.te
+++ b/file.te
@@ -43,6 +43,8 @@
 type unlabeled, file_type;
 # Default type for anything under /system.
 type system_file, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
 # /data/.layout_version or other installd-created files that
diff --git a/file_contexts b/file_contexts
index fce051b..62802e0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -219,6 +219,9 @@
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 
+# coredump directory for userdebug/eng devices
+/cores(/.*)?                    u:object_r:coredump_file:s0
+
 # Wallpaper file for other users
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
 #############################
diff --git a/global_macros b/global_macros
index b4a934d..62d5934 100644
--- a/global_macros
+++ b/global_macros
@@ -41,7 +41,7 @@
 
 #####################################
 # Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
 define(`create_socket_perms', `{ create rw_socket_perms }')
 define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
 define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
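Review bot: Adding `lock` to `rw_socket_perms` widens every rule built on that macro, including `create_socket_perms`, `rw_stream_socket_perms` and `create_stream_socket_perms` defined just below it, and the hunk gives no reason for the change. A comment above the define naming the denial or caller that needed it, such as `# lock: required by <caller / denial, fill in>`, would let a later reader judge whether the permission belongs in the shared macro or in one domain's rule. Without that record, the extra permission is hard to audit or to remove later.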
diff --git a/property.te b/property.te
index cfa3ec9..aff073a 100644
--- a/property.te
+++ b/property.te
@@ -3,6 +3,7 @@
 type debug_prop, property_type;
 type debuggerd_prop, property_type;
 type dhcp_prop, property_type;
+type fingerprint_prop, property_type;
 type radio_prop, property_type;
 type net_radio_prop, property_type;
 type system_radio_prop, property_type;
diff --git a/property_contexts b/property_contexts
index f89c432..91ab594 100644
--- a/property_contexts
+++ b/property_contexts
@@ -49,6 +49,10 @@
 vold.                   u:object_r:vold_prop:s0
 crypto.                 u:object_r:vold_prop:s0
 
+# ro.build.fingerprint is either set in /system/build.prop, or is
+# set at runtime by system_server.
+build.fingerprint       u:object_r:fingerprint_prop:s0
+
 # ctl properties
 ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
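Review bot: The added comment names `ro.build.fingerprint` while the key on the following line is `build.fingerprint`, which reads as a typo to anyone who does not know how the lookup works. Presumably the property service drops a leading `ro.` before matching against this file; if so, say it in the comment, e.g. `# (matched after the "ro." prefix is stripped)`. Entries in this file appear to be prefixes (`vold.`, `crypto.`), so it is also worth confirming that no other property starting with `build.fingerprint` picks up `fingerprint_prop` unintentionally.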
diff --git a/radio.te b/radio.te
index d0018ea..7d90706 100644
--- a/radio.te
+++ b/radio.te
@@ -17,6 +17,9 @@
 
 allow radio alarm_device:chr_file rw_file_perms;
 
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
 # Property service
 allow radio radio_prop:property_service set;
 allow radio net_radio_prop:property_service set;
diff --git a/recovery.te b/recovery.te
index 204c096..821da01 100644
--- a/recovery.te
+++ b/recovery.te
@@ -50,6 +50,8 @@
   # TODO: create more specific label?
   allow recovery sysfs:file w_file_perms;
 
+  access_kmsg(recovery)
+
   # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
   allow recovery adb_device:chr_file rw_file_perms;
   allow recovery functionfs:dir search;
diff --git a/service_contexts b/service_contexts
index 8585fcf..767d7db 100644
--- a/service_contexts
+++ b/service_contexts
@@ -102,7 +102,7 @@
 statusbar                                 u:object_r:system_server_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:system_server_service:s0
-telecom                                   u:object_r:radio_service:s0
+telecom                                   u:object_r:system_server_service:s0
 telephony.registry                        u:object_r:system_server_service:s0
 textservices                              u:object_r:system_server_service:s0
 trust                                     u:object_r:system_server_service:s0
diff --git a/shell.te b/shell.te
index 5f70cd0..77b21be 100644
--- a/shell.te
+++ b/shell.te
@@ -21,6 +21,7 @@
 allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
 
 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)
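Review bot: The new `shell_data_file:lnk_file` rule carries no comment, and it lets the shell domain place symlinks in a directory that other domains read by path; the untrusted_app.te context in this same commit shows `shell_data_file:file r_file_perms` and `shell_data_file:dir r_dir_perms` for apps. Domains more privileged than shell that open paths under that directory should not be granted `shell_data_file:lnk_file read`, or should open with O_NOFOLLOW, so that a link cannot redirect their access. A comment such as `# Let adb shell users create symlinks under the shell data directory` would document the intent. `create_file_perms` also carries file-only permissions that have no use on a symlink, so an explicit permission list would be tighter.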
diff --git a/system_app.te b/system_app.te
index ea23c81..0930ca0 100644
--- a/system_app.te
+++ b/system_app.te
@@ -45,6 +45,9 @@
 allow system_app anr_data_file:dir ra_dir_perms;
 allow system_app anr_data_file:file create_file_perms;
 
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
 allow system_app system_app_service:service_manager add;
 
 allow system_app keystore:keystore_key {
diff --git a/system_server.te b/system_server.te
index 5786c2e..d45d5de 100644
--- a/system_server.te
+++ b/system_server.te
@@ -278,6 +278,7 @@
 allow system_server system_radio_prop:property_service set;
 allow system_server debug_prop:property_service set;
 allow system_server powerctl_prop:property_service set;
+allow system_server fingerprint_prop:property_service set;
 
 # ctl interface
 allow system_server ctl_default_prop:property_service set;
diff --git a/untrusted_app.te b/untrusted_app.te
index 1142b7a..c5c887f 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -32,7 +32,6 @@
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
 # ASEC
-allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;
 # Execute libs in asec containers.
 allow untrusted_app asec_public_file:file { execute execmod };
@@ -48,6 +47,14 @@
 allow untrusted_app shell_data_file:file r_file_perms;
 allow untrusted_app shell_data_file:dir r_dir_perms;
 
+# b/18504118: Allow reads from /data/anr/traces.txt
+# TODO: We shouldn't be allowing all untrusted_apps to read
+# this file. This is only needed for the GMS feedback agent.
+# See also b/18340553. GMS runs as untrusted_app, and
+# it's too late to change the domain it runs in.
+# This line needs to be deleted.
+allow untrusted_app anr_data_file:file r_file_perms;
+
 #
 # Rules migrated from old app domains coalesced into untrusted_app.
 # This includes what used to be media_app, shared_app, and release_app.
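Review bot: `r_file_perms` on `anr_data_file:file` gives every third-party app `open`, `ioctl` and `lock` on top of `read`, for a file that holds stack traces from other processes, and the TODO above the rule states no removal condition beyond the bug numbers. If the feedback agent is handed the traces file as an already-open descriptor, `allow untrusted_app anr_data_file:file { read getattr };` would be sufficient. No `anr_data_file:dir search` rule appears in this hunk, so a path-based open presumably depends on a rule elsewhere; that dependency is worth naming in the comment. Until the rule is deleted, audit logging on this access would show which apps actually use it.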
diff --git a/zygote.te b/zygote.te
index 67660b3..adbea06 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,9 +21,6 @@
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
-# Read system security data.
-allow zygote keychain_data_file:dir r_dir_perms;
-allow zygote keychain_data_file:file r_file_perms;
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;