Merge "kernel: grant perms from domain_deprecated"
diff --git a/app.te b/app.te
index 60fb0a2..6ad58a6 100644
--- a/app.te
+++ b/app.te
@@ -237,6 +237,8 @@
 allow appdomain adbd:fd use;
 allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
+allow appdomain cache_file:dir getattr;
+
 ###
 ### Neverallow rules
 ###
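Review bot: The new `allow appdomain cache_file:dir getattr;` carries no comment saying why every app domain, untrusted_app included, needs to stat the /cache directory, while the neighbouring rules in this file are annotated. An unexplained rule is the one a later cleanup cannot tell whether it may drop. Suggest placing `# Allow apps to stat() the /cache directory (presumably mirrors the cache_file access under domain_deprecated; caller TBD)` on the line above it. Metadata-only access to a directory is low impact, but the justification should still be recorded next to the grant.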
diff --git a/blkid.te b/blkid.te
index 7a7e024..23ce3a9 100644
--- a/blkid.te
+++ b/blkid.te
@@ -1,5 +1,5 @@
 # blkid called from vold
-type blkid, domain;
+type blkid, domain, domain_deprecated;
 type blkid_exec, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label
@@ -14,9 +14,6 @@
 # For blkid launched through popen()
 allow blkid blkid_exec:file rx_file_perms;
 
-# access to /proc/filesystems
-allow blkid proc:file r_file_perms;
-
 # Only allow entry from vold
 neverallow { domain -vold } blkid:process transition;
 neverallow domain blkid:process dyntransition;
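Review bot: Deleting the narrow `allow blkid proc:file r_file_perms;` (documented as /proc/filesystems) while the first hunk of this file attaches domain_deprecated to blkid replaces one labelled, commented rule with the whole deprecated permission set. Only part of domain_deprecated is visible in this patch (cache_file reads and ion_device rw), so I cannot confirm it even covers proc:file read; if it does, the commented proc rule was the better end state, since a deprecated attribute is meant to lose members, not gain them. Suggest keeping `# access to /proc/filesystems` / `allow blkid proc:file r_file_perms;` and leaving the type line as `type blkid, domain;`, or else recording on the type line which other domain_deprecated grants blkid needs so they can be moved in explicitly.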
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
index df8e447..7e53de7 100644
--- a/blkid_untrusted.te
+++ b/blkid_untrusted.te
@@ -1,5 +1,5 @@
 # blkid for untrusted block devices
-type blkid_untrusted, domain;
+type blkid_untrusted, domain, domain_deprecated;
 
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
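Review bot: Adding domain_deprecated to blkid_untrusted contradicts its stated purpose as the more restrictive domain used when probing untrusted block devices (the vold.te comment in this same patch says so explicitly). The attribute brings in grants unrelated to reading a UUID/label, such as the cache_file reads and ion_device rw visible in domain_deprecated.te, which is exactly the surface you want absent from a process parsing attacker-controlled filesystem metadata. Suggest dropping the attribute here and granting only the specific access that was denied, with a comment naming the path; if the trigger was the same /proc/filesystems read removed from blkid.te (not visible here), that would be `# access to /proc/filesystems` / `allow blkid_untrusted proc:file r_file_perms;`.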
diff --git a/bootanim.te b/bootanim.te
index 550c6dc..fa0e4dc 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -18,10 +18,6 @@
 
 allow bootanim surfaceflinger_service:service_manager find;
 
-# For /acct/uid/*/tasks.
-allow bootanim cgroup:dir { search write };
-allow bootanim cgroup:file w_file_perms;
-
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
 
diff --git a/domain.te b/domain.te
index 60025fd..2a63c82 100644
--- a/domain.te
+++ b/domain.te
@@ -24,8 +24,7 @@
 allow domain self:fd use;
 allow domain proc:dir search;
 allow domain proc_net:dir search;
-allow domain self:dir r_dir_perms;
-allow domain self:lnk_file r_file_perms;
+r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -122,6 +121,10 @@
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
 
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
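Review bot: Moving `allow domain cgroup:dir { search write };` and `allow domain cgroup:file w_file_perms;` out of domain_deprecated (and bootanim) into domain grants every process on the device, appdomain and untrusted_app included, write access to every file carrying the cgroup label, not only the /acct/uid/*/tasks named in the comment. That is a widening of the deprecated grant to all domains rather than a retirement of it, and whatever else shares the cgroup label (not visible in this diff) becomes writable by any domain. If apps genuinely need this for task placement the comment should say so; otherwise keep the rule on the domains that write there and add a neverallow for app domains. At minimum suggest `# For /acct/uid/*/tasks (and anything else labelled cgroup). Granted to every domain because <reason>; TODO: narrow to the domains that actually write here.`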
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 0db79da..ed88cca 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -49,10 +49,6 @@
 allow domain_deprecated cache_file:file { getattr read };
 allow domain_deprecated cache_file:lnk_file r_file_perms;
 
-# For /acct/uid/*/tasks.
-allow domain_deprecated cgroup:dir { search write };
-allow domain_deprecated cgroup:file w_file_perms;
-
 #Allow access to ion memory allocation device
 allow domain_deprecated ion_device:chr_file rw_file_perms;
 
diff --git a/fsck.te b/fsck.te
index ebff968..cdf1188 100644
--- a/fsck.te
+++ b/fsck.te
@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain;
+type fsck, domain, domain_deprecated;
 type fsck_exec, exec_type, file_type;
 
 init_daemon_domain(fsck)
@@ -24,8 +24,6 @@
 # fsck performs a stat() on swap to verify that it is a valid
 # swap device before setting the EXT2_MF_SWAP mount flag.
 allow fsck swap_block_device:blk_file getattr;
-# access to /proc/swaps
-allow fsck proc:file r_file_perms;
 
 ###
 ### neverallow rules
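Review bot: This hunk deletes the narrow, well-commented `allow fsck proc:file r_file_perms;` for /proc/swaps while the first hunk of the file attaches domain_deprecated to fsck, so a single documented read is replaced by an undocumented broad attribute. fsck parses on-disk filesystem structures at boot and is a classic target for corrupted-image bugs; it should carry the minimum rule set, not the deprecated catch-all. Suggest restoring `# access to /proc/swaps` / `allow fsck proc:file r_file_perms;` and keeping `type fsck, domain;`, or documenting on the type line which other domain_deprecated grants fsck actually needs so they can be added explicitly.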
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 67c67b7..4f01db2 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
+type fsck_untrusted, domain, domain_deprecated;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
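Review bot: fsck_untrusted exists, per its header, to run fsck on untrusted block devices under a tighter policy than fsck, and this hunk gives it the domain_deprecated attribute with no comment on which denial it fixes. A process parsing an attacker-supplied filesystem image is the last one that should inherit the deprecated grant set (cache_file reads and ion_device rw are visible in domain_deprecated.te in this patch). Suggest removing domain_deprecated here and adding only the specific rule that was missing, with a comment naming the file it touches.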
diff --git a/healthd.te b/healthd.te
index d09eab4..4f2a2ea 100644
--- a/healthd.te
+++ b/healthd.te
@@ -5,6 +5,9 @@
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;
 
+# Read access to pseudo filesystems.
+r_dir_file(healthd, sysfs)
+
 allow healthd self:capability { net_admin sys_tty_config };
 wakelock_use(healthd)
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
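Review bot: `r_dir_file(healthd, sysfs)` grants read of every file under the broad sysfs label, and the comment "Read access to pseudo filesystems." does not say which entries healthd needs. If the reads are the battery/charger nodes (presumably; not visible here), a dedicated sysfs sub-label would be the least-privilege form, as recovery.te's "TODO: create more specific label?" already notes for its own sysfs write. Suggest `# Read battery/charger state from sysfs (TODO: label the specific nodes instead of all of sysfs).`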
diff --git a/recovery.te b/recovery.te
index d2cc90e..afacf40 100644
--- a/recovery.te
+++ b/recovery.te
@@ -48,7 +48,7 @@
   # TODO: create more specific label?
   allow recovery sysfs:file w_file_perms;
 
-  access_kmsg(recovery)
+  allow recovery kernel:system syslog_read;
 
   # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
   allow recovery adb_device:chr_file rw_file_perms;
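Review bot: Inlining the access_kmsg macro as `allow recovery kernel:system syslog_read;` drops the explanation the macro carried in te_macros (non-destructive klogctl read of the kernel log), leaving the rule uncommented; the enclosing block these indented lines belong to starts and ends outside the hunk. Suggest `# Read the kernel log via klogctl, non-destructively (see man 2 klogctl)` above the rule. Since the macro itself is deleted in this same patch, any other caller of access_kmsg outside this diff will now fail to build and should be checked.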
diff --git a/sdcardd.te b/sdcardd.te
index a664820..846c59b 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,9 +1,10 @@
-type sdcardd, domain;
+type sdcardd, domain, domain_deprecated;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
+allow sdcardd tmpfs:dir r_dir_perms;
 allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
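Review bot: `allow sdcardd tmpfs:dir r_dir_perms;` is added with no comment, in a hunk that also attaches domain_deprecated to a daemon already holding `cgroup:dir create_dir_perms` and a `rootfs:dir mounton` flagged as deprecated. A FUSE daemon mediating all app access to external storage should have each grant justified so the deprecated ones can be retired. Suggest `# Read directory entries under tmpfs (presumably /dev) for <reason>` above the tmpfs rule, and a comment on the type line naming which domain_deprecated grants sdcardd relies on.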
diff --git a/sgdisk.te b/sgdisk.te
index 8a689a1..b8d6b3f 100644
--- a/sgdisk.te
+++ b/sgdisk.te
@@ -1,5 +1,5 @@
 # sgdisk called from vold
-type sgdisk, domain;
+type sgdisk, domain, domain_deprecated;
 type sgdisk_exec, exec_type, file_type;
 
 # Allowed to read/write low-level partition tables
diff --git a/te_macros b/te_macros
index 6d91835..4d18973 100644
--- a/te_macros
+++ b/te_macros
@@ -270,16 +270,6 @@
 ')
 
 #####################################
-# access_kmsg(domain)
-# Ability to read from kernel logs
-# and execute the klogctl syscall
-# in a non destructive manner. See
-# man 2 klogctl
-define(`access_kmsg', `
-allow $1 kernel:system syslog_read;
-')
-
-#####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
 define(`create_pty', `
diff --git a/untrusted_app.te b/untrusted_app.te
index 7aedc39..a92323e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -92,6 +92,8 @@
 # TODO: access of /proc/meminfo, give specific label or switch to
 # using meminfo service
 allow untrusted_app proc:file r_file_perms;
+# access /proc/net/xt_qtguid/stats
+r_dir_file(untrusted_app, proc_net)
 
 ###
 ### neverallow rules
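Review bot: `r_dir_file(untrusted_app, proc_net)` gives untrusted apps read access to every file under the proc_net label, far more than the /proc/net/xt_qtguid/stats named in the comment, and the adjacent rule shows this file already marks that kind of over-grant with a TODO for /proc/meminfo. Other entries under /proc/net (socket tables, for example) are an information-disclosure surface about other processes' network activity, so this grant should carry the same marker so it is not mistaken for a deliberate minimum. Suggest `# TODO: give /proc/net/xt_qtguid/stats its own label; r_dir_file on proc_net exposes all of /proc/net to untrusted apps.`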
diff --git a/vold.te b/vold.te
index e16ec73..67e461a 100644
--- a/vold.te
+++ b/vold.te
@@ -8,6 +8,17 @@
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
 
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(vold, proc)
+r_dir_file(vold, proc_net)
+r_dir_file(vold, sysfs)
+r_dir_file(vold, rootfs)
+
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
 domain_trans(vold, shell_exec, blkid);
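Review bot: The four `r_dir_file(vold, …)` lines for proc, proc_net, sysfs and rootfs grant blanket read of those pseudo filesystems under a comment that names no file, so nobody can later tell which of the four is still needed. vold handles untrusted media and this file already shows the intended pattern for a narrow grant (the cache_file lines just above say exactly what they are for). Suggest replacing the generic comment with one listing the paths that were actually denied, e.g. `# Read access to pseudo filesystems: <paths under /proc, /proc/net, /sys and / that vold reads> (TODO: label and narrow).`, and dropping any of the four labels that no denial required.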
diff --git a/zygote.te b/zygote.te
index 30ac4ed..421a54b 100644
--- a/zygote.te
+++ b/zygote.te
@@ -64,6 +64,16 @@
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
 
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+allow zygote rootfs:file r_file_perms;
+
+# System file accesses.
+allow zygote system_file:dir r_dir_perms;
+allow zygote system_file:file r_file_perms;
+
 userdebug_or_eng(`
   # Allow zygote to create and write method traces in /data/misc/trace.
   allow zygote method_trace_data_file:dir w_dir_perms;
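Review bot: `r_dir_file(zygote, proc_net)` is added under the generic "Read access to pseudo filesystems." with nothing saying what zygote reads from /proc/net, and the system_file dir/file reads below it may already be covered by domain-wide rules in domain.te (not visible in this diff; worth checking before adding duplicates). Zygote presumably spawns app processes, which makes an unexplained broad read grant more worth justifying here than elsewhere. Suggest `# Read <specific file> under /proc/net` on the proc_net line and, if the system_file rules duplicate domain.te, dropping them.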