Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret."
diff --git a/private/file_contexts b/private/file_contexts
index fa27bd1..a6851b7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -76,6 +76,7 @@
 /dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)?        u:object_r:cgroup:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
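Review bot: The new `/dev/memcg(/.*)?` entry reuses the generic `cgroup` type, so every domain that already holds cgroup access (for example `r_dir_file(dumpstate, cgroup)` in public/dumpstate.te) gets the same access to the memory-cgroup tree. If memcg files are meant to be reachable by fewer domains than the other hierarchies, a dedicated type would let later rules scope that. Otherwise a one-line comment such as `# memory cgroup hierarchy; intentionally shares the generic cgroup label` would record the decision. The entry is also aligned with spaces where the adjacent `/dev/cpuctl` and `/dev/device-mapper` lines use tabs.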
diff --git a/private/platform_app.te b/private/platform_app.te
index 42534bd..047cca4 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -38,6 +38,9 @@
 allow platform_app vfat:dir create_dir_perms;
 allow platform_app vfat:file create_file_perms;
 
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
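Review bot: The comment `# com.android.systemui` names one caller, but `allow platform_app rootfs:dir getattr;` applies to every app in the platform_app domain, and the comment does not say which operation needs it. A later audit therefore cannot tell whether the rule is still required or could be dropped. I would spell it out, e.g. `# com.android.systemui stats "/" (<reason to be filled in>); getattr only, granted to all of platform_app`. The same applies to the `# android.ui and system.ui` comment above `allow system_app rootfs:dir getattr;` in private/system_app.te.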
diff --git a/private/system_app.te b/private/system_app.te
index 606c4a0..80afcb9 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -11,6 +11,9 @@
 net_domain(system_app)
 binder_service(system_app)
 
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
 # Read and write /data/data subdirectory.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index f5231fb..7cfbdff 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -1,21 +1,5 @@
 # rules removed from the domain attribute
 
-# Search /storage/emulated tmpfs mount.
-allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -recovery
-  -sdcardd
-  -surfaceflinger
-  -system_server
-  -vold
-  -zygote
-} tmpfs:dir r_dir_perms;
-')
-
 # Root fs.
 allow domain_deprecated rootfs:dir r_dir_perms;
 allow domain_deprecated rootfs:file r_file_perms;
@@ -135,42 +119,9 @@
 } apk_data_file:lnk_file r_file_perms;
 ')
 
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -recovery
-  -system_server
-  -vold
-} cache_file:dir { open read search ioctl lock };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -recovery
-  -system_server
-  -vold
-} cache_file:dir getattr;
-auditallow {
-  domain_deprecated
-  -recovery
-  -system_server
-  -vold
-} cache_file:file { getattr read };
-auditallow {
-  domain_deprecated
-  -system_server
-  -vold
-} cache_file:lnk_file r_file_perms;
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, cgroup)
-allow domain_deprecated proc_meminfo:file r_file_perms;
 
 userdebug_or_eng(`
 auditallow {
@@ -233,41 +184,4 @@
   -ueventd
   -vold
 } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dumpstate
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:dir r_dir_perms;
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dumpstate
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:{ file lnk_file } r_file_perms;
-auditallow {
-  domain_deprecated
-  -appdomain
-  -surfaceflinger
-  -system_server
-  -vold
-} proc_meminfo:file r_file_perms;
 ')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index ee27cbe..39bd85f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -1,5 +1,5 @@
 # dumpstate
-type dumpstate, domain, domain_deprecated, mlstrustedsubject;
+type dumpstate, domain, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
 net_domain(dumpstate)
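Review bot: Dropping `domain_deprecated` from the `type dumpstate` line also drops `rootfs:file r_file_perms`, which the attribute grants in public/domain_deprecated.te, and nothing in the later dumpstate hunks adds it back. Those hunks restore only `{ search getattr }` on rootfs directories and `{ getattr read }` on rootfs symlinks. If dumpstate still opens any rootfs-labelled file, that section of the bug report would silently go missing, so it is worth confirming with a full bugreport run on a userdebug build and checking for avc denials. A comment near the type line such as `# no longer domain_deprecated; required access is granted explicitly below` would help readers find the replacements.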
@@ -28,6 +28,9 @@
 allow dumpstate system_file:file execute_no_trans;
 allow dumpstate toolbox_exec:file rx_file_perms;
 
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
@@ -81,10 +84,19 @@
 # Other random bits of data we want to collect
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
-# df for /storage/emulated needs search
-allow dumpstate { storage_file block_device }:dir { search getattr };
+
+# df for
+allow dumpstate {
+  block_device
+  cache_file
+  rootfs
+  selinuxfs
+  storage_file
+  tmpfs
+}:dir { search getattr };
 allow dumpstate fuse_device:chr_file getattr;
 allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
 
 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
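Review bot: The replacement comment `# df for` is cut off mid-sentence, while the rule below it grows from two directory types to six. I would finish it along the lines of `# df needs search/getattr on the directory of every mounted filesystem`, so the reason for each type in the set is clear. The added `allow dumpstate { cache_file rootfs }:lnk_file { getattr read };` has no comment of its own and is not obviously part of the df requirement. A line such as `# resolve symlinks in / and /cache while walking mount points` (adjusted to the real reason) would keep it from looking like an accidental widening.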
@@ -136,8 +148,10 @@
 control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 
-# Read /proc/net
+# Read files in /proc
+allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
+r_dir_file(dumpstate, proc)
 
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
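Review bot: `r_dir_file(dumpstate, proc)` grants read on every /proc entry that carries the default `proc` label, and dumpstate's output is what ends up in bug reports that leave the device. Making the grant explicit is an improvement over inheriting it from domain_deprecated, but the comment `# Read files in /proc` gives no hint of which files are actually needed. I would add `# TODO: narrow to specific proc_* types once the entries dumpstate reads are labelled`, so the broad grant is tracked rather than permanent. The same applies to `r_dir_file(dumpstate, sysfs)` in the later hunk under `# read default labeled files in /sys`.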
@@ -197,6 +211,9 @@
 # use /dev/ion for screen capture
 allow dumpstate ion_device:chr_file r_file_perms;
 
+# read default labeled files in /sys
+r_dir_file(dumpstate, sysfs)
+
 ###
 ### neverallow rules
 ###
diff --git a/public/uncrypt.te b/public/uncrypt.te
index ef1289c..6d3ee10 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -14,6 +14,7 @@
 
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 8e454cc..775bb1e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -13,6 +13,10 @@
 # requires it.
 allow update_engine_common misc_block_device:blk_file rw_file_perms;
 
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
 # Allow update_engine_common to mount on the /postinstall directory and reset the
 # labels on the mounted filesystem to postinstall_file.
 allow update_engine_common postinstall_mnt_dir:dir mounton;
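Review bot: `allow update_engine_common rootfs:file r_file_perms;` is justified by `# read fstab`, but it grants read on every file labelled rootfs, not just the fstab. If the intent really is fstab only, the comment should state the over-grant, e.g. `# read fstab (labelled rootfs, so this covers all rootfs files)`. That makes it easy to tighten if fstab later gets its own type.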
@@ -24,6 +28,8 @@
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;
 
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
 
 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
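Review bot: `r_dir_file(update_engine_common, cache_file)` also grants `lnk_file` read, so the updater may follow symlinks placed under /cache, a directory other domains can write to. If the update package is always a regular file, the symlink permission can be dropped by spelling the rule out: `allow update_engine_common cache_file:dir r_dir_perms;` and `allow update_engine_common cache_file:file r_file_perms;`. Whether any legitimate flow relies on a symlink in /cache cannot be seen from this hunk, so treat this as something to confirm.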