Snap for 5063321 from 8d6ea9f104ab850fb60e386f05d1ccfc3c36bc08 to pie-cts-release
Change-Id: Ibcd08a171e09329aa252734964d02f2b3c7a94fb
diff --git a/private/storaged.te b/private/storaged.te
index 8ad872f..65b83b9 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -49,7 +49,7 @@
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
# For collecting bugreports.
allow storaged dumpstate:fifo_file write;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 0a11558..0d062e9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
system_data_file
diff --git a/private/zygote.te b/private/zygote.te
index 2dcbdf1..8d0be61 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -7,7 +7,7 @@
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:global_capability_class_set setpcap;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 3aaefd3..e97e964 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,7 +6,7 @@
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set dac_override;
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
diff --git a/public/domain.te b/public/domain.te
index c0cd7ad..eb45b1f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1348,28 +1348,35 @@
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
-neverallow {
- domain
- -dnsmasq
- -dumpstate
- -init
- -installd
- -install_recovery
- -lmkd
- -netd
- -perfprofd
- -postinstall_dexopt
- -recovery
- -sdcardd
- -tee
- -ueventd
- -uncrypt
- -vendor_init
- -vold
- -vold_prepare_subdirs
- -zygote
-} self:capability dac_override;
-neverallow { domain -traced_probes } self:capability dac_read_search;
+define(`dac_override_allowed', `{
+ dnsmasq
+ dumpstate
+ init
+ installd
+ install_recovery
+ lmkd
+ netd
+ perfprofd
+ postinstall_dexopt
+ recovery
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ traced_probes
+} self:global_capability_class_set dac_read_search;
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 03fc737..23af7da 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -33,7 +33,7 @@
allow dumpstate system_file:dir r_dir_perms;
# Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
diff --git a/public/init.te b/public/init.te
index dafc06f..2284689 100644
--- a/public/init.te
+++ b/public/init.te
@@ -105,7 +105,7 @@
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set dac_override;
+allow init self:global_capability_class_set { dac_override dac_read_search };
# Set system clock.
allow init self:global_capability_class_set sys_time;
diff --git a/public/install_recovery.te b/public/install_recovery.te
index ab68838..24819c2 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@
type install_recovery, domain;
type install_recovery_exec, exec_type, file_type;
-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
# /system/bin/install-recovery.sh is a shell script.
# Needs to execute /system/bin/sh
diff --git a/public/installd.te b/public/installd.te
index 6aba962..f34ef0c 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
type installd, domain;
type installd_exec, exec_type, file_type;
typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
diff --git a/public/lmkd.te b/public/lmkd.te
index 472946e..fc5ea4d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,7 +2,7 @@
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;
-allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
diff --git a/public/netd.te b/public/netd.te
index 18113e7..a550b25 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -61,7 +61,7 @@
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
-allow netd self:global_capability_class_set { dac_override chown };
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f067af5..b5c0145 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -23,7 +23,7 @@
# perfprofd reads a config file from /data/data/com.google.android.gms/files
allow perfprofd app_data_file:file r_file_perms;
allow perfprofd app_data_file:dir search;
- allow perfprofd self:global_capability_class_set { dac_override };
+ allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
# perfprofd opens a file for writing in /data/misc/perfprofd
allow perfprofd perfprofd_data_file:file create_file_perms;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index ffd8bc5..8b6d6cc 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
type postinstall_dexopt, domain;
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
diff --git a/public/recovery.te b/public/recovery.te
index 57ad202..6745bd6 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -15,6 +15,7 @@
allow recovery self:global_capability_class_set {
chown
dac_override
+ dac_read_search
fowner
setuid
setgid
diff --git a/public/runas.te b/public/runas.te
index 053a87f..6c5de7c 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -18,7 +18,7 @@
allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set dac_override;
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 4a88f54..6749d16 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,7 +10,7 @@
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
allow sdcardd sdcard_type:dir create_dir_perms;
allow sdcardd sdcard_type:file create_file_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index 9b9eacb..c626051 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -5,7 +5,7 @@
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 1e48b83..e64ce3e 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,7 +2,7 @@
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
-allow uncrypt self:global_capability_class_set dac_override;
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
r_dir_file(uncrypt, app_data_file)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 4e4b313..0ac5189 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -25,7 +25,7 @@
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set dac_override;
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
diff --git a/public/vold.te b/public/vold.te
index 131f555..c2451a6 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -75,7 +75,7 @@
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
