-rw-r--r-- | dex2oat.te | 1 | ||||
-rw-r--r-- | domain.te | 4 | ||||
-rw-r--r-- | file.te | 2 | ||||
-rw-r--r-- | file_contexts | 3 | ||||
-rw-r--r-- | global_macros | 2 | ||||
-rw-r--r-- | property.te | 1 | ||||
-rw-r--r-- | property_contexts | 4 | ||||
-rw-r--r-- | radio.te | 3 | ||||
-rw-r--r-- | recovery.te | 2 | ||||
-rw-r--r-- | service_contexts | 2 | ||||
-rw-r--r-- | shell.te | 1 | ||||
-rw-r--r-- | system_app.te | 3 | ||||
-rw-r--r-- | system_server.te | 1 | ||||
-rw-r--r-- | untrusted_app.te | 9 | ||||
-rw-r--r-- | zygote.te | 3 |
15 files changed, 35 insertions, 6 deletions
@@ -12,3 +12,4 @@ allow dex2oat installd:fd use;
# locked APKs.
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
+allow dex2oat oemfs:file read;
@@ -59,6 +59,10 @@ userdebug_or_eng(`
# allow "gdbserver --attach" to work for su.
allow domain su:process sigchld;
+
+ # Allow writing coredumps to /cores/*
+ allow domain coredump_file:file create_file_perms;
+ allow domain coredump_file:dir ra_dir_perms;
')
###
@@ -43,6 +43,8 @@ type usbfs, fs_type;
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# /data/.layout_version or other installd-created files that
diff --git a/file_contexts b/file_contexts
index fce051b..62802e0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -219,6 +219,9 @@
/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+# coredump directory for userdebug/eng devices
+/cores(/.*)? u:object_r:coredump_file:s0
+
# Wallpaper file for other users
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
#############################
diff --git a/global_macros b/global_macros
index b4a934d..62d5934 100644
--- a/global_macros
+++ b/global_macros
@@ -41,7 +41,7 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
#####################################
# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
define(`create_socket_perms', `{ create rw_socket_perms }')
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
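Review bot: The domain.te rule `allow domain coredump_file:file create_file_perms;` gives every domain, untrusted_app included, read, unlink and rename on every file under /cores, which is wider than the "Allow writing coredumps" comment above it describes; on a userdebug/eng device one process could read or delete the core of another, and a core of a privileged process is likely to hold credentials or key material. Writing a core only needs the crashing process to create and append to its own file, so `allow domain coredump_file:file { create open write append getattr };` with the existing `ra_dir_perms` on the directory should suffice, assuming the kernel's coredump path needs no setattr (worth confirming with an eng build and the audit log). This only bites on debug builds since the rule sits inside the userdebug_or_eng block, whose opening is on the hunk header line, but those builds are exactly where cores get collected, and DAC on /cores is not visible here to rely on.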
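Review bot: Adding `lock` to `rw_socket_perms` in global_macros widens every existing socket rule that expands this macro (including `create_socket_perms` and the stream variants two lines below), yet the hunk records nothing about which domain hit the denial. A one-line comment above the define such as `# lock: flock()/fcntl() on a socket fd; needed by <domain> for <reason>` would let the next reader judge whether a per-domain rule would have been the tighter fix.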
diff --git a/property.te b/property.te
index cfa3ec9..aff073a 100644
--- a/property.te
+++ b/property.te
@@ -3,6 +3,7 @@ type shell_prop, property_type;
type debug_prop, property_type;
type debuggerd_prop, property_type;
type dhcp_prop, property_type;
+type fingerprint_prop, property_type;
type radio_prop, property_type;
type net_radio_prop, property_type;
type system_radio_prop, property_type;
diff --git a/property_contexts b/property_contexts
index f89c432..91ab594 100644
--- a/property_contexts
+++ b/property_contexts
@@ -49,6 +49,10 @@ selinux. u:object_r:security_prop:s0
vold. u:object_r:vold_prop:s0
crypto. u:object_r:vold_prop:s0
+# ro.build.fingerprint is either set in /system/build.prop, or is
+# set at runtime by system_server.
+build.fingerprint u:object_r:fingerprint_prop:s0
+
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
@@ -17,6 +17,9 @@ allow radio radio_data_file:notdevfile_class_set create_file_perms;
allow radio alarm_device:chr_file rw_file_perms;
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
# Property service
allow radio radio_prop:property_service set;
allow radio net_radio_prop:property_service set;
diff --git a/recovery.te b/recovery.te
index 204c096..821da01 100644
--- a/recovery.te
+++ b/recovery.te
@@ -50,6 +50,8 @@ recovery_only(`
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
+ access_kmsg(recovery)
+
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow recovery adb_device:chr_file rw_file_perms;
allow recovery functionfs:dir search;
diff --git a/service_contexts b/service_contexts
index 8585fcf..767d7db 100644
--- a/service_contexts
+++ b/service_contexts
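Review bot: The two new radio.te rules grant the radio domain search on every net_data_file directory and read on every net_data_file file without saying which file the RIL or telephony code actually opens, unlike the system_app hunk in this same change which names its consumer. Since net_data_file covers everything under that label rather than one path, the rule should carry a comment naming the file and the reader, e.g. `# Read <file> under /data/misc/net, needed by <component> for <purpose>`, so a later reviewer can decide whether a dedicated type would be tighter. The surrounding block of radio.te is only partly visible in this hunk.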
@@ -102,7 +102,7 @@ sip u:object_r:radio_service:s0
statusbar u:object_r:system_server_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:system_server_service:s0
-telecom u:object_r:radio_service:s0
+telecom u:object_r:system_server_service:s0
telephony.registry u:object_r:system_server_service:s0
textservices u:object_r:system_server_service:s0
trust u:object_r:system_server_service:s0
@@ -21,6 +21,7 @@ allow shell anr_data_file:file r_file_perms;
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)
diff --git a/system_app.te b/system_app.te
index ea23c81..0930ca0 100644
--- a/system_app.te
+++ b/system_app.te
@@ -45,6 +45,9 @@ allow system_app logd_prop:property_service set;
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
allow system_app system_app_service:service_manager add;
allow system_app keystore:keystore_key {
diff --git a/system_server.te b/system_server.te
index 5786c2e..d45d5de 100644
--- a/system_server.te
+++ b/system_server.te
@@ -278,6 +278,7 @@ allow system_server net_radio_prop:property_service set;
allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
+allow system_server fingerprint_prop:property_service set;
# ctl interface
allow system_server ctl_default_prop:property_service set;
diff --git a/untrusted_app.te b/untrusted_app.te
index 1142b7a..c5c887f 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
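Review bot: `allow shell shell_data_file:lnk_file create_file_perms;` in shell.te uses a file-oriented macro on symlinks, so it also hands out write, append, setattr, ioctl and lock, none of which a symlink needs; the usual set for a lnk_file is `allow shell shell_data_file:lnk_file { create read getattr unlink rename };`. Because other domains in this change are given access to shell_data_file (the untrusted_app hunk reads it, and dumpstate is reachable from shell via the unix_socket_connect line two lines below), a short comment stating which tool creates the links and that no privileged writer follows links under /data/local/tmp would document the symlink-following risk that this rule makes possible; that risk is an inference from the visible rules, not something this hunk demonstrates.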
@@ -32,7 +32,6 @@ allow untrusted_app app_data_file:file { rx_file_perms execmod };
allow untrusted_app tun_device:chr_file rw_file_perms;
# ASEC
-allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file { execute execmod };
@@ -48,6 +47,14 @@ create_pty(untrusted_app)
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;
+# b/18504118: Allow reads from /data/anr/traces.txt
+# TODO: We shouldn't be allowing all untrusted_apps to read
+# this file. This is only needed for the GMS feedback agent.
+# See also b/18340553. GMS runs as untrusted_app, and
+# it's too late to change the domain it runs in.
+# This line needs to be deleted.
+allow untrusted_app anr_data_file:file r_file_perms;
+
#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
@@ -21,9 +21,6 @@ allow zygote appdomain:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
-# Read system security data.
-allow zygote keychain_data_file:dir r_dir_perms;
-allow zygote keychain_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms; |
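Review bot: `allow untrusted_app anr_data_file:file r_file_perms;` in the second untrusted_app.te hunk is already flagged by its own comment as a rule that should not exist, yet it still grants every third-party app the full r_file_perms set, which includes ioctl and lock on a file the comment says only one agent needs to read. Narrowing it to `allow untrusted_app anr_data_file:file { open read getattr };` keeps the feedback agent working while removing the lock and ioctl surface on a file that system_app writes to (see the anr_data_file create_file_perms rule in this same change), and the comment should also name the condition under which the line gets removed rather than only saying it needs to be deleted. The note in the comment that traces.txt contents come from many processes is not verifiable from this hunk, so the exposure beyond the rule text itself is inferred.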