Merge upstream sepolicy into AOSP
Change-Id: Ia292607cbd06514a8ac3b0ad49eaefcdce12ef16
diff --git a/Android.mk b/Android.mk
index ee1a931..119c6ef 100644
--- a/Android.mk
+++ b/Android.mk
@@ -16,6 +16,10 @@
LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS)))
LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS)))
LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_FS_USE := $(wildcard $(addsuffix sepolicy.fs_use, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_PORT_CONTEXTS := $(wildcard $(addsuffix sepolicy.port_contexts, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_GENFS_CONTEXTS := $(wildcard $(addsuffix sepolicy.genfs_contexts, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_INITIAL_SID_CONTEXTS := $(wildcard $(addsuffix sepolicy.initial_sid_contexts, $(LOCAL_POLICY_DIRS)))
##################################
include $(CLEAR_VARS)
@@ -31,7 +35,7 @@
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te) $(LOCAL_POLICY_TE) $(addprefix $(LOCAL_PATH)/, roles users ocontexts))
+$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te) $(LOCAL_POLICY_TE) $(addprefix $(LOCAL_PATH)/, roles users initial_sid_contexts) $(LOCAL_POLICY_INITIAL_SID_CONTEXTS) $(addprefix $(LOCAL_PATH)/,fs_use) $(LOCAL_POLICY_FS_USE) $(addprefix $(LOCAL_PATH)/,genfs_contexts) $(LOCAL_POLICY_GENFS_CONTEXTS) $(addprefix $(LOCAL_PATH)/,port_contexts) $(LOCAL_POLICY_PORT_CONTEXTS))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
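Review bot: Wrapping the whole prerequisite list in `$(wildcard ...)` means a missing mandatory section file (`initial_sid_contexts`, `fs_use`, `genfs_contexts`, `port_contexts`) is dropped silently and `m4 -s $^` concatenates whatever is left, so the mistake only surfaces later as a confusing checkpolicy parse error instead of a make error at this rule. Only `*.te` and the device-overlay `$(LOCAL_POLICY_*)` variables need globbing; listing the fixed files as plain prerequisites, e.g. `$(addprefix $(LOCAL_PATH)/, roles users initial_sid_contexts fs_use genfs_contexts port_contexts)` outside the `$(wildcard)`, lets make report a missing file by name. Because the sections are concatenated in policy-language order, a comment such as `# order matters: sections are concatenated in the order checkpolicy expects` on the rule would protect that ordering from a well-meaning reshuffle. The recipe of this rule may continue past the end of the hunk.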
@@ -53,7 +57,7 @@
file_contexts := $(intermediates)/file_contexts
$(file_contexts): $(LOCAL_PATH)/file_contexts $(LOCAL_POLICY_FC)
@mkdir -p $(dir $@)
- $(hide) cat $^ > $@
+ $(hide) m4 -s $^ > $@
file_contexts :=
##################################
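Review bot: Switching the file_contexts build from `cat` to `m4 -s` (here, and in the property_contexts rule in the next hunk) passes every path regex and context string through m4 macro expansion, with only the m4 builtins in scope since no macro file appears in `$^`. An entry whose path component equals a builtin name (`index`, `len`, `eval`, `include`, `dnl`) or that contains an unbalanced backquote or apostrophe would be rewritten or swallowed with no error, and `-s` also injects `#line` synclines that the consumer must tolerate as comments. If macro use in device `sepolicy.fc`/`sepolicy.pc` overlays is the goal, `m4 -P -s $^ > $@` (`--prefix-builtins`, so only `m4_`-prefixed names expand) removes the collision risk; otherwise a comment such as `# entries are m4-processed: avoid bare builtin names and unquoted backquotes/apostrophes` documents the constraint.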
@@ -80,9 +84,34 @@
property_contexts := $(intermediates)/property_contexts
$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC)
@mkdir -p $(dir $@)
- $(hide) cat $^ > $@
+ $(hide) m4 -s $^ > $@
property_contexts :=
##################################
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := selinux-network.sh
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+LOCAL_MODULE_CLASS := EXECUTABLES
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)
+
+include $(BUILD_PREBUILT)
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
+
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+
+include $(BUILD_PREBUILT)
+
+##################################
+
endif #ifeq ($(HAVE_SELINUX),true)
diff --git a/NOTICE b/NOTICE
new file mode 100644
index 0000000..e4ebf52
--- /dev/null
+++ b/NOTICE
@@ -0,0 +1,21 @@
+This configuration (sepolicy) is public domain, i.e. not copyrighted.
+
+Warranty Exclusion
+------------------
+You agree that this software is a
+non-commercially developed program that may contain "bugs" (as that
+term is used in the industry) and that it may not function as intended.
+The software is licensed "as is". NSA makes no, and hereby expressly
+disclaims all, warranties, express, implied, statutory, or otherwise
+with respect to the software, including noninfringement and the implied
+warranties of merchantability and fitness for a particular purpose.
+
+Limitation of Liability
+-----------------------
+In no event will NSA be liable for any damages, including loss of data,
+lost profits, cost of cover, or other special, incidental,
+consequential, direct or indirect damages arising from the software or
+the use thereof, however caused and on any theory of liability. This
+limitation will apply even if NSA has been advised of the possibility
+of such damage. You acknowledge that this is a reasonable allocation of
+risk.
diff --git a/access_vectors b/access_vectors
index 4b0c4b1..4de3463 100644
--- a/access_vectors
+++ b/access_vectors
@@ -445,6 +445,8 @@
mac_override # unused by SELinux
mac_admin # unused by SELinux
syslog
+ wake_alarm
+ block_suspend
}
#
diff --git a/app.te b/app.te
index 7e06c10..028bf45 100644
--- a/app.te
+++ b/app.te
@@ -4,41 +4,92 @@
#
#
-# Trusted apps.
+# Apps signed with the platform key.
#
-type trusted_app, domain;
-app_domain(trusted_app)
+type platform_app, domain;
+app_domain(platform_app)
+platform_app_domain(platform_app)
# Access the network.
-net_domain(trusted_app)
+net_domain(platform_app)
# Access bluetooth.
-bluetooth_domain(trusted_app)
+bluetooth_domain(platform_app)
# Read logs.
-allow trusted_app log_device:chr_file read;
-# Access /dev/mtp_usb.
-# XXX Split android.process.media into a separate domain?
-allow trusted_app mtp_device:chr_file rw_file_perms;
+allow platform_app log_device:chr_file read;
# Write to /cache.
-allow trusted_app cache_file:dir rw_dir_perms;
-allow trusted_app cache_file:file create_file_perms;
+allow platform_app cache_file:dir rw_dir_perms;
+allow platform_app cache_file:file create_file_perms;
# Read from /data/local.
-allow trusted_app shell_data_file:dir search;
-allow trusted_app shell_data_file:file { open getattr read };
-allow trusted_app shell_data_file:lnk_file read;
-# Access the sdcard.
-allow trusted_app sdcard:dir create_dir_perms;
-allow trusted_app sdcard:file create_file_perms;
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp file created by system server.
-allow trusted_app apk_tmp_file:file rw_file_perms;
+allow platform_app apk_tmp_file:file rw_file_perms;
+# Read/[open] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow platform_app qtaguid_proc:file { open };
+allow platform_app qtaguid_device:chr_file r_file_perms;
+
+# Apps signed with the media key.
+type media_app, domain;
+app_domain(media_app)
+platform_app_domain(media_app)
+# Access the network.
+net_domain(media_app)
+# Read logs.
+allow media_app log_device:chr_file read;
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file rw_file_perms;
+# Write to /cache.
+allow media_app cache_file:dir rw_dir_perms;
+allow media_app cache_file:file create_file_perms;
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow media_app qtaguid_proc:file rw_file_perms;
+allow media_app qtaguid_device:chr_file r_file_perms;
+
+# Apps signed with the shared key.
+type shared_app, domain;
+app_domain(shared_app)
+platform_app_domain(shared_app)
+# Access the network.
+net_domain(shared_app)
+# Access bluetooth.
+bluetooth_domain(shared_app)
+# Read logs.
+allow shared_app log_device:chr_file read;
+
+# Apps signed with the release key (testkey in AOSP).
+type release_app, domain;
+app_domain(release_app)
+platform_app_domain(release_app)
+# Access the network.
+net_domain(release_app)
+# Access bluetooth.
+bluetooth_domain(release_app)
+# Read logs.
+allow release_app log_device:chr_file read;
#
# An example of a specific domain for a specific app
# A domain for com.android.browser.
type browser_app, domain;
app_domain(browser_app)
+platform_app_domain(browser_app)
# Access the network.
net_domain(browser_app)
#
+# Rules for platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+# App sdcard file accesses
+allow platformappdomain sdcard:dir create_dir_perms;
+allow platformappdomain sdcard:file create_file_perms;
+# System data file accesses (e.g, shared objects from the lib directory)
+allow platformappdomain system_data_file:file { execute open };
+
+#
# Untrusted apps.
#
type untrusted_app, domain;
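Review bot: `release_app` is documented as keyed to the AOSP testkey, yet `platform_app_domain(release_app)` gives it the same `platform_app_data_file`, `sdcard` and `system_data_file:file { execute open }` access as the genuine platform-key domain. On any build that ships the public AOSP test certificates, anything signed with that widely available key lands in a domain that can execute from system-owned data directories and read or write platform app data, so these per-key domains are only as strong as the keys behind them. A comment on the stanza, e.g. `# release_app is only meaningful when the release key is private; with the AOSP testkey any test-signed app gets it`, would make the assumption explicit, and the same caveat applies to the release signer stanza in mac_permissions.xml. The `untrusted_app` definition that starts on the last line of this hunk continues outside it.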
@@ -54,10 +105,12 @@
allow untrusted_app port_type:udp_socket name_bind;
allow untrusted_app port_type:tcp_socket name_bind;
unix_socket_connect(untrusted_app, dnsproxyd, netd)
+# Get route information.
+allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };
}
# Bluetooth access.
bool app_bluetooth false;
-if (app_bluetooth) {
+if (app_bluetooth or android_cts) {
# No specific SELinux class for bluetooth sockets presently.
allow untrusted_app self:socket *;
}
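Review bot: The new rule `allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };` grants no `write`, yet obtaining route information over rtnetlink means sending an RTM_GET* request first; the equivalent rule in cts.te in this same change (`{ create read write nlmsg_read }`) does include it. If the omission is deliberate, a comment saying so would stop someone "fixing" it later; otherwise the rule is likely dead and the missing `write` will show up as a denial. This hunk sits inside an `if` block whose opening line is outside the hunk.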
@@ -69,8 +122,13 @@
}
# Native app support.
bool app_ndk false;
-if (app_ndk) {
-allow untrusted_app app_data_file:file execute;
+if (app_ndk or android_cts) {
+allow untrusted_app system_data_file:file { execute open };
+}
+# Read Logs
+bool app_read_logs false;
+if (app_read_logs or android_cts) {
+allow untrusted_app log_device:chr_file read;
}
#
@@ -86,13 +144,20 @@
# Notify zygote of death;
allow appdomain zygote:process sigchld;
-# Communicate over a FIFO to system processes.
+# Communicate over a FIFO or socket created by the system_server.
allow appdomain system:fifo_file rw_file_perms;
+allow appdomain system:unix_stream_socket { read write };
+
+# Communicate over a socket created by surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+# Read/write data files created by the platform apps.
+allow appdomain platform_app_data_file:file rw_file_perms;
+
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
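Review bot: `allow appdomain platform_app_data_file:file rw_file_perms;` hands every app domain, `untrusted_app` included, read/write on files owned by platform apps, which undercuts the point of giving platform apps their own data type. The rule does not distinguish how the file is reached, so (assuming `rw_file_perms` includes `open`, as its usual definition does) any platform app data file an untrusted app can open by path, not only one handed over as a descriptor, becomes writable. If descriptor passing is the intended sharing channel, `{ read write getattr }` without `open`, in the spirit of the `{ read write }` used for `system:unix_stream_socket` a few lines up, keeps that channel while closing the path-based one; otherwise a comment naming the sharing use case would help reviewers.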
@@ -103,6 +168,9 @@
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain qtaguid_proc:file write;
+
# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
diff --git a/attributes b/attributes
index 1016ec6..ef4a170 100644
--- a/attributes
+++ b/attributes
@@ -58,3 +58,6 @@
# All domains used for binder service domains.
attribute binderservicedomain;
+
+# Allow domains used for platform (signed by build key) apps.
+attribute platformappdomain;
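Review bot: The new comment `# Allow domains used for platform (signed by build key) apps.` reads as a grant rather than a description; the sibling comment on `binderservicedomain` uses "All domains used for …", so `# All domains used for platform (signed by build key) apps.` matches both the intent and the file's pattern. Since app.te attaches sdcard, platform data and execute-from-system-data access to this attribute, a second line summarising what membership implies would help future domain authors decide whether to opt in.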
diff --git a/cts.te b/cts.te
index 3600e94..3371410 100644
--- a/cts.te
+++ b/cts.te
@@ -27,6 +27,13 @@
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
+# Accesses to apk_tmp_file and shell_data_file
+allow appdomain apk_tmp_file:file rw_file_perms;
+allow appdomain shell_data_file:file r_file_perms;
+
+# Read permission over link file to devices.
+allow appdomain dev_type:lnk_file read;
+
# Read routing information.
allow netdomain self:netlink_route_socket { create read write nlmsg_read };
diff --git a/debuggerd.te b/debuggerd.te
index b85133b..653d003 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -4,10 +4,15 @@
init_daemon_domain(debuggerd)
typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill };
+allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:process ptrace;
+allow debuggerd rootfs:file r_file_perms;
+allow debuggerd system_data_file:dir create_dir_perms;
+allow debuggerd system_data_file:dir relabelfrom;
+allow debuggerd tombstone_data_file:dir relabelto;
allow debuggerd tombstone_data_file:dir create_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd domain:process { sigstop signal };
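Review bot: `allow debuggerd system_data_file:dir create_dir_perms;` together with `relabelfrom` is broad for a crash handler: if `system_data_file` is the catch-all label for system-owned data, as the rest of the policy suggests, this lets debuggerd create, rename and remove directories anywhere under it, not only the tombstone directory it relabels to `tombstone_data_file`. If the only need is to create the tombstone directory on first crash, a narrower set such as `allow debuggerd system_data_file:dir { search write add_name relabelfrom };`, or having init create and label the directory so debuggerd needs none of this, keeps the privilege proportional. The `capability2 { syslog }` and `rootfs:file` additions would each benefit from a one-line why-comment.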
diff --git a/device.te b/device.te
index 6424db6..7818ce8 100644
--- a/device.te
+++ b/device.te
@@ -37,3 +37,17 @@
type video_device, dev_type;
type vcs_device, dev_type;
type zero_device, dev_type;
+type fuse_device, dev_type;
+type ion_device, dev_type;
+type gps_device, dev_type;
+type qtaguid_device, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
diff --git a/domain.te b/domain.te
index 2e9720e..6be7ddd 100644
--- a/domain.te
+++ b/domain.te
@@ -80,7 +80,7 @@
allow domain cache_file:lnk_file read;
# For /acct/uid/*/tasks.
-allow domain cgroup:dir search;
+allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;
# For /sys/qemu_trace files in the emulator.
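Review bot: `allow domain cgroup:dir { search write };` adds `write` on cgroup directories for every domain, but the comment above it still only mentions /acct/uid/*/tasks, which the `cgroup:file w_file_perms` on the next line already covers. On its own `dir write` is half of what creating or removing entries needs (`add_name`/`remove_name` being the other half), so it is probably harmless, but a comment naming the operation that failed without it, e.g. `# dir write: needed by <which caller> for <which operation>`, would justify a `domain`-wide grant and make it easy to scope down later.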
@@ -96,5 +96,12 @@
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
-# Ignore /sys/kernel/debug
-dontaudit domain debugfs:dir search;
+# debugfs access
+bool debugfs true;
+if (debugfs) {
+allow domain debugfs:dir r_dir_perms;
+allow domain debugfs:file rw_file_perms;
+} else {
+dontaudit domain debugfs:dir r_dir_perms;
+dontaudit domain debugfs:file rw_file_perms;
+}
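Review bot: `bool debugfs true;` turns the old `dontaudit` into a default-on allow of `r_dir_perms` and `rw_file_perms` on debugfs for every domain, untrusted apps included; debugfs exposes kernel and driver internals and is normally reserved for privileged debugging. Defaulting the boolean to `false` (`bool debugfs false;`) so that engineering builds or device policies opt in, or narrowing the `if` branch to the domains that actually need it, keeps the production default closed. The `else` branch's `dontaudit` of `rw_file_perms` is also wider than the original `dir search` dontaudit and would hide denials worth seeing on production devices.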
diff --git a/drmserver.te b/drmserver.te
index 624ae13..f30033a 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -11,6 +11,10 @@
binder_call(drmserver, appdomain)
binder_service(drmserver)
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
allow drmserver sdcard:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
+allow drmserver self:{ tcp_socket udp_socket } *;
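Review bot: `allow drmserver self:{ tcp_socket udp_socket } *;` uses the wildcard, granting every permission on those classes including `name_bind`/`node_bind` and anything added to them in future, which is wider than a DRM client needs. Enumerating what drmserver actually does, e.g. `{ create connect getattr setattr read write shutdown }`, or using the `net_domain()` macro that the other networking domains in this policy use would keep the grant reviewable; if `*` was chosen because the exact denials were unknown, a comment saying so plus a TODO to tighten it would stop it ossifying. A short why-comment naming the DRM plugin that needs network access would also help.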
diff --git a/file.te b/file.te
index b6e3a5d..4afaefd 100644
--- a/file.te
+++ b/file.te
@@ -4,6 +4,7 @@
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
+type qtaguid_proc, fs_type, mlstrustedobject;
type selinuxfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, mlstrustedobject;
@@ -31,6 +32,7 @@
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
+type asec_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
@@ -47,14 +49,21 @@
type wifi_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
+type camera_calibration_file, file_type, data_file_type;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
+type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
-type wallpaper_file, file_type;
+type wallpaper_file, file_type, mlstrustedobject;
+
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# defice policy
+type bluetooth_efs_file, file_type;
# Socket types
type bluetooth_socket, file_type;
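Review bot: The comment on `bluetooth_efs_file` has a typo, `defice` → `device`, so the lines should read `# vary per device, so this type is used in per` / `# device policy`. The same hunk quietly promotes `wallpaper_file` to `mlstrustedobject`, which exempts it from MLS constraints for every domain touching it; a one-line reason for the cross-level access would help since the diff gives none.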
@@ -73,6 +82,9 @@
type wpa_socket, file_type;
type zygote_socket, file_type;
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
index c610df3..ecf6e22 100644
--- a/file_contexts
+++ b/file_contexts
@@ -25,8 +25,10 @@
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/full u:object_r:full_device:s0
+/dev/fuse u:object_r:fuse_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/input(/.*) u:object_r:input_device:s0
+/dev/ion u:object_r:ion_device:s0
/dev/kmem u:object_r:kmem_device:s0
/dev/log(/.*)? u:object_r:log_device:s0
/dev/mem u:object_r:kmem_device:s0
@@ -45,6 +47,8 @@
/dev/nvmap u:object_r:nv_device:s0
/dev/nvhost-.* u:object_r:nv_device:s0
/dev/random u:object_r:random_device:s0
+/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
+/dev/rproc_user u:object_r:rpmsg_device:s0
/dev/s3c-jpg u:object_r:camera_device:s0
/dev/s3c-mem u:object_r:camera_device:s0
/dev/s3c-mfc u:object_r:graphics_device:s0
@@ -73,6 +77,7 @@
/dev/urandom u:object_r:urandom_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
+/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
#############################
# System files
@@ -96,6 +101,7 @@
/system/bin/bluetoothd u:object_r:bluetoothd_exec:s0
/system/bin/wpa_supplicant u:object_r:wpa_exec:s0
/system/bin/qemud u:object_r:qemud_exec:s0
+/system/bin/sdcard u:object_r:sdcardd_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
#############################
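Review bot: `/system/bin/sdcard u:object_r:sdcardd_exec:s0` references `sdcardd_exec`, which is not declared anywhere in this change (no `type sdcardd_exec` or sdcardd domain appears in the diff); unless it already exists in the tree, the policy build or the file_contexts check will reject the unknown type. If it is being introduced here, the domain declaration and its `init_daemon_domain` belong in the same change.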
@@ -117,6 +123,7 @@
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/camera(/.*)? u:object_r:camera_calibration_file:s0
# App sandboxes
/data/data/.* u:object_r:app_data_file:s0
# Wallpaper file.
@@ -134,3 +141,6 @@
#
/sys/qemu_trace/process_name -- u:object_r:sysfs_writable:s0
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
+#############################
+# asec containers
+/mnt/asec(/.*)? u:object_r:asec_data_file:s0
diff --git a/fs_use b/fs_use
new file mode 100644
index 0000000..6516046
--- /dev/null
+++ b/fs_use
@@ -0,0 +1,21 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/genfs_contexts b/genfs_contexts
new file mode 100644
index 0000000..ff633a7
--- /dev/null
+++ b/genfs_contexts
@@ -0,0 +1,14 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:sdcard:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:sdcard:s0
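Review bot: `genfscon fuse / u:object_r:sdcard:s0` labels every FUSE mount as `sdcard`, not only the one provided by the sdcard daemon, so any other userspace filesystem mounted on the device inherits the broad app access granted to `sdcard` in app.te (`create_dir_perms`/`create_file_perms` for platformappdomain). That is a fair assumption where /system/bin/sdcard is the only FUSE consumer, but it should be stated, e.g. `# assumes the only fuse mount is the emulated sdcard; any other fuse filesystem gets sdcard access too`. `genfscon vfat` has the same effect for removable media and a similar comment applies.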
diff --git a/global_macros b/global_macros
index 15e09ed..6d71c0c 100644
--- a/global_macros
+++ b/global_macros
@@ -8,7 +8,7 @@
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
define(`devfile_class_set', `{ chr_file blk_file }')
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
diff --git a/hci_attach.te b/hci_attach.te
new file mode 100644
index 0000000..3cb0953
--- /dev/null
+++ b/hci_attach.te
@@ -0,0 +1,9 @@
+type hci_attach, domain;
+type hci_attach_exec, exec_type, file_type;
+
+init_daemon_domain(hci_attach)
+
+allow hci_attach kernel:system module_request;
+allow hci_attach hci_attach_dev:chr_file rw_file_perms;
+allow hci_attach bluetooth_efs_file:dir r_dir_perms;
+allow hci_attach bluetooth_efs_file:file r_file_perms;
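Review bot: `allow hci_attach kernel:system module_request;` lets this daemon trigger kernel module autoloading, a notable privilege for a small helper, and the new file carries no comment explaining it. A header stating what hci_attach is and which module the request is expected to load, e.g. `# Bluetooth HCI UART attach helper; module_request is for the <MODULE_NAME placeholder> driver`, would let a later reviewer confirm the grant is still needed. Since `hci_attach_dev` and `bluetooth_efs_file` are declared as per-device types, a note that the matching file_contexts entries live in device policy would complete the picture.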
diff --git a/initial_sid_contexts b/initial_sid_contexts
new file mode 100644
index 0000000..9819051
--- /dev/null
+++ b/initial_sid_contexts
@@ -0,0 +1,27 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
diff --git a/installd.te b/installd.te
index 466125e..2a87eb7 100644
--- a/installd.te
+++ b/installd.te
@@ -10,7 +10,7 @@
allow installd dalvikcache_data_file:file create_file_perms;
allow installd data_file_type:dir create_dir_perms;
allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:file { getattr unlink };
+allow installd data_file_type:{ file lnk_file } { getattr unlink };
allow installd apk_data_file:file r_file_perms;
allow installd apk_tmp_file:file r_file_perms;
allow installd system_file:file x_file_perms;
diff --git a/keystore.te b/keystore.te
index 43c913a..6c4d610 100644
--- a/keystore.te
+++ b/keystore.te
@@ -5,3 +5,4 @@
init_daemon_domain(keystore)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
diff --git a/mac_permissions.xml b/mac_permissions.xml
new file mode 100644
index 0000000..50e9167
--- /dev/null
+++ b/mac_permissions.xml
@@ -0,0 +1,197 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+ Sample signer stanza for install policy
+
+ Rules:
+ * A signature is a hex encoded X.509 certificate and is required for each signer tag.
+ * A <signer signature="" > element may have multiple child elements:
+ allow-permission : produces a set of maximal allowed permissions (whitelist).
+ deny-permission : produces a blacklist of permissions to deny.
+ allow-all : a wildcard tag that will allow every permission requested.
+ package : a complex tag which itself defines allow, deny, and wildcard sub elements for
+ a specific package name protected by the signature
+ * Zero or more global <package name=""> tags are allowed. These tags allow a policy
+ to be set outside any signature for specific package names.
+ * Unknown tags at any level are skipped.
+ * Zero or more signer tags are allowed.
+ * Zero or more package tags are allowed per signer tag.
+ * A <package name=""> tag may not contain another <package name=""> tag. If found, it's skipped.
+ * A <default> tag is allowed that can contain install policy for all apps not signed with a
+ previously listed cert and not having a per package global policy.
+ * When multiple sub elements appear for a tag the following logic is used to
+ ultimately determine the type of enforcement:
+ ** A blacklist is used if at least one deny-permission tag is found
+ ** A whitelist is used if not a blacklist and at least one allow-permission tag is found
+ ** A wildcard (accept all permission) policy is used if not a blacklist and not a whitelist
+ and at least one allow-all tag is present.
+ ** If a <package name=""> sub element is found then that sub element's policy is used
+ according to the above logic and overrides any signature global policy type.
+ ** In order for a policy stanza to be enforced at least one of the above situations must
+ apply. Meaning, empty signer, default or package tags will not be accepted.
+ * Each signer/default/global package tag is allowed to contain one <seinfo value=""/> tag.
+ This tag represents additional info that each app can use in setting a SELinux security
+ context on the eventual process. Any <seinfo value=""/> tag found as a child of a
+ <package name=""> tag which is protected (sub element of signer or the default tag) is
+ ignored. It's possible that multiple seinfo tags are relevant for one app. In the event
+ that this happens, the seinfo tag that will be applied is the one for which the corresponding
+ policy stanza is used in the policy decision.
+ * Strict enforcing of any xml stanza is not enforced in most cases. This mainly applies to
+ duplicate tags which are allowed. In the event that a tag already exists, the original
+ tag is replaced.
+ * There are also no checks on the validity of permission names. Although valid android
+ permissions are expected, nothing prevents unknowns.
+ * Enforcement decisions:
+ - All signatures used to sign an app are checked for policy according to signer tags.
+ Only one of the signature policies has to pass however.
+ - In the event that none of the signature policies pass, or none even match, then
+ a global package policy is sought. If found, this policy mediates the install.
+ - The default tag is consulted last if needed.
+ - A local package policy always overrides any parent policy.
+ - If none of the cases apply then the app is denied.
+
+
+ Example global package policy
+ <package name="com.foo.com">
+ <allow-permission name="android.permission.INTERNET" />
+ <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
+ </package>
+
+ Sample stanzas are given below based on the AOSP developer keys.
+
+-->
+
+ <!-- Platform dev key with AOSP -->
+ <signer signature="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" >
+ <allow-all />
+ <seinfo value="platform" />
+ </signer>
+
+ <!-- Media dev key in AOSP -->
+ <signer signature="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" >
+ <allow-permission name="android.permission.ACCESS_ALL_DOWNLOADS" />
+ <allow-permission name="android.permission.ACCESS_CACHE_FILESYSTEM" />
+ <allow-permission name="android.permission.ACCESS_DOWNLOAD_MANAGER" />
+ <allow-permission name="android.permission.ACCESS_MTP" />
+ <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
+ <allow-permission name="android.permission.CONNECTIVITY_INTERNAL" />
+ <allow-permission name="android.permission.INTERNET" />
+ <allow-permission name="android.permission.MODIFY_NETWORK_ACCOUNTING" />
+ <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
+ <allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
+ <allow-permission name="android.permission.RECEIVE_WAP_PUSH" />
+ <allow-permission name="android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS" />
+ <allow-permission name="android.permission.UPDATE_DEVICE_STATS" />
+ <allow-permission name="android.permission.WAKE_LOCK" />
+ <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <allow-permission name="android.permission.WRITE_MEDIA_STORAGE" />
+ <allow-permission name="android.permission.WRITE_SETTINGS" />
+ <seinfo value="media" />
+ </signer>
+
+ <!-- shared dev key in AOSP -->
+ <signer signature="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" >
+ <allow-permission name="android.permission.ACCESS_COARSE_LOCATION" />
+ <allow-permission name="android.permission.ACCESS_FINE_LOCATION" />
+ <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
+ <allow-permission name="android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK" />
+ <allow-permission name="android.permission.BIND_APPWIDGET" />
+ <allow-permission name="android.permission.BIND_WALLPAPER" />
+ <allow-permission name="android.permission.CALL_PHONE" />
+ <allow-permission name="android.permission.CALL_PRIVILEGED" />
+ <allow-permission name="android.permission.CAMERA" />
+ <allow-permission name="android.permission.GET_ACCOUNTS" />
+ <allow-permission name="android.permission.GLOBAL_SEARCH" />
+ <allow-permission name="android.permission.INTERNET" />
+ <allow-permission name="android.permission.MANAGE_ACCOUNTS" />
+ <allow-permission name="android.permission.MODIFY_AUDIO_SETTINGS" />
+ <allow-permission name="android.permission.MODIFY_PHONE_STATE" />
+ <allow-permission name="android.permission.NFC" />
+ <allow-permission name="android.permission.PACKAGE_USAGE_STATS" />
+ <allow-permission name="android.permission.READ_CALL_LOG" />
+ <allow-permission name="android.permission.READ_CONTACTS"/>
+ <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
+ <allow-permission name="android.permission.READ_PHONE_STATE" />
+ <allow-permission name="android.permission.READ_PROFILE" />
+ <allow-permission name="android.permission.READ_SOCIAL_STREAM" />
+ <allow-permission name="android.permission.READ_SYNC_SETTINGS" />
+ <allow-permission name="android.permission.READ_SYNC_STATS" />
+ <allow-permission name="android.permission.READ_USER_DICTIONARY" />
+ <allow-permission name="android.permission.REBOOT" />
+ <allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
+ <allow-permission name="android.permission.RECORD_AUDIO" />
+ <allow-permission name="android.permission.SET_WALLPAPER" />
+ <allow-permission name="android.permission.SET_WALLPAPER_COMPONENT" />
+ <allow-permission name="android.permission.SET_WALLPAPER_HINTS" />
+ <allow-permission name="android.permission.SUBSCRIBED_FEEDS_READ" />
+ <allow-permission name="android.permission.SUBSCRIBED_FEEDS_WRITE" />
+ <allow-permission name="android.permission.USE_CREDENTIALS" />
+ <allow-permission name="android.permission.VIBRATE" />
+ <allow-permission name="android.permission.WAKE_LOCK" />
+ <allow-permission name="android.permission.WRITE_CALL_LOG" />
+ <allow-permission name="android.permission.WRITE_CONTACTS" />
+ <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <allow-permission name="android.permission.WRITE_PROFILE" />
+ <allow-permission name="android.permission.WRITE_SETTINGS" />
+ <allow-permission name="android.permission.WRITE_USER_DICTIONARY" />
+ <allow-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
+ <allow-permission name="com.android.launcher.permission.INSTALL_SHORTCUT" />
+ <allow-permission name="com.android.launcher.permission.READ_SETTINGS" />
+ <allow-permission name="com.android.launcher.permission.WRITE_SETTINGS" />
+ <allow-permission name="com.android.voicemail.permission.ADD_VOICEMAIL" />
+ <allow-permission name="com.android.voicemail.permission.READ_WRITE_ALL_VOICEMAIL" />
+ <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH" />
+ <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH.cp" />
+ <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH.mail" />
+ <seinfo value="shared" />
+ </signer>
+
+ <!-- release dev key in AOSP -->
+ <signer signature="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" >
+ <seinfo value="release" />
+ <deny-permission name="android.permission.BRICK" />
+ <deny-permission name="android.permission.READ_LOGS" />
+ <deny-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS" />
+ <deny-permission name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS" />
+ <package name="com.android.browser" >
+ <allow-permission name="android.permission.ACCESS_COARSE_LOCATION"/>
+ <allow-permission name="android.permission.ACCESS_DOWNLOAD_MANAGER"/>
+ <allow-permission name="android.permission.ACCESS_FINE_LOCATION"/>
+ <allow-permission name="android.permission.ACCESS_NETWORK_STATE"/>
+ <allow-permission name="android.permission.ACCESS_WIFI_STATE"/>
+ <allow-permission name="android.permission.GET_ACCOUNTS"/>
+ <allow-permission name="android.permission.INTERNET" />
+ <allow-permission name="android.permission.MANAGE_ACCOUNTS" />
+ <allow-permission name="android.permission.NFC" />
+ <allow-permission name="android.permission.READ_CONTACTS" />
+ <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
+ <allow-permission name="android.permission.READ_PROFILE" />
+ <allow-permission name="android.permission.READ_SYNC_SETTINGS" />
+ <allow-permission name="android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS" />
+ <allow-permission name="android.permission.SET_WALLPAPER" />
+ <allow-permission name="android.permission.USE_CREDENTIALS"/>
+ <allow-permission name="android.permission.WAKE_LOCK"/>
+ <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <allow-permission name="android.permission.WRITE_SETTINGS" />
+ <allow-permission name="android.permission.WRITE_SYNC_SETTINGS" />
+ <allow-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
+ <allow-permission name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
+ <allow-permission name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
+ </package>
+ </signer>
+
+ <!-- All other keys -->
+ <default>
+ <seinfo value="default" />
+ <deny-permission name="android.permission.ACCESS_COARSE_LOCATION" />
+ <deny-permission name="android.permission.ACCESS_FINE_LOCATION" />
+ <deny-permission name="android.permission.AUTHENTICATE_ACCOUNTS" />
+ <deny-permission name="android.permission.CALL_PHONE" />
+ <deny-permission name="android.permission.CAMERA" />
+ <deny-permission name="android.permission.READ_LOGS" />
+ <deny-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ </default>
+
+</policy>
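Review bot: The signer stanzas are keyed on the AOSP developer certificates (as the header's last paragraph says), so a product that signs with its own keys but keeps this file unchanged drops every app into `<default>`, while a product that ships with the AOSP test keys grants `platform`/`release` seinfo to anything signed with those public keys. A comment next to the stanzas such as `<!-- Regenerate these signatures from the product's own release certificates before shipping; these are the public AOSP dev keys -->` would make the build-time requirement visible. The `<default>` stanza is blacklist-only, so unknown keys still receive every permission not listed; if that is intended, saying so in the header's Enforcement decisions section would help.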
diff --git a/mediaserver.te b/mediaserver.te
index 16bbefa..c8adf3a 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -9,9 +9,10 @@
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
+binder_transfer(mediaserver, surfaceflinger)
binder_service(mediaserver)
allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file { read getattr };
+allow mediaserver app_data_file:file r_file_perms;
r_dir_file(mediaserver, sdcard)
allow mediaserver sdcard:file write;
allow mediaserver camera_device:chr_file rw_file_perms;
@@ -24,3 +25,20 @@
allow mediaserver sysfs:file rw_file_perms;
# XXX Why?
allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver ion_device:chr_file rw_file_perms;
+
+# To use remote processor
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system:fifo_file r_file_perms;
+
+# Camera calibration
+allow mediaserver camera_calibration_file:dir r_dir_perms;
+allow mediaserver camera_calibration_file:file r_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
+# Allow abstract socket connection
+allow mediaserver rild:unix_stream_socket connectto;
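Review bot: The comment `# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid` leaves write bracketed as optional, yet the rule under it grants `rw_file_perms` on qtaguid_proc; either narrow it to `r_file_perms` if mediaserver only reads the ctrl entry, or drop the brackets and say what it writes. The `# Allow abstract socket connection` comment on the rild connectto rule names neither the socket nor the mediaserver feature that needs it; something like `# Connect to rild's abstract socket for <feature> — TODO name it` would let a later reviewer judge the grant. The identical rule and comment are added to system.te at the end of that file in this commit; whichever wording is chosen should be used in both places.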
diff --git a/nfc.te b/nfc.te
index 72c2d69..9a354bb 100644
--- a/nfc.te
+++ b/nfc.te
@@ -10,3 +10,4 @@
allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
+allow nfc sysfs:file write;
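Review bot: `allow nfc sysfs:file write;` grants write on every sysfs file carrying the generic sysfs label, while the line directly above shows this file already uses a dedicated writable type (sysfs_nfc_power_writable) for the nfc power node. If a specific node needs write access, labeling it with its own type as was done for the power node keeps the grant narrow; if the generic grant is unavoidable, a comment naming the node, e.g. `# Write to <sysfs node> — TODO name it`, should accompany the rule so the width of the grant is visible.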
diff --git a/ocontexts b/ocontexts
deleted file mode 100644
index ddd57b6..0000000
--- a/ocontexts
+++ /dev/null
@@ -1,65 +0,0 @@
-sid kernel u:r:kernel:s0
-sid security u:object_r:kernel:s0
-sid unlabeled u:object_r:unlabeled:s0
-sid fs u:object_r:labeledfs:s0
-sid file u:object_r:unlabeled:s0
-sid file_labels u:object_r:unlabeled:s0
-sid init u:object_r:unlabeled:s0
-sid any_socket u:object_r:unlabeled:s0
-sid port u:object_r:port:s0
-sid netif u:object_r:netif:s0
-sid netmsg u:object_r:unlabeled:s0
-sid node u:object_r:node:s0
-sid igmp_packet u:object_r:unlabeled:s0
-sid icmp_socket u:object_r:unlabeled:s0
-sid tcp_socket u:object_r:unlabeled:s0
-sid sysctl_modprobe u:object_r:unlabeled:s0
-sid sysctl u:object_r:proc:s0
-sid sysctl_fs u:object_r:unlabeled:s0
-sid sysctl_kernel u:object_r:unlabeled:s0
-sid sysctl_net u:object_r:unlabeled:s0
-sid sysctl_net_unix u:object_r:unlabeled:s0
-sid sysctl_vm u:object_r:unlabeled:s0
-sid sysctl_dev u:object_r:unlabeled:s0
-sid kmod u:object_r:unlabeled:s0
-sid policy u:object_r:unlabeled:s0
-sid scmp_packet u:object_r:unlabeled:s0
-sid devnull u:object_r:null_device:s0
-
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:sdcard:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:sdcard:s0
-
-# portcon statements go here, e.g.
-# portcon tcp 80 u:object_r:http_port:s0
diff --git a/port_contexts b/port_contexts
new file mode 100644
index 0000000..b473c0c
--- /dev/null
+++ b/port_contexts
@@ -0,0 +1,3 @@
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0
+
diff --git a/property_contexts b/property_contexts
index dc87c9b..a08ae80 100644
--- a/property_contexts
+++ b/property_contexts
@@ -45,3 +45,6 @@
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
ctl. u:object_r:ctl_default_prop:s0
+
+# mac middleware property
+persist.mac_enforcing_mode u:object_r:system_prop:s0
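Review bot: `persist.mac_enforcing_mode` is labeled with the generic `system_prop` type, so every domain allowed to set system_prop can toggle it, and conversely the domains given `system_prop:property_service set` elsewhere in this commit to reach this one property (surfaceflinger.te, and the manage_mac block in system.te whose comment says it sets persist.mac_enforcing_mode) gain set on every property carrying that label. A dedicated property type for this key would keep those grants scoped to it; I cannot tell from the diff whether such a type is already declared. At minimum the comment should say who is expected to write it, e.g. `# mac middleware property (set by system_app when manage_mac is enabled)`.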
diff --git a/rild.te b/rild.te
index a0a4a37..9176348 100644
--- a/rild.te
+++ b/rild.te
@@ -12,11 +12,21 @@
allow rild alarm_device:chr_file rw_file_perms;
allow rild cgroup:dir create_dir_perms;
allow rild radio_device:chr_file rw_file_perms;
+allow rild radio_device:blk_file r_file_perms;
allow rild qemu_device:chr_file rw_file_perms;
allow rild mtd_device:dir search;
allow rild efs_file:dir create_dir_perms;
allow rild efs_file:file create_file_perms;
allow rild shell_exec:file rx_file_perms;
+allow rild bluetooth_efs_file:file r_file_perms;
+allow rild bluetooth_efs_file:dir r_dir_perms;
+allow rild radio_data_file:dir r_dir_perms;
+allow rild radio_data_file:file rw_file_perms;
+allow rild radio_device:lnk_file r_file_perms;
+allow rild sdcard:dir r_dir_perms;
+allow rild system_data_file:dir create_dir_perms;
+allow rild system_data_file:file create_file_perms;
+allow rild system_file:file x_file_perms;
dontaudit rild self:capability sys_admin;
# XXX Label sysfs files with a specific type?
allow rild sysfs:file rw_file_perms;
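Review bot: The new `system_data_file:dir create_dir_perms` / `system_data_file:file create_file_perms` pair lets rild create arbitrary files under the generic system data label, although this same hunk also adds a dedicated `radio_data_file` type for rild's data. If rild has to create its own files, a type_transition into radio_data_file plus create permissions on that type would be narrower; if the generic grant is deliberate, a comment naming the paths it creates is needed. Likewise `allow rild system_file:file x_file_perms;` has no comment saying which system binaries rild executes, and `radio_device:blk_file` / `radio_device:lnk_file` suggest the radio_device label now covers more than character devices, which is worth a line of explanation.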
@@ -24,3 +34,6 @@
# property service
allow rild rild_prop:property_service set;
allow rild radio_prop:property_service set;
+
+# Read/Write to uart driver (for GPS)
+allow rild gps_device:chr_file rw_file_perms;
diff --git a/sdcardd.te b/sdcardd.te
new file mode 100644
index 0000000..84471d7
--- /dev/null
+++ b/sdcardd.te
@@ -0,0 +1,13 @@
+type sdcardd, domain;
+type sdcardd_exec, exec_type, file_type;
+
+init_daemon_domain(sdcardd)
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton;
+allow sdcardd sdcard:filesystem mount;
+allow sdcardd self:capability { setuid setgid dac_override };
+allow sdcardd system_data_file:dir create_dir_perms;
+allow sdcardd system_data_file:file create_file_perms;
+
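Review bot: The new sdcardd domain carries no comments, so its broad grants — `self:capability { setuid setgid dac_override }`, `rootfs:dir mounton`, `sdcard:filesystem mount`, and create permissions on the generic system_data_file label — are unexplained. Each non-obvious line should get a why-comment in the style the other .te files in this commit use, for example `# Drop to the sdcard uid/gid after startup — TODO confirm` above the capability line, and a note on which path under /data sdcardd creates. dac_override bypasses DAC permission checks for the whole domain and deserves a stated reason of its own. The trailing empty line at the end of the new file can be dropped.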
diff --git a/seapp_contexts b/seapp_contexts
index c301792..71eca75 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -3,11 +3,11 @@
# user (string)
# seinfo (string)
# name (string)
+# sebool (string)
# isSystemServer=true can only be used once.
-# An unspecified boolean defaults to false.
+# An unspecified isSystemServer defaults to false.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
-# seinfo= is only used when looking up app process security contexts.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
# Precedence rules:
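Review bot: The header now lists `# sebool (string)` as an input selector, but unlike the neighbouring selectors nothing says what the value is compared against — presumably the name of a policy boolean whose state gates the entry, but the hunk does not confirm that, and no entry in this commit uses it. A one-line description next to it, e.g. `# sebool (string): TODO document the value this selector is matched against`, would complete the header that the precedence rule (7) added later in this file relies on.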
@@ -17,6 +17,7 @@
# (4) Longer user= prefix before shorter user= prefix.
# (5) Specified seinfo= string before unspecified seinfo= string.
# (6) Specified name= string before unspecified name= string.
+# (7) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
# domain (string)
@@ -33,5 +34,8 @@
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=app_* domain=untrusted_app type=app_data_file levelFromUid=true
-user=app_* seinfo=systemApp domain=trusted_app levelFromUid=true
-user=app_* seinfo=systemApp name=com.android.browser domain=browser_app levelFromUid=true
+user=app_* seinfo=platform domain=platform_app type=platform_app_data_file
+user=app_* seinfo=shared domain=shared_app type=platform_app_data_file
+user=app_* seinfo=media domain=media_app type=platform_app_data_file
+user=app_* seinfo=release domain=release_app type=platform_app_data_file
+user=app_* seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
diff --git a/selinux-network.sh b/selinux-network.sh
new file mode 100755
index 0000000..d6fe527
--- /dev/null
+++ b/selinux-network.sh
@@ -0,0 +1,17 @@
+#!/system/bin/sh
+
+IPTABLES="/system/bin/iptables"
+
+#$IPTABLES -t security -A INPUT -i wlan0 -j SECMARK --selctx u:object_r:packet:s0
+#$IPTABLES -t security -A INPUT -i lo -j SECMARK --selctx u:object_r:lo_packet:s0
+#$IPTABLES -t security -A INPUT -i ppp0 -j SECMARK --selctx u:object_r:ppp0_packet:s0
+#$IPTABLES -t security -A INPUT -i ppp1 -j SECMARK --selctx u:object_r:ppp1_packet:s0
+#$IPTABLES -t security -A INPUT -i ppp2 -j SECMARK --selctx u:object_r:ppp2_packet:s0
+#$IPTABLES -t security -A INPUT -i ppp3 -j SECMARK --selctx u:object_r:ppp3_packet:s0
+
+#$IPTABLES -t security -A OUTPUT -o wlan0 -j SECMARK --selctx u:object_r:packet:s0
+#$IPTABLES -t security -A OUTPUT -o lo -j SECMARK --selctx u:object_r:lo_packet:s0
+#$IPTABLES -t security -A OUTPUT -o ppp0 -j SECMARK --selctx u:object_r:ppp0_packet:s0
+#$IPTABLES -t security -A OUTPUT -o ppp1 -j SECMARK --selctx u:object_r:ppp1_packet:s0
+#$IPTABLES -t security -A OUTPUT -o ppp2 -j SECMARK --selctx u:object_r:ppp2_packet:s0
+#$IPTABLES -t security -A OUTPUT -o ppp3 -j SECMARK --selctx u:object_r:ppp3_packet:s0
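Review bot: Every iptables invocation in the new script is commented out, so as committed it assigns `IPTABLES` and exits without applying a single SECMARK rule. If the file is meant as a template, a header comment should say so and state that the interface names (wlan0, lo, ppp0–ppp3) and the packet contexts must be adapted before the lines are enabled; if it is meant to run, the rules need to be live and the script should stop at the first failed iptables call (`set -e` after the shebang) so that a partially applied ruleset is not silently accepted. Leaving the rules as dead code gives a reader the impression that packets are being labeled when they are not.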
diff --git a/surfaceflinger.te b/surfaceflinger.te
index bbefa14..10a57ee 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -23,5 +23,7 @@
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket *;
-# ctl interface
+# Set properties.
+allow surfaceflinger system_prop:property_service set;
allow surfaceflinger ctl_default_prop:property_service set;
+
diff --git a/system.te b/system.te
index 6466e96..0740285 100644
--- a/system.te
+++ b/system.te
@@ -27,13 +27,29 @@
# Read SELinux enforcing status.
selinux_getenforce(system_app)
-bool settings_manage_selinux true;
-if (settings_manage_selinux) {
-# Allow settings app to set SELinux to enforcing
+bool manage_selinux true;
+if (manage_selinux) {
+# Set SELinux enforcing status.
selinux_setenforce(system_app)
-# Allow settings app to set SELinux booleans
+# Set SELinux booleans.
selinux_setbool(system_app)
+
+# Read syslog to display AVC messages.
+allow system_app kernel:system syslog_read;
+}
+
+bool manage_mac true;
+if (manage_mac) {
+# Set properties via the init property service.
+unix_socket_connect(system_app, property, init)
+
+# Set the persist.mac_enforcing_mode property.
+allow system_app system_prop:property_service set;
+
+# Run logcat and read the logs for MAC denials.
+allow system_app system_file:file x_file_perms;
+allow system_app log_device:chr_file read;
}
#
@@ -56,6 +72,9 @@
# XXX See if we can remove some of these.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
+# Trigger module auto-load.
+allow system kernel:system module_request;
+
# Use netlink uevent sockets.
allow system self:netlink_kobject_uevent_socket *;
@@ -64,14 +83,15 @@
# Set scheduling info for apps.
allow system appdomain:process setsched;
+allow system mediaserver:process setsched;
# Read /proc data for apps.
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;
# Write to /proc/net/xt_qtaguid/ctrl.
-# XXX Split /proc/net into its own type.
-allow system proc:file write;
+allow system qtaguid_proc:file rw_file_perms;
+allow system qtaguid_device:chr_file rw_file_perms;
# Notify init of death.
allow system init:process sigchld;
@@ -89,6 +109,9 @@
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_send(system, wpa, wpa)
+# Communicate over a socket created by surfaceflinger.
+allow system surfaceflinger:unix_stream_socket { read write setopt };
+
# Perform Binder IPC.
tmpfs_domain(system)
binder_use(system)
@@ -118,6 +141,7 @@
# Access devices.
allow system device:dir r_dir_perms;
allow system device:chr_file rw_file_perms;
+allow system device:sock_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
@@ -144,7 +168,11 @@
# Relabel wallpaper.
allow system system_data_file:file relabelfrom;
allow system wallpaper_file:file relabelto;
-allow system wallpaper_file:file r_file_perms;
+allow system wallpaper_file:file rw_file_perms;
+
+# Relabel /data/anr.
+allow system system_data_file:dir relabelfrom;
+allow system anr_data_file:dir relabelto;
# Property Service write
allow system system_prop:property_service set;
@@ -168,3 +196,13 @@
# XXX dontaudit candidate
allow system domain:dir r_dir_perms;
allow system domain:file r_file_perms;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system gps_device:chr_file rw_file_perms;
+allow system gps_control:file rw_file_perms;
+
+# system Read/Write udp_socket of untrusted_app
+allow system appdomain:udp_socket { read write };
+# Allow abstract socket connection
+allow system rild:unix_stream_socket connectto;
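Review bot: The comment `# system Read/Write udp_socket of untrusted_app` does not match the rule under it, `allow system appdomain:udp_socket { read write };`, which targets the whole appdomain attribute rather than untrusted_app alone. Either narrow the rule to `untrusted_app` or correct the comment, and say why system needs read/write on app-owned UDP sockets (a socket passed to system over Binder — TODO confirm), since the grant as written covers every app domain. The `# Allow abstract socket connection` comment on the rild connectto rule should name the socket; the same rule and comment are added to mediaserver.te in this commit.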
diff --git a/te_macros b/te_macros
index 9146e22..6354496 100644
--- a/te_macros
+++ b/te_macros
@@ -109,6 +109,14 @@
')
#####################################
+# platform_app_domain(domain)
+# Allow permissions specific to platform apps.
+define(`platform_app_domain', `
+typeattribute $1 platformappdomain;
+typeattribute $1 mlstrustedsubject;
+')
+
+#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
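Review bot: The header comment `# Allow permissions specific to platform apps.` understates what platform_app_domain does: besides adding the domain to platformappdomain it also assigns `mlstrustedsubject`, the attribute the MLS constraints treat as trusted and exempt from level checks. Since that exemption is the security-relevant effect of applying the macro, the comment should state it, e.g. `# Add the domain to platformappdomain and mark it mlstrustedsubject (exempt from MLS constraints).`, so anyone applying the macro knows what they opt into. The macro body is complete within the hunk; the neighbouring net_domain definition continues outside it.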
diff --git a/ueventd.te b/ueventd.te
index 5e51332..81a660f 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -5,7 +5,7 @@
allow ueventd rootfs:file r_file_perms;
allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
-allow ueventd self:capability { chown mknod net_admin setgid fsetid };
+allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override };
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
allow ueventd sysfs:file rw_file_perms;
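Review bot: `sys_rawio` and `dac_override` are added to ueventd's capability set without a comment; both are broad (raw device I/O and bypassing file permission checks respectively) and the line gives no clue which device node or path forces them. A comment above the line, e.g. `# sys_rawio: <reason>; dac_override: <reason> — TODO fill in`, or a dontaudit if the capabilities are only probed rather than required, would make the grant reviewable. The efs_file search/read rules added in the second hunk of this file are likewise uncommented.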
@@ -16,3 +16,5 @@
allow ueventd dev_type:chr_file { create setattr unlink };
allow ueventd dev_type:blk_file { create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket *;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
diff --git a/vold.te b/vold.te
index 403771f..86dbbb7 100644
--- a/vold.te
+++ b/vold.te
@@ -53,7 +53,7 @@
allow vold proc:file write;
# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { write create add_name mounton };
+allow vold system_data_file:dir { open read write create add_name mounton };
# Property Service
allow vold vold_prop:property_service set;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 8860ef9..be1bf25 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -14,3 +14,7 @@
allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system)
allow wpa random_device:chr_file r_file_perms;
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:sock_file wpa_socket;
+allow wpa wpa_socket:sock_file create_file_perms;
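Review bot: The comment `# Create a socket for receiving info from wpa` leaves unclear who creates and who connects: the type_transition labels sock_files wpa itself creates under wifi_data_file as wpa_socket, and the allow rule lets wpa create them, but no rule in this hunk lets a peer write to wpa_socket. If system is the intended peer (the existing unix_socket_send line suggests a wpa–system channel, though its direction is not clear from here), the matching grant on wpa_socket:sock_file must live in system.te, and I cannot see one in this diff; wpa_socket itself must also be declared elsewhere. Rewording to `# Label sockets wpa creates under wifi_data_file as wpa_socket; the connecting peer needs write on wpa_socket:sock_file.` would state the contract.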