am 61c80d5e: Update policy for Android 4.2 / latest master.
* commit '61c80d5ec8632cadcf754eed0986b23284217c06':
Update policy for Android 4.2 / latest master.
diff --git a/adbd.te b/adbd.te
index d3f9905..f924149 100644
--- a/adbd.te
+++ b/adbd.te
@@ -4,7 +4,7 @@
allow adbd adb_device:chr_file rw_file_perms;
allow adbd qemu_device:chr_file rw_file_perms;
allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
-allow adbd rootfs:file entrypoint;
+allow adbd rootfs:file { read entrypoint };
allow adbd init:process sigchld;
allow adbd self:tcp_socket *;
allow adbd self:unix_stream_socket *;
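Review bot: The widened rule on L13 now grants `read` on every `rootfs:file`, not just `entrypoint`, and nothing in the hunk says which rootfs file adbd actually needs to read. Without that, a later reader cannot tell whether the grant is for the adbd binary itself or some other file on the rootfs, and cannot judge whether a dedicated type would let it be narrower. Suggest a why-comment above the rule, e.g. `# adbd reads [rootfs path] at startup, not only executes it.` with the real path filled in; if it is a single file, consider labeling that file with its own type and granting read on that instead. The capability grant on L11 is unchanged context, not part of this change.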
diff --git a/bluetooth.te b/bluetooth.te
index f43543c..ac7233f 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,4 +1,23 @@
-# Domains that can create and use bluetooth sockets.
+# bluetooth subsystem
+type bluetooth, domain;
+app_domain(bluetooth)
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+
+# Device accesses.
+allow bluetooth hci_attach_dev:chr_file rw_file_perms;
+allow bluetooth input_device:chr_file write;
+
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+dontaudit bluetooth self:capability net_admin;
+
+# Other domains that can create and use bluetooth sockets.
# SELinux does not presently define a specific socket class for
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
allow bluetoothdomain self:socket *;
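Review bot: `allow bluetooth input_device:chr_file write;` on L36 is the one rule in the new domain without a why-comment, and write access to input device nodes is what allows a process to inject input events, so it is the line most worth explaining; presumably it serves the HID host profile, so something like `# HID profile: writes events to the input device node -- confirm which node` would do. The domain is created with `app_domain(bluetooth)` on L25 and so inherits whatever that macro grants in addition to the rules listed here. The socket rule on L45 still applies to the `bluetoothdomain` attribute, and it is not visible in this hunk whether the new `bluetooth` type is added to that attribute; if it is meant to use bluetooth sockets, that association must exist somewhere else. The `dontaudit` of `net_admin` on L40 silences rather than grants, which is the right choice when the capability is not really required.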
diff --git a/file.te b/file.te
index 70100a9..6bbda3a 100644
--- a/file.te
+++ b/file.te
@@ -9,6 +9,7 @@
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type;
@@ -69,6 +70,7 @@
type bluetooth_efs_file, file_type;
# Socket types
+type adbd_socket, file_type;
type bluetooth_socket, file_type;
type dbus_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
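Review bot: The new `adbd_socket` type on L61 is declared here and applied to `/dev/socket/adbd` in the file_contexts hunk of this same commit, but no rule in the diff grants adbd, or init which normally creates the sockets under /dev/socket, any `sock_file` access on it. If that access comes from a macro or from a rule outside this diff that is fine; otherwise creation of or connection to the socket will be denied once the label takes effect. A short comment on the type, e.g. `# adbd control socket under /dev/socket` would also keep it consistent with the commented sections around it.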
diff --git a/file_contexts b/file_contexts
index 713da79..43e532a 100644
--- a/file_contexts
+++ b/file_contexts
@@ -55,6 +55,7 @@
/dev/s3c-mfc u:object_r:graphics_device:s0
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket u:object_r:socket_device:s0
+/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/bluetooth u:object_r:bluetooth_socket:s0
/dev/socket/dbus_bluetooth u:object_r:bluetooth_socket:s0
/dev/socket/dbus u:object_r:dbus_socket:s0
@@ -127,6 +128,7 @@
# Misc data
/data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
@@ -150,6 +152,8 @@
#
/sys/qemu_trace/process_name -- u:object_r:sysfs_writable:s0
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
+/sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
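Review bot: The regex `rfkill[0-9]*` on L89-L90 matches every rfkill instance, not only the bluetooth one, and which index belongs to which radio depends on probe order, so any domain granted write on `sysfs_bluetooth_writable` can toggle other radios (for example wifi) as well; if the platform exposes a stable path for the bluetooth rfkill, a narrower pattern would be preferable, otherwise this limitation deserves a comment. Labeling `type` as writable on L90 is harmless but a little misleading, since that attribute is read-only and only `state` is what toggles the radio; a note such as `# rfkill state toggles the radio; type is read-only but shares the label` would make the intent clear.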
diff --git a/keystore.te b/keystore.te
index 20e7222..c44d254 100644
--- a/keystore.te
+++ b/keystore.te
@@ -3,6 +3,8 @@
# keystore daemon
init_daemon_domain(keystore)
+binder_use(keystore)
+binder_service(keystore)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
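Review bot: `binder_use(keystore)` and `binder_service(keystore)` on L101-L102 have no comment, although this changes how clients reach the daemon; a one-liner such as `# keystore is reachable as a Binder service.` above them would match the commented style of the rest of the file. If the daemon no longer listens on a local socket, any socket-related rules elsewhere in this file could be retired in a follow-up, but that is outside this hunk and cannot be confirmed here.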
diff --git a/seapp_contexts b/seapp_contexts
index f63da7c..258477a 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -33,6 +33,7 @@
#
isSystemServer=true domain=system
user=system domain=system_app type=system_data_file
+user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=_app domain=untrusted_app type=app_data_file levelFromUid=true
diff --git a/system.te b/system.te
index bace071..85b4347 100644
--- a/system.te
+++ b/system.te
@@ -82,8 +82,8 @@
allow system appdomain:process { sigkill signal };
# Set scheduling info for apps.
-allow system appdomain:process setsched;
-allow system mediaserver:process setsched;
+allow system appdomain:process { getsched setsched };
+allow system mediaserver:process { getsched setsched };
# Read /proc data for apps.
allow system appdomain:dir r_dir_perms;
diff --git a/zygote.te b/zygote.te
index 0601707..3350ce3 100644
--- a/zygote.te
+++ b/zygote.te
@@ -29,3 +29,9 @@
# Read /seapp_contexts, presently on the rootfs.
allow zygote rootfs:file r_file_perms;
+# Setting up /storage/emulated.
+allow zygote rootfs:dir mounton;
+allow zygote sdcard:dir { write search setattr create add_name mounton };
+dontaudit zygote self:capability fsetid;
+allow zygote tmpfs:dir { write create add_name setattr mounton };
+allow zygote tmpfs:filesystem mount;
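Review bot: `allow zygote rootfs:dir mounton;` on L139 permits mounting over any directory on the rootfs, not only the /storage/emulated mount point named in the comment on L138; if that mount point can carry its own type, as this commit does for sysfs_bluetooth_writable, the grant becomes `allow zygote [mountpoint type]:dir mounton;` and stays scoped to the one directory. The same applies to L142, where `create`, `add_name`, `setattr` and `mounton` are granted on every tmpfs directory rather than the specific tmpfs zygote sets up. The `dontaudit zygote self:capability fsetid;` on L141 is a silence-only rule, which is fine, but it would help to note which operation triggers it (likely a chmod/chown during setup, but that is inferred and should be confirmed).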