Merge "Revert "Various minor policy fixes based on CTS.""
diff --git a/adbd.te b/adbd.te
index 074f35b..f924149 100644
--- a/adbd.te
+++ b/adbd.te
@@ -15,9 +15,6 @@
allow adbd labeledfs:filesystem remount;
allow adbd shell_data_file:dir rw_dir_perms;
allow adbd shell_data_file:file create_file_perms;
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
allow adbd graphics_device:dir search;
allow adbd graphics_device:chr_file r_file_perms;
allow adbd log_device:chr_file r_file_perms;
diff --git a/app.te b/app.te
index 6a4c0b7..cb8091b 100644
--- a/app.te
+++ b/app.te
@@ -118,7 +118,6 @@
if (app_bluetooth or android_cts) {
# No specific SELinux class for bluetooth sockets presently.
allow untrusted_app self:socket *;
-allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };
}
# Internal SDCard rw access.
bool app_internal_sdcard_rw true;
@@ -162,7 +161,7 @@
# Communicate over a FIFO or socket created by the system_server.
allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write setopt };
+allow appdomain system:unix_stream_socket { read write };
# Communicate over a socket created by surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
diff --git a/dhcp.te b/dhcp.te
index 10ab788..0c533eb 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -4,15 +4,16 @@
type dhcp_system_file, file_type, data_file_type;
init_daemon_domain(dhcp)
-net_domain(dhcp)
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms;
-allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
+allow dhcp cgroup:dir { create add_name };
+allow dhcp self:capability { setgid setuid net_admin net_raw };
+allow dhcp self:packet_socket { create setopt bind write read };
+allow dhcp self:netlink_route_socket { write nlmsg_write read create bind };
+allow dhcp self:udp_socket { create ioctl };
+allow dhcp shell_exec:file { read open execute };
+allow dhcp system_file:file execute_no_trans;
allow dhcp proc:file write;
+allow dhcp property_socket:sock_file write ;
allow dhcp system_prop:property_service set ;
allow dhcp dhcp_system_file:file rx_file_perms;
allow dhcp dhcp_system_file:dir r_dir_perms;
diff --git a/drmserver.te b/drmserver.te
index 9ef3189..dcf3cc9 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -18,8 +18,4 @@
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
diff --git a/file_contexts b/file_contexts
index d81d5a4..0d2db38 100644
--- a/file_contexts
+++ b/file_contexts
@@ -153,7 +153,7 @@
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local(/.*)? u:object_r:shell_data_file:s0
# Misc data
/data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
diff --git a/mediaserver.te b/mediaserver.te
index 9a0ef1d..0696331 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -17,8 +17,7 @@
allow mediaserver kernel:system module_request;
allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver platform_app_data_file:file { getattr read };
+allow mediaserver app_data_file:file r_file_perms;
allow mediaserver sdcard_type:file write;
allow mediaserver camera_device:chr_file rw_file_perms;
allow mediaserver graphics_device:chr_file rw_file_perms;
diff --git a/shell.te b/shell.te
index 2f1dd43..bf9ee44 100644
--- a/shell.te
+++ b/shell.te
@@ -5,7 +5,6 @@
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
-allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
@@ -18,7 +17,7 @@
allow shell sdcard_type:file create_file_perms;
r_dir_file(shell, apk_data_file)
-allow shell dalvikcache_data_file:file { write setattr };
+allow shell dalvikcache_data_file:file write;
# Run logcat.
allow shell log_device:chr_file r_file_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index a383ec1..30b1816 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -28,7 +28,3 @@
allow surfaceflinger system_prop:property_service set;
allow surfaceflinger ctl_default_prop:property_service set;
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger platform_app_data_file:file { read write };
-allow surfaceflinger app_data_file:file { read write };
diff --git a/system.te b/system.te
index a2a576c..62240fe 100644
--- a/system.te
+++ b/system.te
@@ -66,9 +66,6 @@
# XXX See if we can remove some of these.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system self:capability sys_ptrace;
-
# Trigger module auto-load.
allow system kernel:system module_request;