
Stephen Smalley committed 32a3177 Merge

Merge branch 'seandroid' into seandroid-4.4


Files changed (5)

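--- a/binderservicedomain.te
+++ b/binderservicedomain.te
 # Rules common to all binder service domains
 
-# Alow dumpstate to collect information from binder services
+# Allow dumpstate to collect information from binder services
 allow binderservicedomain dumpstate:fd use;
 allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+
+# Allow dumpsys to work from adb shell
+allow binderservicedomain devpts:chr_file rw_file_perms;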
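Review bot: The new devpts rule on the last line is wider than its comment suggests: rw_file_perms on devpts:chr_file for the whole binderservicedomain attribute covers every pseudo-terminal, not only the one backing an adb shell session, and it applies to every domain that carries the attribute. If this policy version has no narrower devpts type to use instead, the comment should record the breadth so later audits do not assume it is scoped to shell, e.g. `# Allow dumpsys to work from adb shell (grants rw on any pts; devpts is not split per owner here)`. Worth confirming that the set of binderservicedomain members is small enough for this to be acceptable.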
 type ping, domain;
 type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
+domain_auto_trans(dumpstate, ping_exec, ping)
 
 allow ping self:capability net_raw;
 allow ping self:rawip_socket create_socket_perms;
 allow ping netd:unix_stream_socket connectto;
 allow ping devpts:chr_file rw_file_perms;
 allow ping shell:fd use;
+
+allow ping dumpstate:fd use;
+allow ping dumpstate:unix_stream_socket { read write };
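Review bot: The new `domain_auto_trans(dumpstate, ping_exec, ping)` and the two dumpstate rules at the end of the hunk carry no comment, unlike the shell-related rules they mirror. Presumably dumpstate runs ping while collecting a bugreport; a one-line rationale such as `# dumpstate invokes ping during bugreport collection and needs the same fd/socket access as shell` above the new rules would record that for the next reader. This section's file header is not visible on the page, so the file is inferred to be ping.te.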
 allow shelldomain zygote_exec:file rx_file_perms;
 
 r_dir_file(shelldomain, apk_data_file)
-allow shelldomain dalvikcache_data_file:file { write setattr };
 
 # Set properties.
 unix_socket_connect(shelldomain, property, init)
 allow shelldomain shell_prop:property_service set;
 allow shelldomain ctl_dumpstate_prop:property_service set;
+allow shelldomain debug_prop:property_service set;
+allow shelldomain powerctl_prop:property_service set;
 
 # ndk-gdb invokes adb shell ps to find the app PID.
 r_dir_file(shelldomain, non_system_app_set)
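Review bot: The two property_service rules added after ctl_dumpstate_prop have no comment, and powerctl_prop is a sensitive target: init acts on that property to reboot or shut down the device, so every domain carrying shelldomain can now trigger it. A comment naming the intended use, e.g. `# Allow the shell to reboot/shut down via the power-control property`, would make the grant auditable (confirm the exact property name against this tree's property_contexts). The removal of the dalvikcache_data_file write rule is a tightening and needs no note.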
     sys_tty_config
 };
 
+allow system_server self:capability2 block_suspend;
+
 # Triggered by /proc/pid accesses, not allowed.
 dontaudit system_server self:capability sys_ptrace;
 
 
 write_klog(vold)
 
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
 #
 # Rules to support encrypted fs support.
 #
 security_access_policy(vold)
 allow vold asec_apk_file:dir { rw_dir_perms setattr };
 allow vold asec_apk_file:file { r_file_perms setattr };
+
+# Handle wake locks (used for device encryption)
+allow vold sysfs_wake_lock:file rw_file_perms;
+allow vold self:capability2 block_suspend;