Stephen Smalley committed b5a313a Merge

Merge branch 'master' into seandroid

Comments (0)

Files changed (4)

 # Communicate with system_server.
 allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt };
-binder_call(appdomain, system_server)
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
-binder_call(appdomain, surfaceflinger)
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
-# Allow applications to communicate with drmserver over binder
-binder_call(appdomain, drmserver)
-# Allow applications to communicate with mediaserver over binder
-binder_call(appdomain, mediaserver)
 # Allow apps to use the USB Accessory interface.
-binder_call(racoon, servicemanager)
 binder_call(racoon, keystore)
 allow racoon tun_device:chr_file r_file_perms;
-# Perform binder IPC to any app domain.
-binder_call(system_app, appdomain)
 # Read and write system data files.
 # May want to split into separate types.
 allow system_app system_data_file:dir create_dir_perms;
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
 # system server gets network and bluetooth permissions.
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
-binder_call(system_server, healthd)
 binder_call(system_server, dumpstate)