Stephen Smalley  committed f0ac7a7 Merge

Merge branch 'master' into seandroid

  • Participants
  • Parent commits 6a1e284, c17d30a
  • Branches seandroid, seandroid-4.4

Comments (0)

Files changed (5)

File binderservicedomain.te

 # Rules common to all binder service domains
-# Alow dumpstate to collect information from binder services
+# Allow dumpstate to collect information from binder services
 allow binderservicedomain dumpstate:fd use;
 allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+# Allow dumpsys to work from adb shell
+allow binderservicedomain devpts:chr_file rw_file_perms;
 type ping, domain;
 type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
+domain_auto_trans(dumpstate, ping_exec, ping)
 allow ping self:capability net_raw;
 allow ping self:rawip_socket create_socket_perms;
 allow ping netd:unix_stream_socket connectto;
 allow ping devpts:chr_file rw_file_perms;
 allow ping shell:fd use;
+allow ping dumpstate:fd use;
+allow ping dumpstate:unix_stream_socket { read write };

File shelldomain.te

 allow shelldomain zygote_exec:file rx_file_perms;
 r_dir_file(shelldomain, apk_data_file)
-allow shelldomain dalvikcache_data_file:file { write setattr };
 # Set properties.
 unix_socket_connect(shelldomain, property, init)
 allow shelldomain shell_prop:property_service set;
 allow shelldomain ctl_dumpstate_prop:property_service set;
+allow shelldomain debug_prop:property_service set;
+allow shelldomain powerctl_prop:property_service set;
 # ndk-gdb invokes adb shell ps to find the app PID.
 r_dir_file(shelldomain, non_system_app_set)

File system_server.te

+allow system_server self:capability2 block_suspend;
 # Triggered by /proc/pid accesses, not allowed.
 dontaudit system_server self:capability sys_ptrace;
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
 # Rules to support encrypted fs support.
 allow vold asec_apk_file:dir { rw_dir_perms setattr };
 allow vold asec_apk_file:file { r_file_perms setattr };
+# Handle wake locks (used for device encryption)
+allow vold sysfs_wake_lock:file rw_file_perms;
+allow vold self:capability2 block_suspend;