From 1fdee11df2552e29da0c48e3432f26f7a93e3bff Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Fri, 13 Sep 2013 15:59:04 -0700
Subject: [PATCH] 1/2: Rename domain "system" to "system_server".

This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
---
 app.te | 6 +++---
 domain.te | 2 +-
 seapp_contexts | 2 +-
 system.te | 38 --------------------------------------
 system_server.te | 41 +++++++++++++++++++++++++++++++++++++++++
 zygote.te | 4 ++--
 6 files changed, 48 insertions(+), 45 deletions(-)
 delete mode 100644 system.te
 create mode 100644 system_server.te

diff --git a/app.te b/app.te
index c620d52ce..689ff95de 100644
--- a/app.te
+++ b/app.te
@@ -20,9 +20,9 @@ allow appdomain zygote_tmpfs:file read;
 allow appdomain zygote:process sigchld;
 # Communicate with system_server.
-allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write setopt };
-binder_call(appdomain, system)
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt };
+binder_call(appdomain, system_server)
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
diff --git a/domain.te b/domain.te
index 215c1a3cf..632123782 100644
--- a/domain.te
+++ b/domain.te
@@ -20,7 +20,7 @@ allow domain self:{ unix_dgram_socket unix_stream_socket } *;
 # Inherit or receive open files from others.
 allow domain init:fd use;
-allow domain system:fd use;
+allow domain system_server:fd use;
 # Connect to adbd and use a socket transferred from it.
 allow domain adbd:unix_stream_socket connectto;
diff --git a/seapp_contexts b/seapp_contexts
index 41d3dd845..2049b8aa7 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -32,7 +32,7 @@
 # levelFrom=app or levelFrom=all is only supported for _app UIDs.
 # level may be used to specify a fixed level for any UID.
 #
-isSystemServer=true domain=system
+isSystemServer=true domain=system_server
 user=system domain=system_app type=system_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
diff --git a/system.te b/system.te
deleted file mode 100644
index f29367cef..000000000
--- a/system.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system, domain;
-permissive system;
-unconfined_domain(system);
-relabelto_domain(system);
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system self:capability {
- kill
- net_admin
- net_bind_service
- net_broadcast
- net_raw
- sys_boot
- sys_module
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
-};
-
-# Create a socket for receiving info from wpa.
-type_transition system wifi_data_file:sock_file system_wpa_socket;
-allow system self:zygote { specifyids specifyrlimits specifyseinfo };
-
-allow system backup_data_file:dir relabelto;
-allow system cache_backup_file:dir relabelto;
-allow system anr_data_file:dir relabelto;
-allow system system_data_file:dir relabelto;
-allow system apk_data_file:file relabelto;
-allow system apk_tmp_file:file relabelto;
-allow system cache_backup_file:file relabelto;
-allow system apk_private_tmp_file:file relabelto;
-allow system wallpaper_file:file relabelto;
diff --git a/system_server.te b/system_server.te
new file mode 100644
index 000000000..6b7909952
--- /dev/null
+++ b/system_server.te
@@ -0,0 +1,41 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
+permissive system_server;
+unconfined_domain(system_server);
+relabelto_domain(system_server);
+
+# TODO: Remove the temporary alias below once the renaming of system to system_server is complete in all repositories.
+typealias system_server alias system;
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:capability {
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_module
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+};
+
+# Create a socket for receiving info from wpa.
+type_transition system_server wifi_data_file:sock_file system_wpa_socket;
+allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
+
+allow system_server backup_data_file:dir relabelto;
+allow system_server cache_backup_file:dir relabelto;
+allow system_server anr_data_file:dir relabelto;
+allow system_server system_data_file:dir relabelto;
+allow system_server apk_data_file:file relabelto;
+allow system_server apk_tmp_file:file relabelto;
+allow system_server cache_backup_file:file relabelto;
+allow system_server apk_private_tmp_file:file relabelto;
+allow system_server wallpaper_file:file relabelto;
diff --git a/zygote.te b/zygote.te
index 5b6162fe0..ddda88c8d 100644
--- a/zygote.te
+++ b/zygote.te
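Review bot: The temporary `typealias system_server alias system;` carries a TODO with no tracking reference, and the commit message calls the alias "server" while the policy line aliases `system`; the two should agree and the TODO should point at the follow-up, e.g. `# TODO(<tracking-bug>): remove alias "system" once change 2/2 has landed in every repository.` While the alias exists, rules in other repositories that still name `system` keep resolving to system_server, so leftover references will presumably not surface as build errors until the alias is dropped. The rest of the new file matches the deleted system.te, including `permissive system_server;` and `unconfined_domain(system_server);`, so the rename does not itself change what this domain is allowed to do.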
@@ -9,13 +9,13 @@ allow zygote self:capability { dac_override setgid setuid fowner };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
-allow zygote system:process dyntransition;
+allow zygote system_server:process dyntransition;
 allow zygote appdomain:process dyntransition;
 # Allow zygote to read + write app data dirs (b/10455872 and b/10498304)
 allow zygote appdomain:dir { getattr search };
 allow zygote appdomain:file { r_file_perms write };
 # Move children into the peer process group.
-allow zygote system:process { getpgid setpgid };
+allow zygote system_server:process { getpgid setpgid };
 allow zygote appdomain:process { getpgid setpgid };
 # Write to system data.
 allow zygote system_data_file:dir rw_dir_perms;
--
GitLab