Policy changes to support running the latest CTS.

adbd.te

@@ -23,9 +23,10 @@ unix_socket_connect(adbd, vold, vold)
 # Talk to init via the property socket.
 unix_socket_connect(adbd, property, init)
 
-# Read properties.
-allow adbd kernel:fd use;
-allow adbd tmpfs:file read;
+# Run sh in its own domain.
+domain_auto_trans(adbd, shell_exec, shell)
+# Do not sanitize the environment of the shell.
+allow adbd shell:process noatsecure;
 
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?

app.te

@@ -30,9 +30,6 @@ allow trusted_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
 # It would be better if this was labeled differently.
 allow trusted_app apk_data_file:file write;
-# Perform binder IPC to any app domain.
-binder_call(trusted_app, appdomain)
-binder_transfer(trusted_app, appdomain)
 
 #
 # An example of a specific domain for a specific app
@@ -105,6 +102,6 @@ binder_use(appdomain)
 # Perform binder IPC to binder services.
 binder_call(appdomain, binderservicedomain)
 binder_transfer(appdomain, binderservicedomain)
-# Perform binder IPC to apps in the trusted_app domain.
-binder_call(appdomain, trusted_app)
-binder_transfer(appdomain, trusted_app)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+binder_transfer(appdomain, appdomain)

debuggerd.te

@@ -12,3 +12,4 @@ allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd domain:process { sigstop signal };
 allow debuggerd exec_type:file r_file_perms;
+allow debuggerd log_device:chr_file r_file_perms;

domain.te

@@ -3,6 +3,10 @@
 # Allow reaping by init.
 allow domain init:process sigchld;
 
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file read;
+
 # binder adjusts the nice value during IPC.
 allow domain self:capability sys_nice;
 
@@ -29,7 +33,7 @@ allow domain debuggerd:unix_stream_socket connectto;
 
 # Root fs.
 allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file read;
+allow domain rootfs:lnk_file { read getattr };
 
 # Device accesses.
 allow domain device:dir search;

drmserver.te

@@ -8,3 +8,9 @@ typeattribute drmserver mlstrustedsubject;
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+
+allow drmserver sdcard:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;

file.te

@@ -22,6 +22,8 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type;
 # /data/anr - ANR traces
 type anr_data_file, file_type, data_file_type;
 # /data/tombstones - core dumps

file_contexts

@@ -101,6 +101,7 @@
 # Data files
 #
 /data(/.*)?		u:object_r:system_data_file:s0
+/data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0

shell.te

 type shell, domain;
 type shell_exec, file_type;
 domain_auto_trans(adbd, shell_exec, shell)
+allow adbd shell:process noatsecure;
 domain_auto_trans(init, shell_exec, shell)
 allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
@@ -13,9 +14,9 @@ allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 
-# Read properties.
-allow shell kernel:fd use;
-allow shell tmpfs:file read;
+# Access sdcard.
+allow shell sdcard:dir rw_dir_perms;
+allow shell sdcard:file rw_file_perms;
 
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file write;

system.te

@@ -141,7 +141,7 @@ allow system cache_file:file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system system_file:file x_file_perms;
 
-# Silently deny any /proc accesses that are not allowed.
-# This suppresses noise from walking the process list.
-dontaudit system domain:dir r_dir_perms;
-dontaudit system domain:file r_file_perms;
+# Allow reading of /proc/pid data for other domains.
+# XXX dontaudit candidate
+allow system domain:dir r_dir_perms;
+allow system domain:file r_file_perms;

te_macros

@@ -97,9 +97,6 @@ allow $1 $1_tmpfs:file { read execute execmod };
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
 tmpfs_domain($1)
-# Read properties.
-allow $1 kernel:fd use;
-allow $1 tmpfs:file read;
 ')
 
 #####################################

ueventd.te

@@ -16,6 +16,3 @@ allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket *;
-# Read properties.
-allow ueventd kernel:fd use;
-allow ueventd tmpfs:file read;