Merge commit 'd0b1a44e' into HEAD

Android.mk

@@ -11,7 +11,7 @@ include $(CLEAR_VARS)
 # is frozen, we should flip this to true. This forces any currently
 # permissive domains into unconfined+enforcing.
 #
-FORCE_PERMISSIVE_TO_UNCONFINED:=false
+FORCE_PERMISSIVE_TO_UNCONFINED:=true
 
 ifeq ($(TARGET_BUILD_VARIANT),user)
   # User builds are always forced unconfined+enforcing

app.te

@@ -53,6 +53,12 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open execmod };
 
+# Keychain and user-trusted credentials
+allow appdomain keychain_data_file:dir r_dir_perms;
+allow appdomain keychain_data_file:file r_file_perms;
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;
 allow appdomain oemfs:file rx_file_perms;

bootanim.te

@@ -11,6 +11,10 @@ allow bootanim gpu_device:chr_file rw_file_perms;
 
 # /oem access
 allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
 
 # Audited locally.
 service_manager_local_audit_domain(bootanim)

drmserver.te

@@ -47,6 +47,10 @@ allow drmserver radio_data_file:file { read getattr };
 
 allow drmserver drmserver_service:service_manager add;
 
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
 # Audited locally.
 service_manager_local_audit_domain(drmserver)
 auditallow drmserver {

file.te

@@ -82,9 +82,11 @@ type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
+type keychain_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
 type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type;
 type net_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type, mlstrustedobject;

file_contexts

@@ -210,12 +210,14 @@
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
+/data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
+/data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0

installd.te

@@ -37,6 +37,12 @@ allow installd media_rw_data_file:file { getattr unlink };
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;
 
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
 allow installd install_data_file:file create_file_perms;

kernel.te

@@ -38,6 +38,13 @@ allow kernel self:security setcheckreqprot;
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
 allow kernel sdcard_type:file { read write };
 
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel app_data_file:file read;
+
 ###
 ### neverallow rules
 ###

mediaserver.te

@@ -80,6 +80,10 @@ allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver mediaserver_service:service_manager add;
 
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
 # Audited locally.
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {

service_contexts

@@ -37,6 +37,7 @@ drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:system_server_service:s0
 entropy                                   u:object_r:system_server_service:s0
 ethernet                                  u:object_r:system_server_service:s0
+fingerprint                               u:object_r:system_server_service:s0
 gfxinfo                                   u:object_r:system_server_service:s0
 hardware                                  u:object_r:system_server_service:s0
 hdmi_control                              u:object_r:system_server_service:s0
@@ -47,7 +48,7 @@ iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
-imms                                      u:object_r:system_app_service:s0
+imms                                      u:object_r:system_server_service:s0
 isms_msim                                 u:object_r:radio_service:s0
 isms2                                     u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0
@@ -87,6 +88,7 @@ radio.phonesubinfo                        u:object_r:radio_service:s0
 radio.phone                               u:object_r:radio_service:s0
 radio.sms                                 u:object_r:radio_service:s0
 restrictions                              u:object_r:system_server_service:s0
+rttmanager                                u:object_r:system_server_service:s0
 samplingprofiler                          u:object_r:system_server_service:s0
 scheduling_policy                         u:object_r:system_server_service:s0
 search                                    u:object_r:system_server_service:s0
@@ -100,7 +102,7 @@ sip                                       u:object_r:radio_service:s0
 statusbar                                 u:object_r:system_server_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:system_server_service:s0
-telecomm                                  u:object_r:radio_service:s0
+telecom                                   u:object_r:radio_service:s0
 telephony.registry                        u:object_r:system_server_service:s0
 textservices                              u:object_r:system_server_service:s0
 trust                                     u:object_r:system_server_service:s0

system_app.te

@@ -12,10 +12,16 @@ binder_service(system_app)
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:file create_file_perms;
 
+# Read /data/misc/keychain subdirectory.
+allow system_app keychain_data_file:dir r_dir_perms;
+allow system_app keychain_data_file:file r_file_perms;
+
 # Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/keychain.
+# /data/system/cache and /data/misc/user.
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
 # Audit writes to these directories and files so we can identify
 # and possibly move these directories into their own type in the future.
 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };

system_server.te

@@ -14,7 +14,6 @@ allow system_server system_server_tmpfs:file execute;
 
 # For art.
 allow system_server dalvikcache_data_file:file execute;
-allow system_server dex2oat_exec:file rx_file_perms;
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -71,6 +70,9 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms;
 
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
 
@@ -171,6 +173,8 @@ allow system_server tun_device:chr_file rw_file_perms;
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
 
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
@@ -395,7 +399,7 @@ allow system_server frp_block_device:blk_file rw_file_perms;
 allow system_server cgroup:dir { remove_name rmdir };
 
 # /oem access
-allow system_server oemfs:dir search;
+r_dir_file(system_server, oemfs)
 
 ###
 ### Neverallow rules

zygote.te

@@ -21,6 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
+# Read system security data.
+allow zygote keychain_data_file:dir r_dir_perms;
+allow zygote keychain_data_file:file r_file_perms;
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;