Merge upstream sepolicy into AOSP

Change-Id: Ia292607cbd06514a8ac3b0ad49eaefcdce12ef16

Android.mk

@@ -16,6 +16,10 @@ LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET
 LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS)))
 LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS)))
 LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_FS_USE := $(wildcard $(addsuffix sepolicy.fs_use, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_PORT_CONTEXTS := $(wildcard $(addsuffix sepolicy.port_contexts, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_GENFS_CONTEXTS := $(wildcard $(addsuffix sepolicy.genfs_contexts, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_INITIAL_SID_CONTEXTS := $(wildcard $(addsuffix sepolicy.initial_sid_contexts, $(LOCAL_POLICY_DIRS)))
 
 ##################################
 include $(CLEAR_VARS)
@@ -31,7 +35,7 @@ include $(BUILD_SYSTEM)/base_rules.mk
 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te) $(LOCAL_POLICY_TE) $(addprefix $(LOCAL_PATH)/, roles users ocontexts))
+$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te) $(LOCAL_POLICY_TE) $(addprefix $(LOCAL_PATH)/, roles users initial_sid_contexts) $(LOCAL_POLICY_INITIAL_SID_CONTEXTS) $(addprefix $(LOCAL_PATH)/,fs_use) $(LOCAL_POLICY_FS_USE) $(addprefix $(LOCAL_PATH)/,genfs_contexts) $(LOCAL_POLICY_GENFS_CONTEXTS) $(addprefix $(LOCAL_PATH)/,port_contexts) $(LOCAL_POLICY_PORT_CONTEXTS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
 
@@ -53,7 +57,7 @@ include $(BUILD_SYSTEM)/base_rules.mk
 file_contexts := $(intermediates)/file_contexts
 $(file_contexts): $(LOCAL_PATH)/file_contexts $(LOCAL_POLICY_FC)
 	@mkdir -p $(dir $@)
-	$(hide) cat $^ > $@
+	$(hide) m4 -s $^ > $@
 
 file_contexts :=
 ##################################
@@ -80,9 +84,34 @@ include $(BUILD_SYSTEM)/base_rules.mk
 property_contexts := $(intermediates)/property_contexts
 $(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC)
 	@mkdir -p $(dir $@)
-	$(hide) cat $^ > $@
+	$(hide) m4 -s $^ > $@
 
 property_contexts :=
 ##################################
 
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := selinux-network.sh
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+LOCAL_MODULE_CLASS := EXECUTABLES
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)
+
+include $(BUILD_PREBUILT)
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
+
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+
+include $(BUILD_PREBUILT)
+
+##################################
+
 endif #ifeq ($(HAVE_SELINUX),true)

NOTICE

+This configuration (sepolicy) is public domain, i.e. not copyrighted.
+
+Warranty Exclusion
+------------------
+You agree that this software is a
+non-commercially developed program that may contain "bugs" (as that
+term is used in the industry) and that it may not function as intended.
+The software is licensed "as is". NSA makes no, and hereby expressly
+disclaims all, warranties, express, implied, statutory, or otherwise
+with respect to the software, including noninfringement and the implied
+warranties of merchantability and fitness for a particular purpose.
+
+Limitation of Liability
+-----------------------
+In no event will NSA be liable for any damages, including loss of data,
+lost profits, cost of cover, or other special, incidental,
+consequential, direct or indirect damages arising from the software or
+the use thereof, however caused and on any theory of liability. This
+limitation will apply even if NSA has been advised of the possibility
+of such damage. You acknowledge that this is a reasonable allocation of
+risk.

access_vectors

@@ -445,6 +445,8 @@ class capability2
 	mac_override	# unused by SELinux
 	mac_admin	# unused by SELinux
 	syslog
+	wake_alarm
+	block_suspend
 }
 
 #

app.te

@@ -4,40 +4,91 @@
 #
 
 #
-# Trusted apps.
+# Apps signed with the platform key.
 #
-type trusted_app, domain;
-app_domain(trusted_app)
+type platform_app, domain;
+app_domain(platform_app)
+platform_app_domain(platform_app)
 # Access the network.
-net_domain(trusted_app)
+net_domain(platform_app)
 # Access bluetooth.
-bluetooth_domain(trusted_app)
+bluetooth_domain(platform_app)
 # Read logs.
-allow trusted_app log_device:chr_file read;
-# Access /dev/mtp_usb.
-# XXX Split android.process.media into a separate domain?
-allow trusted_app mtp_device:chr_file rw_file_perms;
+allow platform_app log_device:chr_file read;
 # Write to /cache.
-allow trusted_app cache_file:dir rw_dir_perms;
-allow trusted_app cache_file:file create_file_perms;
+allow platform_app cache_file:dir rw_dir_perms;
+allow platform_app cache_file:file create_file_perms;
 # Read from /data/local.
-allow trusted_app shell_data_file:dir search;
-allow trusted_app shell_data_file:file { open getattr read };
-allow trusted_app shell_data_file:lnk_file read;
-# Access the sdcard.
-allow trusted_app sdcard:dir create_dir_perms;
-allow trusted_app sdcard:file create_file_perms;
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp file created by system server.
-allow trusted_app apk_tmp_file:file rw_file_perms;
+allow platform_app apk_tmp_file:file rw_file_perms;
+# Read/[open] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow platform_app qtaguid_proc:file { open };
+allow platform_app qtaguid_device:chr_file r_file_perms;
+
+# Apps signed with the media key.
+type media_app, domain;
+app_domain(media_app)
+platform_app_domain(media_app)
+# Access the network.
+net_domain(media_app)
+# Read logs.
+allow media_app log_device:chr_file read;
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file rw_file_perms;
+# Write to /cache.
+allow media_app cache_file:dir rw_dir_perms;
+allow media_app cache_file:file create_file_perms;
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow media_app qtaguid_proc:file rw_file_perms;
+allow media_app qtaguid_device:chr_file r_file_perms;
+
+# Apps signed with the shared key.
+type shared_app, domain;
+app_domain(shared_app)
+platform_app_domain(shared_app)
+# Access the network.
+net_domain(shared_app)
+# Access bluetooth.
+bluetooth_domain(shared_app)
+# Read logs.
+allow shared_app log_device:chr_file read;
+
+# Apps signed with the release key (testkey in AOSP).
+type release_app, domain;
+app_domain(release_app)
+platform_app_domain(release_app)
+# Access the network.
+net_domain(release_app)
+# Access bluetooth.
+bluetooth_domain(release_app)
+# Read logs.
+allow release_app log_device:chr_file read;
 
 #
 # An example of a specific domain for a specific app
 # A domain for com.android.browser.
 type browser_app, domain;
 app_domain(browser_app)
+platform_app_domain(browser_app)
 # Access the network.
 net_domain(browser_app)
 
+#
+# Rules for platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+# App sdcard file accesses
+allow platformappdomain sdcard:dir create_dir_perms;
+allow platformappdomain sdcard:file create_file_perms;
+# System data file accesses (e.g, shared objects from the lib directory)
+allow platformappdomain system_data_file:file { execute open };
+
 #
 # Untrusted apps.
 #
@@ -54,10 +105,12 @@ allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
 allow untrusted_app port_type:udp_socket name_bind;
 allow untrusted_app port_type:tcp_socket name_bind;
 unix_socket_connect(untrusted_app, dnsproxyd, netd)
+# Get route information.
+allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };
 }
 # Bluetooth access.
 bool app_bluetooth false;
-if (app_bluetooth) {
+if (app_bluetooth or android_cts) {
 # No specific SELinux class for bluetooth sockets presently.
 allow untrusted_app self:socket *;
 }
@@ -69,8 +122,13 @@ allow untrusted_app sdcard:file create_file_perms;
 }
 # Native app support.
 bool app_ndk false;
-if (app_ndk) {
-allow untrusted_app app_data_file:file execute;
+if (app_ndk or android_cts) {
+allow untrusted_app system_data_file:file { execute open };
+}
+# Read Logs
+bool app_read_logs false;
+if (app_read_logs or android_cts) {
+allow untrusted_app log_device:chr_file read;
 }
 
 #
@@ -86,13 +144,20 @@ allow appdomain zygote_tmpfs:file read;
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;
 
-# Communicate over a FIFO to system processes.
+# Communicate over a FIFO or socket created by the system_server.
 allow appdomain system:fifo_file rw_file_perms;
+allow appdomain system:unix_stream_socket { read write };
+
+# Communicate over a socket created by surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
+# Read/write data files created by the platform apps.
+allow appdomain platform_app_data_file:file rw_file_perms;
+
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 
@@ -103,6 +168,9 @@ allow appdomain wallpaper_file:file { read write };
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain qtaguid_proc:file write;
+
 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.

attributes

@@ -58,3 +58,6 @@ attribute bluetoothdomain;
 
 # All domains used for binder service domains.
 attribute binderservicedomain;
+
+# Allow domains used for platform (signed by build key) apps.
+attribute platformappdomain;

cts.te

@@ -27,6 +27,13 @@ allow appdomain fs_type:dir_file_class_set getattr;
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
 
+# Accesses to apk_tmp_file and shell_data_file
+allow appdomain apk_tmp_file:file rw_file_perms;
+allow appdomain shell_data_file:file r_file_perms;
+
+# Read permission over link file to devices.
+allow appdomain dev_type:lnk_file read;
+
 # Read routing information.
 allow netdomain self:netlink_route_socket { create read write nlmsg_read };
 

debuggerd.te

@@ -4,10 +4,15 @@ type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
 typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill };
+allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:process ptrace;
+allow debuggerd rootfs:file r_file_perms;
+allow debuggerd system_data_file:dir create_dir_perms;
+allow debuggerd system_data_file:dir relabelfrom;
+allow debuggerd tombstone_data_file:dir relabelto;
 allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd domain:process { sigstop signal };

device.te

@@ -37,3 +37,17 @@ type urandom_device, dev_type;
 type video_device, dev_type;
 type vcs_device, dev_type;
 type zero_device, dev_type;
+type fuse_device, dev_type;
+type ion_device, dev_type;
+type gps_device, dev_type;
+type qtaguid_device, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for 
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;

domain.te

@@ -80,7 +80,7 @@ allow domain cache_file:file { getattr read };
 allow domain cache_file:lnk_file read;
 
 # For /acct/uid/*/tasks.
-allow domain cgroup:dir search;
+allow domain cgroup:dir { search write };
 allow domain cgroup:file w_file_perms;
 
 # For /sys/qemu_trace files in the emulator.
@@ -96,5 +96,12 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
 
-# Ignore /sys/kernel/debug
-dontaudit domain debugfs:dir search;
+# debugfs access
+bool debugfs true;
+if (debugfs) {
+allow domain debugfs:dir r_dir_perms;
+allow domain debugfs:file rw_file_perms;
+} else {
+dontaudit domain debugfs:dir r_dir_perms;
+dontaudit domain debugfs:file  rw_file_perms;
+}

drmserver.te

@@ -11,6 +11,10 @@ binder_call(drmserver, system)
 binder_call(drmserver, appdomain)
 binder_service(drmserver)
 
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
 allow drmserver sdcard:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
+allow drmserver self:{ tcp_socket udp_socket } *;

file.te

@@ -4,6 +4,7 @@ type pipefs, fs_type;
 type sockfs, fs_type;
 type rootfs, fs_type;
 type proc, fs_type;
+type qtaguid_proc, fs_type, mlstrustedobject;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
@@ -31,6 +32,7 @@ type anr_data_file, file_type, data_file_type, mlstrustedobject;
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
 type apk_data_file, file_type, data_file_type;
+type asec_data_file, file_type, data_file_type;
 type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
@@ -47,14 +49,21 @@ type systemkeys_data_file, file_type, data_file_type;
 type wifi_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
+type camera_calibration_file, file_type, data_file_type;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
-type wallpaper_file, file_type;
+type wallpaper_file, file_type, mlstrustedobject;
+
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# defice policy
+type bluetooth_efs_file, file_type;
 
 # Socket types
 type bluetooth_socket, file_type;
@@ -73,6 +82,9 @@ type vold_socket, file_type;
 type wpa_socket, file_type;
 type zygote_socket, file_type;
 
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;

file_contexts

@@ -25,8 +25,10 @@
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/full		u:object_r:full_device:s0
+/dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
 /dev/input(/.*)		u:object_r:input_device:s0
+/dev/ion		u:object_r:ion_device:s0
 /dev/kmem		u:object_r:kmem_device:s0
 /dev/log(/.*)?		u:object_r:log_device:s0
 /dev/mem		u:object_r:kmem_device:s0
@@ -45,6 +47,8 @@
 /dev/nvmap		u:object_r:nv_device:s0
 /dev/nvhost-.*		u:object_r:nv_device:s0
 /dev/random		u:object_r:random_device:s0
+/dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
+/dev/rproc_user	u:object_r:rpmsg_device:s0
 /dev/s3c-jpg		u:object_r:camera_device:s0
 /dev/s3c-mem		u:object_r:camera_device:s0
 /dev/s3c-mfc		u:object_r:graphics_device:s0
@@ -73,6 +77,7 @@
 /dev/urandom		u:object_r:urandom_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
+/dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
 #############################
 # System files
@@ -96,6 +101,7 @@
 /system/bin/bluetoothd	u:object_r:bluetoothd_exec:s0
 /system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
 /system/bin/qemud	u:object_r:qemud_exec:s0
+/system/bin/sdcard      u:object_r:sdcardd_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 #############################
@@ -117,6 +123,7 @@
 /data/misc/vpn(/.*)?		u:object_r:vpn_data_file:s0
 /data/misc/systemkeys(/.*)?	u:object_r:systemkeys_data_file:s0
 /data/misc/wifi(/.*)?		u:object_r:wifi_data_file:s0
+/data/misc/camera(/.*)?	u:object_r:camera_calibration_file:s0
 # App sandboxes
 /data/data/.*		u:object_r:app_data_file:s0
 # Wallpaper file.
@@ -134,3 +141,6 @@
 #
 /sys/qemu_trace/process_name	--	u:object_r:sysfs_writable:s0
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
+#############################
+# asec containers
+/mnt/asec(/.*)?         u:object_r:asec_data_file:s0

fs_use

+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+

genfs_contexts

+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:sdcard:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:sdcard:s0

global_macros

@@ -8,7 +8,7 @@ define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file
 define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`devfile_class_set', `{ chr_file blk_file }')
 
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')

hci_attach.te

+type hci_attach, domain;
+type hci_attach_exec, exec_type, file_type;
+
+init_daemon_domain(hci_attach)
+
+allow hci_attach kernel:system module_request;
+allow hci_attach hci_attach_dev:chr_file rw_file_perms;
+allow hci_attach bluetooth_efs_file:dir r_dir_perms;
+allow hci_attach bluetooth_efs_file:file r_file_perms;

ocontexts → initial_sid_contexts

@@ -25,41 +25,3 @@ sid kmod u:object_r:unlabeled:s0
 sid policy u:object_r:unlabeled:s0
 sid scmp_packet u:object_r:unlabeled:s0
 sid devnull u:object_r:null_device:s0
-
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:sdcard:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:sdcard:s0
-
-# portcon statements go here, e.g.
-# portcon tcp 80 u:object_r:http_port:s0

installd.te

@@ -10,7 +10,7 @@ allow installd system_data_file:lnk_file create;
 allow installd dalvikcache_data_file:file create_file_perms;
 allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:file { getattr unlink };
+allow installd data_file_type:{ file lnk_file } { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;

keystore.te

@@ -5,3 +5,4 @@ type keystore_exec, exec_type, file_type;
 init_daemon_domain(keystore)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };