Address various denials introduced by JB/4.1.

1c735165 · Stephen Smalley · c331d0fe · 1c735165 · 1c735165 · 1c735165
Commit 1c735165 authored 12 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -40,8 +40,8 @@ allow media_app mtp_device:chr_file rw_file_perms;
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
 # Access sdcard.
-allow media_app sdcard:dir rw_dir_perms;
-allow media_app sdcard:file rw_file_perms;
+allow media_app sdcard:dir create_dir_perms;
+allow media_app sdcard:file create_file_perms;

 # Apps signed with the shared key.
 type shared_app, domain;
@@ -119,8 +119,12 @@ allow appdomain zygote_tmpfs:file read;
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;

-# Communicate over a FIFO to system processes.
+# Communicate over a FIFO or socket created by the system_server.
 allow appdomain system:fifo_file rw_file_perms;
+allow appdomain system:unix_stream_socket { read write };
+
+# Communicate over a socket created by surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };

 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;

--- a/sdcardd.te
+++ b/sdcardd.te
@@ -7,7 +7,7 @@ allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;
 allow sdcardd sdcard:filesystem mount;
-allow sdcardd self:capability { setuid setgid };
+allow sdcardd self:capability { setuid setgid dac_override };
 allow sdcardd system_data_file:dir  create_dir_perms;
 allow sdcardd system_data_file:file create_file_perms;

--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -23,5 +23,7 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket *;

-# ctl interface
+# Set properties.
+allow surfaceflinger system_prop:property_service set;
 allow surfaceflinger ctl_default_prop:property_service set;
+
--- a/system.te
+++ b/system.te
@@ -107,6 +107,9 @@ unix_socket_connect(system, gps, gpsd)
 unix_socket_connect(system, bluetooth, bluetoothd)
 unix_socket_send(system, wpa, wpa)

+# Communicate over a socket created by surfaceflinger.
+allow system surfaceflinger:unix_stream_socket { read write setopt };
+
 # Perform Binder IPC.
 tmpfs_domain(system)
 binder_use(system)

--- a/vold.te
+++ b/vold.te
@@ -53,7 +53,7 @@ allow vold kernel:system module_request;
 allow vold proc:file write;

 # Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { write create add_name mounton };
+allow vold system_data_file:dir { open read write create add_name mounton };

 # Property Service
 allow vold vold_prop:property_service set;