From 1c7351652c69bc571b8edfa4a8874b58c73568aa Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 12 Jul 2012 13:26:15 -0400
Subject: [PATCH] Address various denials introduced by JB/4.1.

---
 app.te            | 10 +++++++---
 sdcardd.te        |  2 +-
 surfaceflinger.te |  4 +++-
 system.te         |  3 +++
 vold.te           |  2 +-
 5 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/app.te b/app.te
index 2ea00f1d0..c55f4e07f 100644
--- a/app.te
+++ b/app.te
@@ -40,8 +40,8 @@ allow media_app mtp_device:chr_file rw_file_perms;
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
 # Access sdcard.
-allow media_app sdcard:dir rw_dir_perms;
-allow media_app sdcard:file rw_file_perms;
+allow media_app sdcard:dir create_dir_perms;
+allow media_app sdcard:file create_file_perms;
 
 # Apps signed with the shared key.
 type shared_app, domain;
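Review bot: The comment `# Access sdcard.` above the two rewritten media_app rules no longer describes the grant, since `create_dir_perms` and `create_file_perms` typically add create/rename/unlink-style permissions on top of what the old `rw_dir_perms`/`rw_file_perms` macros gave. Suggest `# Create, read, write and remove files and directories on the sdcard.` so the widening is visible to the next reader. The macro definitions are outside this hunk, so the exact set of added permissions should be confirmed against them.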
@@ -119,8 +119,12 @@ allow appdomain zygote_tmpfs:file read;
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;
 
-# Communicate over a FIFO to system processes.
+# Communicate over a FIFO or socket created by the system_server.
 allow appdomain system:fifo_file rw_file_perms;
+allow appdomain system:unix_stream_socket { read write };
+
+# Communicate over a socket created by surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
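Review bot: The new rule `allow appdomain surfaceflinger:unix_stream_socket { read write setopt };` grants `setopt` to every app domain, while the system_server socket rule just above it grants only `{ read write }`, and nothing in the hunk or the commit message says which socket option a client needs to set. Suggest recording that in the comment, e.g. `# Communicate over a socket created by surfaceflinger; setopt is for <option name> on the client end.` with the option filled in, so the broader grant can be re-checked if the client code changes. The same `{ read write setopt }` rule is added for the `system` domain in the system.te hunk and the same comment would help there.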
diff --git a/sdcardd.te b/sdcardd.te
index 21b867322..84471d795 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -7,7 +7,7 @@ allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;
 allow sdcardd sdcard:filesystem mount;
-allow sdcardd self:capability { setuid setgid };
+allow sdcardd self:capability { setuid setgid dac_override };
 allow sdcardd system_data_file:dir  create_dir_perms;
 allow sdcardd system_data_file:file create_file_perms;
 
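Review bot: Adding `dac_override` in `allow sdcardd self:capability { setuid setgid dac_override };` lets sdcardd bypass every discretionary permission check rather than the specific one that was denied, and neither the hunk nor the commit message records which access triggered it. If the denial was only on reading or traversing directories, `dac_read_search` is the narrower capability; either way a comment such as `# dac_override: needed to <access> after switching away from root (see the logged denial)` would tie the grant to its cause. The setuid/setgid on the same line suggest the daemon changes uid, which is the likely reason, but that is an inference from this line alone.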
diff --git a/surfaceflinger.te b/surfaceflinger.te
index bbefa142c..10a57ee93 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -23,5 +23,7 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket *;
 
-# ctl interface
+# Set properties.
+allow surfaceflinger system_prop:property_service set;
 allow surfaceflinger ctl_default_prop:property_service set;
+
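Review bot: The added `allow surfaceflinger system_prop:property_service set;` lets surfaceflinger set any property of type system_prop, and the replacement comment `# Set properties.` drops the `# ctl interface` note that explained the ctl_default_prop rule below it. Suggest keeping both explanations, e.g. `# Set system properties (TODO: name the property that was denied) and use the ctl interface.`, so the grant stays traceable. The hunk also adds an empty line at the end of the file (the trailing `+`), which looks unintentional.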
diff --git a/system.te b/system.te
index 1a94c7527..04ff84c0e 100644
--- a/system.te
+++ b/system.te
@@ -107,6 +107,9 @@ unix_socket_connect(system, gps, gpsd)
 unix_socket_connect(system, bluetooth, bluetoothd)
 unix_socket_send(system, wpa, wpa)
 
+# Communicate over a socket created by surfaceflinger.
+allow system surfaceflinger:unix_stream_socket { read write setopt };
+
 # Perform Binder IPC.
 tmpfs_domain(system)
 binder_use(system)
diff --git a/vold.te b/vold.te
index 403771fec..86dbbb7a7 100644
--- a/vold.te
+++ b/vold.te
@@ -53,7 +53,7 @@ allow vold kernel:system module_request;
 allow vold proc:file write;
 
 # Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { write create add_name mounton };
+allow vold system_data_file:dir { open read write create add_name mounton };
 
 # Property Service
 allow vold vold_prop:property_service set;
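Review bot: The added `open read` on `system_data_file:dir` lets vold open and list any directory labelled with that type, not just the /data/tmp_mnt named in the comment `# Create and mount on /data/tmp_mnt.`, since the type is not specific to the mount point. If the listing is needed only for the mount point, the comment should say so (`# Create, list and mount on /data/tmp_mnt; note system_data_file covers all such directories.`), and a dedicated type for the mount point would be the way to narrow it later. Whether `search` on that type is granted elsewhere is outside this hunk.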
-- 
GitLab