From 217f8afc188d4e1f393b0fa36a7dda2d6e0273ca Mon Sep 17 00:00:00 2001
From: Geremy Condra <gcondra@google.com>
Date: Thu, 5 Sep 2013 15:36:30 -0700
Subject: [PATCH] Fix more long-tail denials.

For additional context-

The denials related to init_tmpfs are of the form:

denied  { read } for  pid=12315 comm=""dboxed_process0"" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev=""tmpfs"" ino=9464 scontext=u:r:isolated_app:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

(the path above is "/dev/ashmem/dalvik-heap (deleted)")

The denials related to executing things from the dalvik cache are of the form:

denied  { execute } for  pid=3565 comm=""dboxed_process0"" path=""/data/dalvik-cache/system@app@Chrome.apk@classes.dex"" dev=""mmcblk0p28"" ino=105983 scontext=u:r:isolated_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

The denials related to isolated_app and the init socket are:

denied  { getattr } for  pid=3824 comm=""Binder_2"" path=""socket:[14059]"" dev=""sockfs"" ino=14059 scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

The getopt denials for the aforementioned socket are:

denied  { getopt } for  pid=3824 comm=""Binder_2"" path=""/dev/socket/dumpstate"" scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

Change-Id: I3c57702e2af5a779a7618da9aa40930e7f12ee49
---
 isolated_app.te | 6 ++++++
 kernel.te       | 1 +
 system.te       | 5 +++++
 3 files changed, 12 insertions(+)

diff --git a/isolated_app.te b/isolated_app.te
index 77f14d323..1b33484c5 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,3 +21,9 @@ r_dir_file(appdomain, isolated_app)
 # Chrome works, may need to be updated as more apps using isolated services
 # are examined.
 allow isolated_app appdomain:unix_stream_socket { read write };
+
+allow isolated_app dalvikcache_data_file:file execute;
+allow isolated_app apk_data_file:dir getattr;
+
+allow isolated_app init:unix_stream_socket { read write getattr getopt };
+allow isolated_app init_tmpfs:file read;
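Review bot: The new `init:unix_stream_socket` rule grants `read` and `write` to isolated_app, but the denials quoted in the commit description for that socket show only `getattr` and `getopt`. Since isolated_app appears to be the domain for sandboxed service processes, I would keep the rule to what was observed, `allow isolated_app init:unix_stream_socket { getattr getopt };`, and add read/write only once a denial backs them. The `getopt` denial's path is `/dev/socket/dumpstate`, which looks like a descriptor inherited from a parent rather than one the service opens itself; if that is confirmed, `dontaudit` or closing the descriptor before the service starts may be the better fix. `apk_data_file:dir getattr` also has no denial in the description, so a `#` comment above each rule naming the denial it answers would help later audits.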
diff --git a/kernel.te b/kernel.te
index 023e45790..e313587b8 100644
--- a/kernel.te
+++ b/kernel.te
@@ -6,3 +6,4 @@ unconfined_domain(kernel)
 relabelto_domain(kernel)
 
 allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow kernel unlabeled:filesystem mount;
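Review bot: `allow kernel unlabeled:filesystem mount;` has no matching denial in the commit description and no comment, so a reader cannot tell which filesystem ends up with the `unlabeled` context. A filesystem is usually unlabeled because the policy has no labeling rule for its type, so giving that type its own label and allowing mount on it would be narrower than permitting mount of anything unlabeled. This is inferred, because the mount that triggered the rule is not visible here. At minimum add a comment such as `# <filesystem> is mounted before it has a label; denial: <avc line>` (placeholders to fill in).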
diff --git a/system.te b/system.te
index 24d4a676b..b096b68b8 100644
--- a/system.te
+++ b/system.te
@@ -14,5 +14,10 @@ allow system self:zygote { specifyids specifyrlimits specifyseinfo };
 
 allow system backup_data_file:dir relabelto;
 allow system cache_backup_file:dir relabelto;
+allow system anr_data_file:dir relabelto;
+allow system system_data_file:dir relabelto;
 allow system apk_data_file:file relabelto;
 allow system apk_tmp_file:file relabelto;
+allow system cache_backup_file:file relabelto;
+allow system apk_private_tmp_file:file relabelto;
+allow system wallpaper_file:file relabelto;
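Review bot: None of the five added `relabelto` rules is backed by a denial in the commit description, and `system_data_file:dir` deserves the closest look. Judging by its name that type is the generic label for system data, so the rule lets the system domain relabel directories to a very widely used type. Please record which path and operation needs each rule, for example `# relabel of <path> by <component>` above it (placeholders), so the grants can be narrowed or dropped later. The additions also split the list, with `cache_backup_file:file` landing several lines away from `cache_backup_file:dir`; keeping the dir and file rules for one type adjacent makes the block easier to audit.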
-- 
GitLab