diff --git a/app.te b/app.te
index 1afa4b5c0a6d566a2ac8212c88dba980bc9e8d12..a8d3d847fa1e89796192c409c7daf386dbe637ef 100644
--- a/app.te
+++ b/app.te
@@ -57,7 +57,6 @@ allow appdomain adbd:process sigchld;
 allow appdomain devpts:chr_file { getattr read write ioctl };
 
 # Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
 allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
@@ -138,8 +137,6 @@ userdebug_or_eng(`
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
-# read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
@@ -167,8 +164,7 @@ allow appdomain backup_data_file:file { read write getattr };
 allow appdomain cache_backup_file:file { read write getattr };
 allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:lnk_file getattr;
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
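Review bot: After this hunk the `# Backup ability using 'adb backup'` comment heads only `system_data_file:lnk_file getattr`, while the `file { getattr read }` and lnk_file read that following those links requires appear to come from `domain_deprecated` (`allow domain_deprecated system_data_file:file { getattr read };` and the lnk_file `r_file_perms` rule in that file, with appdomain excluded from its former auditallow). That hidden dependency will surface as a denial the day appdomain loses the `domain_deprecated` attribute. Suggest making it explicit: `# Backup ability using 'adb backup'; read/getattr on the files behind these links is currently inherited from domain_deprecated.`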
@@ -235,8 +231,6 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain -isolated_app } ion_device:chr_file { write append };
 
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
diff --git a/bluetooth.te b/bluetooth.te
index 2b99c3e927db2c7587e5d62c5ffae7261b73f117..4b20a5828cf8fe27d6f722c03201759746976880 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -2,8 +2,6 @@
 type bluetooth, domain, domain_deprecated;
 app_domain(bluetooth)
 net_domain(bluetooth)
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
 
 wakelock_use(bluetooth);
 
@@ -21,15 +19,14 @@ r_dir_file(bluetooth, bluetooth_efs_file)
 allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
 
 # sysfs access.
-r_dir_file(bluetooth, sysfs_type)
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
 allow bluetooth self:capability2 wake_alarm;
 
 # tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:packet_socket create_socket_perms;
 allow bluetooth self:capability { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth tun_device:chr_file rw_file_perms;
 allow bluetooth efs_file:dir search;
 
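Review bot: Switching `packet_socket` and `tun_socket` from `create_socket_perms_no_ioctl` to `create_socket_perms` at the two `+` lines presumably adds the `ioctl` permission, and since there is no `allowxperm bluetooth self:{ packet_socket tun_socket } ioctl …` rule and the `neverallowxperm domain domain:socket_class_set ioctl { 0 }` guard that used to force a whitelist for any socket ioctl is removed in domain.te in this same change, every ioctl number on those sockets is now permitted. The same applies to the `create_socket_perms`/`rw_socket_perms` substitutions in clatd.te, dhcp.te, healthd.te, hostapd.te, logd.te, mtp.te, netd.te, ppp.te and racoon.te. If ioctl on these sockets is really needed, pair it with an `allowxperm` whitelist naming the required commands (as hostapd.te still does for `udp_socket` with `priv_sock_ioctls`) and record them in a comment. Note also that app.te's `allowxperm { appdomain -bluetooth } …` carve-out only made sense together with the bluetooth-specific `priv_sock_ioctls` rule removed in the hunk above, so bluetooth's `udp_socket` ioctls are now the one appdomain case with no whitelist at all.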
diff --git a/clatd.te b/clatd.te
index 8632087a1035046927df84192ebb906d24a79f2d..3cda6a2a3be3b1452b9aca85fe30649ff766803b 100644
--- a/clatd.te
+++ b/clatd.te
@@ -4,8 +4,6 @@ type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
 
-r_dir_file(clatd, proc_net)
-
 # Access objects inherited from netd.
 allow clatd netd:fd use;
 allow clatd netd:fifo_file { read write };
@@ -29,5 +27,5 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
 allow clatd self:capability ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
+allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
 allow clatd tun_device:chr_file rw_file_perms;
diff --git a/debuggerd.te b/debuggerd.te
index 1e84e8d3111ff38be989bd16da3f645dd29b755a..2b8d229f5f2f44aaeede5c6b29d88a314d12e831 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -58,7 +58,3 @@ read_logd(debuggerd)
 
 # Check SELinux permissions.
 selinux_check_access(debuggerd)
-
-# Read /data/dalvik-cache.
-allow debuggerd dalvikcache_data_file:dir { search getattr };
-allow debuggerd dalvikcache_data_file:file r_file_perms;
diff --git a/dex2oat.te b/dex2oat.te
index 8c80a32a87a2872cf99021038e5eaca602aef1be..fdf5536d080e8ac8946f8384ddaee4f38fd6d2e8 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -2,11 +2,6 @@
 type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 
-r_dir_file(dex2oat, apk_data_file)
-
-allow dex2oat tmpfs:file { read getattr };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
 # the oat file is symlinked to the original file in /system.
diff --git a/dhcp.te b/dhcp.te
index a051b192d11d4a21157558957f2c9959d2b46068..a858e080faaa6bd28208f675781f243e18dbbb2e 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -7,7 +7,7 @@ net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
 allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms_no_ioctl;
+allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
diff --git a/dnsmasq.te b/dnsmasq.te
index c52640f1d765db9afc08211c0bcfb538fdd17fe4..e5e4198c0e43cdb481c5a2c8e40b05abc9cb9bcd 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -3,7 +3,6 @@ type dnsmasq, domain, domain_deprecated;
 type dnsmasq_exec, exec_type, file_type;
 
 net_domain(dnsmasq)
-allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
 
 # TODO:  Run with dhcp group to avoid need for dac_override.
 allow dnsmasq self:capability dac_override;
diff --git a/domain.te b/domain.te
index 98d08986dbca93d6905747a392f2cdc5e9727629..8c824989b0e99573b533ccbb8d195c6fa9144119 100644
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,7 @@ r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
 
 # Inherit or receive open files from others.
 allow domain init:fd use;
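Review bot: The new `allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;` line carries no comment, while the second hunk of this file removes the explanation that an `allowxperm` whitelist does not by itself grant `ioctl`, and drops both the `rawip_socket tcp_socket udp_socket` default whitelist and the `neverallowxperm domain domain:socket_class_set ioctl { 0 }` guard. After this change the unix-socket line is the only domain-wide ioctl filter; a domain that holds `ioctl` on rawip/tcp/udp sockets without an `allowxperm` of its own is unrestricted (init.te keeps `allow init self:udp_socket { create ioctl }` while its `SIOCSIFFLAGS` allowxperm is removed), and nothing at policy-build time will flag that. Suggest at least `# Default ioctl whitelist for unix sockets; does not by itself grant ioctl on these classes.` above the new line, and if the wider removal is temporary, a TODO naming the restoration of the socket_class_set neverallowxperm.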
@@ -146,25 +147,10 @@ allow domain debugfs_trace_marker:file w_file_perms;
 allow domain fs_type:filesystem getattr;
 allow domain fs_type:dir getattr;
 
-# Restrict all domains to a whitelist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
-allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
-  ioctl unpriv_unix_sock_ioctls;
-
-
 ###
 ### neverallow rules
 ###
 
-# All socket ioctls must be restricted to a whitelist.
-neverallowxperm domain domain:socket_class_set ioctl { 0 };
-
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 5485f8d371cba30f0dd4e3ef265f585287116cd1..8b048795557b9d1e74067c9c51f11f2c9957a0b7 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -4,82 +4,52 @@
 allow domain_deprecated kernel:fd use;
 allow domain_deprecated tmpfs:file { read getattr };
 allow domain_deprecated tmpfs:lnk_file { read getattr };
-auditallow { domain_deprecated -init } kernel:fd use;
-auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
-auditallow domain_deprecated tmpfs:lnk_file { read getattr };
 
 # Search /storage/emulated tmpfs mount.
 allow domain_deprecated tmpfs:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
 
 # Inherit or receive open files from others.
 allow domain_deprecated system_server:fd use;
-auditallow { domain_deprecated -appdomain -mediaextractor -mediaserver -netd -surfaceflinger } system_server:fd use;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
 allow domain_deprecated adbd:unix_stream_socket connectto;
 allow domain_deprecated adbd:fd use;
 allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket connectto;
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
 # Root fs.
 allow domain_deprecated rootfs:dir r_dir_perms;
 allow domain_deprecated rootfs:file r_file_perms;
 allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 
 # Device accesses.
 allow domain_deprecated device:file read;
-auditallow domain_deprecated device:file read;
 
 # System file accesses.
 allow domain_deprecated system_file:dir r_dir_perms;
 allow domain_deprecated system_file:file r_file_perms;
 allow domain_deprecated system_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
 
 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };
 allow domain_deprecated system_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -logd -sdcardd -system_server -tee } system_data_file:file { getattr read };
-auditallow { domain_deprecated -appdomain -init -logd -system_server -tee } system_data_file:lnk_file r_file_perms;
 
 # Read apk files under /data/app.
 allow domain_deprecated apk_data_file:dir { getattr search };
 allow domain_deprecated apk_data_file:file r_file_perms;
 allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:dir { getattr search };
-auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
 
 # Read /data/dalvik-cache.
 allow domain_deprecated dalvikcache_data_file:dir { search getattr };
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -init -installd -system_server -zygote } dalvikcache_data_file:dir { search getattr };
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -installd -system_server -zygote } dalvikcache_data_file:file r_file_perms;
 
 # Read already opened /cache files.
 allow domain_deprecated cache_file:dir r_dir_perms;
 allow domain_deprecated cache_file:file { getattr read };
 allow domain_deprecated cache_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -init -priv_app -system_server -vold } cache_file:dir { open read search ioctl lock };
-auditallow { domain_deprecated -appdomain -init -priv_app -system_server -vold } cache_file:dir getattr;
-auditallow { domain_deprecated -init -priv_app -system_server -vold } cache_file:file { getattr read };
-auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file r_file_perms;
 
 #Allow access to ion memory allocation device
 allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -mediaserver -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
 
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
@@ -88,28 +58,11 @@ r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
 r_dir_file(domain_deprecated, proc_net)
-#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -kernel -logd -priv_app -rild -system_server -vold } proc:file r_file_perms;
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -kernel -logd -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow domain_deprecated inotify:dir r_dir_perms;
-auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -logd -mediaextractor -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
-auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
 
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -kernel -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -kernel -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
 
 # World readable asec image contents
 allow domain_deprecated asec_public_file:file r_file_perms;
 allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
-auditallow domain_deprecated asec_public_file:file r_file_perms;
-auditallow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/drmserver.te b/drmserver.te
index 06f186540ea540e01c3a989a183dc582a15412b8..9130e0b4caf919bcf6f785e73c7d652c2545e7bf 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -54,6 +54,3 @@ allow drmserver drmserver_service:service_manager { add find };
 allow drmserver permission_service:service_manager find;
 
 selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, system_file)
diff --git a/fingerprintd.te b/fingerprintd.te
index 09d39b187d179d04620420b6bbc98e3a20f02032..1c0ab1c9e8fd0fcdd6c6ce4bd19edb82df7d5d34 100644
--- a/fingerprintd.te
+++ b/fingerprintd.te
@@ -21,7 +21,3 @@ allow fingerprintd keystore:keystore_key { add_auth };
 # For permissions checking
 binder_call(fingerprintd, system_server);
 allow fingerprintd permission_service:service_manager find;
-
-r_dir_file(fingerprintd, cgroup)
-r_dir_file(fingerprintd, sysfs_type)
-allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/fsck.te b/fsck.te
index 9f372ce257170b0828498bf75be1ae1c0b9340e8..d5a6db11b2b65fc4aac67bb36cfef9d7285334d8 100644
--- a/fsck.te
+++ b/fsck.te
@@ -25,8 +25,6 @@ allow fsck dm_device:blk_file rw_file_perms;
 # swap device before setting the EXT2_MF_SWAP mount flag.
 allow fsck swap_block_device:blk_file getattr;
 
-r_dir_file(fsck, proc)
-
 ###
 ### neverallow rules
 ###
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 98806dd1fb9450eb00c56a0be6b0d2a6cbc7018b..00faa205a54c9dfa8e507b72ba0db7485bd733c6 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -12,8 +12,6 @@ allow fsck_untrusted vold:fifo_file { read write getattr };
 allow fsck_untrusted block_device:dir search;
 allow fsck_untrusted vold_device:blk_file rw_file_perms;
 
-r_dir_file(fsck_untrusted, proc)
-
 ###
 ### neverallow rules
 ###
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 3d9b60cd1f6d3375735302a926484423beb7f406..e394af332d82961293009f2bdd977f929e7394aa 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -6,7 +6,6 @@ init_daemon_domain(gatekeeperd)
 binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
-allow gatekeeperd ion_device:chr_file r_file_perms;
 
 # need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };
@@ -28,6 +27,4 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms;
 # For hardware properties retrieval
 allow gatekeeperd hardware_properties_service:service_manager find;
 
-r_dir_file(gatekeeperd, cgroup)
-
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/healthd.te b/healthd.te
index 0bf92c88820f8433df47f3b0014c09dd672bb505..2658ef84c2ae3e3a0447628469b1bcec847959c7 100644
--- a/healthd.te
+++ b/healthd.te
@@ -6,12 +6,11 @@ type healthd, domain, domain_deprecated;
 allow healthd kmsg_device:chr_file rw_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs_type)
-r_dir_file(healthd, rootfs)
+r_dir_file(healthd, sysfs)
 
 allow healthd self:capability { net_admin sys_tty_config };
 wakelock_use(healthd)
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
 binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
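Review bot: `r_dir_file(healthd, sysfs)` narrows the read grant from the `sysfs_type` attribute to the plain `sysfs` type, so any battery or charger node carrying a more specific sysfs label must now be granted on its own, as `sysfs_batteryinfo:file r_file_perms` already is further down and as `sysfs_usb` is for write; any other specifically labelled node healthd reads will start to be denied. Worth stating next to the macro: `# Read access to pseudo filesystems (plain sysfs only; specifically labelled sysfs nodes are granted below).`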
@@ -25,9 +24,6 @@ allow healthd sysfs_usb:file write;
 
 allow healthd sysfs_batteryinfo:file r_file_perms;
 
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, sysfs_type)
-
 ###
 ### healthd: charger mode
 ###
diff --git a/hostapd.te b/hostapd.te
index 62f9cc72687567dba9221a9701c6243b47bf9f16..26140307a2a45526b3b6395a4235034674488825 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -16,9 +16,10 @@ allow hostapd proc_net:file { getattr open read };
 
 # Various socket permissions.
 allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
-allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hostapd self:packet_socket create_socket_perms_no_ioctl;
+allow hostapd self:netlink_socket create_socket_perms;
+allow hostapd self:netlink_generic_socket create_socket_perms;
+allow hostapd self:packet_socket create_socket_perms;
+
 allow hostapd self:netlink_route_socket nlmsg_write;
 
 # hostapd can read and write WiFi related data and configuration.
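Review bot: With the domain-wide `unpriv_sock_ioctls`/`unpriv_tty_ioctls` whitelist removed in domain.te in this change, the surviving `allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;` above the changed lines becomes the only xperm rule for hostapd's udp sockets, so any unprivileged ioctl hostapd issued under the old default (whatever `unpriv_sock_ioctls` contains, not visible here) is now denied rather than widened. Meanwhile the three netlink/packet sockets gain an unfiltered `ioctl` permission with no `allowxperm` of their own. If the previous behaviour is intended, the udp rule needs `ioctl { unpriv_sock_ioctls priv_sock_ioctls }`, and a comment should state which set is meant. The added blank line at the end of the `+` block separates `netlink_route_socket` from the sockets the `# Various socket permissions.` comment introduces; drop it or move the comment.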
diff --git a/init.te b/init.te
index b5f9697eefdee630ebbfd6bdd613abe1de171743..d3f513246394c01f5a878ab6f8b981f3be322e92 100644
--- a/init.te
+++ b/init.te
@@ -29,8 +29,6 @@ allow init tmpfs:blk_file getattr;
 allow init block_device:{ dir blk_file } relabelto;
 allow init dm_device:{ chr_file blk_file } relabelto;
 
-allow init kernel:fd use;
-
 # setrlimit
 allow init self:capability sys_resource;
 
@@ -72,7 +70,6 @@ allow init sysfs:dir mounton;
 allow init tmpfs:dir create_dir_perms;
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
-r_dir_file(init, cgroup)
 allow init cpuctl_device:dir { create mounton };
 
 # /config
@@ -203,11 +200,9 @@ allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 
 # Write to /proc/sys/kernel/panic_on_oops.
-r_dir_file(init, proc)
 allow init proc:file w_file_perms;
 
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(init, proc_net)
 allow init proc_net:file w_file_perms;
 allow init self:capability net_admin;
 
@@ -223,7 +218,10 @@ allow init self:capability sys_boot;
 # Write to sysfs nodes.
 allow init sysfs_type:dir r_dir_perms;
 allow init sysfs_type:lnk_file read;
-allow init sysfs_type:file rw_file_perms;
+allow init sysfs_type:file w_file_perms;
+
+# disksize
+allow init sysfs_zram:file getattr;
 
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
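Review bot: `# disksize` above the new `sysfs_zram:file getattr` line names a node without saying what init does with it or where write access comes from; proposed: `# Stat the zram disksize attribute (writes to it are covered by sysfs_type:file w_file_perms above).` Narrowing `sysfs_type:file` from `rw_file_perms` to `w_file_perms` is a good tightening, but the `# Write to sysfs nodes.` block then silently depends on some other rule for any sysfs read init still performs (not visible in this hunk); mention that in the comment if it is intended.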
@@ -296,8 +294,6 @@ allow init property_type:property_service set;
 
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
 allow init self:capability net_raw;
 
 # This line seems suspect, as it should not really need to
@@ -354,15 +350,6 @@ unix_socket_connect(init, vold, vold)
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
 
-allow init apk_data_file:dir { getattr search };
-allow init dalvikcache_data_file:dir { search getattr };
-r_dir_file(init, system_file)
-allow init proc_meminfo:file r_file_perms;
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-
 ###
 ### neverallow rules
 ###
diff --git a/inputflinger.te b/inputflinger.te
index b6a5f0b2173560e8684c734731be36f016ac45fc..324f3f6cfdc87c26cc0720a79b58a7054c6cc0f4 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -13,5 +13,3 @@ wakelock_use(inputflinger)
 allow inputflinger inputflinger_service:service_manager { add find };
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)
diff --git a/installd.te b/installd.te
index 317ae7cea99f4ca424bedd5d6fb2a6930e8a71f6..8f1baf6697866d1999731ff7202beb70ae59b421 100644
--- a/installd.te
+++ b/installd.te
@@ -13,7 +13,7 @@ allow installd dalvikcache_data_file:file { relabelto link };
 # Allow movement of APK files between volumes
 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+allow installd apk_data_file:lnk_file { create read unlink };
 
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file { r_file_perms unlink };
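Review bot: `apk_data_file:lnk_file { create read unlink }` drops `getattr` (and the rest of `r_file_perms`) from the only explicit lnk_file rule installd has, yet moving APKs between volumes presumably lstats those links; the access appears to survive only through `allow domain_deprecated apk_data_file:lnk_file r_file_perms;` in this same change (installd is excluded from that file's former auditallow, which suggests it carries the attribute). Either keep `getattr` here or record the dependency: `# getattr on these links is currently inherited from domain_deprecated.`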
@@ -21,13 +21,10 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
 
-r_dir_file(installd, rootfs)
-
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
 allow installd asec_image_file:file getattr;
diff --git a/ioctl_macros b/ioctl_macros
index 122e1f0df4cea814d944d5cb2d6198aa48d5e1dc..f3840b8197e6e0032a887163cd474065a86fdb0f 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -21,7 +21,7 @@ SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
 SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
 SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
 SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
-SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCGIFBR SIOCSIFBR
 SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
 SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
 SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
diff --git a/kernel.te b/kernel.te
index 3b77947092a27e7515d0029801acafb2a0d4cb04..bcd09352b6e01dab9c76499f5f7f8ba8cd6391a1 100644
--- a/kernel.te
+++ b/kernel.te
@@ -4,8 +4,9 @@ type kernel, domain, domain_deprecated, mlstrustedsubject;
 allow kernel self:capability sys_nice;
 
 # Root fs.
-r_dir_file(kernel, rootfs)
-r_dir_file(kernel, proc)
+allow kernel rootfs:dir r_dir_perms;
+allow kernel rootfs:file r_file_perms;
+allow kernel rootfs:lnk_file r_file_perms;
 
 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;
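Review bot: The three `allow kernel rootfs:…` lines replacing `r_dir_file(kernel, rootfs)` spell out exactly what that macro expands to (compare the identical triple under `# Root fs.` in domain_deprecated.te), so the rewrite changes nothing for rootfs but departs from the idiom used throughout these files; if the expansion is deliberate, say why in the comment, otherwise keep the macro. The `r_dir_file(kernel, proc)` removal leaves kernel's proc read access relying on `domain_deprecated` (kernel carries that attribute per the hunk header), which the remaining `# Root fs.` comment does not hint at; proposed: `# Root fs. (proc read access is currently inherited from domain_deprecated)`.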
diff --git a/keystore.te b/keystore.te
index 3d7bd9210b975075af517797d6a9b78c5b8d0ae6..6676bd7272ce78503b849c4c1713de130daea2da 100644
--- a/keystore.te
+++ b/keystore.te
@@ -19,9 +19,6 @@ allow keystore sec_key_att_app_id_provider_service:service_manager find;
 # Check SELinux permissions.
 selinux_check_access(keystore)
 
-allow keystore ion_device:chr_file r_file_perms;
-r_dir_file(keystore, cgroup)
-
 ###
 ### Neverallow rules
 ###
diff --git a/logd.te b/logd.te
index 447fae5757e55cfcb1ce48273a3f45e5d00f6c0c..7665385b04a2dea270a644ebbfefea0f1ba94aa1 100644
--- a/logd.te
+++ b/logd.te
@@ -5,17 +5,15 @@ type logd_exec, exec_type, file_type;
 init_daemon_domain(logd)
 
 # Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
 r_dir_file(logd, proc)
-r_dir_file(logd, proc_meminfo)
 r_dir_file(logd, proc_net)
 
 allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
 allow logd self:capability2 syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
-allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd system_data_file:file r_file_perms;
 # logpersist is only allowed on userdebug and eng builds
 userdebug_or_eng(`
   allow logd misc_logd_file:file create_file_perms;
diff --git a/mediaextractor.te b/mediaextractor.te
index 7b873d621f4e91db98b5ceef67332c94feb8ea25..3ebb5b70ffd8dcc7745958156f84f6da016218e4 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -13,11 +13,6 @@ binder_service(mediaextractor)
 
 allow mediaextractor mediaextractor_service:service_manager add;
 
-allow mediaextractor system_server:fd use;
-
-r_dir_file(mediaextractor, cgroup)
-allow mediaextractor proc_meminfo:file r_file_perms;
-
 ###
 ### neverallow rules
 ###
diff --git a/mediaserver.te b/mediaserver.te
index d6b68d27e73d3849152c04a63ed5b8b446f01473..5fbaa30305a47a70eadfd5760c7b604e58c9c55a 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -8,7 +8,6 @@ net_domain(mediaserver)
 init_daemon_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaextractor, cgroup)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;
@@ -124,9 +123,6 @@ allow mediaserver media_rw_data_file:file create_file_perms;
 # Access to /data/preloads
 allow mediaserver preloads_data_file:file { getattr read ioctl };
 
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver system_server:fd use;
-
 ###
 ### neverallow rules
 ###
diff --git a/mtp.te b/mtp.te
index 02d4b56335fe17ad35eaea9980f935fd4cec61fe..9677abd19a32a187ed39114c2d095abecd416156 100644
--- a/mtp.te
+++ b/mtp.te
@@ -6,7 +6,7 @@ init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
-allow mtp self:socket create_socket_perms_no_ioctl;
+allow mtp self:socket create_socket_perms;
 allow mtp self:capability net_raw;
 allow mtp ppp:process signal;
 allow mtp vpn_data_file:dir search;
diff --git a/netd.te b/netd.te
index 976c43d9eec1579c1245497f2ce4864bd59f1bfe..c411f671bccc14436c2c861a954bfdbd69e91c21 100644
--- a/netd.te
+++ b/netd.te
@@ -4,11 +4,6 @@ type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
 net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
-allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(netd, cgroup)
-allow netd system_server:fd use;
 
 allow netd self:capability { net_admin net_raw kill };
 # Note: fsetid is deliberately not included above. fsetid checks are
@@ -19,19 +14,19 @@ allow netd self:capability { net_admin net_raw kill };
 # for netd to operate.
 dontaudit netd self:capability fsetid;
 
-allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_kobject_uevent_socket create_socket_perms;
 allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_nflog_socket create_socket_perms;
+allow netd self:netlink_socket create_socket_perms;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms;
+allow netd self:netlink_netfilter_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
+allow netd proc_net:file write;
 
 # Enables PppController and interface enumeration (among others)
 r_dir_file(netd, sysfs_type)
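Review bot: `allow netd proc_net:file write;` grants `write` without `open`, so opening `/proc/sys/net/ipv[46]/route/flush` for writing only succeeds because `open` is still reachable through `r_dir_file(domain_deprecated, proc_net)` (netd is excluded from that file's former auditallow, which suggests it carries the attribute); init.te expresses the same need as `allow init proc_net:file w_file_perms;`. Use `w_file_perms` here so the rule stands on its own once domain_deprecated goes away. Separately, with netd's `priv_sock_ioctls` udp rule dropped in the first hunk of this file and the domain default gone, netd's udp_socket ioctls have no xperm rule left at all, on top of the unfiltered `ioctl` the `+` lines add on six netlink classes.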
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index e0cc25720161b9686e14b825f6ab29ef5c37707c..c5b2533a19e2df85fc9f4e94ef37749f2e09fb0b 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -39,6 +39,8 @@ allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
 allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
 allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
 
+allow postinstall_dexopt selinuxfs:dir r_dir_perms;
+
 # Check validity of SELinux context before use.
 selinux_check_context(postinstall_dexopt)
 selinux_check_access(postinstall_dexopt)
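Review bot: The added `allow postinstall_dexopt selinuxfs:dir r_dir_perms;` has no comment explaining why directory access to selinuxfs is needed; the `selinux_check_context`/`selinux_check_access` macros two lines below are the apparent consumers, and domain_deprecated.te in this same change already grants `selinuxfs:dir r_dir_perms` to every `domain_deprecated` domain (postinstall_dexopt is named in its former auditallow exclusion), so this is either redundant or the first step of moving postinstall_dexopt off that attribute. Proposed: `# Search selinuxfs for the context/access checks below (explicit so it does not depend on domain_deprecated).` Adjust if the grant is needed for another reason.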
diff --git a/ppp.te b/ppp.te
index 3fb6f2b06552f58b66bef30f38540b3d02ea4bf1..d7ed70d5defd370642b13c45312d906e719a7799 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,7 +6,7 @@ domain_auto_trans(mtp, ppp_exec, ppp)
 
 net_domain(ppp)
 
-allow ppp mtp:socket rw_socket_perms_no_ioctl;
+allow ppp mtp:socket rw_socket_perms;
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
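Review bot: `allow ppp mtp:socket rw_socket_perms;` re-grants ioctl on the generic socket class that the removed `rw_socket_perms_no_ioctl` line deliberately withheld, and nothing in the hunk limits which ioctl commands ppp may issue on a socket handed over by mtp. Unless an `allowxperm ppp mtp:socket ioctl` rule elsewhere lists the required command numbers, every ioctl is allowed on that socket. The same widening from `create_socket_perms_no_ioctl` to `create_socket_perms` appears in the racoon, rild, surfaceflinger, system_server, tee, ueventd, vold and wpa hunks (and in the netd hunk that begins before this excerpt), so the rationale should be recorded once, e.g. `# ioctl is granted on purpose; narrow with allowxperm where the command set is known`.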
diff --git a/priv_app.te b/priv_app.te
index 04a050936d29280ff2f32ba61da0104f50385d38..85516a6e1eb7cca14c2939f56e69a4cfc520b891 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -82,10 +82,9 @@ allow priv_app fuse_device:chr_file { read write };
 allow priv_app app_fuse_file:dir rw_dir_perms;
 allow priv_app app_fuse_file:file rw_file_perms;
 
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
-r_dir_file(priv_app, rootfs)
+# /sys access
+allow priv_app sysfs_zram:dir search;
+allow priv_app sysfs_zram:file r_file_perms;
 
 # access the mac address
 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
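Review bot: The new comment `# /sys access` no longer describes the rule beneath it, which is now limited to `sysfs_zram:dir search` and `sysfs_zram:file r_file_perms` rather than the former blanket `r_dir_file(priv_app, sysfs_type)`. A comment naming the target, e.g. `# Read zram entries under /sys (sysfs_zram only)`, would tell the next reader that the narrowing is intentional; the system_app hunk makes the identical change under the same generic comment. The removed `r_dir_file(priv_app, proc)` and `r_dir_file(priv_app, rootfs)` have no replacement in this hunk, so if priv_app still needs them they are presumably provided elsewhere, which is worth confirming.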
diff --git a/racoon.te b/racoon.te
index c3666bd8541ba66d966a846fc2de955112e7f74c..bf272d1e8f057ed279f8b1868ae7d6a5a2377434 100644
--- a/racoon.te
+++ b/racoon.te
@@ -13,8 +13,8 @@ allow racoon tun_device:chr_file r_file_perms;
 allow racoon cgroup:dir { add_name create };
 allow racoon kernel:system module_request;
 
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
+allow racoon self:key_socket create_socket_perms;
+allow racoon self:tun_socket create_socket_perms;
 allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
diff --git a/rild.te b/rild.te
index 0d834e19b7045cc651e2f923c119fbb20550dffc..c63f2e7292994a226d43b77cd847e967fa0c92f6 100644
--- a/rild.te
+++ b/rild.te
@@ -4,14 +4,11 @@ type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
 net_domain(rild)
-allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
-
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
 allow rild self:capability { setpcap setgid setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
-allow rild cgroup:{ file lnk_file } r_file_perms;
 allow rild radio_device:chr_file rw_file_perms;
 allow rild radio_device:blk_file r_file_perms;
 allow rild mtd_device:dir search;
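Review bot: Removing `allowxperm rild self:udp_socket ioctl priv_sock_ioctls;` changes what ioctls rild may issue in a way the hunk does not explain: if another allowxperm rule for rild's udp_socket still exists (for instance via net_domain, not visible here), the privileged commands are now denied; if none remains, the plain ioctl permission allows every command. Either outcome deserves a comment stating which is intended, e.g. `# rild is intentionally limited to the socket ioctls granted by net_domain — confirm`. The system_server hunk that drops the allowxperm documented as `Needed to set up VPNs` and the wpa hunk that drops its udp_socket allowxperm raise the same question.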
@@ -37,16 +34,11 @@ auditallow rild system_radio_prop:property_service set;
 allow rild tty_device:chr_file rw_file_perms;
 
 # Allow rild to create and use netlink sockets.
-allow rild self:netlink_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_generic_socket create_socket_perms;
+allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Access to wake locks
 wakelock_use(rild)
 
-r_dir_file(rild, proc)
-r_dir_file(rild, sysfs_type)
-r_dir_file(rild, system_file)
-
-# granting the ioctl permission for rild should be device specific
-allow rild self:socket create_socket_perms_no_ioctl;
+allow rild self:socket create_socket_perms;
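Review bot: The comment `# granting the ioctl permission for rild should be device specific` was deleted along with the restriction it justified, so the new `allow rild self:socket create_socket_perms;` grants ioctl on the generic socket class with no recorded reason. If the decision is that core policy now grants it for all devices, a line such as `# ioctl on generic sockets is granted in core policy; devices narrow it with allowxperm` keeps the change auditable. The removed `r_dir_file(rild, proc)`, `r_dir_file(rild, sysfs_type)` and `r_dir_file(rild, system_file)` lines likewise have no replacement in this hunk; presumably rild is covered by a broader attribute, but the hunk does not show it.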
diff --git a/servicemanager.te b/servicemanager.te
index 4f07a559492d4958284c708596636085f87894f7..84605d1acc6247d5c6f596927801a37fd1f095f4 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -13,7 +13,5 @@ init_daemon_domain(servicemanager)
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;
 
-r_dir_file(servicemanager, rootfs)
-
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c27f1caefd0ff3b5ec1226086237d82d2656187a..7364e5fa14172342698204d33ca23ea49962b711 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -31,7 +31,7 @@ allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
 
 # Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Set properties.
 set_prop(surfaceflinger, system_prop)
@@ -60,14 +60,6 @@ allow surfaceflinger gpu_service:service_manager { add find };
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger window_service:service_manager find;
 
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, sysfs_type)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger ion_device:chr_file r_file_perms;
-
 # allow self to set SCHED_FIFO
 allow surfaceflinger self:capability sys_nice;
 
diff --git a/system_app.te b/system_app.te
index b05bcb9f293ec8ba9b901b27c04fb5508632d1f7..3db5f211376fc16ce68bfe6bcef4586d7e89d8b0 100644
--- a/system_app.te
+++ b/system_app.te
@@ -72,6 +72,7 @@ allow system_app keystore:keystore_key {
 };
 
 # /sys access
-r_dir_file(system_app, sysfs_type)
+allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file r_file_perms;
 
 control_logd(system_app)
diff --git a/system_server.te b/system_server.te
index 5ccc05f05a68e86c2fc28ddf80304e34805ec574..e9fa6610c4c7e1355827036eeae6d3912558d788 100644
--- a/system_server.te
+++ b/system_server.te
@@ -8,8 +8,8 @@ type system_server, domain, domain_deprecated, mlstrustedsubject;
 tmpfs_domain(system_server)
 
 # For art.
+allow system_server dalvikcache_data_file:file execute;
 allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file { r_file_perms execute };
 
 # Enable system server to check the foreign dex usage markers.
 # We need search on top level directories so that we can get to the files
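Review bot: `allow system_server dalvikcache_data_file:file execute;` drops the `r_file_perms` half of the replaced rule, leaving execute without an explicit read/open grant on the same files; this only works if system_server obtains read access through another attribute, and the hunk header shows it still carries `domain_deprecated`, which is presumably where that access comes from. That dependency is worth stating next to the rule, e.g. `# read/open on dalvikcache files currently comes from domain_deprecated; re-add r_file_perms when that attribute is removed`. The same reliance underlies the later system_server hunks that reduce `system_file:file rx_file_perms` to `x_file_perms` and delete the `r_dir_file(system_server, ...)` block.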
@@ -41,9 +41,6 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 
 # These are the capabilities assigned by the zygote to the
@@ -74,17 +71,15 @@ allow system_server kernel:system module_request;
 allow system_server self:capability2 wake_alarm;
 
 # Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms_no_ioctl;
-allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_socket create_socket_perms;
+allow system_server self:netlink_generic_socket create_socket_perms;
 
 # Use generic "sockets" where the address family is not known
-# to the kernel. The ioctl permission is specifically omitted here, but may
-# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
+# to the kernel.
+allow system_server self:socket create_socket_perms;
 
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
@@ -125,14 +120,14 @@ allow system_server proc_stat:file r_file_perms;
 allow system_server debugfs:file r_file_perms;
 
 # The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms_no_ioctl;
+allow system_server self:packet_socket create_socket_perms;
 
 # NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
 # as raw sockets, but the kernel doesn't yet distinguish between the two.
 allow system_server node:rawip_socket node_bind;
 
 # 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms_no_ioctl;
+allow system_server self:tun_socket create_socket_perms;
 
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system_server, installd, installd)
@@ -234,7 +229,7 @@ allow system_server keychain_data_file:lnk_file create_file_perms;
 
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_data_file:file { create_file_perms link };
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
@@ -377,9 +372,7 @@ allow system_server { cache_file cache_recovery_file }:file { relabelfrom create
 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
 # Run system programs, e.g. dexopt. Needed? (b/28035297)
-allow system_server system_file:file rx_file_perms;
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
+allow system_server system_file:file x_file_perms;
 auditallow system_server system_file:file execute_no_trans;
 
 # LocationManager(e.g, GPS) needs to read and write
@@ -549,16 +542,6 @@ allow system_server update_engine:fifo_file write;
 allow system_server preloads_data_file:file { r_file_perms unlink };
 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
 
-r_dir_file(system_server, cgroup)
-allow system_server ion_device:chr_file r_file_perms;
-
-r_dir_file(system_server, proc)
-r_dir_file(system_server, proc_meminfo)
-r_dir_file(system_server, proc_net)
-r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
-
-
 ###
 ### Neverallow rules
 ###
diff --git a/te_macros b/te_macros
index 7ed051848fc78ac1ed800b2a78a752552d7bfd01..d80fe771c879517f796dceed027306213e6ac1c7 100644
--- a/te_macros
+++ b/te_macros
@@ -78,7 +78,6 @@ define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
 allow $1 $1_tmpfs:file { read write };
-allow $1 tmpfs:dir { getattr search };
 ')
 
 #####################################
@@ -234,8 +233,7 @@ allow $1 self:capability2 block_suspend;
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
 define(`selinux_check_access', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
+allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
 allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
 ')
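Review bot: Replacing `r_dir_file($1, selinuxfs)` with `allow $1 selinuxfs:file rw_file_perms;` keeps the file permissions but silently drops the `selinuxfs:dir` read/search that `r_dir_file` provided, so any domain that invokes `selinux_check_access` without getting selinuxfs directory access elsewhere can no longer traverse /sys/fs/selinux. The postinstall_dexopt hunk in this same change adds `allow postinstall_dexopt selinuxfs:dir r_dir_perms;` by hand, which suggests the gap is real for at least one caller, while other callers such as servicemanager get no such line here. The macro header comment should record the new contract, e.g. `# Callers must separately grant selinuxfs:dir search.`, or the macro should keep `allow $1 selinuxfs:dir search;`. The `selinux_check_context`, `selinux_setenforce` and `selinux_setbool` hunks below make the identical change.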
@@ -244,8 +242,7 @@ allow $1 self:netlink_selinux_socket { read write create getattr setattr lock re
 # selinux_check_context(domain)
 # Allow domain to check SELinux contexts via selinuxfs.
 define(`selinux_check_context', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
+allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security check_context;
 ')
 
@@ -253,8 +250,7 @@ allow $1 kernel:security check_context;
 # selinux_setenforce(domain)
 # Allow domain to set SELinux to enforcing.
 define(`selinux_setenforce', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
+allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setenforce;
 ')
 
@@ -262,8 +258,7 @@ allow $1 kernel:security setenforce;
 # selinux_setbool(domain)
 # Allow domain to set SELinux booleans.
 define(`selinux_setbool', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
+allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
 
diff --git a/tee.te b/tee.te
index 3d4cc2fba744a18f1b0283ba668283ccd3cc78a6..8ea6b95bc7e47e01a5f6faa121e5dd9a05c72b30 100644
--- a/tee.te
+++ b/tee.te
@@ -11,9 +11,5 @@ allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms_no_ioctl;
-allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
+allow tee self:netlink_socket create_socket_perms;
+allow tee self:netlink_generic_socket create_socket_perms;
diff --git a/ueventd.te b/ueventd.te
index d4880fad140caaba4d85277171870bd82d6cc8b3..6a44367ec72cd8c3a633f33122befd95b28facf5 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -9,10 +9,8 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
-r_dir_file(ueventd, sysfs_type)
-r_dir_file(ueventd, rootfs)
-allow ueventd sysfs:file w_file_perms;
-allow ueventd sysfs_usb:file w_file_perms;
+allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_usb:file rw_file_perms;
 allow ueventd sysfs_hwrandom:file w_file_perms;
 allow ueventd sysfs_zram_uevent:file w_file_perms;
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
@@ -23,13 +21,10 @@ allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { getattr create setattr unlink };
 allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
 
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
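Review bot: The comment `# Get SELinux enforcing status.` and its `r_dir_file(ueventd, selinuxfs)` were removed without a replacement in this hunk, so if ueventd still reads the enforcing status that access must now come from somewhere not shown here. A one-line note at the removal site, or next to `allow ueventd self:process setfscreate;`, saying where selinuxfs read access for ueventd now originates would spare the next reader the search.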
diff --git a/uncrypt.te b/uncrypt.te
index 308e0f6294eb27cde62bb926e319772723e4aa5d..d2bad539cee99e50cae185a6839c3126ff5393c2 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -36,5 +36,3 @@ allow uncrypt block_device:dir r_dir_perms;
 
 # Access userdata block device.
 allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
diff --git a/untrusted_app.te b/untrusted_app.te
index b968728b2ec617f608096290f80263e3a65b1304..5b573a723d80c3f153858755a93314e47b515aaf 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,6 +90,9 @@ userdebug_or_eng(`
 # gdbserver for ndk-gdb ptrace attaches to app process.
 allow untrusted_app self:process ptrace;
 
+# access /proc/net/xt_qtguid/stats
+r_dir_file(untrusted_app, proc_net)
+
 # Cts: HwRngTest
 allow untrusted_app sysfs_hwrandom:dir search;
 allow untrusted_app sysfs_hwrandom:file r_file_perms;
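Review bot: The comment `# access /proc/net/xt_qtguid/stats` misspells the module name; the file lives under xt_qtaguid. More importantly, `r_dir_file(untrusted_app, proc_net)` grants read on every file labelled proc_net, not only the stats file the comment names, so untrusted apps gain read access to the whole proc_net set. If that breadth is intended the comment should say so, e.g. `# read /proc/net/xt_qtaguid/stats (proc_net covers every /proc/net file, not just this one)`; if a narrower label exists or can be added, it should be used instead.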
diff --git a/vold.te b/vold.te
index c7a9ab5c45c125330b3af03897af76d92ad6779c..75b6f36660954f759629a1a5fcbd91c7872b1b15 100644
--- a/vold.te
+++ b/vold.te
@@ -16,18 +16,8 @@ allow vold cache_file:lnk_file r_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(vold, proc)
 r_dir_file(vold, proc_net)
-r_dir_file(vold, sysfs_type)
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow vold sysfs_usb:file w_file_perms;
-
-# coldboot of /sys/block
-allow vold sysfs_zram_uevent:file rw_file_perms;
-
+r_dir_file(vold, sysfs)
 r_dir_file(vold, rootfs)
-allow vold proc_meminfo:file r_file_perms;
 
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
@@ -84,7 +74,7 @@ allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
 allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold self:netlink_kobject_uevent_socket create_socket_perms;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
 allow vold loop_device:blk_file create_file_perms;
@@ -97,6 +87,9 @@ allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
 allow vold self:capability { sys_ptrace kill };
 
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file rw_file_perms;
+
 allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck in the fsck domain.
@@ -106,8 +99,6 @@ allow vold fsck_exec:file { r_file_perms execute };
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;
 
-allow vold ion_device:chr_file r_file_perms;
-
 #
 # Rules to support encrypted fs support.
 #
@@ -186,6 +177,10 @@ allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
 
+# coldboot of /sys/block
+allow vold sysfs_zram:dir r_dir_perms;
+allow vold sysfs_zram_uevent:file rw_file_perms;
+
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
 
diff --git a/wpa.te b/wpa.te
index dfb73dc2efee6659c8feb2c05f83ab701c8d6622..a49e041e30e1ead534a39aecdf98ba33a372264b 100644
--- a/wpa.te
+++ b/wpa.te
@@ -5,20 +5,14 @@ type wpa_exec, exec_type, file_type;
 init_daemon_domain(wpa)
 
 net_domain(wpa)
-# in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
-allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(wpa, sysfs_type)
-r_dir_file(wpa, proc_net)
 
 allow wpa kernel:system module_request;
 allow wpa self:capability { setuid net_admin setgid net_raw };
 allow wpa cgroup:dir create_dir_perms;
 allow wpa self:netlink_route_socket nlmsg_write;
-allow wpa self:netlink_socket create_socket_perms_no_ioctl;
-allow wpa self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wpa self:netlink_socket create_socket_perms;
+allow wpa self:netlink_generic_socket create_socket_perms;
 allow wpa self:packet_socket create_socket_perms;
-allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
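Review bot: With `allowxperm wpa self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };` removed while the context line `allow wpa self:packet_socket create_socket_perms;` stays, wpa's packet_socket ioctl permission is no longer narrowed to a command list: SELinux only filters ioctl numbers when an allowxperm rule exists for the source/target/class triple, so unless one is defined elsewhere every ioctl command is now allowed on wpa's packet sockets. The previous list was already generous, so this may be intentional, but it should then be recorded, e.g. `# packet_socket ioctls are unrestricted here; devices may narrow with allowxperm`. The removed `r_dir_file(wpa, sysfs_type)` and `r_dir_file(wpa, proc_net)` lines have no replacement in this hunk either.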
diff --git a/zygote.te b/zygote.te
index 9ce5a4e9d45deed85c2f33da975db0ba340d6bcb..3efa04d9e07b556bcf252fd37390169c06578c79 100644
--- a/zygote.te
+++ b/zygote.te
@@ -38,7 +38,6 @@ allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
 allow zygote self:capability sys_admin;
 # Allow zygote to stat the files that it opens. The zygote must
 # be able to inspect them so that it can reopen them on fork
@@ -74,10 +73,11 @@ allow zygote zygote_exec:file rx_file_perms;
 r_dir_file(zygote, proc_net)
 
 # Root fs.
-r_dir_file(zygote, rootfs)
+allow zygote rootfs:file r_file_perms;
 
 # System file accesses.
-r_dir_file(zygote, system_file)
+allow zygote system_file:dir r_dir_perms;
+allow zygote system_file:file r_file_perms;
 
 userdebug_or_eng(`
   # Allow zygote to create and write method traces in /data/misc/trace.
@@ -85,9 +85,6 @@ userdebug_or_eng(`
   allow zygote method_trace_data_file:file { create w_file_perms };
 ')
 
-allow zygote ion_device:chr_file r_file_perms;
-allow zygote tmpfs:dir r_dir_perms;
-
 ###
 ### neverallow rules
 ###