Merge "Only allow toolbox exec where /system exec was already allowed."

adbd.te

@@ -49,6 +49,10 @@ set_prop(adbd, ffs_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
+# XXX Run toolbox.  Might not be needed.
+allow adbd toolbox_exec:file rx_file_perms;
+auditallow adbd toolbox_exec:file rx_file_perms;
+
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
 binder_use(adbd)

app.te

@@ -74,6 +74,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
+allow appdomain toolbox_exec:file rx_file_perms;
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;

dhcp.te

@@ -11,6 +11,9 @@ allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow dhcp toolbox_exec:file rx_file_perms;
+auditallow dhcp toolbox_exec:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
 

domain.te

@@ -109,10 +109,6 @@ allow domain system_file:file r_file_perms;
 allow domain system_file:file execute;
 allow domain system_file:lnk_file r_file_perms;
 
-# Run toolbox.
-# Kernel, init, and mediaserver never run anything without changing domains.
-allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;
-
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:file { getattr read };

dumpstate.te

@@ -21,6 +21,7 @@ allow dumpstate self:capability kill;
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+allow dumpstate toolbox_exec:file rx_file_perms;
 
 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };

gpsd.te

@@ -18,6 +18,7 @@ allow gpsd gps_device:chr_file rw_file_perms;
 # Execute the shell or system commands.
 allow gpsd shell_exec:file rx_file_perms;
 allow gpsd system_file:file rx_file_perms;
+allow gpsd toolbox_exec:file rx_file_perms;
 
 ###
 ### neverallow

install_recovery.te

@@ -13,6 +13,10 @@ allow install_recovery shell_exec:file rx_file_perms;
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
 
+# XXX Execute toolbox.  Might not be needed.
+allow install_recovery toolbox_exec:file rx_file_perms;
+auditallow install_recovery toolbox_exec:file rx_file_perms;
+
 # Update the recovery block device based off a diff of the boot block device
 allow install_recovery block_device:dir search;
 allow install_recovery boot_block_device:blk_file r_file_perms;

netd.te

@@ -20,6 +20,9 @@ allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd self:netlink_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow netd toolbox_exec:file rx_file_perms;
+auditallow netd toolbox_exec:file rx_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.

perfprofd.te

@@ -48,7 +48,7 @@ userdebug_or_eng(`
   allow perfprofd exec_type:file r_file_perms;
 
   # simpleperf is going to execute "sleep"
-  allow perfprofd toolbox_exec:file x_file_perms;
+  allow perfprofd toolbox_exec:file rx_file_perms;
 
   # needed for simpleperf on some kernels
   allow perfprofd self:capability ipc_lock;

ppp.te

@@ -11,6 +11,9 @@ allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow ppp toolbox_exec:file rx_file_perms;
+auditallow ppp toolbox_exec:file rx_file_perms;
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;

racoon.te

@@ -19,6 +19,9 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow racoon toolbox_exec:file rx_file_perms;
+auditallow racoon toolbox_exec:file rx_file_perms;
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
 

recovery.te

@@ -15,6 +15,7 @@ recovery_only(`
   # Run helpers from / or /system without changing domain.
   allow recovery rootfs:file execute_no_trans;
   allow recovery system_file:file execute_no_trans;
+  allow recovery toolbox_exec:file rx_file_perms;
 
   # Mount filesystems.
   allow recovery rootfs:dir mounton;

rild.te

@@ -23,6 +23,9 @@ allow rild sdcard_type:dir r_dir_perms;
 allow rild system_data_file:dir r_dir_perms;
 allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow rild toolbox_exec:file rx_file_perms;
+auditallow rild toolbox_exec:file rx_file_perms;
 
 # property service
 set_prop(rild, radio_prop)

shell.te

@@ -38,6 +38,7 @@ allow shell console_device:chr_file rw_file_perms;
 allow shell input_device:dir r_dir_perms;
 allow shell input_device:chr_file rw_file_perms;
 allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
 

system_server.te

@@ -311,6 +311,10 @@ allow system_server cache_file:fifo_file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
 
+# XXX Run toolbox.  Might not be needed.
+allow system_server toolbox_exec:file rx_file_perms;
+auditallow system_server toolbox_exec:file rx_file_perms;
+
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_device:chr_file rw_file_perms;

vold.te

@@ -24,6 +24,9 @@ allow vold shell_exec:file rx_file_perms;
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow vold toolbox_exec:file rx_file_perms;
+auditallow vold toolbox_exec:file rx_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold block_device:blk_file create_file_perms;
 auditallow vold block_device:blk_file create_file_perms;