Merge "Clean up, unify, and deduplicate app domain rules."

app.te

@@ -42,7 +42,7 @@ allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 allow appdomain appdomain:fifo_file rw_file_perms;
 
 # Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
@@ -69,7 +69,7 @@ allow appdomain anr_data_file:file { open append };
 
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
@@ -89,14 +89,11 @@ binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
 
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
 # are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
@@ -112,6 +109,10 @@ allow appdomain download_file:file r_file_perms;
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
 
+# Access SDcard.
+allow appdomain sdcard_type:dir create_dir_perms;
+allow appdomain sdcard_type:file create_file_perms;
+
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #

bluetooth.te

@@ -43,10 +43,6 @@ unix_socket_connect(bluetooth, property, init)
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
-# bluetooth file transfers
-allow bluetooth sdcard_internal:dir create_dir_perms;
-allow bluetooth sdcard_internal:file create_file_perms;
-
 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;
 

isolated_app.te

@@ -12,12 +12,3 @@
 type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-allow isolated_app dalvikcache_data_file:file execute;
-allow isolated_app apk_data_file:dir getattr;

media_app.te

@@ -10,20 +10,15 @@ binder_service(media_app)
 net_domain(media_app)
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir (in particular, file_contexts for restorecon).
-allow media_app rootfs:file r_file_perms;
+# Create download files.
 allow media_app download_file:dir rw_dir_perms;
 allow media_app download_file:file create_file_perms;
 # Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
 allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
+
+# inherits from platformappdomain.te

nfc.te

@@ -13,6 +13,3 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
-
-allow nfc sdcard_type:dir create_dir_perms;
-allow nfc sdcard_type:file create_file_perms;

platform_app.te

@@ -10,10 +10,7 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
+# Read from /data/local/tmp or /data/data/com.android.shell.
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
@@ -26,20 +23,5 @@ allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 # Access download files.
 allow platform_app download_file:file rw_file_perms;
-# Allow BackupManagerService to backup all app domains
-allow platform_app appdomain:fifo_file write;
 
-#
-# Rules for all platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
+# inherits from platformappdomain.te

platformappdomain.te

+#
+# Rules for all platform app domains.
+# These rules are inherited by any domain that includes platform_app_domain().
+# Presently this consists of the four app domains corresponding to apps
+# signed by one of the four build keys: platform_app, shared_app, media_app,
+# release_app.  These app domains use platform_app_data_file rather
+# than app_data_file for their /data/data directories (as specified via
+# type= in seapp_contexts) and have greater permissions to specific
+# directories owned by groups that are restricted to apps with
+# Android permissions that are signature|system.
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;
+# Write to /cache.
+allow platformappdomain cache_file:dir create_dir_perms;
+allow platformappdomain cache_file:file create_file_perms;

release_app.te

@@ -11,6 +11,4 @@ net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
 
-# Write to /cache.
-allow release_app cache_file:dir rw_dir_perms;
-allow release_app cache_file:file create_file_perms;
+# inherits from platformappdomain.te

shared_app.te

@@ -10,3 +10,5 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
+
+# inherits from platformappdomain.te

shelldomain.te

@@ -5,10 +5,6 @@ allow shelldomain shell_data_file:dir create_dir_perms;
 allow shelldomain shell_data_file:file create_file_perms;
 allow shelldomain shell_data_file:file rx_file_perms;
 
-# Access sdcard.
-allow shelldomain sdcard_type:dir create_dir_perms;
-allow shelldomain sdcard_type:file create_file_perms;
-
 # adb bugreport
 unix_socket_connect(shelldomain, dumpstate, dumpstate)
 
@@ -29,13 +25,3 @@ allow shelldomain shell_prop:property_service set;
 allow shelldomain ctl_dumpstate_prop:property_service set;
 allow shelldomain debug_prop:property_service set;
 allow shelldomain powerctl_prop:property_service set;
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shelldomain, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shelldomain app_data_file:dir search;
-
-# ps and ps -Z output for app processes.
-r_dir_file(shelldomain, appdomain)
-allow shelldomain appdomain:process getattr;

system_app.te

@@ -20,12 +20,6 @@ allow system_app wallpaper_file:file r_file_perms;
 # Write to dalvikcache.
 allow system_app dalvikcache_data_file:file { write setattr };
 
-# Read SELinux enforcing status.
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;

untrusted_app.te

@@ -32,14 +32,6 @@ allow untrusted_app app_data_file:file rx_file_perms;
 
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
-# Internal SDCard rw access.
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-
-# External SDCard rw access.
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-
 # ASEC
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;