From c83d0087e457787fc0441d959a20d56fc5200048 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 7 Mar 2012 14:59:01 -0500
Subject: [PATCH] Policy changes to support running the latest CTS.

---
 adbd.te       | 7 ++++---
 app.te        | 9 +++------
 debuggerd.te  | 1 +
 domain.te     | 6 +++++-
 drmserver.te  | 6 ++++++
 file.te       | 2 ++
 file_contexts | 1 +
 shell.te      | 7 ++++---
 system.te     | 8 ++++----
 te_macros     | 3 ---
 ueventd.te    | 3 ---
 11 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/adbd.te b/adbd.te
index 4d1e65573..cc2920b34 100644
--- a/adbd.te
+++ b/adbd.te
@@ -23,9 +23,10 @@ unix_socket_connect(adbd, vold, vold)
 # Talk to init via the property socket.
 unix_socket_connect(adbd, property, init)
 
-# Read properties.
-allow adbd kernel:fd use;
-allow adbd tmpfs:file read;
+# Run sh in its own domain.
+domain_auto_trans(adbd, shell_exec, shell)
+# Do not sanitize the environment of the shell.
+allow adbd shell:process noatsecure;
 
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
diff --git a/app.te b/app.te
index 976b6bcf4..6cc499aa3 100644
--- a/app.te
+++ b/app.te
@@ -30,9 +30,6 @@ allow trusted_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
 # It would be better if this was labeled differently.
 allow trusted_app apk_data_file:file write;
-# Perform binder IPC to any app domain.
-binder_call(trusted_app, appdomain)
-binder_transfer(trusted_app, appdomain)
 
 #
 # An example of a specific domain for a specific app
@@ -105,6 +102,6 @@ binder_use(appdomain)
 # Perform binder IPC to binder services.
 binder_call(appdomain, binderservicedomain)
 binder_transfer(appdomain, binderservicedomain)
-# Perform binder IPC to apps in the trusted_app domain.
-binder_call(appdomain, trusted_app)
-binder_transfer(appdomain, trusted_app)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+binder_transfer(appdomain, appdomain)
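Review bot: The two rules added to adbd.te, `domain_auto_trans(adbd, shell_exec, shell)` and `allow adbd shell:process noatsecure;`, end up defined in two files, because shell.te already carries the same transition at its line 3 (visible as context in the shell.te hunk) and that hunk adds an identical noatsecure rule beneath it. Duplicate rules compile, but a later edit that drops the noatsecure grant in one file will leave it silently in force through the other; keep the pair in one place, preferably here where the comments explain them, and remove the shell.te copies. The comment `# Do not sanitize the environment of the shell.` would also be more useful if it stated the consequence, e.g. `# Do not sanitize the environment of the shell: the shell inherits adbd's environment unchanged, including loader-affecting variables.`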
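Review bot: `binder_call(appdomain, appdomain)` and `binder_transfer(appdomain, appdomain)` let every app domain call and hand binder references to every other app domain, which is broader than the trusted_app-only pair they replace and than the trusted_app→appdomain pair the earlier app.te hunk removes, so after this commit the policy no longer separates app domains from each other at the binder level and any remaining isolation presumably rests on binder's own caller checks. The comment `# Perform binder IPC to other apps.` should record why the wider rule is needed so it can be narrowed again later, e.g. `# Perform binder IPC to other apps (required by CTS; this removes SELinux separation between app domains over binder).`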
diff --git a/debuggerd.te b/debuggerd.te
index f808ea9b9..b85133b9d 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -12,3 +12,4 @@ allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd domain:process { sigstop signal };
 allow debuggerd exec_type:file r_file_perms;
+allow debuggerd log_device:chr_file r_file_perms;
diff --git a/domain.te b/domain.te
index 55c9ecd4c..2e9720e14 100644
--- a/domain.te
+++ b/domain.te
@@ -3,6 +3,10 @@
 # Allow reaping by init.
 allow domain init:process sigchld;
 
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file read;
+
 # binder adjusts the nice value during IPC.
 allow domain self:capability sys_nice;
 
@@ -29,7 +33,7 @@ allow domain debuggerd:unix_stream_socket connectto;
 
 # Root fs.
 allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file read;
+allow domain rootfs:lnk_file { read getattr };
 
 # Device accesses.
 allow domain device:dir search;
diff --git a/drmserver.te b/drmserver.te
index 5b46ea88c..624ae1327 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -8,3 +8,9 @@ typeattribute drmserver mlstrustedsubject;
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+
+allow drmserver sdcard:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
diff --git a/file.te b/file.te
index 11c3ef649..dc9e76821 100644
--- a/file.te
+++ b/file.te
@@ -22,6 +22,8 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type;
 # /data/anr - ANR traces
 type anr_data_file, file_type, data_file_type;
 # /data/tombstones - core dumps
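Review bot: `allow debuggerd log_device:chr_file r_file_perms;` is added without a comment, and read access to the log device hands debuggerd the log output of every process, which can carry sensitive data, so the reason for the grant should sit next to the rule. Presumably it exists so that recent log lines can be appended to tombstones — confirm against the debuggerd source — in which case `# Read the log device so tombstones can include recent log output.` would do.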
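Review bot: `allow domain tmpfs:file read;` is wider than its comment `# Read access to properties mapping.`: it grants every domain read access to any file carrying the generic tmpfs type, not only the property area (files created under tmpfs_domain() appear to get a per-domain $1_tmpfs type, per the te_macros context `allow $1 $1_tmpfs:file { read execute execmod };`, but anything else on a tmpfs keeps the plain tmpfs type), and `allow domain kernel:fd use;` lets every domain use any descriptor inherited from the kernel domain. Because this replaces the per-domain copies removed from adbd.te, shell.te, te_macros and ueventd.te, the grant now also reaches domains that never had it before. Either give the property mapping its own type so the domain-wide rule can be scoped to it, or at least make the comment honest about the reach: `# Read access to properties mapping (NOTE: covers every file of type tmpfs, not only the property area).`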
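Review bot: The six rules added to drmserver.te carry no comments, while the existing rules directly above them do (`# Perform Binder IPC to system server.`). `binder_call(drmserver, appdomain)` together with `binder_service(drmserver)` makes drmserver, which is already `mlstrustedsubject`, reachable over binder from every app domain and lets it call back into any app, so the hunk should state what needs that, e.g. `# Act as a binder service and call back into apps (presumably DRM client callbacks — confirm).` The remaining rules would read better as `# Manage DRM plugin data under /data/drm.` above the drm_data_file pair and a short note on why `sdcard:dir search` is needed, which I cannot tell from the policy alone.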
diff --git a/file_contexts b/file_contexts
index 92c6bb0f4..79a3124b1 100644
--- a/file_contexts
+++ b/file_contexts
@@ -101,6 +101,7 @@
 # Data files
 #
 /data(/.*)? u:object_r:system_data_file:s0
+/data/drm(/.*)? u:object_r:drm_data_file:s0
 /data/gps(/.*)? u:object_r:gps_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/anr(/.*)? u:object_r:anr_data_file:s0
diff --git a/shell.te b/shell.te
index a66eaf49f..56250ab58 100644
--- a/shell.te
+++ b/shell.te
@@ -1,6 +1,7 @@
 type shell, domain;
 type shell_exec, file_type;
 domain_auto_trans(adbd, shell_exec, shell)
+allow adbd shell:process noatsecure;
 domain_auto_trans(init, shell_exec, shell)
 allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
@@ -13,9 +14,9 @@ allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 
-# Read properties.
-allow shell kernel:fd use;
-allow shell tmpfs:file read;
+# Access sdcard.
+allow shell sdcard:dir rw_dir_perms;
+allow shell sdcard:file rw_file_perms;
 
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file write;
diff --git a/system.te b/system.te
index ef0d12e5a..47e1eeba1 100644
--- a/system.te
+++ b/system.te
@@ -141,7 +141,7 @@ allow system cache_file:file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system system_file:file x_file_perms;
 
-# Silently deny any /proc accesses that are not allowed.
-# This suppresses noise from walking the process list.
-dontaudit system domain:dir r_dir_perms;
-dontaudit system domain:file r_file_perms;
+# Allow reading of /proc/pid data for other domains.
+# XXX dontaudit candidate
+allow system domain:dir r_dir_perms;
+allow system domain:file r_file_perms;
diff --git a/te_macros b/te_macros
index 75f294c00..9146e220b 100644
--- a/te_macros
+++ b/te_macros
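Review bot: Turning the `dontaudit` pair into `allow system domain:dir r_dir_perms;` and `allow system domain:file r_file_perms;` gives the system domain read access to every /proc/<pid> entry of every domain, because those entries carry the owning process's domain type; that covers per-process files such as maps, cmdline and status, not just the directory walk the removed comment described. The new comment should name the functionality that actually needs it (the removed text mentioned walking the process list) so that the `# XXX dontaudit candidate` can be acted on, e.g. `# Allow reading of /proc/pid data for other domains (system_server walks the process list; this covers every /proc/pid file, e.g. maps and cmdline).` As far as I can tell the /proc/pid label cannot be split further by policy, so the only narrowing left is to return to dontaudit once the CTS requirement is pinned down.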
@@ -97,9 +97,6 @@ allow $1 $1_tmpfs:file { read execute execmod };
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
 tmpfs_domain($1)
-# Read properties.
-allow $1 kernel:fd use;
-allow $1 tmpfs:file read;
 ')
 
 #####################################
diff --git a/ueventd.te b/ueventd.te
index 89dd9ee93..5e513322c 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -16,6 +16,3 @@ allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket *;
-# Read properties.
-allow ueventd kernel:fd use;
-allow ueventd tmpfs:file read;
-- 
GitLab