From cbc5279a43abd01a9d7f9dd9c7c2e3e5ca3171ef Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 11 Sep 2014 15:51:28 -0400
Subject: [PATCH] More MLS trusted subject/object annotations.

dumpstate and lmkd need to act on apps running at any level.

Various file types need to be writable by apps running at any
level.

Change-Id: Idf574d96ba961cc110a48d0a00d30807df6777ba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 device.te    | 10 +++++-----
 dumpstate.te |  2 +-
 file.te      | 16 ++++++++--------
 lmkd.te      |  2 +-
 4 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/device.te b/device.te
index 42d15e3bb..9ca072f38 100644
--- a/device.te
+++ b/device.te
@@ -28,16 +28,16 @@ type nfc_device, dev_type;
 type ptmx_device, dev_type, mlstrustedobject;
 type kmsg_device, dev_type;
 type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type;
+type random_device, dev_type, mlstrustedobject;
 type sensors_device, dev_type;
 type serial_device, dev_type;
 type socket_device, dev_type;
 type owntty_device, dev_type, mlstrustedobject;
 type tty_device, dev_type;
-type urandom_device, dev_type;
+type urandom_device, dev_type, mlstrustedobject;
 type video_device, dev_type;
 type vcs_device, dev_type;
-type zero_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
 type fuse_device, dev_type;
 type iio_device, dev_type;
 type ion_device, dev_type, mlstrustedobject;
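Review bot: None of the new `mlstrustedobject` annotations carries an in-file comment saying which domain needs cross-level access to the type, so a later audit of the MLS exemptions has only the one-line commit message to go on. That applies to `random_device`, `urandom_device` and `zero_device` here, to the second device.te hunk (`usbaccessory_device`, `usb_device`), and to the file.te hunks that add `selinuxfs`, `logd_debug`, `logd_socket` and `mdnsd_socket`. I would add a short comment above each group, for example `# Opened by apps at any MLS level; access is still governed by TE rules.`, adjusted to the actual consumer of each type.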
@@ -47,8 +47,8 @@ type watchdog_device, dev_type;
 type uhid_device, dev_type;
 type uio_device, dev_type;
 type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type;
-type usb_device, dev_type;
+type usbaccessory_device, dev_type, mlstrustedobject;
+type usb_device, dev_type, mlstrustedobject;
 type klog_device, dev_type;
 type properties_device, dev_type;
 
diff --git a/dumpstate.te b/dumpstate.te
index 63b323ace..e5ccb562d 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -1,5 +1,5 @@
 # dumpstate
-type dumpstate, domain;
+type dumpstate, domain, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
 init_daemon_domain(dumpstate)
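Review bot: `mlstrustedsubject` on `dumpstate` lifts the MLS constraints for every object the domain touches, not only for the app processes named in the commit message. The domain's type-enforcement allow rules therefore become the only bound on what it can read or write across levels. The rest of dumpstate.te lies outside this hunk, so it is worth confirming those rules are still tight. The same holds for `lmkd` in the lmkd.te hunk. A comment on each type line such as `# mlstrustedsubject: acts on app processes running at any MLS level.` would record why the exemption exists.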
diff --git a/file.te b/file.te
index 0721c3230..e50196c4d 100644
--- a/file.te
+++ b/file.te
@@ -12,7 +12,7 @@ type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_net, fs_type;
 type proc_sysrq, fs_type;
-type selinuxfs, fs_type;
+type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
@@ -62,11 +62,11 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/dalvik-cache/profiles
-type dalvikcache_profiles_data_file, file_type, data_file_type;
+type dalvikcache_profiles_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
-type shell_data_file, file_type, data_file_type;
+type shell_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/gps
 type gps_data_file, file_type, data_file_type;
 # /data/property
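Review bot: `shell_data_file` and `dalvikcache_profiles_data_file` label persistent, writable storage, so marking them `mlstrustedobject` means a file of these types can be written at one level and read at another. MLS no longer separates apps through them. The same applies to `media_rw_data_file` and `radio_data_file` in the next file.te hunk. Whether that is acceptable depends on the allow rules for these types, which are not part of this diff. I would at least record the intent next to each type, for example `# mlstrustedobject: shared across MLS levels by design; isolation relies on TE and DAC only.`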
@@ -79,10 +79,10 @@ type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type;
+type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
 type net_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type;
+type radio_data_file, file_type, data_file_type, mlstrustedobject;
 type shared_relro_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
@@ -131,12 +131,12 @@ type fwmarkd_socket, file_type, mlstrustedobject;
 type gps_socket, file_type;
 type installd_socket, file_type;
 type lmkd_socket, file_type;
-type logd_debug, file_type;
-type logd_socket, file_type;
+type logd_debug, file_type, mlstrustedobject;
+type logd_socket, file_type, mlstrustedobject;
 type logdr_socket, file_type, mlstrustedobject;
 type logdw_socket, file_type, mlstrustedobject;
 type mdns_socket, file_type;
-type mdnsd_socket, file_type;
+type mdnsd_socket, file_type, mlstrustedobject;
 type mtpd_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
diff --git a/lmkd.te b/lmkd.te
index df8208f71..3243ddb5f 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -1,5 +1,5 @@
 # lmkd low memory killer daemon
-type lmkd, domain;
+type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
 init_daemon_domain(lmkd)
-- 
GitLab