diff --git a/Android.mk b/Android.mk
index 351e81a194b660472bcf5a63a8fd2c9e19ef3756..6d6aee205435d7ddc5a35b90e15baccf168d8298 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,7 +11,7 @@ include $(CLEAR_VARS)
 # is frozen, we should flip this to true. This forces any currently
 # permissive domains into unconfined+enforcing.
 #
-FORCE_PERMISSIVE_TO_UNCONFINED:=false
+FORCE_PERMISSIVE_TO_UNCONFINED:=true
 
 ifeq ($(TARGET_BUILD_VARIANT),user)
   # User builds are always forced unconfined+enforcing
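Review bot: The comment immediately above the flipped assignment (lines 6–8 of the hunk) still reads as a future instruction ("we should flip this to true" once policy is frozen), so with the value now `true` it is stale and should be rewritten in the present tense, e.g. `# Policy is frozen: any domain still declared permissive is forced into unconfined+enforcing.` The consequence worth spelling out is that a `permissive` declaration added to a .te file after this change no longer produces an audit-only domain, which is easy to miss when debugging denials. The `ifeq ($(TARGET_BUILD_VARIANT),user)` block starts inside the hunk but ends outside it, so I cannot see whether its own forcing logic is now redundant with this default.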
diff --git a/app.te b/app.te
index ea74cb07358b418eec18126457933fe8e4d6cc66..2e0a9ee970faadfeb20b27514a5fed5c38674ae1 100644
--- a/app.te
+++ b/app.te
@@ -53,6 +53,12 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open execmod };
 
+# Keychain and user-trusted credentials
+allow appdomain keychain_data_file:dir r_dir_perms;
+allow appdomain keychain_data_file:file r_file_perms;
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;
 allow appdomain oemfs:file rx_file_perms;
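Review bot: The four new allow lines grant every domain in `appdomain` read access to both `keychain_data_file` and `misc_user_data_file`, while the comment above them only mentions keychain and user-trusted credentials. Since `appdomain` presumably covers untrusted apps as well, anything written under `/data/misc/user` (the path the file_contexts hunk assigns to `misc_user_data_file`) becomes readable by any installed app, and the comment should record that constraint, e.g. `# Keychain and user-trusted credentials. Both directories are readable by all apps; nothing secret may be stored in them.` If only keychain reads are actually required, the `misc_user_data_file` pair could be dropped or moved to the specific domains that need it.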
diff --git a/bootanim.te b/bootanim.te
index 759229553aa2e9ca335f63be94b81a2a406595a7..e0e25b9672b31ff903b20add3e26f5726ea99f81 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -11,6 +11,10 @@ allow bootanim gpu_device:chr_file rw_file_perms;
 
 # /oem access
 allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
 
 # Audited locally.
 service_manager_local_audit_domain(bootanim)
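Review bot: The two `audio_device` lines are placed under the `# /oem access` heading but have nothing to do with /oem, and `rw_file_perms` on `audio_device:chr_file` is granted without any comment saying why bootanim needs to write to the audio device. Separate them under their own heading, e.g. `# Audio device access for the boot animation (see b/<BUG-ID>).`, with the bug reference filled in. If the only requirement is playing a sound from a file under /oem, check whether the full `rw_file_perms` set on the device is needed; the hunk does not show enough to tell.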
diff --git a/drmserver.te b/drmserver.te
index 2a146b6bb78ebc3b6498217c1f95abbc779d1156..ba7e62fc28f572a1cb96841a7fca07d9c9377400 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -47,6 +47,10 @@ allow drmserver radio_data_file:file { read getattr };
 
 allow drmserver drmserver_service:service_manager add;
 
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
 # Audited locally.
 service_manager_local_audit_domain(drmserver)
 auditallow drmserver {
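Review bot: The `/oem access` block here and the identical one in the mediaserver.te hunk spell out `oemfs:dir search` plus `oemfs:file r_file_perms`, whereas the system_server.te hunk expresses the same intent with the `r_dir_file(system_server, oemfs)` macro. The two forms are not equivalent: `r_dir_file` grants `r_dir_perms` on the directory, which includes listing, while these lines grant only `search`. Either the narrower grant is deliberate and deserves a one-line comment such as `# search only: drmserver opens known /oem paths and does not list the directory`, or both files should use the macro for consistency; which is intended is not visible from the diff.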
diff --git a/file.te b/file.te
index 5c91cf0e0c839c782f9722368898ca379a0c642f..3cd2c79024918bf2ed419fa9faa4e1ae8367080d 100644
--- a/file.te
+++ b/file.te
@@ -82,9 +82,11 @@ type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
+type keychain_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
 type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type;
 type net_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type, mlstrustedobject;
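Review bot: The two new types `keychain_data_file` and `misc_user_data_file` are declared without a comment naming the path they label, and the second name does not make its path obvious. A comment line above each, `# /data/misc/keychain` and `# /data/misc/user` respectively, matching the entries in the file_contexts hunk, would let a reader of file.te alone see what the types cover and how they differ from the neighbouring `keystore_data_file`.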
diff --git a/file_contexts b/file_contexts
index 1d81cbfa1a39556d10d2ef2f776476fd38a2571d..c5e66521e6dabf15169655032f0cbc2171fd5ce6 100644
--- a/file_contexts
+++ b/file_contexts
@@ -210,12 +210,14 @@
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
+/data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
+/data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
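Review bot: These two entries move `/data/misc/keychain` out of the `system_data_file` label it previously carried (the old comment text removed in the system_app.te hunk confirms it lived there) and introduce `/data/misc/user`, but a file_contexts entry only governs newly created files; directories already present on an upgraded device keep their old label until something relabels them. The installd.te hunk's comment about upgrading keychain for multi-user suggests a migration is planned, yet nothing in this diff shows a restorecon of either path. Confirm that the upgrade path relabels both directories, otherwise the `keychain_data_file` read rules added across this change will not apply on existing installs and the old `system_data_file` rules will keep governing them.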
diff --git a/installd.te b/installd.te
index 6257edeb6fb719daa9d4c448fd5336abdd3cf1a2..6b1b2b8e1ccb6cf1f747da74393f8740993568f6 100644
--- a/installd.te
+++ b/installd.te
@@ -37,6 +37,12 @@ allow installd media_rw_data_file:file { getattr unlink };
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;
 
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
 allow installd install_data_file:file create_file_perms;
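Review bot: The comment `# Upgrade /data/misc/keychain for multi-user if necessary.` describes a one-time migration, but the four allow rules under it are permanent and broader than that: installd keeps `create_dir_perms` and `create_file_perms` on `misc_user_data_file` plus `create_dir_perms` on `keychain_data_file` directories indefinitely. Either extend the comment to state that installd owns the layout of both directories beyond the upgrade step, or leave a note that the rules are to be dropped once migration is complete. As a style point, `{r_file_perms unlink}` lacks the inner spaces used elsewhere in this file (`{ getattr unlink }` in the hunk's context line); `{ r_file_perms unlink }` would match.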
diff --git a/kernel.te b/kernel.te
index d5a75b4d6e50783d5cca0a54b46c818fe5573bc6..3a802650600d539c0e40f82dff08cf9799a599fe 100644
--- a/kernel.te
+++ b/kernel.te
@@ -38,6 +38,13 @@ allow kernel self:security setcheckreqprot;
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
 allow kernel sdcard_type:file { read write };
 
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+#  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel app_data_file:file read;
+
 ###
 ### neverallow rules
 ###
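Review bot: The new `allow kernel app_data_file:file read;` is keyed on the whole `app_data_file` type, so it lets kernel threads read any file in any app's private data directory, not only the OBB that vold passes by file descriptor as the comment describes. The comment is good on the why (bug and CTS tests) but should also record the scope, e.g. `# Note: this covers every app_data_file, not just OBBs; narrow it if OBBs ever get their own type.` The `### neverallow rules` section begins right after the hunk; confirm none of those rules forbid kernel access to app data, since a conflicting neverallow fails the policy build rather than being silently ignored.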
diff --git a/mediaserver.te b/mediaserver.te
index 3eb078d4b0dbc9620f4e666c8d552d28fce229d8..711f4df7e5f2c4dc4a626cf940a25df0bc0be089 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -80,6 +80,10 @@ allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver mediaserver_service:service_manager add;
 
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
 # Audited locally.
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
diff --git a/service_contexts b/service_contexts
index e96178bbc02fd8db02ea7b3f1d3ac6817ec2d7f1..8585fcfa4e4651eec4ddc563b6a4d994a29a7f4b 100644
--- a/service_contexts
+++ b/service_contexts
@@ -37,6 +37,7 @@ drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:system_server_service:s0
 entropy                                   u:object_r:system_server_service:s0
 ethernet                                  u:object_r:system_server_service:s0
+fingerprint                               u:object_r:system_server_service:s0
 gfxinfo                                   u:object_r:system_server_service:s0
 hardware                                  u:object_r:system_server_service:s0
 hdmi_control                              u:object_r:system_server_service:s0
@@ -47,7 +48,7 @@ iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
-imms                                      u:object_r:system_app_service:s0
+imms                                      u:object_r:system_server_service:s0
 isms_msim                                 u:object_r:radio_service:s0
 isms2                                     u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0
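Review bot: Relabelling `imms` from `system_app_service` to `system_server_service` changes which domain is allowed to register the service (`service_manager add` is granted per service type, as the `*_service:service_manager add` lines in the drmserver and mediaserver hunks show), but no comment or matching .te change in this diff explains the move. If `imms` is now hosted by system_server the entry is correct; if a system_app process still registers it, that registration will be denied after this change. A line in the commit message naming the process that now hosts `imms` would make the relabel auditable later.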
@@ -87,6 +88,7 @@ radio.phonesubinfo                        u:object_r:radio_service:s0
 radio.phone                               u:object_r:radio_service:s0
 radio.sms                                 u:object_r:radio_service:s0
 restrictions                              u:object_r:system_server_service:s0
+rttmanager                                u:object_r:system_server_service:s0
 samplingprofiler                          u:object_r:system_server_service:s0
 scheduling_policy                         u:object_r:system_server_service:s0
 search                                    u:object_r:system_server_service:s0
@@ -100,7 +102,7 @@ sip                                       u:object_r:radio_service:s0
 statusbar                                 u:object_r:system_server_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:system_server_service:s0
-telecomm                                  u:object_r:radio_service:s0
+telecom                                   u:object_r:radio_service:s0
 telephony.registry                        u:object_r:system_server_service:s0
 textservices                              u:object_r:system_server_service:s0
 trust                                     u:object_r:system_server_service:s0
diff --git a/system_app.te b/system_app.te
index fcf0f16b9a1414333adaa70a88b0c99b8f8ace43..6fe8106a8efa6f10952bf64a54ab0e2246a25fc6 100644
--- a/system_app.te
+++ b/system_app.te
@@ -12,10 +12,16 @@ binder_service(system_app)
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:file create_file_perms;
 
+# Read /data/misc/keychain subdirectory.
+allow system_app keychain_data_file:dir r_dir_perms;
+allow system_app keychain_data_file:file r_file_perms;
+
 # Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/keychain.
+# /data/system/cache and /data/misc/user.
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
 # Audit writes to these directories and files so we can identify
 # and possibly move these directories into their own type in the future.
 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
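Review bot: system_app's access to `/data/misc/keychain` is narrowed from the `create_dir_perms`/`create_file_perms` it previously had through `system_data_file` (per the comment text this hunk removes) to read-only on `keychain_data_file`, while create access on that type is granted to system_server in the system_server.te hunk; that is a deliberate tightening and the comment should say so, e.g. `# Read /data/misc/keychain; writes are performed by system_server.`, so a later denial is not mistaken for a missing rule. Separately, the `auditallow` on `system_data_file` writes just below no longer observes `/data/misc/user` now that it has its own `misc_user_data_file` type; decide whether write auditing of that type is still wanted and add a matching `auditallow` if so.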
diff --git a/system_server.te b/system_server.te
index 020f2ab0c706c323cadd2e92a384a9d3b66d52d7..f17f8d3178efd7ae68817cafb654104145c99c8f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -14,7 +14,6 @@ allow system_server system_server_tmpfs:file execute;
 
 # For art.
 allow system_server dalvikcache_data_file:file execute;
-allow system_server dex2oat_exec:file rx_file_perms;
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -71,6 +70,9 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms;
 
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
 
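Review bot: The comment `# Set and get routes directly via netlink.` promises both directions, but the rule beneath it grants only `nlmsg_write` on `netlink_route_socket`; route dumps (the "get" half) are normally checked against `nlmsg_read`, which is not granted here. Either trim the comment to `# Set routes directly via netlink.` or, if reads are also needed, grant `{ nlmsg_read nlmsg_write }`. Because this is direct routing-table manipulation by system_server, keeping the permission set minimal and the comment accurate matters for later policy audits.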
@@ -171,6 +173,8 @@ allow system_server tun_device:chr_file rw_file_perms;
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
 
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
@@ -395,7 +399,7 @@ allow system_server frp_block_device:blk_file rw_file_perms;
 allow system_server cgroup:dir { remove_name rmdir };
 
 # /oem access
-allow system_server oemfs:dir search;
+r_dir_file(system_server, oemfs)
 
 ###
 ### Neverallow rules
diff --git a/zygote.te b/zygote.te
index 4c6276c8c5057653a517d3bd9552e82482e1c8b9..5ee4eb8e955a4a903bd83585282c8f124d30408d 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,6 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
+# Read system security data.
+allow zygote keychain_data_file:dir r_dir_perms;
+allow zygote keychain_data_file:file r_file_perms;
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
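Review bot: The comment `# Read system security data.` does not say what the two rules under it grant; they give zygote read access to `keychain_data_file`, which the file_contexts hunk maps to `/data/misc/keychain`. Name it, e.g. `# Read /data/misc/keychain (keychain_data_file).`, and if the reason zygote itself, rather than the forked app, needs this access is not obvious, state it in the same comment.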