commit 0ff85767a30885a65a61aa9b854c8b929cc6b33e
author Nick Kralevich <nnk@google.com> Wed Oct 29 17:11:35 2014 +0000
committer Android Git Automerger <android-git-automerger@android.com> Wed Oct 29 17:11:35 2014 +0000
tree 0c36ac9908c2c9362b21438cbe35f4638e84ecd8
parent 709aa70d9dcb46aea8824c0559df4cfeee8b18a4
parent 4d9648e3e4bb2f3796d28f9cc95c6d3abd6075a9

am 4d9648e3: am b519949d: system_server: assert app data files never opened directly

* commit '4d9648e3e4bb2f3796d28f9cc95c6d3abd6075a9':
  system_server: assert app data files never opened directly

adbd.te

diff --git a/adbd.te b/adbd.te
index c21e703..f5a1c83 100644
--- a/adbd.te
+++ b/adbd.te
@@ -73,6 +73,10 @@
 allow adbd app_data_file:sock_file write;
 allow adbd appdomain:unix_stream_socket connectto;
 
+# b/18078338 - allow read access to executable types on /system
+# to assist with debugging OTA issues.
+allow adbd exec_type:file r_file_perms;
+
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;

recovery.te

diff --git a/recovery.te b/recovery.te
index 75a024c..204c096 100644
--- a/recovery.te
+++ b/recovery.te
@@ -29,7 +29,7 @@
 
   # We may be asked to set an SELinux label for a type not known to the
   # currently loaded policy. Allow it.
-  allow recovery unlabeled:file { create_file_perms relabelfrom relabelto };
+  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
 
   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux

system_server.te

diff --git a/system_server.te b/system_server.te
index ae14ab3..63a7ed0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -76,6 +76,10 @@
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
 
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow system_server kernel:process setsched;
+
 # Set scheduling info for apps.
 allow system_server appdomain:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };

zygote.te

diff --git a/zygote.te b/zygote.te
index 5ee4eb8..4c6276c 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,9 +21,6 @@
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
-# Read system security data.
-allow zygote keychain_data_file:dir r_dir_perms;
-allow zygote keychain_data_file:file r_file_perms;
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;