am 4c6b1350: support kernel writes to external SDcards

* commit '4c6b13508d1786a3a835ba5427f37e963c2c7506':
  support kernel writes to external SDcards
diff --git a/Android.mk b/Android.mk
index 351e81a..6d6aee2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,7 +11,7 @@
 # is frozen, we should flip this to true. This forces any currently
 # permissive domains into unconfined+enforcing.
 #
-FORCE_PERMISSIVE_TO_UNCONFINED:=false
+FORCE_PERMISSIVE_TO_UNCONFINED:=true
 
 ifeq ($(TARGET_BUILD_VARIANT),user)
   # User builds are always forced unconfined+enforcing
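Review bot: The comment above `FORCE_PERMISSIVE_TO_UNCONFINED` still reads as a to-do ("we should flip this to true") although this line now sets it to `true`. By that comment's own description, every currently permissive domain is now forced into unconfined+enforcing. Presumably accesses that were previously allowed and logged are now either granted by the unconfined rules without an audit record or denied outright, which is worth stating. I would reword it in the present tense, e.g. `# Flipped to true: permissive domains are now forced into unconfined+enforcing.`, and mention the flip in the commit message, whose subject only talks about SD card writes. The comment block starts above the hunk and the `ifeq` block continues below it.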
diff --git a/app.te b/app.te
index a2cd016..d597206 100644
--- a/app.te
+++ b/app.te
@@ -142,6 +142,7 @@
 allow appdomain shared_relro_file:file r_file_perms;
 
 # Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
 allow appdomain apk_data_file:file { rx_file_perms execmod };
 
 # /data/resource-cache
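Review bot: The added `allow appdomain apk_data_file:dir r_dir_perms;` gives every app domain read access, and so listing, on directories labelled `apk_data_file`. The comment above it only speaks of reading and executing installed binaries. If apps only need to traverse to a known APK path, `allow appdomain apk_data_file:dir search;` (plus `getattr` if required) would avoid letting any app enumerate what else is installed. If listing really is needed, the comment should say so, e.g. `# Allow apps to list, read and execute installed binaries`.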
diff --git a/service_contexts b/service_contexts
index e96178b..e1f1298 100644
--- a/service_contexts
+++ b/service_contexts
@@ -37,6 +37,7 @@
 dropbox                                   u:object_r:system_server_service:s0
 entropy                                   u:object_r:system_server_service:s0
 ethernet                                  u:object_r:system_server_service:s0
+fingerprint                               u:object_r:system_server_service:s0
 gfxinfo                                   u:object_r:system_server_service:s0
 hardware                                  u:object_r:system_server_service:s0
 hdmi_control                              u:object_r:system_server_service:s0
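Review bot: `fingerprint` is registered under the catch-all `system_server_service` type, so any domain that policy allows to look up `system_server_service` objects can presumably also obtain the fingerprint service. The same holds for `rttmanager` in the third hunk of this file. For a biometric service, a dedicated type would let policy name its clients explicitly, e.g. `fingerprint u:object_r:fingerprint_service:s0`. That type would have to be declared with the other service types, which this diff does not show, so the name is only a suggestion. At minimum, a comment recording why the generic type is acceptable here would help later audits.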
@@ -47,7 +48,7 @@
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
-imms                                      u:object_r:system_app_service:s0
+imms                                      u:object_r:system_server_service:s0
 isms_msim                                 u:object_r:radio_service:s0
 isms2                                     u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0
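Review bot: Relabelling `imms` from `system_app_service` to `system_server_service` changes which domain may register the service, and nothing in this diff shows the registrant moving into system_server. If `imms` is still published by a system app, its registration would presumably be denied under the new label once the domain is enforcing. It is worth confirming where the service is added and, if it did move, saying so in the commit message, since the subject line only mentions SD card writes.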
@@ -87,6 +88,7 @@
 radio.phone                               u:object_r:radio_service:s0
 radio.sms                                 u:object_r:radio_service:s0
 restrictions                              u:object_r:system_server_service:s0
+rttmanager                                u:object_r:system_server_service:s0
 samplingprofiler                          u:object_r:system_server_service:s0
 scheduling_policy                         u:object_r:system_server_service:s0
 search                                    u:object_r:system_server_service:s0
diff --git a/system_server.te b/system_server.te
index 9d3dfa1..8b252c5 100644
--- a/system_server.te
+++ b/system_server.te
@@ -14,7 +14,6 @@
 
 # For art.
 allow system_server dalvikcache_data_file:file execute;
-allow system_server dex2oat_exec:file rx_file_perms;
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -71,6 +70,9 @@
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms;
 
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };