am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec
* commit '437f713936148eb0cf3eb277eab72b07a1d533ca':
system_server: neverallow dex2oat exec
diff --git a/adbd.te b/adbd.te
index f5cebd2..96c2b87 100644
--- a/adbd.te
+++ b/adbd.te
@@ -73,6 +73,10 @@
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
+# b/18078338 - allow read access to executable types on /system
+# to assist with debugging OTA issues.
+allow adbd exec_type:file r_file_perms;
+
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
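Review bot: The third added line grants read on every type carrying the exec_type attribute, which is wider than the comment's "executable types on /system" if any exec_type-labelled files live on other partitions; the comment should say the grant is attribute-wide, e.g. `# b/18078338: read access to all exec_type-labelled files (not only /system) to debug OTA issues.`. It also appears to subsume the existing `allow adbd zygote_exec:file r_file_perms;` two lines below, assuming zygote_exec carries exec_type (declared outside this file), so that rule could be dropped or its comment adjusted to avoid two overlapping grants. If the debugging need is temporary, a TODO naming the removal condition would help later audits.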
diff --git a/dex2oat.te b/dex2oat.te
index 5fded36..f7de25d 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -12,3 +12,4 @@
# locked APKs.
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
+allow dex2oat oemfs:file read;
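Review bot: The added `allow dex2oat oemfs:file read;` has no comment, while the rules around it are explained (the context line above refers to locked APKs); an unexplained grant on a partition label is hard to audit later. Suggest `# b/<bug id>: allow dex2oat to read <what> on the oem partition.` above it, with the reason filled in. Whether dex2oat also needs `oemfs:dir search` to reach those files depends on how it receives them (a path versus an inherited fd), which this hunk does not show.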
diff --git a/recovery.te b/recovery.te
index 61c42b1..87b6b5b 100644
--- a/recovery.te
+++ b/recovery.te
@@ -50,6 +50,8 @@
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
+ access_kmsg(recovery)
+
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow recovery adb_device:chr_file rw_file_perms;
allow recovery functionfs:dir search;
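Review bot: The added `access_kmsg(recovery)` is indented by one space while every other rule in the hunk starts at column 0; drop the leading space for consistency with the file. The macro bundles more than a single permission (it is defined outside this file, so its exact grant is not visible here), so a one-line comment stating why recovery needs the kernel log, e.g. `# Kernel log access for recovery (b/<bug id>).`, would make the grant auditable alongside the commented rules above it.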
diff --git a/service_contexts b/service_contexts
index 3eee034..afc8585 100644
--- a/service_contexts
+++ b/service_contexts
@@ -103,7 +103,7 @@
statusbar u:object_r:statusbar_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:task_service:s0
-telecom u:object_r:radio_service:s0
+telecom u:object_r:system_server_service:s0
telephony.registry u:object_r:registry_service:s0
textservices u:object_r:textservices_service:s0
trust u:object_r:trust_service:s0
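Review bot: Relabelling telecom from radio_service to system_server_service changes which domains may register and look up this service, since the add/find rules are written against the label rather than the service name; the rules for both labels are outside this diff, so confirm that the process that actually publishes telecom is allowed to add under system_server_service (typically expressed as a `service_manager add` rule) and that no rule still expects it under radio_service. A short note in the commit message recording why telecom moved (which process hosts it now) would make the relabel easier to audit.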
diff --git a/system_server.te b/system_server.te
index bfe5b89..51e40eb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -76,6 +76,10 @@
# Kill apps.
allow system_server appdomain:process { sigkill signal };
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow system_server kernel:process setsched;
+
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
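Review bot: The comment on the added rule says the grant is suspect but records neither the denial that motivated it nor a tracking bug, so a later reader cannot tell when `allow system_server kernel:process setsched;` can be removed; suggest `# TODO(b/<bug id>): remove once the setsched denial on kernel tasks is understood.` above it. Granting setsched on the kernel domain lets system_server change scheduling of kernel-domain tasks, which is a wider grant than the app and mediaserver rules below it, so it deserves a justification rather than a doubt. The commit title refers to a neverallow on dex2oat exec for system_server, which does not appear in this hunk; the rest of system_server.te is outside the diff.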
diff --git a/tools/README b/tools/README
index 1ffe409..899b981 100644
--- a/tools/README
+++ b/tools/README
@@ -50,4 +50,4 @@
sepolicy-analyze
A tool for performing various kinds of analysis on a sepolicy
- file.
\ No newline at end of file
+ file.
diff --git a/untrusted_app.te b/untrusted_app.te
index ae65719..77dafea 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -47,6 +47,14 @@
allow untrusted_app shell_data_file:file r_file_perms;
allow untrusted_app shell_data_file:dir r_dir_perms;
+# b/18504118: Allow reads from /data/anr/traces.txt
+# TODO: We shouldn't be allowing all untrusted_apps to read
+# this file. This is only needed for the GMS feedback agent.
+# See also b/18340553. GMS runs as untrusted_app, and
+# it's too late to change the domain it runs in.
+# This line needs to be deleted.
+allow untrusted_app anr_data_file:file r_file_perms;
+
#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
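Review bot: The added rule exposes ANR traces to every untrusted app, and the comment already says it must be deleted, but nothing ties that to a condition; the TODO should state when the grant goes, e.g. `# TODO(b/18340553): remove once the feedback agent runs in its own domain.`, so it is revisited rather than forgotten. If /data/anr itself is labelled anr_data_file, the file rule alone does not let an app open the path without `anr_data_file:dir search`, so either that permission exists elsewhere or the intended reader will still be denied; that cannot be confirmed from this hunk. r_file_perms also grants more than read (open, getattr and the usual read set), which is fine for this purpose but worth noting given the sensitivity of the data.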
diff --git a/zygote.te b/zygote.te
index 67660b3..adbea06 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,9 +21,6 @@
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
-# Read system security data.
-allow zygote keychain_data_file:dir r_dir_perms;
-allow zygote keychain_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;