am b7934922: allow run-as to access /data/local/tmp
* commit 'b793492288b8272aeda12e1b139c060397e7cd7e':
allow run-as to access /data/local/tmp
diff --git a/app.te b/app.te
index b9027fe..e2eac0f 100644
--- a/app.te
+++ b/app.te
@@ -90,7 +90,7 @@
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
# Use the Binder.
binder_use(appdomain)
diff --git a/dex2oat.te b/dex2oat.te
index 2df9947..5fded36 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -3,6 +3,8 @@
type dex2oat_exec, exec_type, file_type;
allow dex2oat dalvikcache_data_file:file write;
+# Read symlinks in /data/dalvik-cache
+allow dex2oat dalvikcache_data_file:lnk_file read;
allow dex2oat installd:fd use;
# Read already open asec_apk_file file descriptors passed by installd.
diff --git a/domain.te b/domain.te
index cb1c4f3..c978ffa 100644
--- a/domain.te
+++ b/domain.te
@@ -59,6 +59,10 @@
# allow "gdbserver --attach" to work for su.
allow domain su:process sigchld;
+
+ # Allow writing coredumps to /cores/*
+ allow domain coredump_file:file create_file_perms;
+ allow domain coredump_file:dir ra_dir_perms;
')
###
diff --git a/file.te b/file.te
index 6ac6002..9e56d7f 100644
--- a/file.te
+++ b/file.te
@@ -43,6 +43,8 @@
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# /data/.layout_version or other installd-created files that
diff --git a/file_contexts b/file_contexts
index fce051b..62802e0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -219,6 +219,9 @@
/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+# coredump directory for userdebug/eng devices
+/cores(/.*)? u:object_r:coredump_file:s0
+
# Wallpaper file for other users
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
#############################
diff --git a/isolated_app.te b/isolated_app.te
index a156838..a035901 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,6 +13,9 @@
app_domain(isolated_app)
net_domain(isolated_app)
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:file { rw_file_perms execute };
+
# read and write access to app_data_file is already
# granted via app.te. Allow execute.
# Needed to allow dlopen() from Chrome renderer processes.
diff --git a/radio.te b/radio.te
index d0018ea..7d90706 100644
--- a/radio.te
+++ b/radio.te
@@ -17,6 +17,9 @@
allow radio alarm_device:chr_file rw_file_perms;
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
# Property service
allow radio radio_prop:property_service set;
allow radio net_radio_prop:property_service set;
diff --git a/zygote.te b/zygote.te
index 5ee4eb8..adbea06 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,12 +21,11 @@
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
-# Read system security data.
-allow zygote keychain_data_file:dir r_dir_perms;
-allow zygote keychain_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
+# Create symlinks in /data/dalvik-cache
+allow zygote dalvikcache_data_file:lnk_file create_file_perms;
# Write to /data/resource-cache
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;