Merge "Catch nonexistent BOARD_SEPOLICY_UNION policy files."
diff --git a/domain.te b/domain.te
index b13ad75..6d755a7 100644
--- a/domain.te
+++ b/domain.te
@@ -147,6 +147,9 @@
### neverallow rules
###
+neverallow domain self:capability2 mac_override;
+neverallow { domain -recovery } self:capability2 mac_admin;
+
# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
diff --git a/dumpstate.te b/dumpstate.te
index fbf9ce9..5977422 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -73,3 +73,16 @@
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+# Dalvik Compiler JIT.
+allow dumpstate ashmem_device:chr_file execute;
+allow dumpstate dumpstate_tmpfs:file execute;
+allow dumpstate self:process execmem;
+# For art.
+allow dumpstate dalvikcache_data_file:file execute;
diff --git a/file.te b/file.te
index e255ae9..d6a4d56 100644
--- a/file.te
+++ b/file.te
@@ -71,7 +71,6 @@
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
typealias audio_data_file alias audio_firmware_file;
-typealias camera_data_file alias camera_calibration_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
diff --git a/recovery.te b/recovery.te
index eb2a2b0..abcf0cf 100644
--- a/recovery.te
+++ b/recovery.te
@@ -4,6 +4,8 @@
unconfined_domain(recovery)
relabelto_domain(recovery)
+allow recovery self:capability2 mac_admin;
+
allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
allow recovery unlabeled:filesystem mount;
diff --git a/system_server.te b/system_server.te
index 06bca76..1971912 100644
--- a/system_server.te
+++ b/system_server.te
@@ -104,6 +104,7 @@
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, healthd)
+binder_call(system_server, dumpstate)
binder_service(system_server)
# Read /proc/pid files for Binder clients.
diff --git a/unconfined.te b/unconfined.te
index 9facc2e..8d424f3 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,8 @@
# The use of this template is discouraged.
######################################################
-allow unconfineddomain self:capability_class_set *;
+allow unconfineddomain self:capability *;
+allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
allow unconfineddomain kernel:system *;
allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };