Update sepolicy from CM
Change-Id: I897d33e3626038f6d1adf986791ac2ddd4cf2f83
diff --git a/sepolicy/auditd.te b/sepolicy/auditd.te
new file mode 100644
index 0000000..01d5a06
--- /dev/null
+++ b/sepolicy/auditd.te
@@ -0,0 +1,3 @@
+allow logd auditd_log:dir rw_dir_perms;
+allow logd auditd_log:file create_file_perms;
+
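Review bot: The new file grants permissions to the `logd` domain, yet nothing in it says why a file named auditd.te contains logd rules; the reader has to find the file_contexts entry that labels /system/bin/auditd as logd_exec to understand that auditd executes in logd's domain. A one-line header would remove that cross-reference: `# auditd is labeled logd_exec (see file_contexts), so it runs in the logd domain; these rules let it write its logs under /data/misc/audit (auditd_log).` Note that as written the whole logd domain, not just the auditd binary, can create and modify auditd_log files, so anything that can influence logd can also alter the audit trail; if the audit log is meant to be tamper-evident, a dedicated auditd domain would be the narrower grant. The trailing empty line at the end of the file is stray.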
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 95a9c38..3a20199 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,2 +1,4 @@
# Support asec containers getting mounted
allow file_type rootfs:filesystem associate;
+
+type auditd_log, file_type;
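Review bot: `type auditd_log, file_type;` declares a label for a path under /data (/data/misc/audit in file_contexts) without the `data_file_type` attribute that labels under /data conventionally carry in the base policy, so any rule or neverallow written against `data_file_type` will not cover these files. If leaving it out is deliberate, say so in a comment; otherwise the declaration should be `type auditd_log, file_type, data_file_type;`. Either way a short comment naming the path the type labels (`# /data/misc/audit, written by auditd`) would help, since the type is defined here but only used in auditd.te and file_contexts.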
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 0d40913..9e7f998 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,6 +1,14 @@
+/cache/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+
+# Auditd is a logging daemon. Put it into logd's context
+/system/bin/auditd u:object_r:logd_exec:s0
+/data/misc/audit(/.*)? u:object_r:auditd_log:s0
+
#############################
-# performance-related sysfs files
+# performance-related sysfs files (CM)
/sys/kernel/mm/ksm(/.*)? -- u:object_r:sysfs_writable:s0
-/sys/devices/system/cpu.*/cpufreq(/.*)? -- u:object_r:sysfs_writable:s0
+/sys/devices/system/cpu.*/cpufreq(/.*)? -- u:object_r:sysfs_devices_system_cpu:s0
/sys/block/mmcblk0/queue/scheduler -- u:object_r:sysfs_writable:s0
+/data/hostapd(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
diff --git a/sepolicy/fs_use b/sepolicy/fs_use
deleted file mode 100644
index 849d1b4..0000000
--- a/sepolicy/fs_use
+++ /dev/null
@@ -1,3 +0,0 @@
-# Label inodes via getxattr.
-#fs_use_xattr f2fs u:object_r:labeledfs:s0;
-
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..4ad0b3e
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,4 @@
+allow netd self:capability { setuid sys_module setgid };
+allow netd self:packet_socket create_socket_perms;
+allow netd radio_data_file:dir rw_dir_perms;
+allow netd radio_data_file:file create_file_perms;
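Review bot: The `sys_module` capability on the first line is kernel module loading — effectively kernel-level code execution — handed to a network-facing daemon, and the rule carries no comment saying which module netd needs to load at runtime or why init cannot load it at boot instead. The three capabilities are also bundled into one set although they serve different purposes (setuid/setgid presumably for privilege changes on helpers netd spawns — not visible here), so a reader cannot tell which ones were reviewed together. I would split and justify them: `# setuid/setgid: <reason>` / `allow netd self:capability { setuid setgid };` / `# sys_module: loads <MODULE_NAME — fill in>; consider loading it from init instead` followed by `allow netd self:capability sys_module;`. The packet_socket and radio_data_file rules would benefit from the same one-line justifications, matching the commented style used in ueventd.te in this change.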
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
index 2e3ae4a..408017f 100644
--- a/sepolicy/sepolicy.mk
+++ b/sepolicy/sepolicy.mk
@@ -1,5 +1,6 @@
#
# This policy configuration will be used by all products that
+# inherit from CM
#
BOARD_SEPOLICY_DIRS += \
@@ -8,9 +9,12 @@
BOARD_SEPOLICY_UNION += \
file.te \
file_contexts \
- fs_use \
genfs_contexts \
- installd.te \
seapp_contexts \
+ auditd.te \
+ installd.te \
+ netd.te \
+ system.te \
+ ueventd.te \
vold.te \
mac_permissions.xml
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..4c6de38
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1 @@
+allow system_server wallpaper_file:file relabelto;
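Review bot: The single rule has no comment, unlike the per-rule comments in ueventd.te in the same change, and the file is named after the `system` prefix rather than the `system_server` domain it constrains, which makes it hard to find when auditing system_server's policy. I would add `# system_server relabels files to wallpaper_file — TODO confirm which operation (wallpaper set/restore) needs this`. Since only `relabelto` is granted here, the matching `relabelfrom` on the source type is presumably supplied by the base policy; the comment should name that source type once confirmed.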
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..396e266
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,13 @@
+# ueventd needs to relabel files that pop in and out of sysfs
+allow ueventd sysfs:file relabelfrom;
+
+# ueventd will set permissions on cpufreq nodes
+allow ueventd sysfs_devices_system_cpu:file setattr;
+
+# ueventd loads wifi firmware on a ton of devices
+allow ueventd wifi_data_file:dir r_dir_perms;
+allow ueventd wifi_data_file:file r_file_perms;
+
+# ueventd loads audio firmware on many devices
+allow ueventd audio_data_file:dir r_dir_perms;
+allow ueventd audio_data_file:file r_file_perms;
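Review bot: The wifi_data_file rules (dir r_dir_perms, file r_file_perms) are broader than the "loads wifi firmware" comment above them: wifi_data_file is the label the base policy uses for wpa_supplicant state under /data/misc/wifi, which holds stored network credentials, and this same change also attaches it to /data/hostapd in file_contexts, so a privileged early-boot daemon gains read access to both. If the firmware sits at a fixed path, a dedicated type for that path with the read rules written against it alone would keep ueventd away from the credential files; if it really must read everything labeled wifi_data_file, the comment should say so explicitly. The audio_data_file pair below has the same shape but a less sensitive target. The ueventd.te file as a whole has no header stating the device or vendor assumptions ("on a ton of devices") these rules come from.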
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 1334180..ae52a5f 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -2,15 +2,11 @@
allow vold sdcard_external:file create_file_perms;
# Allow vold to change context for mounted ext4 sdcard
-#relabelto_domain(vold)
allow vold labeledfs:filesystem { relabelfrom };
+allow vold sdcard_external:filesystem { relabelfrom };
# Allow vold to access fuse for fuse-based fs
allow vold fuse_device:chr_file rw_file_perms;
# NTFS-3g wants to drop permission
allow vold self:capability { setgid setuid };
-
-# Allow vold to relabel sdcard fs mounts
-allow vold unlabeled:filesystem { relabelfrom };
-allow vold sdcard_external:filesystem { relabelfrom relabelto };