From 750426f921cec34d9fbddb1cdcfeca1e4a3639ca Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 14 Jul 2014 16:25:44 -0700
Subject: [PATCH 1/5] fix system_server dex2oat exec
Addresses the following denial:
W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0
Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
---
 system_server.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/system_server.te b/system_server.te
index d7453ad2..9afd8afb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -14,6 +14,7 @@ allow system_server system_server_tmpfs:file execute;
 # For art.
 allow system_server dalvikcache_data_file:file execute;
+allow system_server dex2oat_exec:file rx_file_perms;
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
From a53f4295babde8d336f16937c08e14c9947c77da Mon Sep 17 00:00:00 2001
From: Riley Spahn
Date: Wed, 16 Jul 2014 09:42:06 -0700
Subject: [PATCH 2/5] Remove auditallow from system_server.
system_server auditallow statements were causing logspam and there is not a good way to negate services from specific devices so as a fix we are removing all system_server auditallows. These logs may not be useful anyway because I suspsect that system_server will probe for most all services anyway.
(cherry picked from commit 5a25fbf7ca281d2b372def95b92b400a073604b6)
Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f
---
 system_server.te | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/system_server.te b/system_server.te
index 5e217d42..9d973dbb 100644
--- a/system_server.te
+++ b/system_server.te
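Review bot: In [PATCH 1/5] the added `allow system_server dex2oat_exec:file rx_file_perms;` grants more than the quoted denial asks for: the AVC shows only `execute`, while `rx_file_perms` in AOSP's global macros also carries read/open and `execute_no_trans`. With `execute_no_trans` and no transition rule in this hunk, dex2oat started by system_server would presumably run inside the system_server domain rather than the confined `dex2oat` domain that dex2oat.te in this series defines. If in-domain execution is intended, a comment above the rule should say so, e.g. `# system_server runs dex2oat in its own domain; no transition to dex2oat.`; otherwise consider `domain_auto_trans(system_server, dex2oat_exec, dex2oat)` in place of the broad allow.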
@@ -364,15 +364,6 @@ allow system_server system_server_service:service_manager add;
 # Audited locally.
 service_manager_local_audit_domain(system_server)
-auditallow system_server {
- service_manager_type
- -healthd_service
- -keystore_service
- -mediaserver_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
 allow system_server keystore:keystore_key {
 test
From 080faeff93a61db77ddaf9147b7d55d3bdd7e4e9 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Wed, 16 Jul 2014 09:38:06 -0700
Subject: [PATCH 3/5] dex2oat: fix forward locked apps
dex2oat can't access file descriptors associated with asec_apk_files. This breaks installing forward locked apps, and generates the following denial:
type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
Steps to reproduce:
$ adb install -r -l SimpleJNI.apk
Expected: app installs
Actual: app fails to install.
Bug: 16328233
(cherry picked from commit 5259c5e61625c4bd45b96c1712977dc2cde9e555)
Change-Id: I1969b9ae8d2187f4860587f7ff42d16139657b5b
---
 dex2oat.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dex2oat.te b/dex2oat.te
index 51acc86b..164e89c4 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -4,3 +4,6 @@ type dex2oat_exec, exec_type, file_type;
 allow dex2oat dalvikcache_data_file:file write;
 allow dex2oat installd:fd use;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+allow dex2oat asec_apk_file:file read;
From 76b155a26aa90f02be9ca428b8bda8b4d39bb6fb Mon Sep 17 00:00:00 2001
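Review bot: In [PATCH 3/5] the new `allow dex2oat asec_apk_file:file read;` depends on dex2oat never opening these files itself, but nothing in dex2oat.te enforces that. The rule grants only `read` on descriptors handed over by installd, which matches its comment; a companion `neverallow dex2oat asec_apk_file:file open;` would make any later widening fail at policy build time, assuming no other rule in the tree already needs that permission. It is also worth confirming on a device that dex2oat does not fstat the passed descriptor, since `getattr` is not granted here.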
From: Nick Kralevich
Date: Wed, 16 Jul 2014 11:45:51 -0700
Subject: [PATCH 4/5] lmkd: allow lmkd to lock itself in memory addresses the following denial:
type=1400 audit(1.871:3): avc: denied { ipc_lock } for pid=1406 comm="lmkd" capability=14 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability
Bug: 16236289
(cherry picked from commit 6a1405d7457dee096a4d25e79844dfe62297943f)
Change-Id: I560f1e52eac9360d10d81fc8a9f60eba907a8466
---
 lmkd.te | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lmkd.te b/lmkd.te
index b1ffca41..771c7805 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -6,6 +6,12 @@ init_daemon_domain(lmkd)
 allow lmkd self:capability { dac_override sys_resource kill };
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:capability ipc_lock;
+
 ## Open and write to /proc/PID/oom_score_adj
 ## TODO: maybe scope this down?
 r_dir_file(lmkd, appdomain)
From 6bedc1adbaa82e1fc156adf00757b732dc7a7696 Mon Sep 17 00:00:00 2001
From: dcashman
Date: Wed, 27 Aug 2014 10:14:18 -0700
Subject: [PATCH 5/5] Allow appdomain read perms on apk_data_files.
Address:
type=1400 audit(0.0:103): avc: denied { read } for name="arm" dev="mmcblk0p28" ino=195471 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir
Bug: 16204150
Change-Id: I8bf0172b26b780c110c0d95c691785143acd7dd2
---
 app.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app.te b/app.te
index e2421524..3439c95e 100644
--- a/app.te
+++ b/app.te
@@ -142,6 +142,7 @@ allow appdomain shared_relro_file:dir search;
 allow appdomain shared_relro_file:file r_file_perms;
 # Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
 allow appdomain apk_data_file:file { rx_file_perms execmod };
 # /data/resource-cache
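Review bot: In [PATCH 5/5] `allow appdomain apk_data_file:dir r_dir_perms;` is wider than the denial quoted in the commit message in two ways: the AVC is for `untrusted_app` and for `read` on a single directory (`name="arm"`), while the rule covers every domain in `appdomain` and the whole `r_dir_perms` set. As written, SELinux no longer stops any app from listing apk_data_file directories, so only the DAC modes on those directories limit what an app can learn about other installed packages. The existing comment `# Allow apps to read/execute installed binaries` does not explain why directory listing is needed; I would add a line such as `# Directory read is needed for native library dirs, see b/16204150.` once that is confirmed, and check whether a narrower permission set covers the use case.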