tequilaOS/platform_system_sepolicy
387f7e3a75 platform_system_sepolicy/public/priv_app.te
6 lines
85 B
Add priv_app domain to global seapp_context

Assign privileged apps not signed with the platform key to the priv_app domain.

Bug: 22033466
Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc
2015-10-05 18:15:04 +02:00
###
### A domain for further sandboxing privileged apps.
###
Restore app_domain macro and move to private use.

app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 20:23:34 +01:00
Move priv_app policy to private

This leaves the existence of priv_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private.

Test: No change to policy according to sesearch, except for disappearance of all allow rules from priv_app_current attribute (as expected) except for allow priv_app_current update_engine_current:binder transfer; which is caused by public update_engine.te rules and will go away once update_engine rules go private.
Bug: 31364497
Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
2017-01-06 00:44:32 +01:00
type priv_app, domain;