platform_system_sepolicy/private/system_server.te

# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";

allow system_server zygote_tmpfs:file read;

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;

# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`# type_transition must be private policy the domain_trans rules could stay`
			`# public, but conceptually should go with this`
			`# Define a type for tmpfs-backed ashmem regions.`
			`tmpfs_domain(system_server)`
			`# Create a socket for connections from debuggerd.`
			`type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";`
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317 2016-10-12 23:58:09 +02:00
			`allow system_server zygote_tmpfs:file read;`

			`# Create a socket for receiving info from wpa.`
			`type_transition system_server wifi_data_file:sock_file system_wpa_socket;`
			`type_transition system_server wpa_socket:sock_file system_wpa_socket;`

			`# TODO: deal with tmpfs_domain pub/priv split properly`
Whitespace fix Because I'm nitpicky. Test: policy compiles Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29 2016-12-10 05:14:31 +01:00			`neverallow system_server system_server_tmpfs:file execute;`