tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge ephemeral data and apk files into app am: 4c40d7344c am: 95804f17e7

Browse source 
am: 812213ae66

Change-Id: I38671a9200d7b76dc7b748848f8134df6e2ef267
This commit is contained in:
Chad Brubaker 2017-02-06 18:40:11 +00:00 committed by android-build-merger
commit 0100293716
12 changed files with 18 additions and 48 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
private/ephemeral_app.te
View file

@ -14,14 +14,6 @@
net_domain(ephemeral_app) net_domain(ephemeral_app)
app_domain(ephemeral_app) app_domain(ephemeral_app)
# App sandbox file accesses.
allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
# Allow apps to read/execute installed binaries
allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
# Allow ephemeral apps to read/write files in visible storage if provided fds # Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append}; allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
@ -36,7 +28,7 @@ allow ephemeral_app app_api_service:service_manager find;
### ###
# Executable content should never be loaded from an ephemeral app home directory. # Executable content should never be loaded from an ephemeral app home directory.
neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans }; neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
# Receive or send uevent messages. # Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

4
private/file_contexts
View file

@ -304,10 +304,6 @@
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0 /data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0 /data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0 /data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/app-ephemeral(/.*)? u:object_r:ephemeral_apk_data_file:s0
/data/app-ephemeral/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-ephemeral/vmdl[^/]+\.tmp(/.*)? u:object_r:ephemeral_apk_tmp_file:s0
/data/app-ephemeral/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0 /data/media(/.*)? u:object_r:media_rw_data_file:s0

10
private/platform_app.te
View file

@ -14,10 +14,10 @@ bluetooth_domain(platform_app)
allow platform_app shell_data_file:dir search; allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read }; allow platform_app shell_data_file:file { open getattr read };
allow platform_app icon_file:file { open getattr read }; allow platform_app icon_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files # Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server. # created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms; allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms; allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search; allow platform_app apk_private_data_file:dir search;
# ASEC # ASEC
allow platform_app asec_apk_file:dir create_dir_perms; allow platform_app asec_apk_file:dir create_dir_perms;
@ -56,8 +56,4 @@ allow platform_app vr_manager_service:service_manager find;
allow platform_app preloads_data_file:file r_file_perms; allow platform_app preloads_data_file:file r_file_perms;
allow platform_app preloads_data_file:dir r_dir_perms; allow platform_app preloads_data_file:dir r_dir_perms;
# Access to ephemeral APKs
allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
allow platform_app ephemeral_apk_data_file:file r_file_perms;
read_runtime_log_tags(platform_app) read_runtime_log_tags(platform_app)

2
private/seapp_contexts
View file

@ -94,6 +94,6 @@ user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=ephemeral_data_file levelFrom=all user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user user=_app domain=untrusted_app type=app_data_file levelFrom=user

1
private/webview_zygote.te
View file

@ -79,7 +79,6 @@ neverallow webview_zygote {
nfc_data_file nfc_data_file
radio_data_file radio_data_file
shell_data_file shell_data_file
ephemeral_data_file
}:file { rwx_file_perms }; }:file { rwx_file_perms };
neverallow webview_zygote { neverallow webview_zygote {

4
public/adbd.te
View file

@ -82,8 +82,8 @@ userdebug_or_eng(`
') ')
# ndk-gdb invokes adb forward to forward the gdbserver socket. # ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd { app_data_file ephemeral_data_file }:dir search; allow adbd app_data_file:dir search;
allow adbd { app_data_file ephemeral_data_file }:sock_file write; allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto; allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so. # ndk-gdb invokes adb pull of app_process, linker, and libc.so.

4
public/dex2oat.te
View file

@ -2,7 +2,7 @@
type dex2oat, domain, domain_deprecated; type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type; type dex2oat_exec, exec_type, file_type;
r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file}) r_dir_file(dex2oat, apk_data_file)
allow dex2oat tmpfs:file { read getattr }; allow dex2oat tmpfs:file { read getattr };
@ -19,7 +19,7 @@ allow dex2oat installd:fd use;
allow dex2oat asec_apk_file:file read; allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read; allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read; allow dex2oat oemfs:file read;
allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read; allow dex2oat apk_tmp_file:file read;
allow dex2oat user_profile_data_file:file { getattr read lock }; allow dex2oat user_profile_data_file:file { getattr read lock };
# Allow dex2oat to compile app's secondary dex files which were reported back to # Allow dex2oat to compile app's secondary dex files which were reported back to

1
public/domain.te
View file

@ -309,7 +309,6 @@ neverallow {
-dalvikcache_data_file -dalvikcache_data_file
-system_data_file # shared libs in apks -system_data_file # shared libs in apks
-apk_data_file -apk_data_file
-ephemeral_apk_data_file
}:file no_x_file_perms; }:file no_x_file_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;

2
public/drmserver.te
View file

@ -21,7 +21,7 @@ allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir create_dir_perms; allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms; allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms; allow drmserver tee_device:chr_file rw_file_perms;
allow drmserver { app_data_file ephemeral_data_file}:file { read write getattr }; allow drmserver app_data_file:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr }; allow drmserver sdcard_type:file { read write getattr };
r_dir_file(drmserver, efs_file) r_dir_file(drmserver, efs_file)

4
public/file.te
View file

@ -103,9 +103,6 @@ type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps # /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type; type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject; type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-ephemeral - ephemeral apps
type ephemeral_apk_data_file, file_type, data_file_type;
type ephemeral_apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache # /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type; type dalvikcache_data_file, file_type, data_file_type;
# /data/ota # /data/ota
@ -181,7 +178,6 @@ type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
# /data/data subdirectories - app sandboxes # /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type; type app_data_file, file_type, data_file_type;
type ephemeral_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps. # /data/data subdirectory for system UID apps.
type system_app_data_file, file_type, data_file_type, mlstrustedobject; type system_app_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4. # Compatibility with type name used in Android 4.3 and 4.4.

12
public/installd.te
View file

@ -9,13 +9,13 @@ allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file { relabelto link }; allow installd dalvikcache_data_file:file { relabelto link };
# Allow movement of APK files between volumes # Allow movement of APK files between volumes
allow installd {apk_data_file ephemeral_apk_data_file}:dir { create_dir_perms relabelfrom }; allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd {apk_data_file ephemeral_apk_data_file}:file { create_file_perms relabelfrom link }; allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd {apk_data_file ephemeral_apk_data_file}:lnk_file { create r_file_perms unlink }; allow installd apk_data_file:lnk_file { create r_file_perms unlink };
allow installd asec_apk_file:file r_file_perms; allow installd asec_apk_file:file r_file_perms;
allow installd {apk_tmp_file ephemeral_apk_tmp_file}:file { r_file_perms unlink }; allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd {apk_tmp_file ephemeral_apk_tmp_file}:dir { relabelfrom create_dir_perms }; allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms; allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms; allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms; allow installd cgroup:dir create_dir_perms;
@ -88,7 +88,6 @@ allow installd {
radio_data_file radio_data_file
shell_data_file shell_data_file
app_data_file app_data_file
ephemeral_data_file
}:dir { create_dir_perms relabelfrom relabelto }; }:dir { create_dir_perms relabelfrom relabelto };
allow installd { allow installd {
@ -98,7 +97,6 @@ allow installd {
radio_data_file radio_data_file
shell_data_file shell_data_file
app_data_file app_data_file
ephemeral_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto }; }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Similar for the files under /data/misc/profiles/ # Similar for the files under /data/misc/profiles/

12
public/system_server.te
View file

@ -272,12 +272,6 @@ allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms; allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms; allow system_server apk_private_tmp_file:file create_file_perms;
# Manage /data/app-ephemeral
allow system_server ephemeral_apk_data_file:dir create_dir_perms;
allow system_server ephemeral_apk_data_file:file create_file_perms;
allow system_server ephemeral_apk_tmp_file:dir create_dir_perms;
allow system_server ephemeral_apk_tmp_file:file create_file_perms;
# Manage files within asec containers. # Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms; allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms; allow system_server asec_apk_file:file create_file_perms;
@ -326,7 +320,7 @@ allow system_server zoneinfo_data_file:file create_file_perms;
# Walk /data/data subdirectories. # Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields. # Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file ephemeral_data_file }:dir { getattr read search }; allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and # Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2. # for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms; allow system_server unlabeled:dir r_dir_perms;
@ -349,8 +343,8 @@ allow system_server media_rw_data_file:dir { search getattr open read };
allow system_server media_rw_data_file:file { getattr read write append }; allow system_server media_rw_data_file:file { getattr read write append };
# Relabel apk files. # Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file }:{ dir file } { relabelfrom relabelto }; allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file ephemeral_apk_data_file}:{ dir file } { relabelfrom relabelto }; allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper. # Relabel wallpaper.
allow system_server system_data_file:file relabelfrom; allow system_server system_data_file:file relabelfrom;