am 77d4731e
: Make all domains unconfined.
* commit '77d4731e9d30c8971e076e2469d6957619019921': Make all domains unconfined.
This commit is contained in:
commit
0f60427d2e
41 changed files with 58 additions and 1264 deletions
43
adbd.te
43
adbd.te
|
@ -1,41 +1,8 @@
|
|||
# adbd seclabel is specified in init.rc since
|
||||
# it lives in the rootfs and has no unique file type.
|
||||
type adbd, domain, mlstrustedsubject;
|
||||
allow adbd adb_device:chr_file rw_file_perms;
|
||||
allow adbd qemu_device:chr_file rw_file_perms;
|
||||
allow adbd self:capability { net_raw setgid setuid setpcap dac_override sys_boot sys_admin };
|
||||
allow adbd rootfs:file { r_file_perms entrypoint };
|
||||
allow adbd init:process sigchld;
|
||||
allow adbd self:tcp_socket *;
|
||||
allow adbd self:unix_stream_socket *;
|
||||
allow adbd node:tcp_socket node_bind;
|
||||
allow adbd port:tcp_socket name_bind;
|
||||
allow adbd devpts:chr_file rw_file_perms;
|
||||
allow adbd cgroup:dir { write add_name create };
|
||||
allow adbd labeledfs:filesystem remount;
|
||||
allow adbd shell_data_file:dir rw_dir_perms;
|
||||
allow adbd shell_data_file:file create_file_perms;
|
||||
allow adbd sdcard_type:dir create_dir_perms;
|
||||
allow adbd sdcard_type:file create_file_perms;
|
||||
|
||||
allow adbd graphics_device:dir search;
|
||||
allow adbd graphics_device:chr_file r_file_perms;
|
||||
# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
|
||||
allow adbd system_file:file rx_file_perms;
|
||||
unix_socket_connect(adbd, vold, vold)
|
||||
# Talk to init via the property socket.
|
||||
unix_socket_connect(adbd, property, init)
|
||||
|
||||
# Run sh in its own domain.
|
||||
type adbd, domain;
|
||||
permissive adbd;
|
||||
unconfined_domain(adbd)
|
||||
domain_auto_trans(adbd, shell_exec, shell)
|
||||
# Do not sanitize the environment of the shell.
|
||||
allow adbd shell:process noatsecure;
|
||||
|
||||
# XXX Mostly to access system properties and keys- maybe those should be their own type?
|
||||
allow adbd system_data_file:file create_file_perms;
|
||||
allow adbd system_data_file:dir create_dir_perms;
|
||||
|
||||
# Perform binder IPC to surfaceflinger (screencap)
|
||||
# XXX Run screencap in a separate domain?
|
||||
binder_use(adbd)
|
||||
binder_call(adbd, surfaceflinger)
|
||||
# this is an entrypoint
|
||||
allow adbd rootfs:file entrypoint;
|
||||
|
|
149
app.te
149
app.te
|
@ -14,21 +14,7 @@ platform_app_domain(platform_app)
|
|||
net_domain(platform_app)
|
||||
# Access bluetooth.
|
||||
bluetooth_domain(platform_app)
|
||||
# Write to /cache.
|
||||
allow platform_app cache_file:dir rw_dir_perms;
|
||||
allow platform_app cache_file:file create_file_perms;
|
||||
# Read from /data/local.
|
||||
allow platform_app shell_data_file:dir search;
|
||||
allow platform_app shell_data_file:file { open getattr read };
|
||||
allow platform_app shell_data_file:lnk_file read;
|
||||
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
|
||||
# created by system server.
|
||||
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
|
||||
allow platform_app apk_private_data_file:dir search;
|
||||
# ASEC
|
||||
allow platform_app asec_apk_file:dir create_dir_perms;
|
||||
allow platform_app asec_apk_file:file create_file_perms;
|
||||
allow platform_app download_file:file rw_file_perms;
|
||||
unconfined_domain(platform_app)
|
||||
|
||||
# Apps signed with the media key.
|
||||
type media_app, domain;
|
||||
|
@ -37,22 +23,7 @@ app_domain(media_app)
|
|||
platform_app_domain(media_app)
|
||||
# Access the network.
|
||||
net_domain(media_app)
|
||||
# Access /dev/mtp_usb.
|
||||
allow media_app mtp_device:chr_file rw_file_perms;
|
||||
# Write to /cache.
|
||||
allow media_app cache_file:dir rw_dir_perms;
|
||||
allow media_app cache_file:file create_file_perms;
|
||||
# Stat /cache/lost+found
|
||||
allow media_app unlabeled:file getattr;
|
||||
allow media_app unlabeled:dir getattr;
|
||||
# Stat /cache/backup
|
||||
allow media_app cache_backup_file:file getattr;
|
||||
allow media_app cache_backup_file:dir getattr;
|
||||
# Read files in the rootdir
|
||||
allow media_app rootfs:file r_file_perms;
|
||||
# Allow platform apps to mark platform app data files as download files
|
||||
allow media_app platform_app_data_file:dir relabelfrom;
|
||||
allow media_app download_file:dir relabelto;
|
||||
unconfined_domain(media_app)
|
||||
|
||||
# Apps signed with the shared key.
|
||||
type shared_app, domain;
|
||||
|
@ -63,8 +34,7 @@ platform_app_domain(shared_app)
|
|||
net_domain(shared_app)
|
||||
# Access bluetooth.
|
||||
bluetooth_domain(shared_app)
|
||||
# ASEC
|
||||
r_dir_file(shared_app, asec_apk_file)
|
||||
unconfined_domain(shared_app)
|
||||
|
||||
# Apps signed with the release key (testkey in AOSP).
|
||||
type release_app, domain;
|
||||
|
@ -75,6 +45,7 @@ platform_app_domain(release_app)
|
|||
net_domain(release_app)
|
||||
# Access bluetooth.
|
||||
bluetooth_domain(release_app)
|
||||
unconfined_domain(release_app)
|
||||
|
||||
# Services with isolatedProcess=true in their manifest.
|
||||
# In order for isolated_apps to interact with apps that have levelFromUid=true
|
||||
|
@ -82,18 +53,7 @@ bluetooth_domain(release_app)
|
|||
type isolated_app, domain, mlstrustedsubject;
|
||||
permissive isolated_app;
|
||||
app_domain(isolated_app)
|
||||
|
||||
#
|
||||
# Rules for platform app domains.
|
||||
#
|
||||
|
||||
# App sandbox file accesses.
|
||||
allow platformappdomain platform_app_data_file:dir create_dir_perms;
|
||||
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
|
||||
# App sdcard file accesses
|
||||
allow platformappdomain sdcard_type:dir create_dir_perms;
|
||||
allow platformappdomain sdcard_type:file create_file_perms;
|
||||
|
||||
unconfined_domain(isolated_app)
|
||||
|
||||
#
|
||||
# Untrusted apps.
|
||||
|
@ -103,101 +63,4 @@ permissive untrusted_app;
|
|||
app_domain(untrusted_app)
|
||||
net_domain(untrusted_app)
|
||||
bluetooth_domain(untrusted_app)
|
||||
allow untrusted_app tun_device:chr_file rw_file_perms;
|
||||
|
||||
# Internal SDCard rw access.
|
||||
bool app_internal_sdcard_rw true;
|
||||
if (app_internal_sdcard_rw) {
|
||||
allow untrusted_app sdcard_internal:dir create_dir_perms;
|
||||
allow untrusted_app sdcard_internal:file create_file_perms;
|
||||
}
|
||||
# External SDCard rw access.
|
||||
bool app_external_sdcard_rw true;
|
||||
if (app_external_sdcard_rw) {
|
||||
allow untrusted_app sdcard_external:dir create_dir_perms;
|
||||
allow untrusted_app sdcard_external:file create_file_perms;
|
||||
}
|
||||
|
||||
#
|
||||
# Rules for all app domains.
|
||||
#
|
||||
|
||||
# Allow apps to connect to the keystore
|
||||
unix_socket_connect(appdomain, keystore, keystore)
|
||||
|
||||
# Receive and use open file descriptors inherited from zygote.
|
||||
allow appdomain zygote:fd use;
|
||||
|
||||
# Read system properties managed by zygote.
|
||||
allow appdomain zygote_tmpfs:file read;
|
||||
|
||||
# Notify zygote of death;
|
||||
allow appdomain zygote:process sigchld;
|
||||
|
||||
# Communicate over a FIFO or socket created by the system_server.
|
||||
allow appdomain system:fifo_file rw_file_perms;
|
||||
allow appdomain system:unix_stream_socket { read write setopt };
|
||||
|
||||
# Communicate over a socket created by surfaceflinger.
|
||||
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
|
||||
|
||||
# App sandbox file accesses.
|
||||
allow appdomain app_data_file:dir create_dir_perms;
|
||||
allow appdomain app_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
# Read/write data files created by the platform apps if they
|
||||
# were passed to the app via binder or local IPC. Do not allow open.
|
||||
allow appdomain platform_app_data_file:file { getattr read write };
|
||||
|
||||
# lib subdirectory of /data/data dir is system-owned.
|
||||
allow appdomain system_data_file:dir r_dir_perms;
|
||||
allow appdomain system_data_file:file { execute open };
|
||||
|
||||
# Execute the shell or other system executables.
|
||||
allow appdomain shell_exec:file rx_file_perms;
|
||||
allow appdomain system_file:file rx_file_perms;
|
||||
|
||||
# Read/write wallpaper file (opened by system).
|
||||
allow appdomain wallpaper_file:file { read write };
|
||||
|
||||
# Write to /data/anr/traces.txt.
|
||||
allow appdomain anr_data_file:dir search;
|
||||
allow appdomain anr_data_file:file { open append };
|
||||
|
||||
# Write to /proc/net/xt_qtaguid/ctrl file.
|
||||
allow appdomain qtaguid_proc:file rw_file_perms;
|
||||
# Everybody can read the xt_qtaguid resource tracking misc dev.
|
||||
# So allow all apps to read from /dev/xt_qtaguid.
|
||||
allow appdomain qtaguid_device:chr_file r_file_perms;
|
||||
|
||||
# Use the Binder.
|
||||
binder_use(appdomain)
|
||||
# Perform binder IPC to binder services.
|
||||
binder_call(appdomain, binderservicedomain)
|
||||
# Perform binder IPC to other apps.
|
||||
binder_call(appdomain, appdomain)
|
||||
|
||||
# Appdomain interaction with isolated apps
|
||||
r_dir_file(appdomain, isolated_app)
|
||||
|
||||
# Already connected, unnamed sockets being passed over some other IPC
|
||||
# hence no sock_file or connectto permission. This appears to be how
|
||||
# Chrome works, may need to be updated as more apps using isolated services
|
||||
# are examined.
|
||||
allow appdomain isolated_app:unix_stream_socket { read write };
|
||||
allow isolated_app appdomain:unix_stream_socket { read write };
|
||||
|
||||
# Backup ability for every app. BMS opens and passes the fd
|
||||
# to any app that has backup ability. Hence, no open permissions here.
|
||||
allow { appdomain isolated_app } backup_data_file:file { read write };
|
||||
allow { appdomain isolated_app } cache_backup_file:file { read write };
|
||||
# Backup ability using 'adb backup'
|
||||
allow { appdomain isolated_app } system_data_file:lnk_file getattr;
|
||||
|
||||
# Allow all applications to read downloaded files
|
||||
allow appdomain download_file:file r_file_perms;
|
||||
file_type_auto_trans(appdomain, download_file, download_file)
|
||||
|
||||
# ASEC
|
||||
allow untrusted_app asec_apk_file:dir { getattr };
|
||||
allow untrusted_app asec_apk_file:file r_file_perms;
|
||||
unconfined_domain(untrusted_app)
|
||||
|
|
52
assert.te
52
assert.te
|
@ -1,52 +0,0 @@
|
|||
# Policy assertions.
|
||||
# These neverallow rules are checked by checkpolicy at policy build time.
|
||||
# checkpolicy will refuse to generate the kernel policy if any of these
|
||||
# assertions fail.
|
||||
|
||||
# Superuser capabilities.
|
||||
# Only exception is sys_nice for binder, might not be necessary.
|
||||
neverallow { appdomain -bluetooth } self:capability ~sys_nice;
|
||||
neverallow bluetooth self:capability ~{ sys_nice net_admin };
|
||||
neverallow appdomain self:capability2 *;
|
||||
|
||||
# Block device access.
|
||||
neverallow appdomain dev_type:blk_file { read write };
|
||||
|
||||
# Kernel memory access.
|
||||
neverallow appdomain kmem_device:chr_file { read write };
|
||||
|
||||
# Setting SELinux enforcing status or booleans.
|
||||
# Conditionally allowed to system_app for SEAndroidManager.
|
||||
neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
|
||||
|
||||
# Load security policy.
|
||||
neverallow appdomain kernel:security load_policy;
|
||||
|
||||
# Privileged netlink socket interfaces.
|
||||
neverallow appdomain self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *;
|
||||
|
||||
# Access to /proc/pid entries for any non-app domain.
|
||||
# Violated by cts.te rules so commented out for now.
|
||||
#neverallow appdomain { domain - appdomain }:dir search;
|
||||
#neverallow appdomain { domain - appdomain }:lnk_file read;
|
||||
#neverallow appdomain { domain - appdomain }:file { read write };
|
||||
|
||||
# ptrace access to non-app domains.
|
||||
neverallow appdomain { domain -appdomain }:process ptrace;
|
||||
|
||||
# Transition to a non-app domain.
|
||||
# Shell excluded since it has a transition to runas.
|
||||
neverallow { appdomain -shell } ~appdomain:process { transition dyntransition };
|
||||
|
||||
# Map low memory.
|
||||
neverallow appdomain self:memprotect mmap_zero;
|
||||
|
||||
# Write to /system.
|
||||
neverallow appdomain system_file:dir_file_class_set write;
|
||||
|
||||
# Write to system-owned parts of /data.
|
||||
# This is the default type for anything under /data not otherwise
|
||||
# specified in file_contexts. Define a different type for portions
|
||||
# that should be writable by apps.
|
||||
# Exception for system_app for Settings.
|
||||
neverallow { appdomain -system_app } system_data_file:dir_file_class_set write;
|
35
bluetooth.te
35
bluetooth.te
|
@ -2,37 +2,4 @@
|
|||
type bluetooth, domain;
|
||||
permissive bluetooth;
|
||||
app_domain(bluetooth)
|
||||
|
||||
# Data file accesses.
|
||||
allow bluetooth bluetooth_data_file:dir create_dir_perms;
|
||||
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
# bluetooth factory file accesses.
|
||||
r_dir_file(bluetooth, bluetooth_efs_file)
|
||||
|
||||
# Device accesses.
|
||||
allow bluetooth { hci_attach_dev }:chr_file rw_file_perms;
|
||||
allow bluetooth input_device:chr_file write;
|
||||
|
||||
# sysfs access.
|
||||
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
|
||||
allow bluetooth self:capability net_admin;
|
||||
|
||||
# Other domains that can create and use bluetooth sockets.
|
||||
# SELinux does not presently define a specific socket class for
|
||||
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
|
||||
allow bluetoothdomain self:socket *;
|
||||
allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
|
||||
|
||||
# tethering
|
||||
allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
|
||||
allow bluetooth efs_file:dir search;
|
||||
|
||||
# Talk to init over the property socket.
|
||||
unix_socket_connect(bluetooth, property, init)
|
||||
|
||||
# Property Service
|
||||
allow bluetooth bluetooth_prop:property_service set;
|
||||
|
||||
# proc access.
|
||||
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
|
||||
unconfined_domain(bluetooth)
|
||||
|
|
|
@ -4,8 +4,4 @@ permissive bluetoothd;
|
|||
type bluetoothd_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(bluetoothd)
|
||||
allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
|
||||
allow bluetoothd self:socket *;
|
||||
allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
|
||||
allow bluetoothd bluetoothd_data_file:file create_file_perms;
|
||||
unix_socket_connect(bluetoothd, dbus, dbusd)
|
||||
unconfined_domain(bluetoothd)
|
||||
|
|
39
cts.te
39
cts.te
|
@ -1,39 +0,0 @@
|
|||
#
|
||||
# Rules to allow the Android CTS to run.
|
||||
# Do not enable in production policy.
|
||||
#
|
||||
|
||||
bool android_cts false;
|
||||
if (android_cts) {
|
||||
# For TestDeviceSetup (RootProcessScanner).
|
||||
# Reads /proc/pid/status and statm entries to check that
|
||||
# no unexpected root processes are running.
|
||||
# Also for android.security.cts.VoldExploitTest.
|
||||
# Requires ability to read /proc/pid/cmdline of vold.
|
||||
allow appdomain domain:dir r_dir_perms;
|
||||
allow appdomain domain:{ file lnk_file } r_file_perms;
|
||||
|
||||
# Will still fail when trying to read other app /proc/pid
|
||||
# entries due to MLS constraints. Just silence the denials.
|
||||
dontaudit appdomain appdomain:dir r_dir_perms;
|
||||
dontaudit appdomain appdomain:file r_file_perms;
|
||||
|
||||
# For android.permission.cts.FileSystemPermissionTest.
|
||||
# Walk the file tree, stat any file in order to check file permissions.
|
||||
allow appdomain fs_type:dir r_dir_perms;
|
||||
allow appdomain dev_type:dir r_dir_perms;
|
||||
allow appdomain file_type:dir_file_class_set getattr;
|
||||
allow appdomain dev_type:dir_file_class_set getattr;
|
||||
allow appdomain fs_type:dir_file_class_set getattr;
|
||||
|
||||
# Tries to open /dev/alarm for writing but expects failure.
|
||||
dontaudit appdomain alarm_device:chr_file write;
|
||||
|
||||
# For android.security.cts.VoldExploitTest.
|
||||
# Tries to create and use a netlink kobject uevent socket
|
||||
# to test for a vulnerable vold.
|
||||
dontaudit appdomain self:netlink_kobject_uevent_socket create;
|
||||
|
||||
# Tries to override DAC restrictions but expects to fail.
|
||||
dontaudit shell self:capability dac_override;
|
||||
}
|
4
dbusd.te
4
dbusd.te
|
@ -4,6 +4,4 @@ permissive dbusd;
|
|||
type dbusd_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(dbusd)
|
||||
# Reads /proc/pid/cmdline of clients
|
||||
r_dir_file(dbusd, system)
|
||||
r_dir_file(dbusd, bluetoothd)
|
||||
unconfined_domain(dbusd)
|
||||
|
|
15
debuggerd.te
15
debuggerd.te
|
@ -4,17 +4,4 @@ permissive debuggerd;
|
|||
type debuggerd_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(debuggerd)
|
||||
typeattribute debuggerd mlstrustedsubject;
|
||||
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
|
||||
allow debuggerd self:capability2 { syslog };
|
||||
allow debuggerd domain:dir r_dir_perms;
|
||||
allow debuggerd domain:file r_file_perms;
|
||||
allow debuggerd domain:process ptrace;
|
||||
security_access_policy(debuggerd)
|
||||
allow debuggerd system_data_file:dir create_dir_perms;
|
||||
allow debuggerd system_data_file:dir relabelfrom;
|
||||
allow debuggerd tombstone_data_file:dir relabelto;
|
||||
allow debuggerd tombstone_data_file:dir create_dir_perms;
|
||||
allow debuggerd tombstone_data_file:file create_file_perms;
|
||||
allow debuggerd domain:process { sigstop signal };
|
||||
allow debuggerd exec_type:file r_file_perms;
|
||||
unconfined_domain(debuggerd)
|
||||
|
|
25
dhcp.te
25
dhcp.te
|
@ -6,29 +6,6 @@ type dhcp_system_file, file_type, data_file_type;
|
|||
|
||||
init_daemon_domain(dhcp)
|
||||
net_domain(dhcp)
|
||||
|
||||
allow dhcp cgroup:dir { create write add_name };
|
||||
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
|
||||
allow dhcp self:packet_socket create_socket_perms;
|
||||
allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
|
||||
allow dhcp shell_exec:file rx_file_perms;
|
||||
allow dhcp system_file:file rx_file_perms;
|
||||
allow dhcp proc:file write;
|
||||
allow dhcp system_prop:property_service set ;
|
||||
allow dhcp dhcp_system_file:file rx_file_perms;
|
||||
allow dhcp dhcp_system_file:dir r_dir_perms;
|
||||
unix_socket_connect(dhcp, property, init)
|
||||
unconfined_domain(dhcp)
|
||||
|
||||
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
|
||||
allow dhcp dhcp_data_file:dir create_dir_perms;
|
||||
allow dhcp dhcp_data_file:file create_file_perms;
|
||||
|
||||
# PAN connections
|
||||
allow dhcp netd:fd use;
|
||||
allow dhcp netd:fifo_file rw_file_perms;
|
||||
allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
|
||||
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
|
||||
# netdev-bt-pan driver loading
|
||||
allow dhcp kernel:system module_request;
|
||||
|
||||
allow dhcp tty_device:chr_file { rw_file_perms };
|
||||
|
|
122
domain.te
122
domain.te
|
@ -1,122 +0,0 @@
|
|||
# Rules for all domains.
|
||||
|
||||
# Allow reaping by init.
|
||||
allow domain init:process sigchld;
|
||||
|
||||
# Read access to properties mapping.
|
||||
allow domain kernel:fd use;
|
||||
allow domain tmpfs:file { read getattr };
|
||||
|
||||
# Search /storage/emulated tmpfs mount.
|
||||
allow domain tmpfs:dir r_dir_perms;
|
||||
|
||||
# binder adjusts the nice value during IPC.
|
||||
allow domain self:capability sys_nice;
|
||||
|
||||
# Intra-domain accesses.
|
||||
allow domain self:process ~{ execstack execheap };
|
||||
allow domain self:fd use;
|
||||
allow domain self:dir r_dir_perms;
|
||||
allow domain self:lnk_file r_file_perms;
|
||||
allow domain self:{ fifo_file file } rw_file_perms;
|
||||
allow domain self:{ unix_dgram_socket unix_stream_socket } *;
|
||||
|
||||
# Inherit or receive open files from others.
|
||||
allow domain init:fd use;
|
||||
allow domain system:fd use;
|
||||
|
||||
# Connect to adbd and use a socket transferred from it.
|
||||
allow domain adbd:unix_stream_socket connectto;
|
||||
allow domain adbd:fd use;
|
||||
allow domain adbd:unix_stream_socket { getattr read write shutdown };
|
||||
|
||||
# Talk to debuggerd.
|
||||
allow domain debuggerd:process sigchld;
|
||||
allow domain debuggerd:unix_stream_socket connectto;
|
||||
|
||||
# Root fs.
|
||||
allow domain rootfs:dir r_dir_perms;
|
||||
allow domain rootfs:lnk_file { read getattr };
|
||||
|
||||
# Device accesses.
|
||||
allow domain device:dir search;
|
||||
allow domain dev_type:lnk_file read;
|
||||
allow domain devpts:dir search;
|
||||
allow domain device:file read;
|
||||
allow domain socket_device:dir search;
|
||||
allow domain owntty_device:chr_file rw_file_perms;
|
||||
allow domain null_device:chr_file rw_file_perms;
|
||||
allow domain zero_device:chr_file r_file_perms;
|
||||
allow domain ashmem_device:chr_file rw_file_perms;
|
||||
allow domain binder_device:chr_file rw_file_perms;
|
||||
allow domain ptmx_device:chr_file rw_file_perms;
|
||||
allow domain powervr_device:chr_file rw_file_perms;
|
||||
allow domain log_device:dir search;
|
||||
allow domain log_device:chr_file rw_file_perms;
|
||||
allow domain nv_device:chr_file rw_file_perms;
|
||||
allow domain alarm_device:chr_file r_file_perms;
|
||||
allow domain urandom_device:chr_file r_file_perms;
|
||||
allow domain random_device:chr_file r_file_perms;
|
||||
allow domain properties_device:file r_file_perms;
|
||||
|
||||
# Filesystem accesses.
|
||||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
||||
# System file accesses.
|
||||
allow domain system_file:dir r_dir_perms;
|
||||
allow domain system_file:file r_file_perms;
|
||||
allow domain system_file:file execute;
|
||||
allow domain system_file:lnk_file read;
|
||||
|
||||
# Read files already opened under /data.
|
||||
allow domain system_data_file:dir { search getattr };
|
||||
allow domain system_data_file:file { getattr read };
|
||||
allow domain system_data_file:lnk_file read;
|
||||
|
||||
# Read apk files under /data/app.
|
||||
allow domain apk_data_file:dir search;
|
||||
allow domain apk_data_file:file r_file_perms;
|
||||
|
||||
# Read /data/dalvik-cache.
|
||||
allow domain dalvikcache_data_file:dir { search getattr };
|
||||
allow domain dalvikcache_data_file:file r_file_perms;
|
||||
|
||||
# Read already opened /cache files.
|
||||
allow domain cache_file:dir r_dir_perms;
|
||||
allow domain cache_file:file { getattr read };
|
||||
allow domain cache_file:lnk_file read;
|
||||
|
||||
# For /acct/uid/*/tasks.
|
||||
allow domain cgroup:dir { search write };
|
||||
allow domain cgroup:file w_file_perms;
|
||||
|
||||
#Allow access to ion memory allocation device
|
||||
allow domain ion_device:chr_file rw_file_perms;
|
||||
|
||||
# For /sys/qemu_trace files in the emulator.
|
||||
bool in_qemu false;
|
||||
if (in_qemu) {
|
||||
allow domain sysfs:file rw_file_perms;
|
||||
}
|
||||
allow domain sysfs_writable:file rw_file_perms;
|
||||
|
||||
# Read access to pseudo filesystems.
|
||||
r_dir_file(domain, proc)
|
||||
r_dir_file(domain, sysfs)
|
||||
r_dir_file(domain, inotify)
|
||||
r_dir_file(domain, cgroup)
|
||||
|
||||
# debugfs access
|
||||
bool debugfs false;
|
||||
if (debugfs) {
|
||||
allow domain debugfs:dir r_dir_perms;
|
||||
allow domain debugfs:file rw_file_perms;
|
||||
} else {
|
||||
dontaudit domain debugfs:dir r_dir_perms;
|
||||
dontaudit domain debugfs:file rw_file_perms;
|
||||
}
|
||||
|
||||
# security files
|
||||
allow domain security_file:dir { search getattr };
|
||||
allow domain security_file:file getattr;
|
27
drmserver.te
27
drmserver.te
|
@ -4,29 +4,4 @@ permissive drmserver;
|
|||
type drmserver_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(drmserver)
|
||||
typeattribute drmserver mlstrustedsubject;
|
||||
|
||||
# Perform Binder IPC to system server.
|
||||
binder_use(drmserver)
|
||||
binder_call(drmserver, system)
|
||||
binder_call(drmserver, appdomain)
|
||||
binder_service(drmserver)
|
||||
|
||||
# Perform Binder IPC to mediaserver
|
||||
binder_call(drmserver, mediaserver)
|
||||
|
||||
# Talk to the tee
|
||||
allow drmserver tee:unix_stream_socket { connectto };
|
||||
|
||||
allow drmserver sdcard_type:dir search;
|
||||
allow drmserver drm_data_file:dir create_dir_perms;
|
||||
allow drmserver drm_data_file:file create_file_perms;
|
||||
allow drmserver self:{ tcp_socket udp_socket } *;
|
||||
allow drmserver port:tcp_socket name_connect;
|
||||
allow drmserver tee_device:chr_file rw_file_perms;
|
||||
allow drmserver platform_app_data_file:file { read write getattr };
|
||||
allow drmserver app_data_file:file { read write getattr };
|
||||
allow drmserver apk_data_file:dir { write add_name remove_name };
|
||||
allow drmserver apk_data_file:sock_file { create setattr unlink };
|
||||
allow drmserver sdcard_type:file { read write getattr };
|
||||
allow drmserver efs_file:file { open read getattr };
|
||||
unconfined_domain(drmserver)
|
||||
|
|
7
gpsd.te
7
gpsd.te
|
@ -5,13 +5,8 @@ type gpsd_exec, exec_type, file_type;
|
|||
|
||||
init_daemon_domain(gpsd)
|
||||
net_domain(gpsd)
|
||||
allow gpsd gps_data_file:dir rw_dir_perms;
|
||||
allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
|
||||
unconfined_domain(gpsd)
|
||||
# Socket is created by the daemon, not by init, and under /data/gps,
|
||||
# not under /dev/socket.
|
||||
type_transition gpsd gps_data_file:sock_file gps_socket;
|
||||
allow gpsd gps_socket:sock_file create_file_perms;
|
||||
# XXX Label sysfs files with a specific type?
|
||||
allow gpsd sysfs:file rw_file_perms;
|
||||
|
||||
allow gpsd gps_device:chr_file rw_file_perms;
|
||||
|
|
|
@ -3,8 +3,4 @@ permissive hci_attach;
|
|||
type hci_attach_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(hci_attach)
|
||||
|
||||
allow hci_attach kernel:system module_request;
|
||||
allow hci_attach hci_attach_dev:chr_file rw_file_perms;
|
||||
allow hci_attach bluetooth_efs_file:dir r_dir_perms;
|
||||
allow hci_attach bluetooth_efs_file:file r_file_perms;
|
||||
unconfined_domain(hci_attach)
|
||||
|
|
2
init.te
2
init.te
|
@ -4,3 +4,5 @@ permissive init;
|
|||
# init is unconfined.
|
||||
unconfined_domain(init)
|
||||
tmpfs_domain(init)
|
||||
# add a rule to handle unlabelled mounts
|
||||
allow init unlabeled:filesystem mount;
|
||||
|
|
|
@ -1,14 +1,5 @@
|
|||
# Restricted domain for shell processes spawned by init
|
||||
type init_shell, domain, mlstrustedsubject;
|
||||
type init_shell, domain;
|
||||
permissive init_shell;
|
||||
domain_auto_trans(init, shell_exec, init_shell)
|
||||
allow init_shell rootfs:dir r_dir_perms;
|
||||
allow init_shell devpts:chr_file rw_file_perms;
|
||||
allow init_shell tty_device:chr_file rw_file_perms;
|
||||
allow init_shell console_device:chr_file rw_file_perms;
|
||||
allow init_shell input_device:chr_file rw_file_perms;
|
||||
allow init_shell system_file:file x_file_perms;
|
||||
allow init_shell shell_exec:file rx_file_perms;
|
||||
allow init_shell zygote_exec:file rx_file_perms;
|
||||
|
||||
# setprop toolbox command
|
||||
unix_socket_connect(init_shell, property, init)
|
||||
unconfined_domain(init_shell)
|
||||
|
|
22
installd.te
22
installd.te
|
@ -4,24 +4,4 @@ permissive installd;
|
|||
type installd_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(installd)
|
||||
typeattribute installd mlstrustedsubject;
|
||||
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
|
||||
allow installd system_data_file:file create_file_perms;
|
||||
allow installd system_data_file:lnk_file create;
|
||||
allow installd dalvikcache_data_file:file create_file_perms;
|
||||
allow installd data_file_type:dir create_dir_perms;
|
||||
allow installd data_file_type:dir { relabelfrom relabelto };
|
||||
allow installd data_file_type:{ file lnk_file } { getattr unlink };
|
||||
allow installd apk_data_file:file r_file_perms;
|
||||
allow installd apk_tmp_file:file r_file_perms;
|
||||
allow installd system_file:file x_file_perms;
|
||||
allow installd cgroup:dir create_dir_perms;
|
||||
dontaudit installd self:capability sys_admin;
|
||||
# Check validity of SELinux context before use.
|
||||
selinux_check_context(installd)
|
||||
# Read /seapp_contexts and /data/security/seapp_contexts
|
||||
security_access_policy(installd)
|
||||
# ASEC
|
||||
allow installd platform_app_data_file:lnk_file { create setattr };
|
||||
allow installd app_data_file:lnk_file { create setattr };
|
||||
allow installd asec_apk_file:file r_file_perms;
|
||||
unconfined_domain(installd)
|
||||
|
|
|
@ -4,9 +4,4 @@ type keystore_exec, exec_type, file_type;
|
|||
|
||||
# keystore daemon
|
||||
init_daemon_domain(keystore)
|
||||
binder_use(keystore)
|
||||
binder_service(keystore)
|
||||
allow keystore keystore_data_file:dir create_dir_perms;
|
||||
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
||||
allow keystore keystore_exec:file { getattr };
|
||||
allow keystore tee_device:chr_file rw_file_perms;
|
||||
unconfined_domain(keystore)
|
||||
|
|
|
@ -3,52 +3,6 @@ type mediaserver, domain;
|
|||
permissive mediaserver;
|
||||
type mediaserver_exec, exec_type, file_type;
|
||||
|
||||
typeattribute mediaserver mlstrustedsubject;
|
||||
|
||||
net_domain(mediaserver)
|
||||
init_daemon_domain(mediaserver)
|
||||
unix_socket_connect(mediaserver, property, init)
|
||||
|
||||
r_dir_file(mediaserver, sdcard_type)
|
||||
|
||||
binder_use(mediaserver)
|
||||
binder_call(mediaserver, binderservicedomain)
|
||||
binder_call(mediaserver, appdomain)
|
||||
binder_service(mediaserver)
|
||||
|
||||
allow mediaserver kernel:system module_request;
|
||||
allow mediaserver app_data_file:dir search;
|
||||
allow mediaserver app_data_file:file rw_file_perms;
|
||||
allow mediaserver platform_app_data_file:file { getattr read };
|
||||
allow mediaserver sdcard_type:file write;
|
||||
allow mediaserver camera_device:chr_file rw_file_perms;
|
||||
allow mediaserver graphics_device:chr_file rw_file_perms;
|
||||
allow mediaserver video_device:chr_file rw_file_perms;
|
||||
allow mediaserver audio_device:dir r_dir_perms;
|
||||
allow mediaserver audio_device:chr_file rw_file_perms;
|
||||
allow mediaserver qemu_device:chr_file rw_file_perms;
|
||||
allow mediaserver tee_device:chr_file rw_file_perms;
|
||||
allow mediaserver audio_prop:property_service set;
|
||||
|
||||
# XXX Label with a specific type?
|
||||
allow mediaserver sysfs:file rw_file_perms;
|
||||
|
||||
# XXX Why?
|
||||
allow mediaserver apk_data_file:file { read getattr };
|
||||
|
||||
# To use remote processor
|
||||
allow mediaserver rpmsg_device:chr_file rw_file_perms;
|
||||
|
||||
# Inter System processes communicate over named pipe (FIFO)
|
||||
allow mediaserver system:fifo_file r_file_perms;
|
||||
|
||||
# Camera calibration
|
||||
allow mediaserver camera_calibration_file:dir r_dir_perms;
|
||||
allow mediaserver camera_calibration_file:file r_file_perms;
|
||||
|
||||
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
|
||||
allow mediaserver qtaguid_proc:file rw_file_perms;
|
||||
allow mediaserver qtaguid_device:chr_file r_file_perms;
|
||||
|
||||
# Allow abstract socket connection
|
||||
allow mediaserver rild:unix_stream_socket { connectto read write setopt };
|
||||
unconfined_domain(mediaserver)
|
||||
|
|
10
mtp.te
10
mtp.te
|
@ -5,12 +5,4 @@ type mtp_exec, exec_type, file_type;
|
|||
|
||||
init_daemon_domain(mtp)
|
||||
net_domain(mtp)
|
||||
|
||||
# pptp policy
|
||||
allow mtp self:tcp_socket { create setopt connect write read };
|
||||
allow mtp self:socket { create connect };
|
||||
allow mtp self:rawip_socket create;
|
||||
allow mtp self:capability net_raw;
|
||||
allow mtp ppp:process signal;
|
||||
allow mtp port:tcp_socket name_connect;
|
||||
allow mtp vpn_data_file:dir search;
|
||||
unconfined_domain(mtp)
|
||||
|
|
14
net.te
14
net.te
|
@ -2,17 +2,3 @@
|
|||
type node, node_type;
|
||||
type netif, netif_type;
|
||||
type port, port_type;
|
||||
|
||||
# Use network sockets.
|
||||
allow netdomain self:{ tcp_socket udp_socket } *;
|
||||
# Connect to ports.
|
||||
allow netdomain port_type:tcp_socket name_connect;
|
||||
# Bind to ports.
|
||||
allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
|
||||
allow netdomain port_type:udp_socket name_bind;
|
||||
allow netdomain port_type:tcp_socket name_bind;
|
||||
# Get route information.
|
||||
allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
|
||||
|
||||
# Talks to netd via dnsproxyd socket.
|
||||
unix_socket_connect(netdomain, dnsproxyd, netd)
|
||||
|
|
34
netd.te
34
netd.te
|
@ -1,38 +1,8 @@
|
|||
# network manager
|
||||
type netd, domain;
|
||||
permissive netd;
|
||||
type netd_exec, exec_type, file_type;
|
||||
|
||||
permissive netd;
|
||||
unconfined_domain(netd)
|
||||
init_daemon_domain(netd)
|
||||
typeattribute netd mlstrustedsubject;
|
||||
allow netd self:capability { net_admin net_raw sys_module kill };
|
||||
allow netd self:netlink_kobject_uevent_socket *;
|
||||
allow netd self:netlink_route_socket *;
|
||||
allow netd self:netlink_nflog_socket *;
|
||||
allow netd self:rawip_socket *;
|
||||
allow netd self:udp_socket *;
|
||||
allow netd node:udp_socket node_bind;
|
||||
allow netd port:udp_socket name_bind;
|
||||
allow netd self:unix_stream_socket *;
|
||||
allow netd shell_exec:file rx_file_perms;
|
||||
allow netd system_file:file x_file_perms;
|
||||
allow netd devpts:chr_file rw_file_perms;
|
||||
|
||||
# For /proc/sys/net/ipv[46]/route/flush.
|
||||
# XXX Split /proc/sys/net into its own type.
|
||||
allow netd proc:file write;
|
||||
|
||||
# For /sys/modules/bcmdhd/parameters/firmware_path
|
||||
# XXX Split into its own type.
|
||||
allow netd sysfs:file write;
|
||||
|
||||
# Network driver loading.
|
||||
allow netd kernel:system module_request;
|
||||
|
||||
# Set dhcp lease for PAN connection
|
||||
unix_socket_connect(netd, property, init)
|
||||
allow netd system_prop:property_service set;
|
||||
|
||||
# Connect to PAN
|
||||
domain_auto_trans(netd, dhcp_exec, dhcp)
|
||||
allow netd dhcp:process signal;
|
||||
|
|
11
nfc.te
11
nfc.te
|
@ -2,13 +2,4 @@
|
|||
type nfc, domain;
|
||||
permissive nfc;
|
||||
app_domain(nfc)
|
||||
|
||||
# NFC device access.
|
||||
allow nfc nfc_device:chr_file rw_file_perms;
|
||||
|
||||
# Data file accesses.
|
||||
allow nfc nfc_data_file:dir create_dir_perms;
|
||||
allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
|
||||
allow nfc sysfs:file write;
|
||||
unconfined_domain(nfc)
|
||||
|
|
10
ping.te
10
ping.te
|
@ -2,12 +2,4 @@ type ping, domain;
|
|||
permissive ping;
|
||||
type ping_exec, file_type;
|
||||
domain_auto_trans(shell, ping_exec, ping)
|
||||
|
||||
allow ping self:capability net_raw;
|
||||
allow ping self:rawip_socket create_socket_perms;
|
||||
allow ping self:udp_socket create_socket_perms;
|
||||
allow ping node:rawip_socket node_bind;
|
||||
allow ping dnsproxyd_socket:sock_file write;
|
||||
allow ping netd:unix_stream_socket connectto;
|
||||
allow ping devpts:chr_file rw_file_perms;
|
||||
allow ping shell:fd use;
|
||||
unconfined_domain(ping)
|
||||
|
|
12
ppp.te
12
ppp.te
|
@ -4,15 +4,5 @@ permissive ppp;
|
|||
type ppp_device, dev_type;
|
||||
type ppp_exec, exec_type, file_type;
|
||||
type ppp_system_file, file_type;
|
||||
|
||||
unconfined_domain(ppp)
|
||||
domain_auto_trans(mtp, ppp_exec, ppp)
|
||||
|
||||
allow ppp mtp:socket { read write ioctl };
|
||||
allow ppp ppp_device:chr_file rw_file_perms;
|
||||
allow ppp self:capability net_admin;
|
||||
allow ppp self:udp_socket { create ioctl };
|
||||
allow ppp ppp_system_file:dir search;
|
||||
allow ppp ppp_system_file:file rx_file_perms;
|
||||
allow ppp vpn_data_file:dir w_dir_perms;
|
||||
allow ppp vpn_data_file:file create_file_perms;
|
||||
allow ppp mtp:fd use;
|
||||
|
|
2
qemud.te
2
qemud.te
|
@ -4,4 +4,4 @@ permissive qemud;
|
|||
type qemud_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(qemud)
|
||||
allow qemud serial_device:chr_file rw_file_perms;
|
||||
unconfined_domain(qemud)
|
22
racoon.te
22
racoon.te
|
@ -3,24 +3,4 @@ type racoon, domain;
|
|||
permissive racoon;
|
||||
type racoon_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(racoon)
|
||||
typeattribute racoon mlstrustedsubject;
|
||||
|
||||
binder_call(racoon, servicemanager)
|
||||
binder_call(racoon, keystore)
|
||||
|
||||
allow racoon tun_device:chr_file r_file_perms;
|
||||
allow racoon cgroup:dir { add_name create };
|
||||
allow racoon kernel:system module_request;
|
||||
allow racoon port:udp_socket name_bind;
|
||||
allow racoon node:udp_socket node_bind;
|
||||
|
||||
allow racoon self:{ key_socket udp_socket } create_socket_perms;
|
||||
allow racoon self:tun_socket create;
|
||||
allow racoon self:capability { net_admin net_bind_service net_raw setuid };
|
||||
|
||||
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
|
||||
allow racoon ppp_system_file:file rx_file_perms;
|
||||
allow racoon ppp_system_file:dir search;
|
||||
allow racoon vpn_data_file:file create_file_perms;
|
||||
allow racoon vpn_data_file:dir w_dir_perms;
|
||||
unconfined_domain(racoon)
|
||||
|
|
18
radio.te
18
radio.te
|
@ -5,20 +5,4 @@ app_domain(radio)
|
|||
net_domain(radio)
|
||||
bluetooth_domain(radio)
|
||||
|
||||
# Talks to init via the property socket.
|
||||
unix_socket_connect(radio, property, init)
|
||||
|
||||
# Talks to rild via the rild socket.
|
||||
unix_socket_connect(radio, rild, rild)
|
||||
|
||||
# Data file accesses.
|
||||
allow radio radio_data_file:dir create_dir_perms;
|
||||
allow radio radio_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
allow radio alarm_device:chr_file rw_file_perms;
|
||||
|
||||
# Property service
|
||||
allow radio radio_prop:property_service set;
|
||||
|
||||
# ctl interface
|
||||
allow radio ctl_rildaemon_prop:property_service set;
|
||||
unconfined_domain(radio)
|
40
rild.te
40
rild.te
|
@ -5,42 +5,4 @@ type rild_exec, exec_type, file_type;
|
|||
|
||||
init_daemon_domain(rild)
|
||||
net_domain(rild)
|
||||
allow rild self:netlink_route_socket { setopt write };
|
||||
allow rild kernel:system module_request;
|
||||
unix_socket_connect(rild, property, init)
|
||||
unix_socket_connect(rild, qemud, qemud)
|
||||
allow rild self:capability { setuid net_admin net_raw };
|
||||
allow rild alarm_device:chr_file rw_file_perms;
|
||||
allow rild cgroup:dir create_dir_perms;
|
||||
allow rild radio_device:chr_file rw_file_perms;
|
||||
allow rild radio_device:blk_file r_file_perms;
|
||||
allow rild qemu_device:chr_file rw_file_perms;
|
||||
allow rild mtd_device:dir search;
|
||||
allow rild efs_file:dir create_dir_perms;
|
||||
allow rild efs_file:file create_file_perms;
|
||||
allow rild shell_exec:file rx_file_perms;
|
||||
allow rild bluetooth_efs_file:file r_file_perms;
|
||||
allow rild bluetooth_efs_file:dir r_dir_perms;
|
||||
allow rild radio_data_file:dir rw_dir_perms;
|
||||
allow rild radio_data_file:file create_file_perms;
|
||||
allow rild sdcard_type:dir r_dir_perms;
|
||||
allow rild system_data_file:dir create_dir_perms;
|
||||
allow rild system_data_file:file create_file_perms;
|
||||
allow rild system_file:file x_file_perms;
|
||||
dontaudit rild self:capability sys_admin;
|
||||
# XXX Label sysfs files with a specific type?
|
||||
allow rild sysfs:file rw_file_perms;
|
||||
|
||||
# property service
|
||||
allow rild rild_prop:property_service set;
|
||||
allow rild radio_prop:property_service set;
|
||||
|
||||
# Read/Write to uart driver (for GPS)
|
||||
allow rild gps_device:chr_file rw_file_perms;
|
||||
|
||||
allow rild tty_device:chr_file rw_file_perms;
|
||||
|
||||
# Allow rild to create, bind, read, write to itself through a netlink socket
|
||||
allow rild self:netlink_socket { create bind read write };
|
||||
|
||||
allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
|
||||
unconfined_domain(rild)
|
||||
|
|
66
runas.te
66
runas.te
|
@ -1,67 +1,7 @@
|
|||
type runas, domain, mlstrustedsubject;
|
||||
type runas, domain;
|
||||
type runas_exec, file_type;
|
||||
|
||||
bool support_runas true;
|
||||
|
||||
if (support_runas) {
|
||||
|
||||
# ndk-gdb invokes adb shell ps to find the app PID.
|
||||
r_dir_file(shell, untrusted_app)
|
||||
dontaudit shell domain:dir r_dir_perms;
|
||||
dontaudit shell domain:file r_file_perms;
|
||||
|
||||
# ndk-gdb invokes adb shell ls to check the app data dir.
|
||||
allow shell app_data_file:dir search;
|
||||
|
||||
# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
|
||||
allow shell untrusted_app:process sigkill;
|
||||
dontaudit shell self:capability { sys_ptrace kill };
|
||||
permissive runas;
|
||||
unconfined_domain(runas)
|
||||
|
||||
# ndk-gdb invokes adb shell run-as.
|
||||
domain_auto_trans(shell, runas_exec, runas)
|
||||
allow runas adbd:process sigchld;
|
||||
allow runas shell:fd use;
|
||||
allow runas devpts:chr_file { read write ioctl };
|
||||
|
||||
# run-as reads package information.
|
||||
allow runas system_data_file:file r_file_perms;
|
||||
|
||||
# run-as checks and changes to the app data dir.
|
||||
dontaudit runas self:capability dac_override;
|
||||
allow runas app_data_file:dir { getattr search };
|
||||
|
||||
# run-as switches to the app UID/GID.
|
||||
allow runas self:capability { setuid setgid };
|
||||
|
||||
# run-as switches to the app security context.
|
||||
# read /seapp_contexts and /data/security/seapp_contexts
|
||||
security_access_policy(runas)
|
||||
selinux_check_context(runas) # validate context
|
||||
allow runas untrusted_app:process dyntransition; # setcon
|
||||
|
||||
# run-as runs lib/gdbserver from the app data dir.
|
||||
allow untrusted_app system_data_file:file rx_file_perms;
|
||||
|
||||
# gdbserver reads the zygote.
|
||||
allow untrusted_app zygote_exec:file r_file_perms;
|
||||
|
||||
# (grand)child death notification.
|
||||
allow untrusted_app shell:process sigchld;
|
||||
allow untrusted_app adbd:process sigchld;
|
||||
|
||||
# child shell or gdbserver pty access.
|
||||
allow untrusted_app devpts:chr_file { getattr read write ioctl };
|
||||
|
||||
# gdbserver creates a socket in the app data dir.
|
||||
allow untrusted_app app_data_file:sock_file { create unlink };
|
||||
|
||||
# ndk-gdb invokes adb forward to forward the gdbserver socket.
|
||||
allow adbd app_data_file:dir search;
|
||||
allow adbd app_data_file:sock_file write;
|
||||
allow adbd untrusted_app:unix_stream_socket connectto;
|
||||
|
||||
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
|
||||
allow adbd zygote_exec:file r_file_perms;
|
||||
allow adbd system_file:file r_file_perms;
|
||||
|
||||
}
|
||||
|
|
|
@ -3,11 +3,4 @@ permissive sdcardd;
|
|||
type sdcardd_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(sdcardd)
|
||||
|
||||
allow sdcardd cgroup:dir create_dir_perms;
|
||||
allow sdcardd fuse_device:chr_file rw_file_perms;
|
||||
allow sdcardd rootfs:dir mounton;
|
||||
allow sdcardd sdcard_type:filesystem mount;
|
||||
allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
|
||||
allow sdcardd system_data_file:dir create_dir_perms;
|
||||
allow sdcardd system_data_file:file create_file_perms;
|
||||
unconfined_domain(sdcardd)
|
||||
|
|
|
@ -4,12 +4,4 @@ permissive servicemanager;
|
|||
type servicemanager_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(servicemanager)
|
||||
|
||||
# Note that we do not use the binder_* macros here.
|
||||
# servicemanager is unique in that it only provides
|
||||
# name service (aka context manager) for Binder.
|
||||
# As such, it only ever receives and transfers other references
|
||||
# created by other domains. It never passes its own references
|
||||
# or initiates a Binder IPC.
|
||||
allow servicemanager self:binder set_context_mgr;
|
||||
allow servicemanager domain:binder transfer;
|
||||
unconfined_domain(servicemanager)
|
||||
|
|
30
shell.te
30
shell.te
|
@ -1,34 +1,8 @@
|
|||
# Domain for shell processes spawned by ADB
|
||||
type shell, domain, mlstrustedsubject;
|
||||
type shell, domain;
|
||||
type shell_exec, file_type;
|
||||
allow shell rootfs:dir r_dir_perms;
|
||||
allow shell devpts:chr_file rw_file_perms;
|
||||
allow shell tty_device:chr_file rw_file_perms;
|
||||
allow shell console_device:chr_file rw_file_perms;
|
||||
allow shell input_device:chr_file rw_file_perms;
|
||||
allow shell system_file:file x_file_perms;
|
||||
allow shell shell_exec:file rx_file_perms;
|
||||
allow shell zygote_exec:file rx_file_perms;
|
||||
allow shell shell_data_file:dir create_dir_perms;
|
||||
allow shell shell_data_file:file create_file_perms;
|
||||
allow shell shell_data_file:file rx_file_perms;
|
||||
|
||||
# Access sdcard.
|
||||
allow shell sdcard_type:dir rw_dir_perms;
|
||||
allow shell sdcard_type:file create_file_perms;
|
||||
|
||||
r_dir_file(shell, apk_data_file)
|
||||
allow shell dalvikcache_data_file:file { write setattr };
|
||||
unconfined_domain(shell)
|
||||
|
||||
# Run app_process.
|
||||
# XXX Split into its own domain?
|
||||
app_domain(shell)
|
||||
|
||||
# Property Service
|
||||
allow shell shell_prop:property_service set;
|
||||
|
||||
# setprop toolbox command
|
||||
unix_socket_connect(shell, property, init)
|
||||
|
||||
# ctl interface
|
||||
allow shell ctl_dumpstate_prop:property_service set;
|
||||
|
|
|
@ -4,32 +4,7 @@ permissive surfaceflinger;
|
|||
type surfaceflinger_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(surfaceflinger)
|
||||
typeattribute surfaceflinger mlstrustedsubject;
|
||||
unconfined_domain(surfaceflinger)
|
||||
|
||||
# Talk to init over the property socket.
|
||||
unix_socket_connect(surfaceflinger, property, init)
|
||||
|
||||
# Perform Binder IPC.
|
||||
binder_use(surfaceflinger)
|
||||
binder_call(surfaceflinger, system)
|
||||
binder_service(surfaceflinger)
|
||||
allow surfaceflinger init:binder transfer;
|
||||
|
||||
# Access /dev/graphics/fb0.
|
||||
allow surfaceflinger graphics_device:dir search;
|
||||
allow surfaceflinger graphics_device:chr_file rw_file_perms;
|
||||
|
||||
# Access /dev/video1.
|
||||
allow surfaceflinger video_device:chr_file rw_file_perms;
|
||||
|
||||
# Create and use netlink kobject uevent sockets.
|
||||
allow surfaceflinger self:netlink_kobject_uevent_socket *;
|
||||
|
||||
# Set properties.
|
||||
allow surfaceflinger system_prop:property_service set;
|
||||
allow surfaceflinger ctl_default_prop:property_service set;
|
||||
|
||||
# Use open files supplied by an app.
|
||||
allow surfaceflinger appdomain:fd use;
|
||||
allow surfaceflinger platform_app_data_file:file { read write };
|
||||
allow surfaceflinger app_data_file:file { read write };
|
||||
|
|
223
system.te
223
system.te
|
@ -1,226 +1,11 @@
|
|||
#
|
||||
# Apps that run with the system UID, e.g. com.android.system.ui,
|
||||
# com.android.settings. These are not as privileged as the system
|
||||
# server.
|
||||
#
|
||||
type system_app, domain;
|
||||
permissive system_app;
|
||||
app_domain(system_app)
|
||||
unconfined_domain(system_app)
|
||||
|
||||
# Perform binder IPC to any app domain.
|
||||
binder_call(system_app, appdomain)
|
||||
|
||||
# Read and write system data files.
|
||||
# May want to split into separate types.
|
||||
allow system_app system_data_file:dir create_dir_perms;
|
||||
allow system_app system_data_file:file create_file_perms;
|
||||
|
||||
# Read wallpaper file.
|
||||
allow system_app wallpaper_file:file r_file_perms;
|
||||
|
||||
# Write to dalvikcache.
|
||||
allow system_app dalvikcache_data_file:file { write setattr };
|
||||
|
||||
# Talk to keystore.
|
||||
unix_socket_connect(system_app, keystore, keystore)
|
||||
|
||||
# Read SELinux enforcing status.
|
||||
selinux_getenforce(system)
|
||||
selinux_getenforce(system_app)
|
||||
|
||||
# Settings app reads sdcard for storage stats
|
||||
allow system_app sdcard_type:dir r_dir_perms;
|
||||
|
||||
#
|
||||
# System Server aka system_server spawned by zygote.
|
||||
# Most of the framework services run in this process.
|
||||
#
|
||||
type system, domain, mlstrustedsubject;
|
||||
|
||||
# Child of the zygote.
|
||||
allow system zygote:fd use;
|
||||
allow system zygote:process sigchld;
|
||||
allow system zygote_tmpfs:file read;
|
||||
|
||||
# system server gets network and bluetooth permissions.
|
||||
net_domain(system)
|
||||
bluetooth_domain(system)
|
||||
|
||||
# These are the capabilities assigned by the zygote to the
|
||||
# system server.
|
||||
# XXX See if we can remove some of these.
|
||||
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
|
||||
|
||||
# Triggered by /proc/pid accesses, not allowed.
|
||||
dontaudit system self:capability sys_ptrace;
|
||||
|
||||
# Trigger module auto-load.
|
||||
allow system kernel:system module_request;
|
||||
|
||||
# Use netlink uevent sockets.
|
||||
allow system self:netlink_kobject_uevent_socket *;
|
||||
|
||||
# Kill apps.
|
||||
allow system appdomain:process { sigkill signal };
|
||||
|
||||
# Set scheduling info for apps.
|
||||
allow system appdomain:process { getsched setsched };
|
||||
allow system mediaserver:process { getsched setsched };
|
||||
|
||||
# Read /proc data for apps.
|
||||
allow system appdomain:dir r_dir_perms;
|
||||
allow system appdomain:{ file lnk_file } rw_file_perms;
|
||||
|
||||
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
|
||||
allow system qtaguid_proc:file rw_file_perms;
|
||||
allow system qtaguid_device:chr_file rw_file_perms;
|
||||
|
||||
# WifiWatchdog uses a packet_socket
|
||||
allow system self:packet_socket *;
|
||||
|
||||
# Notify init of death.
|
||||
allow system init:process sigchld;
|
||||
|
||||
# 3rd party VPN clients require a tun_socket to be created
|
||||
allow system self:tun_socket create;
|
||||
|
||||
# Talk to init and various daemons via sockets.
|
||||
unix_socket_connect(system, property, init)
|
||||
unix_socket_connect(system, qemud, qemud)
|
||||
unix_socket_connect(system, installd, installd)
|
||||
unix_socket_connect(system, netd, netd)
|
||||
unix_socket_connect(system, vold, vold)
|
||||
unix_socket_connect(system, zygote, zygote)
|
||||
unix_socket_connect(system, keystore, keystore)
|
||||
unix_socket_connect(system, dbus, dbusd)
|
||||
unix_socket_connect(system, gps, gpsd)
|
||||
unix_socket_connect(system, bluetooth, bluetoothd)
|
||||
unix_socket_connect(system, racoon, racoon)
|
||||
unix_socket_send(system, wpa, wpa)
|
||||
unix_socket_send(system, wpa, init)
|
||||
|
||||
# Communicate over a socket created by surfaceflinger.
|
||||
allow system surfaceflinger:unix_stream_socket { read write setopt };
|
||||
|
||||
# Perform Binder IPC.
|
||||
tmpfs_domain(system)
|
||||
binder_use(system)
|
||||
binder_call(system, binderservicedomain)
|
||||
binder_call(system, appdomain)
|
||||
binder_service(system)
|
||||
|
||||
# Read /proc/pid files for Binder clients.
|
||||
r_dir_file(system, appdomain)
|
||||
r_dir_file(system, mediaserver)
|
||||
allow system appdomain:process getattr;
|
||||
allow system mediaserver:process getattr;
|
||||
|
||||
# Specify any arguments to zygote.
|
||||
allow system self:zygote *;
|
||||
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(system)
|
||||
|
||||
# XXX Label sysfs files with a specific type?
|
||||
allow system sysfs:file rw_file_perms;
|
||||
allow system sysfs_nfc_power_writable:file rw_file_perms;
|
||||
|
||||
# Access devices.
|
||||
allow system device:dir r_dir_perms;
|
||||
allow system device:sock_file rw_file_perms;
|
||||
allow system akm_device:chr_file rw_file_perms;
|
||||
allow system accelerometer_device:chr_file rw_file_perms;
|
||||
allow system alarm_device:chr_file rw_file_perms;
|
||||
allow system graphics_device:dir search;
|
||||
allow system graphics_device:chr_file rw_file_perms;
|
||||
allow system iio_device:chr_file rw_file_perms;
|
||||
allow system input_device:dir r_dir_perms;
|
||||
allow system input_device:chr_file rw_file_perms;
|
||||
allow system tty_device:chr_file rw_file_perms;
|
||||
allow system urandom_device:chr_file rw_file_perms;
|
||||
allow system usbaccessory_device:chr_file rw_file_perms;
|
||||
allow system video_device:chr_file rw_file_perms;
|
||||
allow system qemu_device:chr_file rw_file_perms;
|
||||
allow system devpts:chr_file rw_file_perms;
|
||||
|
||||
# tun device used for 3rd party vpn apps
|
||||
allow system tun_device:chr_file rw_file_perms;
|
||||
|
||||
# Manage data files.
|
||||
allow system data_file_type:dir create_dir_perms;
|
||||
allow system data_file_type:notdevfile_class_set create_file_perms;
|
||||
|
||||
# Read /file_contexts and /data/security/file_contexts
|
||||
security_access_policy(system)
|
||||
|
||||
# Relabel apk files.
|
||||
allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
|
||||
allow system { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
|
||||
|
||||
# Relabel wallpaper.
|
||||
allow system system_data_file:file relabelfrom;
|
||||
allow system wallpaper_file:file relabelto;
|
||||
allow system wallpaper_file:file rw_file_perms;
|
||||
|
||||
# Relabel /data/anr.
|
||||
allow system system_data_file:dir relabelfrom;
|
||||
allow system anr_data_file:dir relabelto;
|
||||
|
||||
# Property Service write
|
||||
allow system system_prop:property_service set;
|
||||
allow system radio_prop:property_service set;
|
||||
|
||||
# ctl interface
|
||||
allow system ctl_default_prop:property_service set;
|
||||
type system, domain;
|
||||
permissive system;
|
||||
unconfined_domain(system);
|
||||
|
||||
# Create a socket for receiving info from wpa.
|
||||
type_transition system wifi_data_file:sock_file system_wpa_socket;
|
||||
allow system system_wpa_socket:sock_file create_file_perms;
|
||||
|
||||
# Manage cache files.
|
||||
allow system cache_file:dir { relabelfrom create_dir_perms };
|
||||
allow system cache_file:file { relabelfrom create_file_perms };
|
||||
|
||||
# Run system programs, e.g. dexopt.
|
||||
allow system system_file:file x_file_perms;
|
||||
|
||||
# Allow reading of /proc/pid data for other domains.
|
||||
# XXX dontaudit candidate
|
||||
allow system domain:dir r_dir_perms;
|
||||
allow system domain:file r_file_perms;
|
||||
|
||||
# LocationManager(e.g, GPS) needs to read and write
|
||||
# to uart driver and ctrl proc entry
|
||||
allow system gps_device:chr_file rw_file_perms;
|
||||
allow system gps_control:file rw_file_perms;
|
||||
|
||||
# system Read/Write tcp/udp_socket of untrusted_app
|
||||
allow system appdomain:{ tcp_socket udp_socket } { setopt read write };
|
||||
|
||||
# Allow abstract socket connection
|
||||
allow system rild:unix_stream_socket connectto;
|
||||
|
||||
# connect to vpn tunnel
|
||||
allow system mtp:unix_stream_socket { connectto };
|
||||
|
||||
# BackupManagerService lets PMS create a data backup file
|
||||
allow system cache_backup_file:file create_file_perms;
|
||||
# Relabel /data/backup
|
||||
allow system backup_data_file:dir { relabelto relabelfrom };
|
||||
# Relabel /cache/.*\.{data|restore}
|
||||
allow system cache_backup_file:file { relabelto relabelfrom };
|
||||
# LocalTransport creates and relabels /cache/backup
|
||||
allow system cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
|
||||
|
||||
# Allow system to talk to usb device
|
||||
allow system usb_device:chr_file rw_file_perms;
|
||||
allow system usb_device:dir r_dir_perms;
|
||||
|
||||
# Allow system to talk to sensors
|
||||
allow system sensors_device:chr_file rw_file_perms;
|
||||
|
||||
# Allow system to search the /sys/devices/system/cpu directory
|
||||
allow system sysfs_devices_system_cpu:dir search;
|
||||
|
||||
# Allow system to write to the adbd_socket
|
||||
allow system adbd_socket:sock_file write;
|
||||
|
|
8
tee.te
8
tee.te
|
@ -2,14 +2,10 @@
|
|||
# trusted execution environment (tee) daemon
|
||||
#
|
||||
type tee, domain;
|
||||
permissive tee;
|
||||
type tee_exec, exec_type, file_type;
|
||||
type tee_device, dev_type;
|
||||
type tee_data_file, file_type, data_file_type;
|
||||
|
||||
permissive tee;
|
||||
unconfined_domain(netd)
|
||||
init_daemon_domain(tee)
|
||||
allow tee self:capability { dac_override };
|
||||
allow tee tee_device:chr_file rw_file_perms;
|
||||
allow tee tee_data_file:dir { getattr write add_name };
|
||||
allow tee tee_data_file:file create_file_perms;
|
||||
allow tee self:netlink_socket { create bind read };
|
||||
|
|
18
ueventd.te
18
ueventd.te
|
@ -3,21 +3,5 @@
|
|||
type ueventd, domain;
|
||||
permissive ueventd;
|
||||
tmpfs_domain(ueventd)
|
||||
write_klog(ueventd)
|
||||
security_access_policy(ueventd)
|
||||
unconfined_domain(ueventd)
|
||||
allow ueventd rootfs:file entrypoint;
|
||||
allow ueventd init:process sigchld;
|
||||
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
||||
allow ueventd device:file create_file_perms;
|
||||
allow ueventd device:chr_file rw_file_perms;
|
||||
allow ueventd sysfs:file rw_file_perms;
|
||||
allow ueventd sysfs:file setattr;
|
||||
allow ueventd sysfs_type:file { relabelfrom relabelto };
|
||||
allow ueventd tmpfs:chr_file rw_file_perms;
|
||||
allow ueventd dev_type:dir create_dir_perms;
|
||||
allow ueventd dev_type:lnk_file { create unlink };
|
||||
allow ueventd dev_type:chr_file { create setattr unlink };
|
||||
allow ueventd dev_type:blk_file { create setattr unlink };
|
||||
allow ueventd self:netlink_kobject_uevent_socket *;
|
||||
allow ueventd efs_file:dir search;
|
||||
allow ueventd efs_file:file r_file_perms;
|
||||
|
|
|
@ -19,5 +19,5 @@ allow unconfineddomain netif_type:netif *;
|
|||
allow unconfineddomain port_type:socket_class_set name_bind;
|
||||
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
|
||||
allow unconfineddomain domain:peer recv;
|
||||
allow unconfineddomain domain:binder { call transfer };
|
||||
allow unconfineddomain domain:binder { call transfer set_context_mgr };
|
||||
allow unconfineddomain property_type:property_service set;
|
||||
|
|
69
vold.te
69
vold.te
|
@ -4,71 +4,4 @@ permissive vold;
|
|||
type vold_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(vold)
|
||||
typeattribute vold mlstrustedsubject;
|
||||
allow vold system_file:file x_file_perms;
|
||||
allow vold block_device:dir create_dir_perms;
|
||||
allow vold block_device:blk_file create_file_perms;
|
||||
allow vold device:dir write;
|
||||
allow vold devpts:chr_file rw_file_perms;
|
||||
allow vold rootfs:dir mounton;
|
||||
allow vold sdcard_type:dir mounton;
|
||||
allow vold sdcard_type:filesystem { mount remount unmount };
|
||||
allow vold sdcard_type:dir create_dir_perms;
|
||||
allow vold tmpfs:filesystem { mount unmount };
|
||||
allow vold tmpfs:dir create_dir_perms;
|
||||
allow vold tmpfs:dir mounton;
|
||||
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
||||
allow vold self:netlink_kobject_uevent_socket *;
|
||||
allow vold app_data_file:dir search;
|
||||
allow vold app_data_file:file rw_file_perms;
|
||||
allow vold loop_device:blk_file rw_file_perms;
|
||||
allow vold dm_device:chr_file rw_file_perms;
|
||||
# For vold Process::killProcessesWithOpenFiles function.
|
||||
allow vold domain:dir r_dir_perms;
|
||||
allow vold domain:{ file lnk_file } r_file_perms;
|
||||
allow vold domain:process { signal sigkill };
|
||||
allow vold self:capability { sys_ptrace };
|
||||
# Grant vold the capability to reboot the system
|
||||
allow vold self:capability { sys_boot };
|
||||
|
||||
# XXX Label sysfs files with a specific type?
|
||||
allow vold sysfs:file rw_file_perms;
|
||||
|
||||
write_klog(vold)
|
||||
|
||||
#
|
||||
# Rules to support encrypted fs support.
|
||||
#
|
||||
|
||||
# Set property.
|
||||
unix_socket_connect(vold, property, init)
|
||||
|
||||
# Unmount and mount the fs.
|
||||
allow vold labeledfs:filesystem { mount unmount remount };
|
||||
|
||||
# Access /efs/userdata_footer.
|
||||
# XXX Split into a separate type?
|
||||
allow vold efs_file:file rw_file_perms;
|
||||
|
||||
# Request AES module.
|
||||
allow vold kernel:system module_request;
|
||||
|
||||
# Write to /proc/sysrq-trigger
|
||||
# XXX Label with a distinct type?
|
||||
allow vold proc:file write;
|
||||
|
||||
# Create and mount on /data/tmp_mnt.
|
||||
allow vold system_data_file:dir { create rw_dir_perms mounton };
|
||||
|
||||
# Set scheduling policy of kernel processes
|
||||
allow vold kernel:process setsched;
|
||||
|
||||
# Property Service
|
||||
allow vold vold_prop:property_service set;
|
||||
|
||||
# ASEC
|
||||
allow vold asec_image_file:file create_file_perms;
|
||||
allow vold asec_image_file:dir rw_dir_perms;
|
||||
security_access_policy(vold)
|
||||
allow vold asec_apk_file:dir { rw_dir_perms setattr };
|
||||
allow vold asec_apk_file:file { r_file_perms setattr };
|
||||
unconfined_domain(vold)
|
||||
|
|
|
@ -1,9 +1,4 @@
|
|||
# watchdogd seclabel is specified in init.<board>.rc
|
||||
type watchdogd, domain;
|
||||
permissive watchdogd;
|
||||
allow watchdogd rootfs:file { entrypoint r_file_perms };
|
||||
allow watchdogd self:capability mknod;
|
||||
allow watchdogd device:dir { add_name write remove_name };
|
||||
allow watchdogd watchdog_device:chr_file rw_file_perms;
|
||||
# because of /dev/__kmsg__ and /dev/__null__
|
||||
allow watchdogd device:chr_file create_file_perms;
|
||||
unconfined_domain(watchdogd)
|
||||
|
|
|
@ -4,18 +4,5 @@ permissive wpa;
|
|||
type wpa_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(wpa)
|
||||
allow wpa kernel:system module_request;
|
||||
allow wpa self:capability { setuid net_admin setgid net_raw };
|
||||
allow wpa cgroup:dir create_dir_perms;
|
||||
allow wpa self:netlink_route_socket *;
|
||||
allow wpa self:netlink_socket *;
|
||||
allow wpa self:packet_socket *;
|
||||
allow wpa self:udp_socket *;
|
||||
allow wpa wifi_data_file:dir create_dir_perms;
|
||||
allow wpa wifi_data_file:file create_file_perms;
|
||||
unix_socket_send(wpa, system_wpa, system)
|
||||
allow wpa random_device:chr_file r_file_perms;
|
||||
|
||||
# Create a socket for receiving info from wpa
|
||||
unconfined_domain(wpa)
|
||||
type_transition wpa wifi_data_file:sock_file wpa_socket;
|
||||
allow wpa wpa_socket:sock_file create_file_perms;
|
||||
|
|
41
zygote.te
41
zygote.te
|
@ -1,44 +1,7 @@
|
|||
# zygote
|
||||
type zygote, domain;
|
||||
permissive zygote;
|
||||
type zygote_exec, exec_type, file_type;
|
||||
|
||||
permissive zygote;
|
||||
init_daemon_domain(zygote)
|
||||
typeattribute zygote mlstrustedsubject;
|
||||
# Override DAC on files and switch uid/gid.
|
||||
allow zygote self:capability { dac_override setgid setuid };
|
||||
# Drop capabilities from bounding set.
|
||||
allow zygote self:capability setpcap;
|
||||
# Switch SELinux context to app domains.
|
||||
allow zygote system:process dyntransition;
|
||||
allow zygote appdomain:process dyntransition;
|
||||
# Move children into the peer process group.
|
||||
allow zygote system:process { getpgid setpgid };
|
||||
allow zygote appdomain:process { getpgid setpgid };
|
||||
# Write to system data.
|
||||
allow zygote system_data_file:dir rw_dir_perms;
|
||||
allow zygote system_data_file:file create_file_perms;
|
||||
allow zygote dalvikcache_data_file:dir rw_dir_perms;
|
||||
allow zygote dalvikcache_data_file:file create_file_perms;
|
||||
# Execute dexopt.
|
||||
allow zygote system_file:file x_file_perms;
|
||||
# Control cgroups.
|
||||
allow zygote cgroup:dir create_dir_perms;
|
||||
allow zygote self:capability sys_admin;
|
||||
# Check validity of SELinux context before use.
|
||||
selinux_check_context(zygote)
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(zygote)
|
||||
# Read /seapp_contexts and /data/security/seapp_contexts
|
||||
security_access_policy(zygote)
|
||||
|
||||
# Setting up /storage/emulated.
|
||||
allow zygote rootfs:dir mounton;
|
||||
allow zygote sdcard_type:dir { write search setattr create add_name mounton };
|
||||
dontaudit zygote self:capability fsetid;
|
||||
allow zygote tmpfs:dir { write create add_name setattr mounton search };
|
||||
allow zygote tmpfs:filesystem mount;
|
||||
allow zygote labeledfs:filesystem remount;
|
||||
|
||||
# Handle --invoke-with command when launching Zygote with a wrapper command.
|
||||
allow zygote zygote_exec:file { execute_no_trans open };
|
||||
unconfined_domain(zygote)
|
||||
|
|
Loading…
Reference in a new issue