Address various denials introduced by JB/4.1.
This commit is contained in:
parent
c331d0fefa
commit
1c7351652c
5 changed files with 15 additions and 6 deletions
10
app.te
10
app.te
|
@ -40,8 +40,8 @@ allow media_app mtp_device:chr_file rw_file_perms;
|
|||
allow media_app cache_file:dir rw_dir_perms;
|
||||
allow media_app cache_file:file create_file_perms;
|
||||
# Access sdcard.
|
||||
allow media_app sdcard:dir rw_dir_perms;
|
||||
allow media_app sdcard:file rw_file_perms;
|
||||
allow media_app sdcard:dir create_dir_perms;
|
||||
allow media_app sdcard:file create_file_perms;
|
||||
|
||||
# Apps signed with the shared key.
|
||||
type shared_app, domain;
|
||||
|
@ -119,8 +119,12 @@ allow appdomain zygote_tmpfs:file read;
|
|||
# Notify zygote of death;
|
||||
allow appdomain zygote:process sigchld;
|
||||
|
||||
# Communicate over a FIFO to system processes.
|
||||
# Communicate over a FIFO or socket created by the system_server.
|
||||
allow appdomain system:fifo_file rw_file_perms;
|
||||
allow appdomain system:unix_stream_socket { read write };
|
||||
|
||||
# Communicate over a socket created by surfaceflinger.
|
||||
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
|
||||
|
||||
# App sandbox file accesses.
|
||||
allow appdomain app_data_file:dir create_dir_perms;
|
||||
|
|
|
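Review bot: The new `allow appdomain surfaceflinger:unix_stream_socket { read write setopt };` in the second hunk grants every app domain, untrusted apps included, setsockopt on sockets labeled as surfaceflinger's, and neither comment records which denial or which socket option motivated `setopt`. Since no `connectto` is granted here, this presumably reaches only socket ends handed to the app by fd, and that assumption is worth writing down so a later reader does not widen it: `# No connectto is granted: only surfaceflinger sockets passed to the app by fd are reachable; setopt is for the app's own end (TODO: record the sockopt from the denial).` If the denied option is known, also consider whether `setopt` is needed for all of appdomain or only the domain that produced the denial. The same question applies to the first hunk, where media_app's sdcard access moves from rw to create perms (which add unlink and rename); a one-line comment naming the operations that actually failed would justify the wider grant.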
@ -7,7 +7,7 @@ allow sdcardd cgroup:dir create_dir_perms;
|
|||
allow sdcardd fuse_device:chr_file rw_file_perms;
|
||||
allow sdcardd rootfs:dir mounton;
|
||||
allow sdcardd sdcard:filesystem mount;
|
||||
allow sdcardd self:capability { setuid setgid };
|
||||
allow sdcardd self:capability { setuid setgid dac_override };
|
||||
allow sdcardd system_data_file:dir create_dir_perms;
|
||||
allow sdcardd system_data_file:file create_file_perms;
|
||||
|
||||
|
|
|
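Review bot: The new `dac_override` in `allow sdcardd self:capability { setuid setgid dac_override };` bypasses all discretionary permission checks for sdcardd, and the hunk records neither the path nor the operation that was denied. If the denial was for reading or traversing a directory, `dac_read_search` is the narrower capability; if it was for writing, fixing the ownership or group of the backing directory so sdcardd's uid/gid can reach it would avoid the capability altogether. At minimum the justification should be inline, e.g. `# dac_override: needed to <operation> on <path> (owned by <uid>); use dac_read_search if read/search access suffices.`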
@ -23,5 +23,7 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
|
|||
# Create and use netlink kobject uevent sockets.
|
||||
allow surfaceflinger self:netlink_kobject_uevent_socket *;
|
||||
|
||||
# ctl interface
|
||||
# Set properties.
|
||||
allow surfaceflinger system_prop:property_service set;
|
||||
allow surfaceflinger ctl_default_prop:property_service set;
|
||||
|
||||
|
|
|
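Review bot: On the new side surfaceflinger may `set` both `system_prop` and `ctl_default_prop`, and `ctl_default_prop` covers every `ctl.*` property, which lets the process start or stop any init service; the rendered hunk does not show which of the two rules is the newly added one, but the replacement comment `# Set properties.` names no property at all. surfaceflinger consumes graphics buffers from every app, so a compromise of it would inherit the ability to stop or restart arbitrary services. Consider declaring a dedicated property type in property_contexts for the specific `ctl.` target it uses (presumably a single service start/stop — confirm against the denial) and granting `set` only on that type, or at least record the target inline, e.g. `# Set properties: ctl.start/ctl.stop of <service>; system_prop for <property>.`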
@ -107,6 +107,9 @@ unix_socket_connect(system, gps, gpsd)
|
|||
unix_socket_connect(system, bluetooth, bluetoothd)
|
||||
unix_socket_send(system, wpa, wpa)
|
||||
|
||||
# Communicate over a socket created by surfaceflinger.
|
||||
allow system surfaceflinger:unix_stream_socket { read write setopt };
|
||||
|
||||
# Perform Binder IPC.
|
||||
tmpfs_domain(system)
|
||||
binder_use(system)
|
||||
|
|
2
vold.te
2
vold.te
|
@ -53,7 +53,7 @@ allow vold kernel:system module_request;
|
|||
allow vold proc:file write;
|
||||
|
||||
# Create and mount on /data/tmp_mnt.
|
||||
allow vold system_data_file:dir { write create add_name mounton };
|
||||
allow vold system_data_file:dir { open read write create add_name mounton };
|
||||
|
||||
# Property Service
|
||||
allow vold vold_prop:property_service set;
|
||||
|
|
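Review bot: The widened `allow vold system_data_file:dir { open read write create add_name mounton };` lets vold list any directory labeled system_data_file, which presumably includes /data itself and its subdirectories without a more specific label, while the comment names a single fixed path, /data/tmp_mnt. Because the mount point is fixed, giving it its own type in file_contexts and moving these permissions onto that type would also remove the pre-existing need for `write add_name mounton` on every system_data_file directory. If that is deferred, the comment should say why directory reads are now needed, e.g. `# open/read: vold inspects the directory before mounting on it (TODO: confirm against the denial).`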