am 356f4be6: Restrict requesting contexts other than policy-defined defaults.
* commit '356f4be679544363466dad93e7bee68b2a6f2cf0': Restrict requesting contexts other than policy-defined defaults.
This commit is contained in:
Stephen Smalley
Android Git Automerger
commit
3ea6027a71
8 changed files with 18 additions and 1 deletions
1
adbd.te
1
adbd.te
|
|
@ -3,6 +3,7 @@
|
|||
type adbd, domain;
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow adbd self:process setcurrent;
|
||||
allow adbd su:process dyntransition;
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ allow domain tmpfs:file { read getattr };
|
|||
allow domain tmpfs:dir r_dir_perms;
|
||||
|
||||
# Intra-domain accesses.
|
||||
allow domain self:process ~{ execmem execstack execheap ptrace };
|
||||
allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
|
||||
allow domain self:fd use;
|
||||
allow domain self:dir r_dir_perms;
|
||||
allow domain self:lnk_file r_file_perms;
|
||||
|
|
|
|||
6
init.te
6
init.te
|
|
@ -27,3 +27,9 @@ allow init watchdogd:process transition;
|
|||
# the directory as part of a recursive restorecon.
|
||||
allow init keystore_data_file:dir { open create read getattr setattr search };
|
||||
allow init keystore_data_file:file { getattr };
|
||||
|
||||
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
||||
# setexec is for services with seclabel options.
|
||||
# setfscreate is for labeling directories and socket files.
|
||||
# setsockcreate is for labeling local/unix domain sockets.
|
||||
allow init self:process { setexec setfscreate setsockcreate };
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
# Life begins with the kernel.
|
||||
type kernel, domain;
|
||||
|
||||
# setcon to init domain.
|
||||
allow kernel self:process setcurrent;
|
||||
allow kernel init:process dyntransition;
|
||||
|
||||
# The kernel is unconfined.
|
||||
|
|
|
|||
|
|
@ -15,3 +15,6 @@ allow recovery dev_type:blk_file rw_file_perms;
|
|||
allow recovery self:process execmem;
|
||||
allow recovery ashmem_device:chr_file execute;
|
||||
allow recovery tmpfs:file rx_file_perms;
|
||||
|
||||
# Use setfscreatecon() to label files for OTA updates.
|
||||
allow recovery self:process setfscreate;
|
||||
|
|
|
|||
1
runas.te
1
runas.te
|
|
@ -21,4 +21,5 @@ allow runas self:capability { setuid setgid };
|
|||
# read /seapp_contexts and /data/security/seapp_contexts
|
||||
security_access_policy(runas)
|
||||
selinux_check_context(runas) # validate context
|
||||
allow runas self:process setcurrent;
|
||||
allow runas non_system_app_set:process dyntransition; # setcon
|
||||
|
|
|
|||
|
|
@ -20,3 +20,6 @@ allow ueventd dev_type:blk_file { create setattr unlink };
|
|||
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow ueventd efs_file:dir search;
|
||||
allow ueventd efs_file:file r_file_perms;
|
||||
|
||||
# Use setfscreatecon() to label /dev directories and files.
|
||||
allow ueventd self:process setfscreate;
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ allow zygote self:capability { dac_override setgid setuid fowner chown };
|
|||
# Drop capabilities from bounding set.
|
||||
allow zygote self:capability setpcap;
|
||||
# Switch SELinux context to app domains.
|
||||
allow zygote self:process setcurrent;
|
||||
allow zygote system_server:process dyntransition;
|
||||
allow zygote appdomain:process dyntransition;
|
||||
# Allow zygote to read app /proc/pid dirs (b/10455872)
|
||||
|
|
|
|||
Loading…
Reference in a new issue