Start locking down access to services from ephemeral apps

am: 6237d8b787

Change-Id: If9bf7dca01053f813d1986fa93d4f112968dc918
Alex Klyubin 2017-03-02 20:06:30 +00:00 committed by android-build-merger
commit 3f2398333c
3 changed files with 79 additions and 77 deletions


@ -20,8 +20,7 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
# services # services
allow ephemeral_app surfaceflinger_service:service_manager find; allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find; allow ephemeral_app radio_service:service_manager find;
# TODO: Replace app_api_service with a smaller ephemeral_api_service allow ephemeral_app ephemeral_app_api_service:service_manager find;
allow ephemeral_app app_api_service:service_manager find;
### ###
### neverallow rules ### neverallow rules
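Review bot: The new `allow ephemeral_app ephemeral_app_api_service:service_manager find;` rule drops the old TODO, but the narrowing is small so far. Among the type declarations visible in this commit, only sec_key_att_app_id_provider_service, wallpaper_service, wifip2p_service and wifi_service keep app_api_service without gaining the new attribute. Services such as device_policy_service, backup_service, usb_service and network_management_service therefore stay findable from ephemeral apps. I would keep a marker above the rule, for example `# TODO: shrink ephemeral_app_api_service; it still covers most of app_api_service`, so the follow-up trimming is tracked. A guard in the neverallow section that begins just below, such as `neverallow ephemeral_app { service_manager_type -ephemeral_app_api_service -surfaceflinger_service -radio_service }:service_manager find;`, would make the allowlist enforceable at build time, provided no other rule outside this hunk grants ephemeral_app further finds, which cannot be confirmed from here.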


@ -76,6 +76,9 @@ attribute system_server_service;
# services which should be available to all but isolated apps # services which should be available to all but isolated apps
attribute app_api_service; attribute app_api_service;
# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;
# services which export only system_api # services which export only system_api
attribute system_api_service; attribute system_api_service;


@ -1,5 +1,5 @@
type audioserver_service, service_manager_type; type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, service_manager_type; type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type; type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type; type cameraserver_service, service_manager_type;
type default_android_service, service_manager_type; type default_android_service, service_manager_type;
@ -29,113 +29,113 @@ type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type; type virtual_touchpad_service, service_manager_type;
# system_server_services broken down # system_server_services broken down
type accessibility_service, app_api_service, system_server_service, service_manager_type; type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type account_service, app_api_service, system_server_service, service_manager_type; type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type activity_service, app_api_service, system_server_service, service_manager_type; type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, system_server_service, service_manager_type; type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, system_server_service, service_manager_type; type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, system_server_service, service_manager_type; type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, system_server_service, service_manager_type; type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, system_server_service, service_manager_type; type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, system_server_service, service_manager_type; type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type backup_service, app_api_service, system_server_service, service_manager_type; type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, system_server_service, service_manager_type; type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type; type battery_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type; type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type; type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, system_server_service, service_manager_type; type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type; type contexthub_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, system_server_service, service_manager_type; type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type; type commontime_management_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, system_server_service, service_manager_type; type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, system_server_service, service_manager_type; type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, system_server_service, service_manager_type; type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, system_server_service, service_manager_type; type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, system_server_service, service_manager_type; type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, system_server_service, service_manager_type; type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
# with EMMA_INSTRUMENT=true. We should consider locking this down in the future. # with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
type coverage_service, system_server_service, service_manager_type; type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type; type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type; type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type; type device_policy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, system_server_service, service_manager_type; type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, system_server_service, service_manager_type; type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type; type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type; type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, system_server_service, service_manager_type; type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, system_server_service, service_manager_type; type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type; type netd_listener_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type; type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, system_server_service, service_manager_type; type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, system_server_service, service_manager_type; type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type; type ethernet_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type; type fingerprint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type; type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, system_server_service, service_manager_type; type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type; type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, system_server_service, service_manager_type; type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, system_api_service, system_server_service, service_manager_type; type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, system_server_service, service_manager_type; type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, system_server_service, service_manager_type; type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, system_server_service, service_manager_type; type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, system_server_service, service_manager_type; type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, system_server_service, service_manager_type; type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, system_server_service, service_manager_type; type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type lock_settings_service, system_api_service, system_server_service, service_manager_type; type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, system_server_service, service_manager_type; type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, system_server_service, service_manager_type; type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, system_server_service, service_manager_type; type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type; type meminfo_service, system_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, system_server_service, service_manager_type; type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, system_server_service, service_manager_type; type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, system_server_service, service_manager_type; type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, system_server_service, service_manager_type; type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, system_server_service, service_manager_type; type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type; type network_score_service, system_api_service, system_server_service, service_manager_type;
type network_time_update_service, system_server_service, service_manager_type; type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, system_server_service, service_manager_type; type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type; type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_server_service, service_manager_type; type overlay_service, system_server_service, service_manager_type;
type package_service, app_api_service, system_server_service, service_manager_type; type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, system_server_service, service_manager_type; type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type; type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type; type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, system_server_service, service_manager_type; type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, system_server_service, service_manager_type; type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type; type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type; type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type; type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, system_server_service, service_manager_type; type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, system_server_service, service_manager_type; type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, system_server_service, service_manager_type; type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type; type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type; type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, system_server_service, service_manager_type; type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type; type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, system_server_service, service_manager_type; type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type; type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, system_server_service, service_manager_type; type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type settings_service, app_api_service, system_server_service, service_manager_type; type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type shortcut_service, app_api_service, system_server_service, service_manager_type; type shortcut_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, system_server_service, service_manager_type; type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, system_server_service, service_manager_type; type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type; type task_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, system_server_service, service_manager_type; type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, system_server_service, service_manager_type; type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, system_server_service, service_manager_type; type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type; type trust_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, system_server_service, service_manager_type; type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, system_server_service, service_manager_type; type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type; type updatelock_service, system_api_service, system_server_service, service_manager_type;
type usagestats_service, app_api_service, system_server_service, service_manager_type; type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type; type usb_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, system_server_service, service_manager_type; type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, system_server_service, service_manager_type; type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, system_server_service, service_manager_type; type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type; type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type; type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, system_server_service, service_manager_type; type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type; type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type; type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type; type wifi_service, app_api_service, system_server_service, service_manager_type;