Annotate MLS trusted subjects and objects.
When using MLS (i.e. enabling levelFrom= in seapp_contexts), certain domains and types must be exempted from the normal constraints defined in the mls file. Beyond the current set, adbd, logd, mdnsd, netd, and servicemanager need to be able to read/write to any level in order to communicate with apps running with any level, and the logdr and logdw sockets need to be writable by apps running with any level. This change has no impact unless levelFrom= is specified in seapp_contexts, so by itself it is a no-op. Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
5fc825c917
commit
45731c70ef
6 changed files with 7 additions and 7 deletions
2
adbd.te
2
adbd.te
|
@ -1,6 +1,6 @@
|
||||||
# adbd seclabel is specified in init.rc since
|
# adbd seclabel is specified in init.rc since
|
||||||
# it lives in the rootfs and has no unique file type.
|
# it lives in the rootfs and has no unique file type.
|
||||||
type adbd, domain;
|
type adbd, domain, mlstrustedsubject;
|
||||||
|
|
||||||
userdebug_or_eng(`
|
userdebug_or_eng(`
|
||||||
allow adbd self:process setcurrent;
|
allow adbd self:process setcurrent;
|
||||||
|
|
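Review bot: The `type adbd, domain, mlstrustedsubject;` line exempts adbd from every constraint in the mls file, but the policy carries no comment recording why, so a later reader only finds the rationale in the commit message. A one-line comment above the declaration, such as `# mlstrustedsubject: adbd must communicate with apps at any MLS level (levelFrom= in seapp_contexts)`, would keep that rationale next to the rule; the same applies to the logd.te, mdnsd.te, netd.te and servicemanager.te hunks below. Because adbd now crosses levels freely (and on userdebug/eng builds may also change its own context via the `setcurrent` rule in the hunk's context lines), it is worth stating in that comment that MLS is not relied on to separate app data from adbd and that the type-enforcement rules remain the boundary.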
4
file.te
4
file.te
|
@ -133,8 +133,8 @@ type installd_socket, file_type;
|
||||||
type lmkd_socket, file_type;
|
type lmkd_socket, file_type;
|
||||||
type logd_debug, file_type;
|
type logd_debug, file_type;
|
||||||
type logd_socket, file_type;
|
type logd_socket, file_type;
|
||||||
type logdr_socket, file_type;
|
type logdr_socket, file_type, mlstrustedobject;
|
||||||
type logdw_socket, file_type;
|
type logdw_socket, file_type, mlstrustedobject;
|
||||||
type mdns_socket, file_type;
|
type mdns_socket, file_type;
|
||||||
type mdnsd_socket, file_type;
|
type mdnsd_socket, file_type;
|
||||||
type mtpd_socket, file_type;
|
type mtpd_socket, file_type;
|
||||||
|
|
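Review bot: Marking `logdr_socket` and `logdw_socket` as `mlstrustedobject` removes MLS mediation on both the write and the read side of the log, so records written by an app at one level become reachable through logd by a reader at another level, and the hunk adds nothing that bounds that flow. This matches the commit's stated intent, but whether logd itself filters reads per client is not visible here and should be confirmed, since MLS no longer does it. A comment on the two lines, such as `# mlstrustedobject: written/read by apps at any MLS level; cross-level flow is mediated by logd, not MLS`, would record that dependency for anyone reviewing the mls constraints later.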
2
logd.te
2
logd.te
|
@ -1,5 +1,5 @@
|
||||||
# android user-space log manager
|
# android user-space log manager
|
||||||
type logd, domain;
|
type logd, domain, mlstrustedsubject;
|
||||||
type logd_exec, exec_type, file_type;
|
type logd_exec, exec_type, file_type;
|
||||||
|
|
||||||
init_daemon_domain(logd)
|
init_daemon_domain(logd)
|
||||||
|
|
2
mdnsd.te
2
mdnsd.te
|
@ -1,5 +1,5 @@
|
||||||
# mdns daemon
|
# mdns daemon
|
||||||
type mdnsd, domain;
|
type mdnsd, domain, mlstrustedsubject;
|
||||||
type mdnsd_exec, exec_type, file_type;
|
type mdnsd_exec, exec_type, file_type;
|
||||||
|
|
||||||
init_daemon_domain(mdnsd)
|
init_daemon_domain(mdnsd)
|
||||||
|
|
2
netd.te
2
netd.te
|
@ -1,5 +1,5 @@
|
||||||
# network manager
|
# network manager
|
||||||
type netd, domain;
|
type netd, domain, mlstrustedsubject;
|
||||||
type netd_exec, exec_type, file_type;
|
type netd_exec, exec_type, file_type;
|
||||||
|
|
||||||
init_daemon_domain(netd)
|
init_daemon_domain(netd)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
# servicemanager - the Binder context manager
|
# servicemanager - the Binder context manager
|
||||||
type servicemanager, domain;
|
type servicemanager, domain, mlstrustedsubject;
|
||||||
type servicemanager_exec, exec_type, file_type;
|
type servicemanager_exec, exec_type, file_type;
|
||||||
|
|
||||||
init_daemon_domain(servicemanager)
|
init_daemon_domain(servicemanager)
|
||||||
|
|