tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Pull keychain-data policy out of system-data

Browse source 
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
This commit is contained in:
Robin Lee 2014-10-13 12:10:08 +01:00
parent ebfd9f8719
commit 51bfecf49d
7 changed files with 28 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app.te
View file

@ -53,6 +53,12 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
allow appdomain system_data_file:dir r_dir_perms; allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod }; allow appdomain system_data_file:file { execute execute_no_trans open execmod };
# Keychain and user-trusted credentials
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
allow appdomain misc_user_data_file:dir r_dir_perms;
allow appdomain misc_user_data_file:file r_file_perms;
# Access to OEM provided data and apps # Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms; allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms; allow appdomain oemfs:file rx_file_perms;

2
file.te
View file

@ -78,9 +78,11 @@ type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type; type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type; type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type; type camera_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type; type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type; type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type; type media_rw_data_file, file_type, data_file_type;
type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type; type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type; type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type; type radio_data_file, file_type, data_file_type;

2
file_contexts
View file

@ -203,12 +203,14 @@
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0 /data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0 /data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0 /data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0 /data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0 /data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0 /data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0 /data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0 /data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0 /data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0 /data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0 /data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0

6
installd.te
View file

@ -37,6 +37,12 @@ allow installd media_rw_data_file:file { getattr unlink };
allow installd system_data_file:dir relabelfrom; allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto; allow installd media_rw_data_file:dir relabelto;
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
allow installd keychain_data_file:dir create_dir_perms;
allow installd keychain_data_file:file {r_file_perms unlink};
# Create /data/.layout_version.* file # Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file; type_transition installd system_data_file:file install_data_file;
allow installd install_data_file:file create_file_perms; allow installd install_data_file:file create_file_perms;

8
system_app.te
View file

@ -12,10 +12,16 @@ binder_service(system_app)
allow system_app system_app_data_file:dir create_dir_perms; allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:file create_file_perms; allow system_app system_app_data_file:file create_file_perms;
# Read /data/misc/keychain subdirectory.
allow system_app keychain_data_file:dir r_dir_perms;
allow system_app keychain_data_file:file r_file_perms;
# Read and write to other system-owned /data directories, such as # Read and write to other system-owned /data directories, such as
# /data/system/cache and /data/misc/keychain. # /data/system/cache and /data/misc/user.
allow system_app system_data_file:dir create_dir_perms; allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms; allow system_app system_data_file:file create_file_perms;
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
# Audit writes to these directories and files so we can identify # Audit writes to these directories and files so we can identify
# and possibly move these directories into their own type in the future. # and possibly move these directories into their own type in the future.
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename }; auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };

2
system_server.te
View file

@ -170,6 +170,8 @@ allow system_server tun_device:chr_file rw_file_perms;
# Manage system data files. # Manage system data files.
allow system_server system_data_file:dir create_dir_perms; allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms; allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
# Manage /data/app. # Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms; allow system_server apk_data_file:dir create_dir_perms;

3
zygote.te
View file

@ -21,6 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
# Read system data. # Read system data.
allow zygote system_data_file:dir r_dir_perms; allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms; allow zygote system_data_file:file r_file_perms;
# Read system security data.
allow zygote keychain_data_file:dir r_dir_perms;
allow zygote keychain_data_file:file r_file_perms;
# Write to /data/dalvik-cache. # Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms; allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms; allow zygote dalvikcache_data_file:file create_file_perms;