Update policy for Android 4.2 / latest master.
Update policy for Android 4.2 / latest master. Primarily this consists of changes around the bluetooth subsystem. The zygote also needs further permissions to set up /storage/emulated. adbd service now gets a socket under /dev/socket. keystore uses the binder. Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
eab23895cd
commit
61c80d5ec8
8 changed files with 38 additions and 4 deletions
2
adbd.te
2
adbd.te
|
@ -4,7 +4,7 @@ type adbd, domain, mlstrustedsubject;
|
|||
allow adbd adb_device:chr_file rw_file_perms;
|
||||
allow adbd qemu_device:chr_file rw_file_perms;
|
||||
allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
|
||||
allow adbd rootfs:file entrypoint;
|
||||
allow adbd rootfs:file { read entrypoint };
|
||||
allow adbd init:process sigchld;
|
||||
allow adbd self:tcp_socket *;
|
||||
allow adbd self:unix_stream_socket *;
|
||||
|
|
21
bluetooth.te
21
bluetooth.te
|
@ -1,4 +1,23 @@
|
|||
# Domains that can create and use bluetooth sockets.
|
||||
# bluetooth subsystem
|
||||
type bluetooth, domain;
|
||||
app_domain(bluetooth)
|
||||
|
||||
# Data file accesses.
|
||||
allow bluetooth bluetooth_data_file:dir create_dir_perms;
|
||||
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
|
||||
|
||||
# bluetooth factory file accesses.
|
||||
r_dir_file(bluetooth, bluetooth_efs_file)
|
||||
|
||||
# Device accesses.
|
||||
allow bluetooth hci_attach_dev:chr_file rw_file_perms;
|
||||
allow bluetooth input_device:chr_file write;
|
||||
|
||||
# sysfs access.
|
||||
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
|
||||
dontaudit bluetooth self:capability net_admin;
|
||||
|
||||
# Other domains that can create and use bluetooth sockets.
|
||||
# SELinux does not presently define a specific socket class for
|
||||
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
|
||||
allow bluetoothdomain self:socket *;
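Review bot: The `dontaudit bluetooth self:capability net_admin;` line sits under the `# sysfs access.` heading, which does not describe it, and nothing says why the denial is expected. A dontaudit rule suppresses the AVC record that would otherwise show the bluetooth domain requesting net_admin, so the justification should be written down for whoever audits this domain later. I would give it its own comment, for example `# Stack requests net_admin but functions without it; suppress the denial instead of granting the capability.` The author should confirm that wording, since the code path that triggers the request is not visible here.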
|
||||
|
|
2
file.te
2
file.te
|
@ -9,6 +9,7 @@ type selinuxfs, fs_type;
|
|||
type cgroup, fs_type, mlstrustedobject;
|
||||
type sysfs, fs_type, mlstrustedobject;
|
||||
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type inotify, fs_type, mlstrustedobject;
|
||||
type devpts, fs_type;
|
||||
|
@ -69,6 +70,7 @@ type asec_image_file, file_type, data_file_type;
|
|||
type bluetooth_efs_file, file_type;
|
||||
|
||||
# Socket types
|
||||
type adbd_socket, file_type;
|
||||
type bluetooth_socket, file_type;
|
||||
type dbus_socket, file_type;
|
||||
type dnsproxyd_socket, file_type, mlstrustedobject;
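Review bot: `type adbd_socket, file_type;` in the socket-types hunk appears to be the new declaration, and the contexts section labels `/dev/socket/adbd` with it, but no rule in the sections shown on this page grants any domain access to `adbd_socket`. Presumably the clients are covered by rules outside this commit or still run unconfined; if not, connections to the socket would be denied once the policy is enforcing. A comment beside the declaration naming the intended peer, such as `# adbd control socket; connected to by <client domain>`, would make the intended access reviewable.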
|
||||
|
|
|
@ -55,6 +55,7 @@
|
|||
/dev/s3c-mfc u:object_r:graphics_device:s0
|
||||
/dev/snd(/.*)? u:object_r:audio_device:s0
|
||||
/dev/socket u:object_r:socket_device:s0
|
||||
/dev/socket/adbd u:object_r:adbd_socket:s0
|
||||
/dev/socket/bluetooth u:object_r:bluetooth_socket:s0
|
||||
/dev/socket/dbus_bluetooth u:object_r:bluetooth_socket:s0
|
||||
/dev/socket/dbus u:object_r:dbus_socket:s0
|
||||
|
@ -127,6 +128,7 @@
|
|||
# Misc data
|
||||
/data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
|
||||
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
|
||||
/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
|
||||
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
||||
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
|
||||
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
|
||||
|
@ -150,6 +152,8 @@
|
|||
#
|
||||
/sys/qemu_trace/process_name -- u:object_r:sysfs_writable:s0
|
||||
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
|
||||
/sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
|
||||
/sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
|
||||
#############################
|
||||
# asec containers
|
||||
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
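Review bot: The `/sys/class/rfkill/rfkill[0-9]*/state` and `/sys/class/rfkill/rfkill[0-9]*/type` entries in the last contexts hunk label every rfkill node as `sysfs_bluetooth_writable`, not only the one that belongs to the Bluetooth radio. The rfkill class is shared by all rfkill-managed radios, so on a device with more than one the `rw_file_perms` that bluetooth.te grants on this type would also reach the other radios' state files. If the index is fixed on the target board, pinning the pattern to that index would be tighter. Otherwise a comment such as `# all rfkill nodes are labelled for bluetooth; index cannot be pinned` would record that the breadth is deliberate.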
|
||||
|
|
|
@ -3,6 +3,8 @@ type keystore_exec, exec_type, file_type;
|
|||
|
||||
# keystore daemon
|
||||
init_daemon_domain(keystore)
|
||||
binder_use(keystore)
|
||||
binder_service(keystore)
|
||||
allow keystore keystore_data_file:dir create_dir_perms;
|
||||
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
|
||||
allow keystore keystore_exec:file { getattr };
|
||||
|
|
|
@ -33,6 +33,7 @@
|
|||
#
|
||||
isSystemServer=true domain=system
|
||||
user=system domain=system_app type=system_data_file
|
||||
user=bluetooth domain=bluetooth type=bluetooth_data_file
|
||||
user=nfc domain=nfc type=nfc_data_file
|
||||
user=radio domain=radio type=radio_data_file
|
||||
user=_app domain=untrusted_app type=app_data_file levelFromUid=true
|
||||
|
|
|
@ -82,8 +82,8 @@ allow system self:netlink_kobject_uevent_socket *;
|
|||
allow system appdomain:process { sigkill signal };
|
||||
|
||||
# Set scheduling info for apps.
|
||||
allow system appdomain:process setsched;
|
||||
allow system mediaserver:process setsched;
|
||||
allow system appdomain:process { getsched setsched };
|
||||
allow system mediaserver:process { getsched setsched };
|
||||
|
||||
# Read /proc data for apps.
|
||||
allow system appdomain:dir r_dir_perms;
|
||||
|
|
|
@ -29,3 +29,9 @@ selinux_check_access(zygote)
|
|||
# Read /seapp_contexts, presently on the rootfs.
|
||||
allow zygote rootfs:file r_file_perms;
|
||||
|
||||
# Setting up /storage/emulated.
|
||||
allow zygote rootfs:dir mounton;
|
||||
allow zygote sdcard:dir { write search setattr create add_name mounton };
|
||||
dontaudit zygote self:capability fsetid;
|
||||
allow zygote tmpfs:dir { write create add_name setattr mounton };
|
||||
allow zygote tmpfs:filesystem mount;
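Review bot: `allow zygote rootfs:dir mounton;` permits zygote to mount over any directory carrying the generic `rootfs` label, which is wider than the `/storage/emulated` setup named in the comment above it. Combined with `allow zygote tmpfs:filesystem mount;`, the process that forks every app gains a general ability to place tmpfs mounts on rootfs directories. Giving the mount point its own type in the contexts file and granting `mounton` on that type only would keep the rule scoped to its stated purpose. The `dontaudit zygote self:capability fsetid;` line would also benefit from a short comment saying why that denial is harmless.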
|
||||
|
|