Give domains read access to security_file domain.

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
This commit is contained in:
William Roberts 2013-04-04 13:17:36 -07:00 committed by Gerrit Code Review
parent cd516a3266
commit 6c4c27e626
8 changed files with 12 additions and 13 deletions

View file

@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:process ptrace;
allow debuggerd rootfs:file r_file_perms;
security_access_policy(debuggerd)
allow debuggerd system_data_file:dir create_dir_perms;
allow debuggerd system_data_file:dir relabelfrom;
allow debuggerd tombstone_data_file:dir relabelto;

View file

@ -18,8 +18,8 @@ allow installd cgroup:dir create_dir_perms;
dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(installd)
# Read /seapp_contexts, presently on the rootfs.
allow installd rootfs:file r_file_perms;
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(installd)
# ASEC
allow installd platform_app_data_file:lnk_file { create setattr };
allow installd app_data_file:lnk_file { create setattr };

View file

@ -34,7 +34,8 @@ allow runas app_data_file:dir { getattr search };
allow runas self:capability { setuid setgid };
# run-as switches to the app security context.
allow runas rootfs:file r_file_perms; # read /seapp_contexts
# read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(runas)
selinux_check_context(runas) # validate context
allow runas untrusted_app:process dyntransition; # setcon

View file

@ -147,8 +147,8 @@ allow system tun_device:chr_file rw_file_perms;
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;
# Read /file_contexts.
allow system rootfs:file r_file_perms;
# Read /file_contexts and /data/security/file_contexts
security_access_policy(system)
# Relabel apk files.
allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };

View file

@ -236,8 +236,6 @@ allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file r_file_perms;
allow $1 rootfs:dir r_dir_perms;
allow $1 rootfs:file r_file_perms;
allow $1 system_file:dir r_dir_perms;
allow $1 system_file:file r_file_perms;
')
#####################################
@ -285,4 +283,4 @@ allow $1 system_file:file x_file_perms;
# man 2 klogctl
define(`access_kmsg', `
allow $1 kernel:system syslog_read;
')
')

View file

@ -2,7 +2,7 @@
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
tmpfs_domain(ueventd)
allow ueventd rootfs:file r_file_perms;
security_access_policy(ueventd)
allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };

View file

@ -60,6 +60,6 @@ allow vold vold_prop:property_service set;
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
allow vold rootfs:file r_file_perms;
security_access_policy(vold)
allow vold asec_apk_file:dir { rw_dir_perms setattr };
allow vold asec_apk_file:file { r_file_perms setattr };

View file

@ -28,8 +28,8 @@ allow zygote self:capability sys_admin;
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
# Read /seapp_contexts, presently on the rootfs.
allow zygote rootfs:file r_file_perms;
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(zygote)
# Setting up /storage/emulated.
allow zygote rootfs:dir mounton;