am 0ecb0f88
: Eliminate most of the app policy booleans.
* commit '0ecb0f886660da5ddfd6945e4b993048727caac8': Eliminate most of the app policy booleans.
commit
882f7ee268
1 changed files with 6 additions and 33 deletions
39
app.te
39
app.te
|
@ -71,6 +71,7 @@ allow release_app log_device:chr_file read;
|
|||
# set it must be an mlstrustedsubject.
|
||||
type isolated_app, domain, mlstrustedsubject;
|
||||
app_domain(isolated_app)
|
||||
allow isolated_app system_data_file:file { open execute };
|
||||
|
||||
#
|
||||
# An example of a specific domain for a specific app
|
||||
|
@ -99,29 +100,12 @@ allow platformappdomain system_data_file:file { execute open };
|
|||
#
|
||||
type untrusted_app, domain;
|
||||
app_domain(untrusted_app)
|
||||
# Boolean-controlled options for untrusted apps.
|
||||
# Network access.
|
||||
bool app_network true;
|
||||
if (app_network) {
|
||||
# Cannot use net_domain within a conditional - type attribute.
|
||||
allow untrusted_app self:{ tcp_socket udp_socket } *;
|
||||
allow untrusted_app port_type:tcp_socket name_connect;
|
||||
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
|
||||
allow untrusted_app port_type:udp_socket name_bind;
|
||||
allow untrusted_app port_type:tcp_socket name_bind;
|
||||
unix_socket_connect(untrusted_app, dnsproxyd, netd)
|
||||
net_domain(untrusted_app)
|
||||
bluetooth_domain(untrusted_app)
|
||||
allow untrusted_app tun_device:chr_file rw_file_perms;
|
||||
allow untrusted_app untrusted_app:netlink_route_socket write;
|
||||
# Get route information.
|
||||
allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };
|
||||
}
|
||||
# Bluetooth access.
|
||||
bool app_bluetooth false;
|
||||
if (app_bluetooth or android_cts) {
|
||||
# No specific SELinux class for bluetooth sockets presently.
|
||||
allow untrusted_app self:socket *;
|
||||
allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };
|
||||
}
|
||||
allow untrusted_app system_data_file:file { execute open };
|
||||
allow untrusted_app log_device:chr_file read;
|
||||
|
||||
# Internal SDCard rw access.
|
||||
bool app_internal_sdcard_rw true;
|
||||
if (app_internal_sdcard_rw) {
|
||||
|
@ -134,17 +118,6 @@ if (app_external_sdcard_rw) {
|
|||
allow untrusted_app sdcard_external:dir create_dir_perms;
|
||||
allow untrusted_app sdcard_external:file create_file_perms;
|
||||
}
|
||||
# Native app support.
|
||||
bool app_ndk false;
|
||||
if (app_ndk or android_cts) {
|
||||
allow untrusted_app system_data_file:file { execute open };
|
||||
allow isolated_app system_data_file:file { open execute };
|
||||
}
|
||||
# Read Logs
|
||||
bool app_read_logs false;
|
||||
if (app_read_logs or android_cts) {
|
||||
allow untrusted_app log_device:chr_file read;
|
||||
}
|
||||
|
||||
#
|
||||
# Rules for all app domains.
|
||||
|
|
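Review bot: The rules that appear to stay directly under `app_domain(untrusted_app)` in the second hunk, `allow untrusted_app log_device:chr_file read;` and `allow untrusted_app system_data_file:file { execute open };`, together with the `isolated_app` rule in the first hunk, are now unconditional, although the `app_read_logs` and `app_ndk` booleans that gated them both defaulted to `false`. The +/- markers are lost in this rendering, so which lines form the new side is inferred from the hunk counts. The comments that explained these grants (`# Read Logs`, `# Native app support.`) disappear with the conditionals, so each surviving rule should carry a one-line reason, for example `# Formerly gated by app_ndk (default false): execute native code from system_data_file.` and `# Formerly gated by app_read_logs (default false): read the log device.` Execute on a type as broad as `system_data_file` is a wide grant for `isolated_app` in particular, so it is worth confirming that the sandboxed domain needs it rather than inheriting it for symmetry with `untrusted_app`.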