am df822f41
: Merge "Add SELinux policy for asec containers."
* commit 'df822f4168b71629e336e3f484028b510ed21ee4': Add SELinux policy for asec containers.
This commit is contained in:
commit
8c87a18d39
6 changed files with 26 additions and 5 deletions
5
app.te
5
app.te
|
@ -26,6 +26,9 @@ allow platform_app shell_data_file:lnk_file read;
|
|||
allow platform_app apk_tmp_file:file rw_file_perms;
|
||||
# Read /dev/xt_qtaguid
|
||||
allow platform_app qtaguid_device:chr_file r_file_perms;
|
||||
# ASEC
|
||||
allow platform_app asec_apk_file:dir create_dir_perms;
|
||||
allow platform_app asec_apk_file:file create_file_perms;
|
||||
|
||||
# Apps signed with the media key.
|
||||
type media_app, domain;
|
||||
|
@ -53,6 +56,8 @@ net_domain(shared_app)
|
|||
bluetooth_domain(shared_app)
|
||||
# Read logs.
|
||||
allow shared_app log_device:chr_file read;
|
||||
# ASEC
|
||||
r_dir_file(shared_app, asec_apk_file);
|
||||
|
||||
# Apps signed with the release key (testkey in AOSP).
|
||||
type release_app, domain;
|
||||
|
|
|
@ -54,6 +54,7 @@ allow domain urandom_device:chr_file r_file_perms;
|
|||
|
||||
# Filesystem accesses.
|
||||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
||||
# System file accesses.
|
||||
allow domain system_file:dir r_dir_perms;
|
||||
|
|
5
file.te
5
file.te
|
@ -32,7 +32,6 @@ type anr_data_file, file_type, data_file_type, mlstrustedobject;
|
|||
type tombstone_data_file, file_type, data_file_type;
|
||||
# /data/app - user-installed apps
|
||||
type apk_data_file, file_type, data_file_type;
|
||||
type asec_data_file, file_type, data_file_type;
|
||||
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
|
||||
# /data/dalvik-cache
|
||||
type dalvikcache_data_file, file_type, data_file_type;
|
||||
|
@ -59,6 +58,10 @@ type cache_file, file_type, mlstrustedobject;
|
|||
type efs_file, file_type;
|
||||
# Type for wallpaper file.
|
||||
type wallpaper_file, file_type, mlstrustedobject;
|
||||
# /mnt/asec
|
||||
type asec_apk_file, file_type, data_file_type;
|
||||
# /data/app-asec
|
||||
type asec_image_file, file_type, data_file_type;
|
||||
|
||||
# All devices have bluetooth efs files. But they
|
||||
# vary per device, so this type is used in per
|
||||
|
|
|
@ -152,4 +152,5 @@
|
|||
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
|
||||
#############################
|
||||
# asec containers
|
||||
/mnt/asec(/.*)? u:object_r:asec_data_file:s0
|
||||
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
|
||||
/data/app-asec(/.*)? u:object_r:asec_image_file:s0
|
||||
|
|
|
@ -20,3 +20,7 @@ dontaudit installd self:capability sys_admin;
|
|||
selinux_check_context(installd)
|
||||
# Read /seapp_contexts, presently on the rootfs.
|
||||
allow installd rootfs:file r_file_perms;
|
||||
# ASEC
|
||||
allow installd platform_app_data_file:lnk_file { create setattr };
|
||||
allow installd app_data_file:lnk_file { create setattr };
|
||||
allow installd asec_apk_file:file r_file_perms;
|
||||
|
|
13
vold.te
13
vold.te
|
@ -16,7 +16,7 @@ allow vold sdcard:dir create_dir_perms;
|
|||
allow vold tmpfs:filesystem { mount unmount };
|
||||
allow vold tmpfs:dir create_dir_perms;
|
||||
allow vold tmpfs:dir mounton;
|
||||
allow vold self:capability { net_admin dac_override mknod sys_admin };
|
||||
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
||||
allow vold self:netlink_kobject_uevent_socket *;
|
||||
allow vold app_data_file:dir search;
|
||||
allow vold app_data_file:file rw_file_perms;
|
||||
|
@ -39,7 +39,7 @@ allow vold sysfs:file rw_file_perms;
|
|||
unix_socket_connect(vold, property, init)
|
||||
|
||||
# Unmount and mount the fs.
|
||||
allow vold labeledfs:filesystem { mount unmount };
|
||||
allow vold labeledfs:filesystem { mount unmount remount };
|
||||
|
||||
# Access /efs/userdata_footer.
|
||||
# XXX Split into a separate type?
|
||||
|
@ -53,7 +53,14 @@ allow vold kernel:system module_request;
|
|||
allow vold proc:file write;
|
||||
|
||||
# Create and mount on /data/tmp_mnt.
|
||||
allow vold system_data_file:dir { open read write create add_name mounton };
|
||||
allow vold system_data_file:dir { rw_dir_perms mounton };
|
||||
|
||||
# Property Service
|
||||
allow vold vold_prop:property_service set;
|
||||
|
||||
# ASEC
|
||||
allow vold asec_image_file:file create_file_perms;
|
||||
allow vold asec_image_file:dir rw_dir_perms;
|
||||
allow vold rootfs:file r_file_perms;
|
||||
allow vold asec_apk_file:dir { rw_dir_perms setattr };
|
||||
allow vold asec_apk_file:file { r_file_perms setattr };
|
||||
|
|
Loading…
Reference in a new issue