From 92dfa31f7800ff9184e8525dfd471211c90b9d31 Mon Sep 17 00:00:00 2001 From: William Roberts Date: Mon, 29 Sep 2014 10:29:48 -0700 Subject: [PATCH] seinfo for platform based domains should be stated explicitly. The current policy would allow any application that were to "magically" get a sensitive UID into the coresponding sensitive domain. Rather then only using UID as an input selector, require seinfo=platform. Change-Id: I8a7490ed55bdcd3e4a116aece2c3522b384024ec --- seapp_contexts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/seapp_contexts b/seapp_contexts index 2b8aec072..f92d11835 100644 --- a/seapp_contexts +++ b/seapp_contexts @@ -41,12 +41,12 @@ # level may be used to specify a fixed level for any UID. # isSystemServer=true domain=system_server -user=system domain=system_app type=system_app_data_file -user=bluetooth domain=bluetooth type=bluetooth_data_file -user=nfc domain=nfc type=nfc_data_file -user=radio domain=radio type=radio_data_file -user=shared_relro domain=shared_relro -user=shell domain=shell type=shell_data_file +user=system seinfo=platform domain=system_app type=system_app_data_file +user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file +user=nfc seinfo=platform domain=nfc type=nfc_data_file +user=radio seinfo=platform domain=radio type=radio_data_file +user=shared_relro seinfo=platform domain=shared_relro +user=shell seinfo=platform domain=shell type=shell_data_file user=_isolated domain=isolated_app levelFrom=user user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user user=_app domain=untrusted_app type=app_data_file levelFrom=user