Merge "gatekeeperd: use more specific label for /data file"

Nick Kralevich 2015-04-20 15:24:00 +00:00 committed by Gerrit Code Review
commit 934cf6eaf0
4 changed files with 8 additions and 6 deletions


@ -101,6 +101,7 @@ type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type gatekeeper_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
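Review bot: The new `gatekeeper_data_file` type carries the `data_file_type` attribute, so any allow rule written against that attribute elsewhere in the policy also applies to gatekeeperd's files, and nothing in this change pins down who may modify them. Since the commit's aim is a more specific label, a compile-time guard next to the gatekeeperd rules would make that intent enforceable, for example `neverallow { domain -gatekeeperd -init } gatekeeper_data_file:file no_w_file_perms;`. The exemption list here is a guess and needs adjusting to whatever the build shows is legitimately required. A one-line comment above the type saying what is stored under it would also help the next reader.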


@ -229,6 +229,7 @@
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
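Review bot: The new `/data/misc/gatekeeper(/.*)?` entry only affects files labeled after it is in place. A device that already has this directory will presumably still carry `system_data_file` on it, because the old gatekeeperd rules wrote under that label. The same commit drops gatekeeperd's `system_data_file` access, so unless something relabels the path on upgrade, gatekeeperd would be denied access to its existing SID file. Please confirm that the directory is covered by a recursive restorecon at boot (not visible on this page), or note in the description that no upgrade path is needed.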


@ -18,11 +18,7 @@ allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
# for SID file access
allow gatekeeperd system_data_file:dir { add_name write};
allow gatekeeperd system_data_file:file { write create open };
# Apps using KeyStore API will request the SID from GateKeeper
allow untrusted_app gatekeeper_service:service_manager find;
binder_call(untrusted_app, gatekeeperd)
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
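Review bot: The replacement rules grant a wider permission set than the ones they replace: `rw_dir_perms` and `create_file_perms` add read, rename, unlink, setattr and remove_name on top of the old `{ add_name write }` and `{ write create open }`. The narrower type makes this much less risky, but if gatekeeperd only needs to create, write and read back the SID file, an explicit set such as `allow gatekeeperd gatekeeper_data_file:file { create open read write getattr };` keeps the grant closest to what the daemon does. Whichever set is chosen, the two new lines should sit under a comment like `# SID file storage under /data/misc/gatekeeper`, since it is not clear from the rendered hunk whether the old `# for SID file access` comment survives.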


@ -93,6 +93,10 @@ allow untrusted_app persistent_data_block_service:service_manager find;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
# Apps using KeyStore API will request the SID from GateKeeper
allow untrusted_app gatekeeper_service:service_manager find;
binder_call(untrusted_app, gatekeeperd)
###
### neverallow rules
###