Merge "gatekeeperd: use more specific label for /data file"
This commit is contained in:
commit
934cf6eaf0
4 changed files with 8 additions and 6 deletions
1
file.te
1
file.te
|
@ -101,6 +101,7 @@ type adb_keys_file, file_type, data_file_type;
|
|||
type audio_data_file, file_type, data_file_type;
|
||||
type bluetooth_data_file, file_type, data_file_type;
|
||||
type camera_data_file, file_type, data_file_type;
|
||||
type gatekeeper_data_file, file_type, data_file_type;
|
||||
type keychain_data_file, file_type, data_file_type;
|
||||
type keystore_data_file, file_type, data_file_type;
|
||||
type media_data_file, file_type, data_file_type;
|
||||
|
|
|
@ -229,6 +229,7 @@
|
|||
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
|
||||
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
|
||||
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
|
||||
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
|
||||
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
|
||||
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
||||
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
||||
|
|
|
@ -18,11 +18,7 @@ allow gatekeeperd system_server:binder call;
|
|||
allow gatekeeperd permission_service:service_manager find;
|
||||
|
||||
# for SID file access
|
||||
allow gatekeeperd system_data_file:dir { add_name write};
|
||||
allow gatekeeperd system_data_file:file { write create open };
|
||||
|
||||
# Apps using KeyStore API will request the SID from GateKeeper
|
||||
allow untrusted_app gatekeeper_service:service_manager find;
|
||||
binder_call(untrusted_app, gatekeeperd)
|
||||
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
|
||||
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
|
||||
|
||||
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
|
||||
|
|
|
@ -93,6 +93,10 @@ allow untrusted_app persistent_data_block_service:service_manager find;
|
|||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
||||
|
||||
# Apps using KeyStore API will request the SID from GateKeeper
|
||||
allow untrusted_app gatekeeper_service:service_manager find;
|
||||
binder_call(untrusted_app, gatekeeperd)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
Loading…
Reference in a new issue