Merge "gatekeeperd: use more specific label for /data file"
This commit is contained in:
Nick Kralevich
Gerrit Code Review
commit
934cf6eaf0
4 changed files with 8 additions and 6 deletions
1
file.te
1
file.te
|
|
@ -101,6 +101,7 @@ type adb_keys_file, file_type, data_file_type;
|
||||||
type audio_data_file, file_type, data_file_type;
|
type audio_data_file, file_type, data_file_type;
|
||||||
type bluetooth_data_file, file_type, data_file_type;
|
type bluetooth_data_file, file_type, data_file_type;
|
||||||
type camera_data_file, file_type, data_file_type;
|
type camera_data_file, file_type, data_file_type;
|
||||||
|
type gatekeeper_data_file, file_type, data_file_type;
|
||||||
type keychain_data_file, file_type, data_file_type;
|
type keychain_data_file, file_type, data_file_type;
|
||||||
type keystore_data_file, file_type, data_file_type;
|
type keystore_data_file, file_type, data_file_type;
|
||||||
type media_data_file, file_type, data_file_type;
|
type media_data_file, file_type, data_file_type;
|
||||||
|
|
|
||||||
|
|
@ -229,6 +229,7 @@
|
||||||
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
|
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
|
||||||
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
|
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
|
||||||
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
|
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
|
||||||
|
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
|
||||||
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
|
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
|
||||||
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
||||||
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
||||||
|
|
|
||||||
|
|
@ -18,11 +18,7 @@ allow gatekeeperd system_server:binder call;
|
||||||
allow gatekeeperd permission_service:service_manager find;
|
allow gatekeeperd permission_service:service_manager find;
|
||||||
|
|
||||||
# for SID file access
|
# for SID file access
|
||||||
allow gatekeeperd system_data_file:dir { add_name write};
|
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
|
||||||
allow gatekeeperd system_data_file:file { write create open };
|
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
|
||||||
|
|
||||||
# Apps using KeyStore API will request the SID from GateKeeper
|
|
||||||
allow untrusted_app gatekeeper_service:service_manager find;
|
|
||||||
binder_call(untrusted_app, gatekeeperd)
|
|
||||||
|
|
||||||
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
|
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
|
||||||
|
|
|
||||||
|
|
@ -93,6 +93,10 @@ allow untrusted_app persistent_data_block_service:service_manager find;
|
||||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
||||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
||||||
|
|
||||||
|
# Apps using KeyStore API will request the SID from GateKeeper
|
||||||
|
allow untrusted_app gatekeeper_service:service_manager find;
|
||||||
|
binder_call(untrusted_app, gatekeeperd)
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue