tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Rewrite mac_permissions.xml file.

Browse source 
Rewrite all stanzas to only include seinfo tags.

Change-Id: I4d528ce092ec8d1aac15195ed3a8e307d604607e
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
This commit is contained in:
Robert Craig 2013-03-22 15:43:53 -04:00 committed by William Roberts
parent cd4104e84b
commit b24c30b4ed
1 changed files with 0 additions and 170 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

170
mac_permissions.xml
View file

@ -1,197 +1,27 @@
<?xml version="1.0" encoding="utf-8"?>
<policy>
<!--
Sample signer stanza for install policy
Rules:
* A signature is a hex encoded X.509 certificate and is required for each signer tag.
* A <signer signature="" > element may have multiple child elements:
allow-permission : produces a set of maximal allowed permissions (whitelist).
deny-permission : produces a blacklist of permissions to deny.
allow-all : a wildcard tag that will allow every permission requested.
package : a complex tag which itself defines allow, deny, and wildcard sub elements for
a specific package name protected by the signature
* Zero or more global <package name=""> tags are allowed. These tags allow a policy
to be set outside any signature for specific package names.
* Unknown tags at any level are skipped.
* Zero or more signer tags are allowed.
* Zero or more package tags are allowed per signer tag.
* A <package name=""> tag may not contain another <package name=""> tag. If found, it's skipped.
* A <default> tag is allowed that can contain install policy for all apps not signed with a
previously listed cert and not having a per package global policy.
* When multiple sub elements appear for a tag the following logic is used to
ultimately determine the type of enforcement:
** A blacklist is used if at least one deny-permission tag is found
** A whitelist is used if not a blacklist and at least one allow-permission tag is found
** A wildcard (accept all permission) policy is used if not a blacklist and not a whitelist
and at least one allow-all tag is present.
** If a <package name=""> sub element is found then that sub element's policy is used
according to the above logic and overrides any signature global policy type.
** In order for a policy stanza to be enforced at least one of the above situations must
apply. Meaning, empty signer, default or package tags will not be accepted.
* Each signer/default/global package tag is allowed to contain one <seinfo value=""/> tag.
This tag represents additional info that each app can use in setting a SELinux security
context on the eventual process. Any <seinfo value=""/> tag found as a child of a
<package name=""> tag which is protected (sub element of signer or the default tag) is
ignored. It's possible that multiple seinfo tags are relevant for one app. In the event
that this happens, the seinfo tag that will be applied is the one for which the corresponding
policy stanza is used in the policy decision.
* Strict enforcing of any xml stanza is not enforced in most cases. This mainly applies to
duplicate tags which are allowed. In the event that a tag already exists, the original
tag is replaced.
* There are also no checks on the validity of permission names. Although valid android
permissions are expected, nothing prevents unknowns.
* Enforcement decisions:
- All signatures used to sign an app are checked for policy according to signer tags.
Only one of the signature policies has to pass however.
- In the event that none of the signature policies pass, or none even match, then
a global package policy is sought. If found, this policy mediates the install.
- The default tag is consulted last if needed.
- A local package policy always overrides any parent policy.
- If none of the cases apply then the app is denied.
Example global package policy
<package name="com.foo.com">
<allow-permission name="android.permission.INTERNET" />
<allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
</package>
Sample stanzas are given below based on the AOSP developer keys.
-->
<!-- Platform dev key with AOSP -->
<signer signature="@PLATFORM" >
<allow-all />
<seinfo value="platform" />
</signer>
<!-- Media dev key in AOSP -->
<signer signature="@MEDIA" >
<allow-permission name="android.permission.ACCESS_ALL_DOWNLOADS" />
<allow-permission name="android.permission.ACCESS_CACHE_FILESYSTEM" />
<allow-permission name="android.permission.ACCESS_DOWNLOAD_MANAGER" />
<allow-permission name="android.permission.ACCESS_MTP" />
<allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
<allow-permission name="android.permission.CONNECTIVITY_INTERNAL" />
<allow-permission name="android.permission.INTERNET" />
<allow-permission name="android.permission.MODIFY_NETWORK_ACCOUNTING" />
<allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
<allow-permission name="android.permission.RECEIVE_WAP_PUSH" />
<allow-permission name="android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS" />
<allow-permission name="android.permission.UPDATE_DEVICE_STATS" />
<allow-permission name="android.permission.WAKE_LOCK" />
<allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.WRITE_MEDIA_STORAGE" />
<allow-permission name="android.permission.WRITE_SETTINGS" />
<seinfo value="media" />
</signer>
<!-- shared dev key in AOSP -->
<signer signature="@SHARED" >
<allow-permission name="android.permission.ACCESS_COARSE_LOCATION" />
<allow-permission name="android.permission.ACCESS_FINE_LOCATION" />
<allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
<allow-permission name="android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK" />
<allow-permission name="android.permission.BIND_APPWIDGET" />
<allow-permission name="android.permission.BIND_WALLPAPER" />
<allow-permission name="android.permission.CALL_PHONE" />
<allow-permission name="android.permission.CALL_PRIVILEGED" />
<allow-permission name="android.permission.CAMERA" />
<allow-permission name="android.permission.GET_ACCOUNTS" />
<allow-permission name="android.permission.GLOBAL_SEARCH" />
<allow-permission name="android.permission.INTERNET" />
<allow-permission name="android.permission.MANAGE_ACCOUNTS" />
<allow-permission name="android.permission.MODIFY_AUDIO_SETTINGS" />
<allow-permission name="android.permission.MODIFY_PHONE_STATE" />
<allow-permission name="android.permission.NFC" />
<allow-permission name="android.permission.PACKAGE_USAGE_STATS" />
<allow-permission name="android.permission.READ_CALL_LOG" />
<allow-permission name="android.permission.READ_CONTACTS"/>
<allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.READ_PHONE_STATE" />
<allow-permission name="android.permission.READ_PROFILE" />
<allow-permission name="android.permission.READ_SOCIAL_STREAM" />
<allow-permission name="android.permission.READ_SYNC_SETTINGS" />
<allow-permission name="android.permission.READ_SYNC_STATS" />
<allow-permission name="android.permission.READ_USER_DICTIONARY" />
<allow-permission name="android.permission.REBOOT" />
<allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
<allow-permission name="android.permission.RECORD_AUDIO" />
<allow-permission name="android.permission.SET_WALLPAPER" />
<allow-permission name="android.permission.SET_WALLPAPER_COMPONENT" />
<allow-permission name="android.permission.SET_WALLPAPER_HINTS" />
<allow-permission name="android.permission.SUBSCRIBED_FEEDS_READ" />
<allow-permission name="android.permission.SUBSCRIBED_FEEDS_WRITE" />
<allow-permission name="android.permission.USE_CREDENTIALS" />
<allow-permission name="android.permission.VIBRATE" />
<allow-permission name="android.permission.WAKE_LOCK" />
<allow-permission name="android.permission.WRITE_CALL_LOG" />
<allow-permission name="android.permission.WRITE_CONTACTS" />
<allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.WRITE_PROFILE" />
<allow-permission name="android.permission.WRITE_SETTINGS" />
<allow-permission name="android.permission.WRITE_USER_DICTIONARY" />
<allow-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
<allow-permission name="com.android.launcher.permission.INSTALL_SHORTCUT" />
<allow-permission name="com.android.launcher.permission.READ_SETTINGS" />
<allow-permission name="com.android.launcher.permission.WRITE_SETTINGS" />
<allow-permission name="com.android.voicemail.permission.ADD_VOICEMAIL" />
<allow-permission name="com.android.voicemail.permission.READ_WRITE_ALL_VOICEMAIL" />
<allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH" />
<allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH.cp" />
<allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH.mail" />
<seinfo value="shared" />
</signer>
<!-- release dev key in AOSP -->
<signer signature="@RELEASE" >
<seinfo value="release" />
<deny-permission name="android.permission.BRICK" />
<deny-permission name="android.permission.READ_LOGS" />
<deny-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS" />
<deny-permission name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS" />
<package name="com.android.browser" >
<allow-permission name="android.permission.ACCESS_COARSE_LOCATION"/>
<allow-permission name="android.permission.ACCESS_DOWNLOAD_MANAGER"/>
<allow-permission name="android.permission.ACCESS_FINE_LOCATION"/>
<allow-permission name="android.permission.ACCESS_NETWORK_STATE"/>
<allow-permission name="android.permission.ACCESS_WIFI_STATE"/>
<allow-permission name="android.permission.GET_ACCOUNTS"/>
<allow-permission name="android.permission.INTERNET" />
<allow-permission name="android.permission.MANAGE_ACCOUNTS" />
<allow-permission name="android.permission.NFC" />
<allow-permission name="android.permission.READ_CONTACTS" />
<allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.READ_PROFILE" />
<allow-permission name="android.permission.READ_SYNC_SETTINGS" />
<allow-permission name="android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS" />
<allow-permission name="android.permission.SET_WALLPAPER" />
<allow-permission name="android.permission.USE_CREDENTIALS"/>
<allow-permission name="android.permission.WAKE_LOCK"/>
<allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.WRITE_SETTINGS" />
<allow-permission name="android.permission.WRITE_SYNC_SETTINGS" />
<allow-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
<allow-permission name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
<allow-permission name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
</package>
</signer>
<!-- All other keys -->
<default>
<seinfo value="default" />
<deny-permission name="android.permission.ACCESS_COARSE_LOCATION" />
<deny-permission name="android.permission.ACCESS_FINE_LOCATION" />
<deny-permission name="android.permission.AUTHENTICATE_ACCOUNTS" />
<deny-permission name="android.permission.CALL_PHONE" />
<deny-permission name="android.permission.CAMERA" />
<deny-permission name="android.permission.READ_LOGS" />
<deny-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
</default>
</policy>