Merge "Add keystore_key:attest_unique_id to priv_app." into oc-dev

TreeHugger Robot 2017-04-13 14:38:15 +00:00 committed by Android (Google) Code Review
commit b36c9bcd05
3 changed files with 7 additions and 0 deletions


@ -702,6 +702,7 @@ class keystore_key
clear_uid
add_auth
user_changed
gen_unique_id
}
class drmservice {
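Review bot: The permission added to `class keystore_key` is `gen_unique_id`, while the commit title calls it `keystore_key:attest_unique_id`, so a search for the title's name will not find this line. The title or the permission should be aligned, and the entry should carry a short comment, for example `# gen_unique_id: request a hardware unique device ID in a key attestation`, which is the meaning the neverallow comment elsewhere in this commit gives it. The class body starts above the hunk, and the keystore-side code that checks this permission is not on this page.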


@ -13,3 +13,6 @@ neverallow {
-system_server
userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
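Review bot: The comment above the new `neverallow` says what is restricted but not why, which is what a later editor needs before adding another exemption to `{ domain -priv_app }`. Assuming the concern is that the ID identifies the device across apps, a second line such as `# The unique ID identifies the device; any new exemption needs privacy review.` would record that. The `*` target type means the rule holds for every keystore_key object, not only `keystore`, which looks deliberate and is worth keeping.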


@ -114,6 +114,9 @@ allow priv_app functionfs:file rw_file_perms;
# TODO: narrow this to just MediaProvider
allow priv_app mnt_media_rw_file:dir search;
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;
read_runtime_log_tags(priv_app)
###
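Review bot: The comment on the new `allow priv_app keystore:keystore_key gen_unique_id;` names GMS core as the example, but the rule grants the permission to every process in the `priv_app` domain. SELinux cannot tell one privileged app from another in this rule, so any per-app restriction has to be enforced by keystore or by a platform permission, neither of which appears on this page. The comment should say so, e.g. `# Granted to all of priv_app; per-app gating, if any, happens outside SELinux policy.`, or carry a TODO like the MediaProvider one just above it.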