am cd516a32: run-as policy fixes.
* commit 'cd516a32663b4eb11b2e3356b86450020e59e279': run-as policy fixes.
This commit is contained in:
Stephen Smalley
Android Git Automerger
commit
ecf78730ed
4 changed files with 7 additions and 7 deletions
|
|
@ -33,6 +33,7 @@ type random_device, dev_type;
|
||||||
type sensors_device, dev_type;
|
type sensors_device, dev_type;
|
||||||
type serial_device, dev_type;
|
type serial_device, dev_type;
|
||||||
type socket_device, dev_type;
|
type socket_device, dev_type;
|
||||||
|
type owntty_device, dev_type, mlstrustedobject;
|
||||||
type tty_device, dev_type;
|
type tty_device, dev_type;
|
||||||
type urandom_device, dev_type;
|
type urandom_device, dev_type;
|
||||||
type video_device, dev_type;
|
type video_device, dev_type;
|
||||||
|
|
|
||||||
|
|
@ -44,6 +44,7 @@ allow domain dev_type:lnk_file read;
|
||||||
allow domain devpts:dir search;
|
allow domain devpts:dir search;
|
||||||
allow domain device:file read;
|
allow domain device:file read;
|
||||||
allow domain socket_device:dir search;
|
allow domain socket_device:dir search;
|
||||||
|
allow domain owntty_device:chr_file rw_file_perms;
|
||||||
allow domain null_device:chr_file rw_file_perms;
|
allow domain null_device:chr_file rw_file_perms;
|
||||||
allow domain zero_device:chr_file r_file_perms;
|
allow domain zero_device:chr_file r_file_perms;
|
||||||
allow domain ashmem_device:chr_file rw_file_perms;
|
allow domain ashmem_device:chr_file rw_file_perms;
|
||||||
|
|
|
||||||
|
|
@ -101,6 +101,7 @@
|
||||||
/dev/spdif_out.* u:object_r:audio_device:s0
|
/dev/spdif_out.* u:object_r:audio_device:s0
|
||||||
/dev/tegra.* u:object_r:video_device:s0
|
/dev/tegra.* u:object_r:video_device:s0
|
||||||
/dev/tf_driver u:object_r:tee_device:s0
|
/dev/tf_driver u:object_r:tee_device:s0
|
||||||
|
/dev/tty u:object_r:owntty_device:s0
|
||||||
/dev/tty[0-9]* u:object_r:tty_device:s0
|
/dev/tty[0-9]* u:object_r:tty_device:s0
|
||||||
/dev/ttyS[0-9]* u:object_r:serial_device:s0
|
/dev/ttyS[0-9]* u:object_r:serial_device:s0
|
||||||
/dev/tun u:object_r:tun_device:s0
|
/dev/tun u:object_r:tun_device:s0
|
||||||
|
|
|
||||||
11
runas.te
11
runas.te
|
|
@ -19,15 +19,15 @@ dontaudit shell self:capability { sys_ptrace kill };
|
||||||
|
|
||||||
# ndk-gdb invokes adb shell run-as.
|
# ndk-gdb invokes adb shell run-as.
|
||||||
domain_auto_trans(shell, runas_exec, runas)
|
domain_auto_trans(shell, runas_exec, runas)
|
||||||
|
allow runas adbd:process sigchld;
|
||||||
allow runas shell:fd use;
|
allow runas shell:fd use;
|
||||||
allow runas devpts:chr_file { read write };
|
allow runas devpts:chr_file { read write ioctl };
|
||||||
|
|
||||||
# run-as reads package information.
|
# run-as reads package information.
|
||||||
allow runas system_data_file:file r_file_perms;
|
allow runas system_data_file:file r_file_perms;
|
||||||
|
|
||||||
# run-as checks and changes to the app data dir.
|
# run-as checks and changes to the app data dir.
|
||||||
dontaudit runas self:capability dac_override;
|
dontaudit runas self:capability dac_override;
|
||||||
allow runas self:capability dac_read_search;
|
|
||||||
allow runas app_data_file:dir { getattr search };
|
allow runas app_data_file:dir { getattr search };
|
||||||
|
|
||||||
# run-as switches to the app UID/GID.
|
# run-as switches to the app UID/GID.
|
||||||
|
|
@ -41,18 +41,15 @@ allow runas untrusted_app:process dyntransition; # setcon
|
||||||
# run-as runs lib/gdbserver from the app data dir.
|
# run-as runs lib/gdbserver from the app data dir.
|
||||||
allow untrusted_app system_data_file:file rx_file_perms;
|
allow untrusted_app system_data_file:file rx_file_perms;
|
||||||
|
|
||||||
# run-as may also run sh or system commands.
|
|
||||||
allow untrusted_app shell_exec:file rx_file_perms;
|
|
||||||
allow untrusted_app system_file:file rx_file_perms;
|
|
||||||
|
|
||||||
# gdbserver reads the zygote.
|
# gdbserver reads the zygote.
|
||||||
allow untrusted_app zygote_exec:file r_file_perms;
|
allow untrusted_app zygote_exec:file r_file_perms;
|
||||||
|
|
||||||
# (grand)child death notification.
|
# (grand)child death notification.
|
||||||
allow untrusted_app shell:process sigchld;
|
allow untrusted_app shell:process sigchld;
|
||||||
|
allow untrusted_app adbd:process sigchld;
|
||||||
|
|
||||||
# child shell or gdbserver pty access.
|
# child shell or gdbserver pty access.
|
||||||
allow untrusted_app devpts:chr_file { getattr read write };
|
allow untrusted_app devpts:chr_file { getattr read write ioctl };
|
||||||
|
|
||||||
# gdbserver creates a socket in the app data dir.
|
# gdbserver creates a socket in the app data dir.
|
||||||
allow untrusted_app app_data_file:sock_file { create unlink };
|
allow untrusted_app app_data_file:sock_file { create unlink };
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue