Add sepolicy for IpMemoryStoreService

Bug: 116512211 Test: Builds, boots, including upcoming changes needing this Change-Id: I6f119368c5a4f7ac6c0325915dff60124c5a6399
2018-12-05 14:47:51 +09:00 · 2018-12-05 14:47:51 +09:00 · fb15c9f12f
commit fb15c9f12f
parent 0fa0d1e596
8 changed files with 10 additions and 0 deletions
--- a/private/app.te
+++ b/private/app.te
@ -23,3 +23,6 @@ neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain -crash_dump -rs }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain }:process { dyntransition };
+
+# Disallow apps from using IP memory store
+neverallow { appdomain -shell } ipmemorystore_service:service_manager *;
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@ -102,6 +102,7 @@
    iorapd_exec
    iorapd_service
    iorapd_tmpfs
+    ipmemorystore_service
    kmsg_debug_device
    last_boot_reason_prop
    llkd
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@ -93,6 +93,7 @@
    iorapd_exec
    iorapd_service
    iorapd_tmpfs
+    ipmemorystore_service
    last_boot_reason_prop
    llkd
    llkd_exec
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -47,6 +47,7 @@
    heapprofd_prop
    heapprofd_socket
    idmap_service
+    ipmemorystore_service
    iris_service
    iris_vendor_data_file
    llkd
--- a/private/service_contexts
+++ b/private/service_contexts
@ -82,6 +82,7 @@ iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
 imms                                      u:object_r:imms_service:s0
+ipmemorystore                             u:object_r:ipmemorystore_service:s0
 ipsec                                     u:object_r:ipsec_service:s0
 iris                                      u:object_r:iris_service:s0
 isms_msim                                 u:object_r:radio_service:s0
--- a/private/system_app.te
+++ b/private/system_app.te
@ -74,6 +74,7 @@ allow system_app {
  -dumpstate_service
  -installd_service
  -iorapd_service
+  -ipmemorystore_service
  -netd_service
  -virtual_touchpad_service
  -vold_service
--- a/public/service.te
+++ b/public/service.te
@ -101,6 +101,7 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipmemorystore_service, system_server_service, service_manager_type;
 type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type iris_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@ -11,6 +11,7 @@ allow traceur_app {
  -gatekeeper_service
  -incident_service
  -installd_service
+  -ipmemorystore_service
  -iorapd_service
  -netd_service
  -virtual_touchpad_service