23c9d91b46
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.
This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
For now, this newly introduced label has no usage, so this change
is essentially a no-op.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
58 lines
1.9 KiB
Text
58 lines
1.9 KiB
Text
# drmserver - DRM service
|
|
type drmserver, domain;
|
|
type drmserver_exec, exec_type, file_type;
|
|
|
|
typeattribute drmserver mlstrustedsubject;
|
|
|
|
net_domain(drmserver)
|
|
|
|
# Perform Binder IPC to system server.
|
|
binder_use(drmserver)
|
|
binder_call(drmserver, system_server)
|
|
binder_call(drmserver, appdomain)
|
|
binder_service(drmserver)
|
|
# Inherit or receive open files from system_server.
|
|
allow drmserver system_server:fd use;
|
|
|
|
# Perform Binder IPC to mediaserver
|
|
binder_call(drmserver, mediaserver)
|
|
|
|
allow drmserver sdcard_type:dir search;
|
|
allow drmserver drm_data_file:dir create_dir_perms;
|
|
allow drmserver drm_data_file:file create_file_perms;
|
|
allow drmserver tee_device:chr_file rw_file_perms;
|
|
allow drmserver { app_data_file privapp_data_file }:file { read write getattr };
|
|
allow drmserver sdcard_type:file { read write getattr };
|
|
r_dir_file(drmserver, efs_file)
|
|
|
|
type drmserver_socket, file_type;
|
|
|
|
# /data/app/tlcd_sock socket file.
|
|
# Clearly, /data/app is the most logical place to create a socket. Not.
|
|
allow drmserver apk_data_file:dir rw_dir_perms;
|
|
allow drmserver drmserver_socket:sock_file create_file_perms;
|
|
# Delete old socket file if present.
|
|
allow drmserver apk_data_file:sock_file unlink;
|
|
|
|
# After taking a video, drmserver looks at the video file.
|
|
r_dir_file(drmserver, media_rw_data_file)
|
|
|
|
# Read resources from open apk files passed over Binder.
|
|
allow drmserver apk_data_file:file { read getattr };
|
|
allow drmserver asec_apk_file:file { read getattr };
|
|
allow drmserver ringtone_file:file { read getattr };
|
|
|
|
# Read /data/data/com.android.providers.telephony files passed over Binder.
|
|
allow drmserver radio_data_file:file { read getattr };
|
|
|
|
# /oem access
|
|
allow drmserver oemfs:dir search;
|
|
allow drmserver oemfs:file r_file_perms;
|
|
|
|
add_service(drmserver, drmserver_service)
|
|
allow drmserver permission_service:service_manager find;
|
|
|
|
selinux_check_access(drmserver)
|
|
|
|
r_dir_file(drmserver, cgroup)
|
|
r_dir_file(drmserver, system_file)
|