1196d2a576
Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
81 lines
2.1 KiB
Text
81 lines
2.1 KiB
Text
#
|
|
# Apps that run with the system UID, e.g. com.android.system.ui,
|
|
# com.android.settings. These are not as privileged as the system
|
|
# server.
|
|
#
|
|
type system_app, domain;
|
|
app_domain(system_app)
|
|
net_domain(system_app)
|
|
binder_service(system_app)
|
|
|
|
# Read and write /data/data subdirectory.
|
|
allow system_app system_app_data_file:dir create_dir_perms;
|
|
allow system_app system_app_data_file:file create_file_perms;
|
|
|
|
# Read and write to other system-owned /data directories, such as
|
|
# /data/system/cache and /data/misc/keychain.
|
|
allow system_app system_data_file:dir create_dir_perms;
|
|
allow system_app system_data_file:file create_file_perms;
|
|
# Audit writes to these directories and files so we can identify
|
|
# and possibly move these directories into their own type in the future.
|
|
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
|
|
auditallow system_app system_data_file:file { create setattr append write link unlink rename };
|
|
|
|
# Read wallpaper file.
|
|
allow system_app wallpaper_file:file r_file_perms;
|
|
|
|
# Write to dalvikcache.
|
|
allow system_app dalvikcache_data_file:file { write setattr };
|
|
|
|
# Write to properties
|
|
unix_socket_connect(system_app, property, init)
|
|
allow system_app debug_prop:property_service set;
|
|
allow system_app net_radio_prop:property_service set;
|
|
allow system_app system_radio_prop:property_service set;
|
|
auditallow system_app net_radio_prop:property_service set;
|
|
auditallow system_app system_radio_prop:property_service set;
|
|
allow system_app system_prop:property_service set;
|
|
allow system_app ctl_bugreport_prop:property_service set;
|
|
allow system_app logd_prop:property_service set;
|
|
|
|
# Create /data/anr/traces.txt.
|
|
allow system_app anr_data_file:dir ra_dir_perms;
|
|
allow system_app anr_data_file:file create_file_perms;
|
|
|
|
allow system_app keystore:keystore_key {
|
|
test
|
|
get
|
|
insert
|
|
delete
|
|
exist
|
|
saw
|
|
reset
|
|
password
|
|
lock
|
|
unlock
|
|
zero
|
|
sign
|
|
verify
|
|
grant
|
|
duplicate
|
|
clear_uid
|
|
};
|
|
|
|
auditallow system_app keystore:keystore_key {
|
|
test
|
|
get
|
|
insert
|
|
delete
|
|
exist
|
|
reset
|
|
password
|
|
lock
|
|
unlock
|
|
sign
|
|
verify
|
|
grant
|
|
duplicate
|
|
clear_uid
|
|
};
|
|
|
|
control_logd(system_app)
|