platform_system_sepolicy/system.te
Stephen Smalley 124720a697 Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
2012-04-04 10:11:16 -04:00

169 lines
5.1 KiB
Text

#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
app_domain(system_app)
# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)
binder_transfer(system_app, appdomain)
# Read and write system data files.
# May want to split into separate types.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };
# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)
# Read SELinux enforcing status.
selinux_getenforce(system_app)
bool settings_manage_selinux true;
if (settings_manage_selinux) {
# Allow settings app to set SELinux to enforcing
selinux_setenforce(system_app)
# Allow settings app to set SELinux booleans
selinux_setbool(system_app)
}
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system, domain, mlstrustedsubject;
# Child of the zygote.
allow system zygote:fd use;
allow system zygote:process sigchld;
allow system zygote_tmpfs:file read;
# system server gets network and bluetooth permissions.
net_domain(system)
bluetooth_domain(system)
# These are the capabilities assigned by the zygote to the
# system server.
# XXX See if we can remove some of these.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
# Use netlink uevent sockets.
allow system self:netlink_kobject_uevent_socket *;
# Kill apps.
allow system appdomain:process { sigkill signal };
# Set scheduling info for apps.
allow system appdomain:process setsched;
# Read /proc data for apps.
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;
# Write to /proc/net/xt_qtaguid/ctrl.
# XXX Split /proc/net into its own type.
allow system proc:file write;
# Notify init of death.
allow system init:process sigchld;
# Talk to init and various daemons via sockets.
unix_socket_connect(system, property, init)
unix_socket_connect(system, qemud, qemud)
unix_socket_connect(system, installd, installd)
unix_socket_connect(system, netd, netd)
unix_socket_connect(system, vold, vold)
unix_socket_connect(system, zygote, zygote)
unix_socket_connect(system, keystore, keystore)
unix_socket_connect(system, dbus, dbusd)
unix_socket_connect(system, gps, gpsd)
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_send(system, wpa, wpa)
# Perform Binder IPC.
tmpfs_domain(system)
binder_use(system)
binder_call(system, binderservicedomain)
binder_call(system, appdomain)
binder_service(system)
# Transfer other Binder references.
binder_transfer(system, binderservicedomain)
binder_transfer(system, appdomain)
# Read /proc/pid files for Binder clients.
r_dir_file(system, appdomain)
r_dir_file(system, mediaserver)
allow system appdomain:process getattr;
allow system mediaserver:process getattr;
# Specify any arguments to zygote.
allow system self:zygote *;
# Check SELinux permissions.
selinux_check_access(system)
# XXX Label sysfs files with a specific type?
allow system sysfs:file rw_file_perms;
allow system sysfs_nfc_power_writable:file rw_file_perms;
# Access devices.
allow system device:dir r_dir_perms;
allow system device:chr_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system graphics_device:chr_file rw_file_perms;
allow system input_device:dir r_dir_perms;
allow system input_device:chr_file rw_file_perms;
allow system tty_device:chr_file rw_file_perms;
allow system urandom_device:chr_file rw_file_perms;
allow system video_device:chr_file rw_file_perms;
allow system qemu_device:chr_file rw_file_perms;
# Manage data files.
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;
# Read /file_contexts.
allow system rootfs:file r_file_perms;
# Relabel apk files.
allow system apk_tmp_file:file { relabelfrom relabelto };
allow system apk_data_file:file { relabelfrom relabelto };
# Relabel wallpaper.
allow system system_data_file:file relabelfrom;
allow system wallpaper_file:file relabelto;
allow system wallpaper_file:file r_file_perms;
# Property Service write
allow system system_prop:property_service set;
# ctl interface
allow system ctl_default_prop:property_service set;
# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;
# Manage cache files.
allow system cache_file:dir create_dir_perms;
allow system cache_file:file create_file_perms;
# Run system programs, e.g. dexopt.
allow system system_file:file x_file_perms;
# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
allow system domain:dir r_dir_perms;
allow system domain:file r_file_perms;