b0db712bf0
Coalesce a number of allow rules replicated among multiple
app domains.
Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.
Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.
Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:
avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
21 lines
1.1 KiB
Text
21 lines
1.1 KiB
Text
#
|
|
# Rules for all platform app domains.
|
|
# These rules are inherited by any domain that includes platform_app_domain().
|
|
# Presently this consists of the four app domains corresponding to apps
|
|
# signed by one of the four build keys: platform_app, shared_app, media_app,
|
|
# release_app. These app domains use platform_app_data_file rather
|
|
# than app_data_file for their /data/data directories (as specified via
|
|
# type= in seapp_contexts) and have greater permissions to specific
|
|
# directories owned by groups that are restricted to apps with
|
|
# Android permissions that are signature|system.
|
|
|
|
# App sandbox file accesses.
|
|
allow platformappdomain platform_app_data_file:dir create_dir_perms;
|
|
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
|
|
allow platformappdomain platform_app_data_file:file execute;
|
|
# Access to /data/media.
|
|
allow platformappdomain media_rw_data_file:dir create_dir_perms;
|
|
allow platformappdomain media_rw_data_file:file create_file_perms;
|
|
# Write to /cache.
|
|
allow platformappdomain cache_file:dir create_dir_perms;
|
|
allow platformappdomain cache_file:file create_file_perms;
|