d33a9a194b
Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
63 lines
2.6 KiB
Text
63 lines
2.6 KiB
Text
###
|
|
### Apps signed with the platform key.
|
|
###
|
|
|
|
typeattribute platform_app domain_deprecated;
|
|
|
|
app_domain(platform_app)
|
|
|
|
# Access the network.
|
|
net_domain(platform_app)
|
|
# Access bluetooth.
|
|
bluetooth_domain(platform_app)
|
|
# Read from /data/local/tmp or /data/data/com.android.shell.
|
|
allow platform_app shell_data_file:dir search;
|
|
allow platform_app shell_data_file:file { open getattr read };
|
|
allow platform_app icon_file:file { open getattr read };
|
|
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files
|
|
# created by system server.
|
|
allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms;
|
|
allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms;
|
|
allow platform_app apk_private_data_file:dir search;
|
|
# ASEC
|
|
allow platform_app asec_apk_file:dir create_dir_perms;
|
|
allow platform_app asec_apk_file:file create_file_perms;
|
|
|
|
# Access to /data/media.
|
|
allow platform_app media_rw_data_file:dir create_dir_perms;
|
|
allow platform_app media_rw_data_file:file create_file_perms;
|
|
|
|
# Write to /cache.
|
|
allow platform_app cache_file:dir create_dir_perms;
|
|
allow platform_app cache_file:file create_file_perms;
|
|
|
|
# Direct access to vold-mounted storage under /mnt/media_rw
|
|
# This is a performance optimization that allows platform apps to bypass the FUSE layer
|
|
allow platform_app mnt_media_rw_file:dir r_dir_perms;
|
|
allow platform_app vfat:dir create_dir_perms;
|
|
allow platform_app vfat:file create_file_perms;
|
|
|
|
allow platform_app audioserver_service:service_manager find;
|
|
allow platform_app cameraserver_service:service_manager find;
|
|
allow platform_app drmserver_service:service_manager find;
|
|
allow platform_app mediaserver_service:service_manager find;
|
|
allow platform_app mediametrics_service:service_manager find;
|
|
allow platform_app mediaextractor_service:service_manager find;
|
|
allow platform_app mediacodec_service:service_manager find;
|
|
allow platform_app mediadrmserver_service:service_manager find;
|
|
allow platform_app persistent_data_block_service:service_manager find;
|
|
allow platform_app radio_service:service_manager find;
|
|
allow platform_app surfaceflinger_service:service_manager find;
|
|
allow platform_app app_api_service:service_manager find;
|
|
allow platform_app system_api_service:service_manager find;
|
|
allow platform_app vr_manager_service:service_manager find;
|
|
|
|
# Access to /data/preloads
|
|
allow platform_app preloads_data_file:file r_file_perms;
|
|
allow platform_app preloads_data_file:dir r_dir_perms;
|
|
|
|
# Access to ephemeral APKs
|
|
allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
|
|
allow platform_app ephemeral_apk_data_file:file r_file_perms;
|
|
|
|
read_runtime_log_tags(platform_app)
|