tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/system.te
Geremy Condra 217f8afc18 Fix more long-tail denials. 
For additional context-

The denials related to init_tmpfs are of the form:

denied  { read } for  pid=12315 comm=""dboxed_process0"" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev=""tmpfs"" ino=9464 scontext=u:r:isolated_app:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

(the path above is "/dev/ashmem/dalvik-heap (deleted)")

The denials related to executing things from the dalvik cache are of the form:

enied  { execute } for  pid=3565 comm=""dboxed_process0"" path=""/data/dalvik-cache/system@app@Chrome.apk@classes.dex"" dev=""mmcblk0p28"" ino=105983 scontext=u:r:isolated_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

The denials related to isolated_app and the init socket are:

denied  { getattr } for  pid=3824 comm=""Binder_2"" path=""socket:[14059]"" dev=""sockfs"" ino=14059 scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

The getopt denials for the aforementioned socket are:

denied  { getopt } for  pid=3824 comm=""Binder_2"" path=""/dev/socket/dumpstate"" scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

Change-Id: I3c57702e2af5a779a7618da9aa40930e7f12ee49
2013-09-05 16:45:04 -07:00

23 lines
785 B
Text
Raw Blame History

type system_app, domain;
permissive system_app;
app_domain(system_app)
unconfined_domain(system_app)
type system, domain;
permissive system;
unconfined_domain(system);
relabelto_domain(system);
# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system self:zygote { specifyids specifyrlimits specifyseinfo };
allow system backup_data_file:dir relabelto;
allow system cache_backup_file:dir relabelto;
allow system anr_data_file:dir relabelto;
allow system system_data_file:dir relabelto;
allow system apk_data_file:file relabelto;
allow system apk_tmp_file:file relabelto;
allow system cache_backup_file:file relabelto;
allow system apk_private_tmp_file:file relabelto;
allow system wallpaper_file:file relabelto;
Reference in a new issue View git blame Copy permalink