tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/system_app.te
Nick Kralevich 623975fa5a Support forcing permissive domains to unconfined. 
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00

41 lines
1.2 KiB
Text
Raw Blame History

#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
permissive_or_unconfined(system_app)
app_domain(system_app)
# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)
# Read and write system data files.
# May want to split into separate types.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };
# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)
# Read SELinux enforcing status.
selinux_getenforce(system_app)
# Settings app reads sdcard for storage stats
allow system_app sdcard_type:dir r_dir_perms;
# Allow settings app to read from asec
allow system_app asec_apk_file:dir search;
allow system_app asec_apk_file:file r_file_perms;
# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
allow system_app radio_prop:property_service set;
allow system_app system_prop:property_service set;
Reference in a new issue View git blame Copy permalink