5637099a25
As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
###
### platform_app: domain for apps signed with the platform key.
###

type platform_app, domain;

# Permissive for now: accesses not covered by the rules below are logged
# as denials but still allowed, so this policy does not yet restrict
# platform_app. Enforcement starts only once this declaration is removed.
permissive platform_app;

app_domain(platform_app)
platform_app_domain(platform_app)

# Network access.
net_domain(platform_app)

# Bluetooth access.
bluetooth_domain(platform_app)

# /cache: read-write on directories, create on files.
allow platform_app cache_file:dir rw_dir_perms;
allow platform_app cache_file:file create_file_perms;

# /data/local: read-only (search directories, read files and symlinks).
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { getattr open read };
allow platform_app shell_data_file:lnk_file read;

# Fill in the /data/app/vmdl*.tmp and /data/app-private/vmdl*.tmp files
# that system server creates.
allow platform_app apk_tmp_file:file rw_file_perms;
allow platform_app apk_private_tmp_file:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;

# ASEC directories and files.
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;

# Downloaded files.
allow platform_app download_file:file rw_file_perms;

# Lets BackupManagerService back up every app domain: write access to
# fifos labeled with any appdomain type.
allow platform_app appdomain:fifo_file write;
#
# Rules shared by every platform app domain (platformappdomain attribute).
#

# App sandbox: directories and every file class in notdevfile_class_set
# under platform_app_data_file.
allow platformappdomain platform_app_data_file:dir create_dir_perms;
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;

# SD card: directories and files on any sdcard_type.
allow platformappdomain sdcard_type:dir create_dir_perms;
allow platformappdomain sdcard_type:file create_file_perms;