tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/unconfined.te
Nick Kralevich ee49c0e36a remove shell_data_file from unconfined. 
Domains which want to access /data/local/tmp must do so by
creating their own SELinux domain.

Bug: 15164984
Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0
2014-06-07 10:00:59 -07:00

83 lines
3.4 KiB
Text
Raw Blame History

#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
######################################################
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
allow unconfineddomain domain:process {
fork
sigchld
sigkill
sigstop
signull
signal
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
noatsecure
siginh
setrlimit
rlimitinh
};
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:socket_class_set *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain { rootfs system_file exec_type }:file execute;
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
allow unconfineddomain { property_type -security_prop }:property_service set;
Reference in a new issue View git blame Copy permalink