Something went wrong on our end
-
dcashman authoredSystem services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
dcashman authoredSystem services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
platform_app.te 2.51 KiB
###
### Apps signed with the platform key.
###
type platform_app, domain;
app_domain(platform_app)
# Access the network.
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;
# Access to /data/media.
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app tmp_system_server_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
-accessibility_service
-account_service
-activity_service
-appops_service
-appwidget_service
-assetatlas_service
-audio_service
-batterystats_service
-bluetooth_manager_service
-connectivity_service
-content_service
-device_policy_service
-display_service
-dreams_service
-dropbox_service
-fingerprint_service
-graphicsstats_service
-input_method_service
-input_service
-lock_settings_service
-media_projection_service
-media_router_service
-media_session_service
-mount_service
-netpolicy_service
-netstats_service
-network_management_service
-notification_service
-power_service -registry_service
-search_service
-sensorservice_service
-statusbar_service
-trust_service
-uimode_service
-usb_service
-user_service
-vibrator_service
-wallpaper_service
-webviewupdate_service
-wifi_service
}:service_manager find;