Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AndroidSystemSEPolicy
Manage
Activity
Members
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Container registry
Model registry
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Werner Sembach
AndroidSystemSEPolicy
Commits
03ebc7f4
Commit
03ebc7f4
authored
8 years ago
by
Alex Klyubin
Committed by
android-build-merger
8 years ago
Browse files
Options
Downloads
Plain Diff
Start locking down access to services from ephemeral apps am:
6237d8b7
am:
3f239833
am:
21b96084
Change-Id: Ibbae75507699919291484e4f8d45e41758e5efad
parents
08a39920
21b96084
No related branches found
No related tags found
No related merge requests found
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
private/ephemeral_app.te
+1
-2
1 addition, 2 deletions
private/ephemeral_app.te
public/attributes
+3
-0
3 additions, 0 deletions
public/attributes
public/service.te
+75
-75
75 additions, 75 deletions
public/service.te
with
79 additions
and
77 deletions
private/ephemeral_app.te
+
1
−
2
View file @
03ebc7f4
...
...
@@ -20,8 +20,7 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
# services
allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
# TODO: Replace app_api_service with a smaller ephemeral_api_service
allow ephemeral_app app_api_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
###
### neverallow rules
...
...
This diff is collapsed.
Click to expand it.
public/attributes
+
3
−
0
View file @
03ebc7f4
...
...
@@ -76,6 +76,9 @@ attribute system_server_service;
# services which should be available to all but isolated apps
attribute app_api_service;
# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;
# services which export only system_api
attribute system_api_service;
...
...
This diff is collapsed.
Click to expand it.
public/service.te
+
75
−
75
View file @
03ebc7f4
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, service_manager_type;
type batteryproperties_service, app_api_service,
ephemeral_app_api_service,
service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
type default_android_service, service_manager_type;
...
...
@@ -30,113 +30,113 @@ type virtual_touchpad_service, service_manager_type;
type vr_window_manager_service, service_manager_type;
# system_server_services broken down
type accessibility_service, app_api_service, system_server_service, service_manager_type;
type account_service, app_api_service, system_server_service, service_manager_type;
type activity_service, app_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, system_server_service, service_manager_type;
type backup_service, app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, system_server_service, service_manager_type;
type accessibility_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type account_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type activity_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type alarm_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type appops_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type appwidget_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type assetatlas_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type audio_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type autofill_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type backup_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type batterystats_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type contexthub_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type IProxyService_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type connectivity_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type connmetrics_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type consumer_ir_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type content_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type country_detector_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type deviceidle_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type device_identifiers_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, system_server_service, service_manager_type;
type display_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type font_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type dreams_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type dropbox_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type ethernet_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type fingerprint_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type input_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type imms_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type jobscheduler_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type launcherapps_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type location_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type media_router_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type media_session_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type mount_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type netpolicy_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type netstats_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type network_management_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, system_server_service, service_manager_type;
type notification_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_server_service, service_manager_type;
type package_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, system_server_service, service_manager_type;
type package_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type permission_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type print_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type;
type procstats_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, system_server_service, service_manager_type;
type registry_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type restrictions_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type rttmanager_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, system_server_service, service_manager_type;
type search_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
type settings_service, app_api_service, system_server_service, service_manager_type;
type shortcut_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type settings_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type shortcut_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type statusbar_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type storagestats_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type textservices_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type telecom_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type trust_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type tv_input_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type uimode_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type usagestats_service, app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
type usagestats_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type usb_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type user_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type vibrator_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service,
ephemeral_app_api_service,
system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment