Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AndroidSystemSEPolicy
Manage
Activity
Members
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Container registry
Model registry
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Werner Sembach
AndroidSystemSEPolicy
Commits
3d94272a
Commit
3d94272a
authored
11 years ago
by
Alex Klyubin
Committed by
Android Git Automerger
11 years ago
Browse files
Options
Downloads
Plain Diff
am
1fdee11d
: 1/2: Rename domain "system" to "system_server".
* commit '
1fdee11d
': 1/2: Rename domain "system" to "system_server".
parents
bbc0c39b
1fdee11d
No related branches found
No related tags found
No related merge requests found
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
app.te
+3
-3
3 additions, 3 deletions
app.te
domain.te
+1
-1
1 addition, 1 deletion
domain.te
seapp_contexts
+1
-1
1 addition, 1 deletion
seapp_contexts
system_server.te
+41
-0
41 additions, 0 deletions
system_server.te
zygote.te
+2
-2
2 additions, 2 deletions
zygote.te
with
48 additions
and
7 deletions
app.te
+
3
−
3
View file @
3d94272a
...
...
@@ -20,9 +20,9 @@ allow appdomain zygote_tmpfs:file read;
allow appdomain zygote:process sigchld;
# Communicate with system_server.
allow appdomain system:fifo_file rw_file_perms;
allow appdomain system:unix_stream_socket { read write setopt };
binder_call(appdomain, system)
allow appdomain system
_server
:fifo_file rw_file_perms;
allow appdomain system
_server
:unix_stream_socket { read write setopt };
binder_call(appdomain, system
_server
)
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
...
...
This diff is collapsed.
Click to expand it.
domain.te
+
1
−
1
View file @
3d94272a
...
...
@@ -20,7 +20,7 @@ allow domain self:{ unix_dgram_socket unix_stream_socket } *;
# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system:fd use;
allow domain system
_server
:fd use;
# Connect to adbd and use a socket transferred from it.
allow domain adbd:unix_stream_socket connectto;
...
...
This diff is collapsed.
Click to expand it.
seapp_contexts
+
1
−
1
View file @
3d94272a
...
...
@@ -32,7 +32,7 @@
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
isSystemServer=true domain=system
isSystemServer=true domain=system
_server
user=system domain=system_app type=system_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
...
...
This diff is collapsed.
Click to expand it.
system.te
→
system
_server
.te
+
41
−
0
View file @
3d94272a
...
...
@@ -2,14 +2,17 @@
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system, domain;
permissive system;
unconfined_domain(system);
relabelto_domain(system);
type system_server, domain;
permissive system_server;
unconfined_domain(system_server);
relabelto_domain(system_server);
# TODO: Remove the temporary alias below once the renaming of system to system_server is complete in all repositories.
typealias system_server alias system;
# These are the capabilities assigned by the zygote to the
# system server.
allow system self:capability {
allow system
_server
self:capability {
kill
net_admin
net_bind_service
...
...
@@ -24,15 +27,15 @@ allow system self:capability {
};
# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system self:zygote { specifyids specifyrlimits specifyseinfo };
type_transition system
_server
wifi_data_file:sock_file system_wpa_socket;
allow system
_server
self:zygote { specifyids specifyrlimits specifyseinfo };
allow system backup_data_file:dir relabelto;
allow system cache_backup_file:dir relabelto;
allow system anr_data_file:dir relabelto;
allow system system_data_file:dir relabelto;
allow system apk_data_file:file relabelto;
allow system apk_tmp_file:file relabelto;
allow system cache_backup_file:file relabelto;
allow system apk_private_tmp_file:file relabelto;
allow system wallpaper_file:file relabelto;
allow system
_server
backup_data_file:dir relabelto;
allow system
_server
cache_backup_file:dir relabelto;
allow system
_server
anr_data_file:dir relabelto;
allow system
_server
system_data_file:dir relabelto;
allow system
_server
apk_data_file:file relabelto;
allow system
_server
apk_tmp_file:file relabelto;
allow system
_server
cache_backup_file:file relabelto;
allow system
_server
apk_private_tmp_file:file relabelto;
allow system
_server
wallpaper_file:file relabelto;
This diff is collapsed.
Click to expand it.
zygote.te
+
2
−
2
View file @
3d94272a
...
...
@@ -9,13 +9,13 @@ allow zygote self:capability { dac_override setgid setuid fowner };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
allow zygote system:process dyntransition;
allow zygote system
_server
:process dyntransition;
allow zygote appdomain:process dyntransition;
# Allow zygote to read + write app data dirs (b/10455872 and b/10498304)
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms write };
# Move children into the peer process group.
allow zygote system:process { getpgid setpgid };
allow zygote system
_server
:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
# Write to system data.
allow zygote system_data_file:dir rw_dir_perms;
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
