Skip to content
Snippets Groups Projects
Commit 3ea6027a authored by Stephen Smalley's avatar Stephen Smalley Committed by Android Git Automerger
Browse files

am 356f4be6: Restrict requesting contexts other than policy-defined defaults.

* commit '356f4be6':
  Restrict requesting contexts other than policy-defined defaults.
parents 219cef14 356f4be6
No related branches found
No related tags found
No related merge requests found
......@@ -3,6 +3,7 @@
type adbd, domain;
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
......
......@@ -11,7 +11,7 @@ allow domain tmpfs:file { read getattr };
allow domain tmpfs:dir r_dir_perms;
# Intra-domain accesses.
allow domain self:process ~{ execmem execstack execheap ptrace };
allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
......
......@@ -27,3 +27,9 @@ allow init watchdogd:process transition;
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
# Life begins with the kernel.
type kernel, domain;
# setcon to init domain.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;
# The kernel is unconfined.
......
......@@ -15,3 +15,6 @@ allow recovery dev_type:blk_file rw_file_perms;
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery tmpfs:file rx_file_perms;
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
......@@ -21,4 +21,5 @@ allow runas self:capability { setuid setgid };
# read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(runas)
selinux_check_context(runas) # validate context
allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon
......@@ -20,3 +20,6 @@ allow ueventd dev_type:blk_file { create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
......@@ -9,6 +9,7 @@ allow zygote self:capability { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment