Commit 509a008f authored by Nick Kralevich's avatar Nick Kralevich Committed by android-build-merger

more ephemeral_app cleanup am: d5b6043f

am: cb7a9c1d

Change-Id: Ibf1c84344b132bcc26fa71eeda93065d78f08948
parents 70b7401d cb7a9c1d
...@@ -84,7 +84,7 @@ userdebug_or_eng(` ...@@ -84,7 +84,7 @@ userdebug_or_eng(`
# ndk-gdb invokes adb forward to forward the gdbserver socket. # ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd { app_data_file ephemeral_data_file }:dir search; allow adbd { app_data_file ephemeral_data_file }:dir search;
allow adbd { app_data_file ephemeral_data_file }:sock_file write; allow adbd { app_data_file ephemeral_data_file }:sock_file write;
allow adbd { appdomain ephemeral_app }:unix_stream_socket connectto; allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so. # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms; allow adbd zygote_exec:file r_file_perms;
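Review bot: The rewritten `connectto` rule on the new side relies on the ephemeral_app type carrying the appdomain attribute, and nothing in this diff shows that declaration; presumably it was added in the earlier change this commit builds on, but it cannot be confirmed here. If the attribute is missing, the rewrite silently drops adbd's access to ephemeral app sockets rather than failing, and the same reliance applies to every other section of this commit (audioserver, drmserver, dumpstate, hal_graphics_composer, lmkd, mediaserver, surfaceflinger, system_server and zygote). The neverallow in the third section, whose `-ephemeral_app` exclusion is dropped, would make the policy build fail only if some remaining ephemeral_app allow overlaps its target, and that target continues outside the hunk. A one-line comment near the first rewritten rule, e.g. `# ephemeral_app carries the appdomain attribute, so no separate rule is needed`, would record the assumption for later readers.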
...@@ -6,7 +6,7 @@ r_dir_file(audioserver, sdcard_type) ...@@ -6,7 +6,7 @@ r_dir_file(audioserver, sdcard_type)
binder_use(audioserver) binder_use(audioserver)
binder_call(audioserver, binderservicedomain) binder_call(audioserver, binderservicedomain)
binder_call(audioserver, { appdomain ephemeral_app }) binder_call(audioserver, appdomain)
binder_service(audioserver) binder_service(audioserver)
hwbinder_use(audioserver) hwbinder_use(audioserver)
...@@ -297,7 +297,6 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre ...@@ -297,7 +297,6 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
neverallow { neverallow {
domain domain
-appdomain -appdomain
-ephemeral_app
-dumpstate -dumpstate
-shell -shell
userdebug_or_eng(`-su') userdebug_or_eng(`-su')
...@@ -9,7 +9,7 @@ net_domain(drmserver) ...@@ -9,7 +9,7 @@ net_domain(drmserver)
# Perform Binder IPC to system server. # Perform Binder IPC to system server.
binder_use(drmserver) binder_use(drmserver)
binder_call(drmserver, system_server) binder_call(drmserver, system_server)
binder_call(drmserver, { appdomain ephemeral_app }) binder_call(drmserver, appdomain)
binder_service(drmserver) binder_service(drmserver)
# Inherit or receive open files from system_server. # Inherit or receive open files from system_server.
allow drmserver system_server:fd use; allow drmserver system_server:fd use;
...@@ -49,7 +49,7 @@ allow dumpstate pstorefs:file r_file_perms; ...@@ -49,7 +49,7 @@ allow dumpstate pstorefs:file r_file_perms;
allow dumpstate domain:process getattr; allow dumpstate domain:process getattr;
# Signal java processes to dump their stack # Signal java processes to dump their stack
allow dumpstate { appdomain ephemeral_app system_server }:process signal; allow dumpstate { appdomain system_server }:process signal;
# Signal native processes to dump their stack. # Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c # This list comes from native_processes_to_dump in dumpstate/utils.c
...@@ -85,7 +85,7 @@ r_dir_file(dumpstate, cgroup) ...@@ -85,7 +85,7 @@ r_dir_file(dumpstate, cgroup)
# Allow dumpstate to make binder calls to any binder service # Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain) binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain ephemeral_app netd wificond }) binder_call(dumpstate, { appdomain netd wificond })
# Vibrate the device after we are done collecting the bugreport # Vibrate the device after we are done collecting the bugreport
# For binderized mode: # For binderized mode:
...@@ -13,4 +13,4 @@ allow hal_graphics_composer graphics_device:chr_file rw_file_perms; ...@@ -13,4 +13,4 @@ allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
# Fences # Fences
allow hal_graphics_composer system_server:fd use; allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use; allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer {appdomain ephemeral_app}:fd use; allow hal_graphics_composer appdomain:fd use;
...@@ -14,8 +14,6 @@ allow lmkd self:capability ipc_lock; ...@@ -14,8 +14,6 @@ allow lmkd self:capability ipc_lock;
## TODO: maybe scope this down? ## TODO: maybe scope this down?
r_dir_file(lmkd, appdomain) r_dir_file(lmkd, appdomain)
allow lmkd appdomain:file write; allow lmkd appdomain:file write;
r_dir_file(lmkd, ephemeral_app)
allow lmkd ephemeral_app:file write;
r_dir_file(lmkd, system_server) r_dir_file(lmkd, system_server)
allow lmkd system_server:file write; allow lmkd system_server:file write;
...@@ -22,7 +22,7 @@ userdebug_or_eng(` ...@@ -22,7 +22,7 @@ userdebug_or_eng(`
binder_use(mediaserver) binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain) binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, { appdomain ephemeral_app }) binder_call(mediaserver, appdomain)
binder_service(mediaserver) binder_service(mediaserver)
allow mediaserver media_data_file:dir create_dir_perms; allow mediaserver media_data_file:dir create_dir_perms;
...@@ -48,7 +48,7 @@ allow mediaserver ringtone_file:file { read getattr }; ...@@ -48,7 +48,7 @@ allow mediaserver ringtone_file:file { read getattr };
allow mediaserver radio_data_file:file { read getattr }; allow mediaserver radio_data_file:file { read getattr };
# Use pipes passed over Binder from app domains. # Use pipes passed over Binder from app domains.
allow mediaserver { appdomain ephemeral_app }:fifo_file { getattr read write }; allow mediaserver appdomain:fifo_file { getattr read write };
allow mediaserver rpmsg_device:chr_file rw_file_perms; allow mediaserver rpmsg_device:chr_file rw_file_perms;
...@@ -12,7 +12,7 @@ binder_call(surfaceflinger, hal_graphics_composer) ...@@ -12,7 +12,7 @@ binder_call(surfaceflinger, hal_graphics_composer)
# Perform Binder IPC. # Perform Binder IPC.
binder_use(surfaceflinger) binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain) binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, { appdomain ephemeral_app }) binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim) binder_call(surfaceflinger, bootanim)
binder_service(surfaceflinger) binder_service(surfaceflinger)
...@@ -21,7 +21,7 @@ binder_call(surfaceflinger, adbd) ...@@ -21,7 +21,7 @@ binder_call(surfaceflinger, adbd)
# Read /proc/pid files for Binder clients. # Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain) r_dir_file(surfaceflinger, binderservicedomain)
r_dir_file(surfaceflinger, { appdomain ephemeral_app }) r_dir_file(surfaceflinger, appdomain)
# Access the GPU. # Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms; allow surfaceflinger gpu_device:chr_file rw_file_perms;
...@@ -42,7 +42,7 @@ set_prop(surfaceflinger, system_prop) ...@@ -42,7 +42,7 @@ set_prop(surfaceflinger, system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop) set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app. # Use open files supplied by an app.
allow surfaceflinger { appdomain ephemeral_app }:fd use; allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write }; allow surfaceflinger app_data_file:file { read write };
# Allow a dumpstate triggered screenshot # Allow a dumpstate triggered screenshot
...@@ -87,10 +87,10 @@ allow system_server self:socket create_socket_perms_no_ioctl; ...@@ -87,10 +87,10 @@ allow system_server self:socket create_socket_perms_no_ioctl;
allow system_server self:netlink_route_socket nlmsg_write; allow system_server self:netlink_route_socket nlmsg_write;
# Kill apps. # Kill apps.
allow system_server { appdomain ephemeral_app }:process { sigkill signal }; allow system_server appdomain:process { sigkill signal };
# Set scheduling info for apps. # Set scheduling info for apps.
allow system_server { appdomain ephemeral_app }:process { getsched setsched }; allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched }; allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched }; allow system_server hal_audio:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched }; allow system_server cameraserver:process { getsched setsched };
...@@ -151,7 +151,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt }; ...@@ -151,7 +151,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC. # Perform Binder IPC.
binder_use(system_server) binder_use(system_server)
binder_call(system_server, { appdomain ephemeral_app }) binder_call(system_server, appdomain)
binder_call(system_server, binderservicedomain) binder_call(system_server, binderservicedomain)
binder_call(system_server, dumpstate) binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd) binder_call(system_server, fingerprintd)
...@@ -428,8 +428,8 @@ allow system_server system_file:lnk_file r_file_perms; ...@@ -428,8 +428,8 @@ allow system_server system_file:lnk_file r_file_perms;
allow system_server gps_control:file rw_file_perms; allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets and pipes. # Allow system_server to use app-created sockets and pipes.
allow system_server { appdomain ephemeral_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server { appdomain ephemeral_app }:{ fifo_file unix_stream_socket } { getattr read write }; allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
# Allow abstract socket connection # Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto; allow system_server rild:unix_stream_socket connectto;
...@@ -13,15 +13,15 @@ allow zygote self:capability setpcap; ...@@ -13,15 +13,15 @@ allow zygote self:capability setpcap;
# Switch SELinux context to app domains. # Switch SELinux context to app domains.
allow zygote self:process setcurrent; allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition; allow zygote system_server:process dyntransition;
allow zygote { appdomain ephemeral_app }:process dyntransition; allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872). # Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote { appdomain ephemeral_app }:dir { getattr search }; allow zygote appdomain:dir { getattr search };
allow zygote { appdomain ephemeral_app }:file { r_file_perms }; allow zygote appdomain:file { r_file_perms };
# Move children into the peer process group. # Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid }; allow zygote system_server:process { getpgid setpgid };
allow zygote { appdomain ephemeral_app }:process { getpgid setpgid }; allow zygote appdomain:process { getpgid setpgid };
# Read system data. # Read system data.
allow zygote system_data_file:dir r_dir_perms; allow zygote system_data_file:dir r_dir_perms;
...@@ -116,7 +116,7 @@ get_prop(zygote, overlay_prop) ...@@ -116,7 +116,7 @@ get_prop(zygote, overlay_prop)
# This is achieved by ensuring that it is impossible for zygote to # This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated # setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server. # with appdomain plus system_server.
neverallow zygote ~{ appdomain ephemeral_app system_server }:process dyntransition; neverallow zygote ~{ appdomain system_server }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files. # Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote { neverallow zygote {