From 748fdef626d1dda2a0a727ea35d85d04363f5307 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 12 Jul 2013 16:33:29 -0700
Subject: [PATCH] Move *_app into their own file
app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change.
Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
---
app.te | 78 +++++++----------------------------------------
isolated_app.te | 15 ++++++++++
media_app.te | 13 ++++++++
platform_app.te | 13 ++++++++
release_app.te | 13 ++++++++
shared_app.te | 13 ++++++++
untrusted_app.te | 17 +++++++++++
7 files changed, 94 insertions(+), 68 deletions(-)
create mode 100644 isolated_app.te
create mode 100644 media_app.te
create mode 100644 platform_app.te
create mode 100644 release_app.te
create mode 100644 shared_app.te
create mode 100644 untrusted_app.te
diff --git a/app.te b/app.te
index 22168f891..b896adadb 100644
--- a/app.te
+++ b/app.te
@@ -1,68 +1,10 @@
-#
-# Domains for apps that do not run with one of the predefined
-# platform UIDs (system, radio, nfc, ...).
-#
-
-#
-# Apps signed with the platform key.
-#
-type platform_app, domain;
-permissive platform_app;
-app_domain(platform_app)
-platform_app_domain(platform_app)
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
-
-# Apps signed with the media key.
-type media_app, domain;
-permissive media_app;
-app_domain(media_app)
-platform_app_domain(media_app)
-# Access the network.
-net_domain(media_app)
-unconfined_domain(media_app)
-relabelto_domain(media_app)
-allow media_app download_file:dir relabelto;
-
-# Apps signed with the shared key.
-type shared_app, domain;
-permissive shared_app;
-app_domain(shared_app)
-platform_app_domain(shared_app)
-# Access the network.
-net_domain(shared_app)
-# Access bluetooth.
-bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
-
-# Apps signed with the release key (testkey in AOSP).
-type release_app, domain;
-permissive release_app;
-app_domain(release_app)
-platform_app_domain(release_app)
-# Access the network.
-net_domain(release_app)
-# Access bluetooth.
-bluetooth_domain(release_app)
-unconfined_domain(release_app)
-
-# Services with isolatedProcess=true in their manifest.
-# In order for isolated_apps to interact with apps that have levelFromUid=true
-# set it must be an mlstrustedsubject.
-type isolated_app, domain, mlstrustedsubject;
-permissive isolated_app;
-app_domain(isolated_app)
-unconfined_domain(isolated_app)
-
-#
-# Untrusted apps.
-#
-type untrusted_app, domain;
-permissive untrusted_app;
-app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-unconfined_domain(untrusted_app)
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# currently empty
diff --git a/isolated_app.te b/isolated_app.te
new file mode 100644
index 000000000..57c357c19
--- /dev/null
+++ b/isolated_app.te
@@ -0,0 +1,15 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+### isolated_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type isolated_app, domain;
+permissive isolated_app;
+app_domain(isolated_app)
+unconfined_domain(isolated_app)
diff --git a/media_app.te b/media_app.te
new file mode 100644
index 000000000..f0f987fac
--- /dev/null
+++ b/media_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the media key.
+###
+
+type media_app, domain;
+permissive media_app;
+app_domain(media_app)
+platform_app_domain(media_app)
+# Access the network.
+net_domain(media_app)
+unconfined_domain(media_app)
+relabelto_domain(media_app)
+allow media_app download_file:dir relabelto;
diff --git a/platform_app.te b/platform_app.te
new file mode 100644
index 000000000..38d8fcd62
--- /dev/null
+++ b/platform_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
+permissive platform_app;
+app_domain(platform_app)
+platform_app_domain(platform_app)
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+unconfined_domain(platform_app)
diff --git a/release_app.te b/release_app.te
new file mode 100644
index 000000000..285f48300
--- /dev/null
+++ b/release_app.te
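Review bot: The new app.te header calls the file "the base policy for all zygote spawned apps", yet its body is now just `# currently empty`, so a reader who comes here to find the rules every app domain actually receives will find none. Every per-domain file in this change gets its common rules from the `app_domain()` macro (and the appdomain attribute the isolated_app.te and untrusted_app.te headers refer to), which is defined outside this change, presumably in the shared macro file; the header should say so. Suggested line after the `###` block in place of `# currently empty`: `# Common app rules are currently carried by the app_domain() macro; add rules here only when they must apply to every app domain.`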
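Review bot: The new `type isolated_app, domain;` in isolated_app.te drops the `mlstrustedsubject` attribute that the removed app.te declaration carried (`type isolated_app, domain, mlstrustedsubject;`), together with the comment explaining that isolated processes need it to interact with apps that have levelFromUid=true. That contradicts the "No functional change" claim in the description: if MLS constraints are enforced, isolated services would lose the ability to talk to their levelFromUid hosts as soon as the domain stops being permissive. Restore both lines: `# Needed to interact with apps that have levelFromUid=true set.` followed by `type isolated_app, domain, mlstrustedsubject;`. If dropping the attribute is intentional, the commit message should say why rather than claim no functional change.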
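Review bot: `relabelto_domain(media_app)` and `allow media_app download_file:dir relabelto;` are the only rules in the new media_app.te without a comment explaining them, even though the network grant above them gets one; relabel rights are what let a domain move objects between security types, so the motivation deserves recording. Suggest a comment before `relabelto_domain(media_app)` along the lines of `# Allow relabeling of download directories (download_file); needed because <reason>.`, with the reason supplied by the author since it is not visible in this change. Note also that the `unconfined_domain(media_app)` line just above presumably already covers this access, so the rule only becomes meaningful once media_app is confined.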
@@ -0,0 +1,13 @@
+###
+### Apps signed with the release key (testkey in AOSP).
+###
+
+type release_app, domain;
+permissive release_app;
+app_domain(release_app)
+platform_app_domain(release_app)
+# Access the network.
+net_domain(release_app)
+# Access bluetooth.
+bluetooth_domain(release_app)
+unconfined_domain(release_app)
diff --git a/shared_app.te b/shared_app.te
new file mode 100644
index 000000000..b66fbfbe6
--- /dev/null
+++ b/shared_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the shared key.
+###
+
+type shared_app, domain;
+permissive shared_app;
+app_domain(shared_app)
+platform_app_domain(shared_app)
+# Access the network.
+net_domain(shared_app)
+# Access bluetooth.
+bluetooth_domain(shared_app)
+unconfined_domain(shared_app)
diff --git a/untrusted_app.te b/untrusted_app.te
new file mode 100644
index 000000000..f552129e5
--- /dev/null
+++ b/untrusted_app.te
@@ -0,0 +1,17 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps. An "untrusted
+### app" is an APP with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000).
+###
+### untrusted_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type untrusted_app, domain;
+permissive untrusted_app;
+app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
+unconfined_domain(untrusted_app)
--
GitLab
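Review bot: The header `### Apps signed with the release key (testkey in AOSP).` is the only hint that on AOSP builds this domain, which is granted `platform_app_domain`, `net_domain` and `bluetooth_domain`, is keyed to a test signing key that, as the name suggests, is not a private key. That is worth spelling out so nobody treats release_app as a trust boundary on a testkey-signed build. Suggested addition to the header block: `### NOTE: AOSP's testkey is not secret; release_app is only a meaningful boundary on builds signed with a private release key.`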
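Review bot: The untrusted_app.te header says the domain "includes all the appdomain rules, plus the additional following rules", but the lines that follow are `permissive untrusted_app;` and `unconfined_domain(untrusted_app)`, which, if they do what their names say, make the listed net_domain and bluetooth_domain grants moot and leave the most exposed domain in the policy with no enforcement at all. Since this is carried over from app.te rather than introduced here, the fix is documentation: mark the two lines as bring-up state, e.g. `# TODO: bring-up only; drop permissive/unconfined_domain once the rules below are complete.` Separately, the header's `APP_AID (10000)` does not follow the `AID_*` naming used for the other two constants; if it refers to the same header as AID_ISOLATED_START, the name there is likely AID_APP and the comment should be checked against it.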