Commit b5f6977a authored by Stephen Smalley's avatar Stephen Smalley Committed by repo sync

Coalesce rules for allowing execution of shared objects by app domains.


Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent 9de4c692
......@@ -69,7 +69,6 @@ bluetooth_domain(release_app)
# set it must be an mlstrustedsubject.
type isolated_app, domain, mlstrustedsubject;
app_domain(isolated_app)
allow isolated_app system_data_file:file { open execute };
#
# Rules for platform app domains.
......@@ -81,8 +80,6 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_
# App sdcard file accesses
allow platformappdomain sdcard_type:dir create_dir_perms;
allow platformappdomain sdcard_type:file create_file_perms;
# System data file accesses (e.g, shared objects from the lib directory)
allow platformappdomain system_data_file:file { execute open };
#
# Untrusted apps.
......@@ -92,7 +89,6 @@ app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
allow untrusted_app tun_device:chr_file rw_file_perms;
allow untrusted_app system_data_file:file { execute open };
# Internal SDCard rw access.
bool app_internal_sdcard_rw true;
......@@ -140,6 +136,7 @@ allow appdomain platform_app_data_file:file { read write };
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute open };
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };
......
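Review bot: The coalesced rule `allow appdomain system_data_file:file { execute open };` in the last hunk reaches every domain that carries the appdomain attribute, which may be wider than the three per-domain rules this commit drops (isolated_app, platformappdomain, untrusted_app); release_app, visible in the first hunk's context, looks like one such extra domain. It also loses the explanation the removed platform-app comment gave, and the remaining comment above it only describes the directory. I would put a comment directly on the rule, for example `# Execute shared objects from the system-owned lib directory; applies to every app domain, including isolated_app.` Since the grant is on the generic system_data_file type rather than a type specific to the lib directory, it is worth confirming that nothing app-writable ends up with that label. The attribute's full membership is defined outside the visible hunks, so the widening is inferred, not confirmed.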