Commit b8caf7fd authored by Stephen Smalley's avatar Stephen Smalley

Move allow rules before neverallow rules.


There were a few instances where allow rules were appended
after the neverallow rules stanza in the .te file.  Also
there were some regular allow rules inserted into the CTS-specific
rules section of app.te.  Just move the rules as appropriate.
Should be no change in policy.

Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent 0233cd80
...@@ -155,6 +155,16 @@ allow appdomain apk_data_file:file { rx_file_perms execmod }; ...@@ -155,6 +155,16 @@ allow appdomain apk_data_file:file { rx_file_perms execmod };
allow appdomain resourcecache_data_file:file r_file_perms; allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms; allow appdomain resourcecache_data_file:dir r_dir_perms;
# logd access
read_logd(appdomain)
control_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
use_keystore({ appdomain -isolated_app })
### ###
### CTS-specific rules ### CTS-specific rules
### ###
...@@ -171,16 +181,6 @@ selinux_check_context(appdomain) ...@@ -171,16 +181,6 @@ selinux_check_context(appdomain)
# Validate that each process is running in the correct security context. # Validate that each process is running in the correct security context.
allow appdomain domain:process getattr; allow appdomain domain:process getattr;
# logd access
read_logd(appdomain)
control_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
use_keystore({ appdomain -isolated_app })
### ###
### Neverallow rules ### Neverallow rules
### ###
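Review bot: The two keystore rules moved into the allow section (`allow { appdomain -isolated_app } keystore:keystore_key { ... }` and `use_keystore({ appdomain -isolated_app })`) sit directly under the `# logd access` comment with nothing separating them, so they read as part of the logd block. A one-line header before them, such as `# keystore access for all apps except isolated_app`, would make the deliberate exclusion of isolated_app visible to whoever audits this file next. The description says there should be no change in policy; nothing on the page shows that the compiled policy was compared before and after the move, and that comparison would be worth recording in the commit message.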
......
...@@ -12,6 +12,11 @@ allow keystore keystore_exec:file { getattr }; ...@@ -12,6 +12,11 @@ allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file rw_file_perms; allow keystore tee_device:chr_file rw_file_perms;
allow keystore tee:unix_stream_socket connectto; allow keystore tee:unix_stream_socket connectto;
allow keystore keystore_service:service_manager { add find };
# Check SELinux permissions.
selinux_check_access(keystore)
### ###
### Neverallow rules ### Neverallow rules
### ###
...@@ -25,8 +30,3 @@ neverallow { domain -keystore -init } keystore_data_file:dir *; ...@@ -25,8 +30,3 @@ neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
neverallow domain keystore:process ptrace; neverallow domain keystore:process ptrace;
allow keystore keystore_service:service_manager { add find };
# Check SELinux permissions.
selinux_check_access(keystore)
...@@ -138,6 +138,10 @@ auditallow untrusted_app { ...@@ -138,6 +138,10 @@ auditallow untrusted_app {
-wifip2p_service -wifip2p_service
}:service_manager find; }:service_manager find;
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
### ###
### neverallow rules ### neverallow rules
### ###
...@@ -162,7 +166,3 @@ neverallow untrusted_app service_manager_type:service_manager add; ...@@ -162,7 +166,3 @@ neverallow untrusted_app service_manager_type:service_manager add;
neverallow untrusted_app property_socket:sock_file write; neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto; neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set; neverallow untrusted_app property_type:property_service set;
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
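Review bot: The comment `# Allow verifier to access staged apks.` describes a narrower grant than the two rules under it, which give every process in `untrusted_app` read access to `apk_tmp_file` and `apk_private_tmp_file` directories and files. Presumably the verifier runs in this domain, but the comment should say that the grant is domain-wide, for example `# Allow verifier to access staged apks; applies to every untrusted_app.` Now that the rules sit above the neverallow stanza, they will be read as part of the baseline for untrusted apps, so the breadth is worth stating where the rule is.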