Commit c34de15a authored by Nick Kralevich's avatar Nick Kralevich Committed by Gerrit Code Review

Merge "Clean up, unify, and deduplicate app domain rules."

parents 222c8229 b0db712b
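--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -42,7 +42,7 @@ allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
@@ -69,7 +69,7 @@ allow appdomain anr_data_file:file { open append };
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 # Write to /proc/net/xt_qtaguid/ctrl file.
@@ -89,14 +89,11 @@ binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
 # are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
@@ -112,6 +109,10 @@ allow appdomain download_file:file r_file_perms;
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
+# Access SDcard.
+allow appdomain sdcard_type:dir create_dir_perms;
+allow appdomain sdcard_type:file create_file_perms;
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #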
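Review bot: The new `allow appdomain sdcard_type:dir create_dir_perms;` / `allow appdomain sdcard_type:file create_file_perms;` pair in the last hunk is broader than the per-domain rules it replaces elsewhere in this commit: bluetooth only had sdcard_internal, system_app's hunk only had `sdcard_type:dir r_dir_perms`, and isolated_app's removed rule block shows no sdcard access at all, yet `app_domain(isolated_app)` presumably places it under appdomain, so isolated processes now get full create/write on the sdcard. If isolated_app and system_app are not meant to gain that, keep the rule on a narrower set than appdomain; either way record the decision above the rule, e.g. `# Access SDcard. Granted to every app domain, including isolated_app; system_app was previously read-only here.`. In the third hunk, `allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };` likewise widens the former appdomain/isolated_app pair to any two app domains, while the comment above it still describes only the Chrome isolated-service case and should state that the rule is now general. The removed `r_dir_file(appdomain, isolated_app)` has no visible replacement in this commit; if nothing re-grants it, apps lose read access to objects labelled isolated_app.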
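--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -43,10 +43,6 @@ unix_socket_connect(bluetooth, property, init)
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-# bluetooth file transfers
-allow bluetooth sdcard_internal:dir create_dir_perms;
-allow bluetooth sdcard_internal:file create_file_perms;
 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;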
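--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -12,12 +12,3 @@
 type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow isolated_app appdomain:unix_stream_socket { read write };
-allow isolated_app dalvikcache_data_file:file execute;
-allow isolated_app apk_data_file:dir getattr;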
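--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -10,20 +10,15 @@ binder_service(media_app)
 net_domain(media_app)
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir (in particular, file_contexts for restorecon).
-allow media_app rootfs:file r_file_perms;
+# Create download files.
 allow media_app download_file:dir rw_dir_perms;
 allow media_app download_file:file create_file_perms;
 # Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
 allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
+# inherits from platformappdomain.te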
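Review bot: The removed `allow media_app cache_file:dir rw_dir_perms;` comes back for this domain through the new platformappdomain rule `allow platformappdomain cache_file:dir create_dir_perms;` (per the `# inherits from platformappdomain.te` trailer added here), which is a step up from rw_dir_perms if create_dir_perms adds create/rmdir/setattr as the usual macro definitions do; platform_app and release_app take the same step in their hunks. If the wider set is intended for all platform app domains, say so where the rule now lives, e.g. `# Write to /cache. create_dir_perms rather than the former per-domain rw_dir_perms: <state why>`, otherwise keep rw_dir_perms there. Separately, `allow media_app rootfs:file r_file_perms;` (which the old comment justified as reading file_contexts for restorecon) and the two `unlabeled` getattr rules are dropped with no replacement visible in this commit, while the relabelto_domain/relabelfrom/relabelto rules at the end of the hunk stay; unless something else grants the read, a restorecon by media_app would now be denied on file_contexts, and a stat of /cache/lost+found would be denied as well.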
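--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -13,6 +13,3 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
-allow nfc sdcard_type:dir create_dir_perms;
-allow nfc sdcard_type:file create_file_perms;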
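--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -10,10 +10,7 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
+# Read from /data/local/tmp or /data/data/com.android.shell.
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
@@ -26,20 +23,5 @@ allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 # Access download files.
 allow platform_app download_file:file rw_file_perms;
-# Allow BackupManagerService to backup all app domains
-allow platform_app appdomain:fifo_file write;
-#
-# Rules for all platform app domains.
-#
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
+# inherits from platformappdomain.te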
#
# Rules for all platform app domains.
# These rules are inherited by any domain that includes platform_app_domain().
# Presently this consists of the four app domains corresponding to apps
# signed by one of the four build keys: platform_app, shared_app, media_app,
# release_app. These app domains use platform_app_data_file rather
# than app_data_file for their /data/data directories (as specified via
# type= in seapp_contexts) and have greater permissions to specific
# directories owned by groups that are restricted to apps with
# Android permissions that are signature|system.
# App sandbox file accesses.
allow platformappdomain platform_app_data_file:dir create_dir_perms;
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
allow platformappdomain platform_app_data_file:file execute;
# Access to /data/media.
allow platformappdomain media_rw_data_file:dir create_dir_perms;
allow platformappdomain media_rw_data_file:file create_file_perms;
# Write to /cache.
allow platformappdomain cache_file:dir create_dir_perms;
allow platformappdomain cache_file:file create_file_perms;
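--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -11,6 +11,4 @@ net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
-# Write to /cache.
-allow release_app cache_file:dir rw_dir_perms;
-allow release_app cache_file:file create_file_perms;
+# inherits from platformappdomain.te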
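--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -10,3 +10,5 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
+# inherits from platformappdomain.te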
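--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -5,10 +5,6 @@ allow shelldomain shell_data_file:dir create_dir_perms;
 allow shelldomain shell_data_file:file create_file_perms;
 allow shelldomain shell_data_file:file rx_file_perms;
-# Access sdcard.
-allow shelldomain sdcard_type:dir create_dir_perms;
-allow shelldomain sdcard_type:file create_file_perms;
 # adb bugreport
 unix_socket_connect(shelldomain, dumpstate, dumpstate)
@@ -29,13 +25,3 @@ allow shelldomain shell_prop:property_service set;
 allow shelldomain ctl_dumpstate_prop:property_service set;
 allow shelldomain debug_prop:property_service set;
 allow shelldomain powerctl_prop:property_service set;
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shelldomain, non_system_app_set)
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shelldomain app_data_file:dir search;
-# ps and ps -Z output for app processes.
-r_dir_file(shelldomain, appdomain)
-allow shelldomain appdomain:process getattr;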
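--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -20,12 +20,6 @@ allow system_app wallpaper_file:file r_file_perms;
 # Write to dalvikcache.
 allow system_app dalvikcache_data_file:file { write setattr };
-# Read SELinux enforcing status.
-selinux_getenforce(system_app)
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;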
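--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -32,14 +32,6 @@ allow untrusted_app app_data_file:file rx_file_perms;
 allow untrusted_app tun_device:chr_file rw_file_perms;
-# Internal SDCard rw access.
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-# External SDCard rw access.
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
 # ASEC
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;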