Commit e0bc1627 authored by Jeffrey Vander Stoep's avatar Jeffrey Vander Stoep Committed by android-build-merger

Merge "Migrate to upstream policy version 30" am: 9a3d490e am: 862e4ab1

am: af56999e

* commit 'af56999e':
  Migrate to upstream policy version 30
parents 46e7d2bc af56999e
...@@ -5,7 +5,7 @@ include $(CLEAR_VARS) ...@@ -5,7 +5,7 @@ include $(CLEAR_VARS)
# SELinux policy version. # SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel. # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V. # Must be within the compatibility range reported by checkpolicy -V.
POLICYVERS ?= 29 POLICYVERS ?= 30
MLS_SENS=1 MLS_SENS=1
MLS_CATS=1024 MLS_CATS=1024
......
...@@ -5,7 +5,16 @@ define(`unpriv_sock_ioctls', ` ...@@ -5,7 +5,16 @@ define(`unpriv_sock_ioctls', `
0x8900-0x8926 0x8928-0x89ff 0x8900-0x8926 0x8928-0x89ff
# all wireless extensions ioctls except get/set essid # all wireless extensions ioctls except get/set essid
# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B # IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
0x8B00-0x8B09 0x8B1C-0x8BFF 0x8B00-0x8B19 0x8B1C-0x8BFF
# commonly used TTY ioctls # commonly used TTY ioctls
0x5411 0x5451 0x5411 0x5451
}') }')
# socket ioctls never allowed to unprivileged appss
define(`priv_sock_ioctls', `
{
# Mac address SIOCGIFHWADDR
0x8927
# get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
0x8B1A-0x8B1B
}')
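Review bot: The new `priv_sock_ioctls` set names only 0x8927 and 0x8B1A-0x8B1B, while the allow-list above it still admits the full tails `0x8928-0x89ff` and `0x8B1C-0x8BFF`, which in the Linux headers include the driver-defined ranges SIOCDEVPRIVATE (0x89F0-0x89FF) and SIOCIWFIRSTPRIV (0x8BE0-0x8BFF). Those commands are implemented per driver, so it is worth confirming they are meant to be reachable by unprivileged apps, or else listing them in `priv_sock_ioctls` and removing them from the allow-list. The change from `0x8B00-0x8B09` to `0x8B00-0x8B19` looks like a hex/decimal correction, but it adds sixteen commands to the allow-list with no comment recording why. In the new comments, `appss` should be `apps` and `IOCSIWESSID` should read `SIOCSIWESSID`. The opening of `unpriv_sock_ioctls` lies outside the hunk, so the first part of its list was not reviewed.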
...@@ -18,6 +18,9 @@ allow isolated_app app_data_file:file { read write getattr lock }; ...@@ -18,6 +18,9 @@ allow isolated_app app_data_file:file { read write getattr lock };
allow isolated_app activity_service:service_manager find; allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find; allow isolated_app display_service:service_manager find;
# only allow unprivileged socket ioctl commands
allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
# Google Breakpad (crash reporter for Chrome) relies on ptrace # Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter # functionality. Without the ability to ptrace, the crash reporter
# tool is broken. # tool is broken.
...@@ -47,3 +50,7 @@ neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; ...@@ -47,3 +50,7 @@ neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_app access to /cache # Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms }; neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr }; neverallow isolated_app cache_file:file ~{ read getattr };
# do not allow privileged socket ioctl commands
neverallowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
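Review bot: The `allowxperm` and `neverallowxperm` rules added here filter ioctl commands only on `self:{ rawip_socket tcp_socket udp_socket }`, so any other socket class on which isolated_app holds `ioctl`, and any socket labeled with another domain's type, stays unfiltered. Whether such grants exist is not visible in these hunks; if they do, the MAC-address and ESSID commands in `priv_sock_ioctls` may still be reachable through them, because the kernel typically passes socket ioctls the protocol does not recognize on to the generic network-device handler. Consider widening the class set, or adding a plain `neverallow` on `ioctl` for the remaining socket classes. The comment could also say that `allowxperm` narrows an existing `ioctl` grant rather than adding one, e.g. `# restrict the already-granted socket ioctl permission to unpriv_sock_ioctls`. The same applies to the matching untrusted_app rules in the following hunks.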
...@@ -87,6 +87,9 @@ allow untrusted_app radio_service:service_manager find; ...@@ -87,6 +87,9 @@ allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find; allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find; allow untrusted_app app_api_service:service_manager find;
# only allow unprivileged socket ioctl commands
allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
# Allow GMS core to access perfprofd output, which is stored # Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all # in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one. # data stored in that directory to process them one by one.
...@@ -148,6 +151,9 @@ neverallow untrusted_app file_type:file link; ...@@ -148,6 +151,9 @@ neverallow untrusted_app file_type:file link;
# Do not allow untrusted_app to access network MAC address file # Do not allow untrusted_app to access network MAC address file
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms; neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
# do not allow privileged socket ioctl commands
neverallowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# Do not allow untrusted_app access to /cache # Do not allow untrusted_app access to /cache
neverallow untrusted_app cache_file:dir ~{ r_dir_perms }; neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
neverallow untrusted_app cache_file:file ~{ read getattr }; neverallow untrusted_app cache_file:file ~{ read getattr };