Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AndroidSystemSEPolicy
Manage
Activity
Members
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Container registry
Model registry
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Werner Sembach
AndroidSystemSEPolicy
Commits
ef0b7b1a
Commit
ef0b7b1a
authored
9 years ago
by
Jeffrey Vander Stoep
Committed by
Android (Google) Code Review
9 years ago
Browse files
Options
Downloads
Plain Diff
Merge "app: expand socket ioctl restrictions to all apps"
parents
3873c31f
bb1ece49
No related branches found
No related tags found
No related merge requests found
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
app.te
+3
-0
3 additions, 0 deletions
app.te
isolated_app.te
+0
-3
0 additions, 3 deletions
isolated_app.te
priv_app.te
+3
-0
3 additions, 0 deletions
priv_app.te
untrusted_app.te
+0
-3
0 additions, 3 deletions
untrusted_app.te
with
6 additions
and
6 deletions
app.te
+
3
−
0
View file @
ef0b7b1a
...
@@ -205,6 +205,9 @@ use_keystore({ appdomain -isolated_app })
...
@@ -205,6 +205,9 @@ use_keystore({ appdomain -isolated_app })
allow appdomain console_device:chr_file { read write };
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
###
###
### CTS-specific rules
### CTS-specific rules
###
###
...
...
This diff is collapsed.
Click to expand it.
isolated_app.te
+
0
−
3
View file @
ef0b7b1a
...
@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
...
@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
allow isolated_app activity_service:service_manager find;
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app display_service:service_manager find;
# only allow unprivileged socket ioctl commands
allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# tool is broken.
...
...
This diff is collapsed.
Click to expand it.
priv_app.te
+
3
−
0
View file @
ef0b7b1a
...
@@ -77,6 +77,9 @@ allow priv_app fuse_device:chr_file { read write };
...
@@ -77,6 +77,9 @@ allow priv_app fuse_device:chr_file { read write };
allow priv_app sysfs_zram:dir search;
allow priv_app sysfs_zram:dir search;
allow priv_app sysfs_zram:file r_file_perms;
allow priv_app sysfs_zram:file r_file_perms;
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
###
###
### neverallow rules
### neverallow rules
###
###
...
...
This diff is collapsed.
Click to expand it.
untrusted_app.te
+
0
−
3
View file @
ef0b7b1a
...
@@ -80,9 +80,6 @@ allow untrusted_app radio_service:service_manager find;
...
@@ -80,9 +80,6 @@ allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
# only allow unprivileged socket ioctl commands
allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
# Allow GMS core to access perfprofd output, which is stored
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
# data stored in that directory to process them one by one.
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment