author | Andres Morales <anmorales@google.com> | 2015-04-16 13:40:57 -0700 |
---|---|---|
committer | Andres Morales <anmorales@google.com> | 2015-04-17 10:41:09 -0700 |
commit | b348f8f55d20026aadcaf4d393294da9a66ce883 (patch) | |
tree | bdcb4384f50495e61e488da6095edb069fd4807c | |
parent | dd156fc377c2892752fb5b38c5cca4c3e7484054 (diff) | |
New rules for SID access
Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e
-rw-r--r-- | gatekeeperd.te | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 4a50e2c..5f27aa9 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -17,6 +17,12 @@ allow gatekeeperd keystore:keystore_key { add_auth };
 allow gatekeeperd system_server:binder call;
 allow gatekeeperd permission_service:service_manager find;
 
-neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
+# for SID file access
+allow gatekeeperd system_data_file:dir { add_name write};
+allow gatekeeperd system_data_file:file { write create open };
+
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
-neverallow { domain -system_server } gatekeeperd:binder call; |
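Review bot: The two removed `neverallow` rules are dropped outright rather than narrowed, so after this hunk no build-time assertion stops a later policy change from granting another domain `find` on `gatekeeper_service` or a binder call into gatekeeperd. Keeping both with the new client excluded would preserve the guard: `neverallow { domain -gatekeeperd -system_server -untrusted_app } gatekeeper_service:service_manager find;` and `neverallow { domain -system_server -untrusted_app } gatekeeperd:binder call;`. Separately, the SID file rules grant `add_name`/`write` on directories and `create`/`write`/`open` on files of the generic `system_data_file` type, so gatekeeperd could create or modify any file carrying that label in a directory it can reach, not only the SID file. A dedicated type for the SID file, with a matching file_contexts entry and a type transition, would confine that write access to the one file the comment describes.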