update isolated_app service_manager rules

isolated apps should only be able to access 2 services. Remove access permissions for services inappropriately added, and add a neverallow rule to prevent regressions. Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01
author: Nick Kralevich <nnk@google.com> 2015-03-05 12:10:30 -0800
committer: Nick Kralevich <nnk@google.com> 2015-03-05 12:12:00 -0800
commit: 75f34dc392b6d13818565fddd6da0111a4edefe5 (patch)
tree: cbedbeb6aefea85fad75553859a6d7bde8a5c07d /app.te
parent: 723e31efe568bf3372205cb539436fb1ecef4e3f (diff)
download: android_external_sepolicy-75f34dc392b6d13818565fddd6da0111a4edefe5.tar.gz
android_external_sepolicy-75f34dc392b6d13818565fddd6da0111a4edefe5.tar.bz2
android_external_sepolicy-75f34dc392b6d13818565fddd6da0111a4edefe5.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/app.te b/app.te
index c17c903..89c81cf 100644
--- a/app.te
+++ b/app.te
@@ -182,9 +182,9 @@ control_logd(appdomain)
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
 
-use_keystore(appdomain)
+use_keystore({ appdomain -isolated_app })
 
 ###
 ### Neverallow rules
author	Nick Kralevich <nnk@google.com>	2015-03-05 12:10:30 -0800
committer	Nick Kralevich <nnk@google.com>	2015-03-05 12:12:00 -0800
commit	75f34dc392b6d13818565fddd6da0111a4edefe5 (patch)
tree	cbedbeb6aefea85fad75553859a6d7bde8a5c07d /app.te
parent	723e31efe568bf3372205cb539436fb1ecef4e3f (diff)
download	android_external_sepolicy-75f34dc392b6d13818565fddd6da0111a4edefe5.tar.gz android_external_sepolicy-75f34dc392b6d13818565fddd6da0111a4edefe5.tar.bz2 android_external_sepolicy-75f34dc392b6d13818565fddd6da0111a4edefe5.zip