author | Nick Kralevich <nnk@google.com> | 2015-03-05 12:10:30 -0800 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-03-05 12:12:00 -0800 |
commit | 75f34dc392b6d13818565fddd6da0111a4edefe5 (patch) | |
tree | cbedbeb6aefea85fad75553859a6d7bde8a5c07d /app.te | |
parent | 723e31efe568bf3372205cb539436fb1ecef4e3f (diff) | |
update isolated_app service_manager rules

isolated apps should only be able to access 2 services.
Remove access permissions for services inappropriately added,
and add a neverallow rule to prevent regressions.

Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01

Diffstat (limited to 'app.te')
-rw-r--r-- | app.te | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -182,9 +182,9 @@ control_logd(appdomain) # application inherit logd write socket (urge is to deprecate this long term) allow appdomain zygote:unix_dgram_socket write; -allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify }; +allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify }; -use_keystore(appdomain) +use_keystore({ appdomain -isolated_app }) ### ### Neverallow rules |
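
Review bot: The exclusion of isolated_app from keystore access in the two changed rules (`allow { appdomain -isolated_app } keystore:keystore_key ...` and `use_keystore({ appdomain -isolated_app })`) rests on set subtraction alone, and nothing in this app.te hunk prevents a later rule from granting the permission back. The commit message mentions a neverallow to prevent regressions, but this view is limited to app.te and the hunk ends at the "Neverallow rules" header without adding one; if the neverallow added elsewhere in the commit does not cover the keystore_key class, consider something like `neverallow isolated_app keystore:keystore_key *;`. The subject line also names only service_manager rules while these lines change keystore_key permissions, so a sentence in the message covering the keystore change would help later audits.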