author | repo sync <gcondra@google.com> | 2013-05-17 17:11:29 -0700 |
---|---|---|
committer | repo sync <gcondra@google.com> | 2013-05-20 11:08:05 -0700 |
commit | 77d4731e9d30c8971e076e2469d6957619019921 (patch) | |
tree | a09ca764a3474bfaf20c0aafee0bf3a907d382fe /domain.te | |
parent | 42cabf341c8a600a218023ec69b3518e3d3d482c (diff) | |
Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
Diffstat (limited to 'domain.te')
-rw-r--r-- | domain.te | 122 |
1 files changed, 0 insertions, 122 deletions
@@ -1,122 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Read access to properties mapping.
-allow domain kernel:fd use;
-allow domain tmpfs:file { read getattr };
-
-# Search /storage/emulated tmpfs mount.
-allow domain tmpfs:dir r_dir_perms;
-
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
-# Intra-domain accesses.
-allow domain self:process ~{ execstack execheap };
-allow domain self:fd use;
-allow domain self:dir r_dir_perms;
-allow domain self:lnk_file r_file_perms;
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:{ unix_dgram_socket unix_stream_socket } *;
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-allow domain system:fd use;
-
-# Connect to adbd and use a socket transferred from it.
-allow domain adbd:unix_stream_socket connectto;
-allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr read write shutdown };
-
-# Talk to debuggerd.
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
-# Root fs.
-allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file read;
-allow domain devpts:dir search;
-allow domain device:file read;
-allow domain socket_device:dir search;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file r_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-allow domain binder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain powervr_device:chr_file rw_file_perms;
-allow domain log_device:dir search;
-allow domain log_device:chr_file rw_file_perms;
-allow domain nv_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file r_file_perms;
-allow domain random_device:chr_file r_file_perms;
-allow domain properties_device:file r_file_perms;
-
-# Filesystem accesses.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# System file accesses.
-allow domain system_file:dir r_dir_perms;
-allow domain system_file:file r_file_perms;
-allow domain system_file:file execute;
-allow domain system_file:lnk_file read;
-
-# Read files already opened under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:file { getattr read };
-allow domain system_data_file:lnk_file read;
-
-# Read apk files under /data/app.
-allow domain apk_data_file:dir search;
-allow domain apk_data_file:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow domain dalvikcache_data_file:dir { search getattr };
-allow domain dalvikcache_data_file:file r_file_perms;
-
-# Read already opened /cache files.
-allow domain cache_file:dir r_dir_perms;
-allow domain cache_file:file { getattr read };
-allow domain cache_file:lnk_file read;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-#Allow access to ion memory allocation device
-allow domain ion_device:chr_file rw_file_perms;
-
-# For /sys/qemu_trace files in the emulator.
-bool in_qemu false;
-if (in_qemu) {
-allow domain sysfs:file rw_file_perms;
-}
-allow domain sysfs_writable:file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(domain, proc)
-r_dir_file(domain, sysfs)
-r_dir_file(domain, inotify)
-r_dir_file(domain, cgroup)
-
-# debugfs access
-bool debugfs false;
-if (debugfs) {
-allow domain debugfs:dir r_dir_perms;
-allow domain debugfs:file rw_file_perms;
-} else {
-dontaudit domain debugfs:dir r_dir_perms;
-dontaudit domain debugfs:file rw_file_perms;
-}
-
-# security files
-allow domain security_file:dir { search getattr };
-allow domain security_file:file getattr; |