author | repo sync <gcondra@google.com> | 2013-05-17 17:11:29 -0700 |
---|---|---|
committer | repo sync <gcondra@google.com> | 2013-05-20 11:08:05 -0700 |
commit | 77d4731e9d30c8971e076e2469d6957619019921 (patch) | |
tree | a09ca764a3474bfaf20c0aafee0bf3a907d382fe /drmserver.te | |
parent | 42cabf341c8a600a218023ec69b3518e3d3d482c (diff) | |
Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
Diffstat (limited to 'drmserver.te')
-rw-r--r-- | drmserver.te | 27 |
1 files changed, 1 insertions, 26 deletions
diff --git a/drmserver.te b/drmserver.te
index 79f8613..c9fc5f6 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -4,29 +4,4 @@ permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
-typeattribute drmserver mlstrustedsubject;
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-# Talk to the tee
-allow drmserver tee:unix_stream_socket { connectto };
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver apk_data_file:dir { write add_name remove_name };
-allow drmserver apk_data_file:sock_file { create setattr unlink };
-allow drmserver sdcard_type:file { read write getattr };
-allow drmserver efs_file:file { open read getattr };
+unconfined_domain(drmserver)
|
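Review bot: The added `unconfined_domain(drmserver)` line has no comment saying it is a stopgap or which accesses the domain actually needs, and the 26 removed lines were the file's only record of those needs (Binder to system and mediaserver, the tee socket and `tee_device`, `drm_data_file`). A short comment above the macro call would keep that record next to the rule, for example `# TEMPORARY: unconfined while base policy is reworked; known needs: binder, tee, drm_data_file`. The macro's definition is outside this hunk, so its exact grant is inferred from its name; if it is as broad as the name suggests, the domain would remain unrestricted even after `permissive drmserver;` is dropped, so both lines should be revisited together when the rules are tightened. The start of drmserver.te (lines 1-3) is outside the hunk.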