author | Stephen Smalley <sds@tycho.nsa.gov> | 2013-10-23 13:12:55 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2013-10-23 13:12:55 -0400 |
commit | 5637099a252c7ef647ca22d1d1094d67f54bb916 (patch) | |
tree | a9d35c3b56b047b021be8721ad6333c8fb569166 /system_app.te | |
parent | d7fd22e601293ffae0de2166b226adbae1f7e33e (diff) | |
Confine all app domains, but make them permissive for now.
As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.
Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'system_app.te')
-rw-r--r-- | system_app.te | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/system_app.te b/system_app.te index d274ac1..a8ad762 100644 --- a/system_app.te +++ b/system_app.te @@ -4,5 +4,32 @@ # server. # type system_app, domain; +permissive system_app; app_domain(system_app) -unconfined_domain(system_app) + +# Perform binder IPC to any app domain. +binder_call(system_app, appdomain) + +# Read and write system data files. +# May want to split into separate types. +allow system_app system_data_file:dir create_dir_perms; +allow system_app system_data_file:file create_file_perms; + +# Read wallpaper file. +allow system_app wallpaper_file:file r_file_perms; + +# Write to dalvikcache. +allow system_app dalvikcache_data_file:file { write setattr }; + +# Talk to keystore. +unix_socket_connect(system_app, keystore, keystore) + +# Read SELinux enforcing status. +selinux_getenforce(system_app) + +# Settings app reads sdcard for storage stats +allow system_app sdcard_type:dir r_dir_perms; + +# Allow settings app to read from asec +allow system_app asec_apk_file:dir search; +allow system_app asec_apk_file:file r_file_perms; |
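Review bot: the rule `allow system_app dalvikcache_data_file:file { write setattr };` is documented only as "Write to dalvikcache", which does not say which system app needs to modify cached files or why. Write access to the Dalvik cache from every process in the system_app domain is the widest grant in this hunk, so please name the caller in the comment. Alternatively, drop the rule and rely on the denials logged while `permissive system_app;` is in place to show whether it is needed. The same applies to the `sdcard_type` and `asec_apk_file` rules: their comments attribute them to the Settings app, but they are granted to all of system_app, so either note that the wider scope is intended or record it as a follow-up next to the existing "May want to split into separate types" remark.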