From 5da6b8a8c10a57dc4e4d977e4b126d3d2f92eef3 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Wed, 12 Mar 2014 13:31:14 -0400
Subject: Get rid of separate platform_app_data_file type.
The original concept was to allow separation between /data/data/ files of "platform" apps (signed by one of the four build keys) and untrusted apps. But we had to allow read/write to support passing of open files via Binder or local socket for compatibilty, and it seems that direct open by pathname is in fact used in Android as well, only passing the pathname via Binder or local socket. So there is no real benefit to keeping it as a separate type. Retain a type alias for platform_app_data_file to app_data_file until restorecon /data/data support is in place to provide compatibility.
Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley
---
 app.te | 4 ----
 file.te | 3 ++-
 installd.te | 1 -
 media_app.te | 1 +
 seapp_contexts | 10 +++++-----
 5 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/app.te b/app.te
index d90185c..8c4b2a3 100644
--- a/app.te
+++ b/app.te
@@ -32,10 +32,6 @@ binder_call(appdomain, surfaceflinger)
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
-# Read/write data files created by the platform apps if they
-# were passed to the app via binder or local IPC. Do not allow open.
-allow appdomain platform_app_data_file:file { getattr read write };
-
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute open };
diff --git a/file.te b/file.te
index 69e5c82..c901ec7 100644
--- a/file.te
+++ b/file.te
@@ -58,7 +58,8 @@ type camera_calibration_file, file_type, data_file_type;
 type adb_keys_file, file_type, data_file_type;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
-type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+typealias app_data_file alias platform_app_data_file;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
 # Type for /cache/.*\.{data|restore} and default
diff --git a/installd.te b/installd.te
index 1d3ef0a..1151155 100644
--- a/installd.te
+++ b/installd.te
@@ -24,7 +24,6 @@ selinux_check_context(installd)
 # Read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(installd)
 # ASEC
-allow installd platform_app_data_file:lnk_file { create setattr rename relabelto };
 allow installd app_data_file:lnk_file { create setattr };
 allow installd asec_apk_file:file r_file_perms;
 allow installd bluetooth_data_file:lnk_file { create setattr };
diff --git a/media_app.te b/media_app.te
index f0f987f..44d5885 100644
--- a/media_app.te
+++ b/media_app.te
@@ -10,4 +10,5 @@ platform_app_domain(media_app)
 net_domain(media_app)
 unconfined_domain(media_app)
 relabelto_domain(media_app)
+allow media_app app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
diff --git a/seapp_contexts b/seapp_contexts
index 41d3dd8..8904fe1 100644
--- a/seapp_contexts
+++ b/seapp_contexts
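Review bot: In the file.te hunk, the comment above the new `typealias` line says where the old name came from but not that the alias is temporary. The commit message ties its lifetime to restorecon /data/data support, and that condition belongs next to the rule, e.g. `# Compatibility with type name used in Android 4.3 and 4.4; drop once restorecon of /data/data is in place.` The removed declaration also carried `mlstrustedobject`, which `app_data_file` as declared in this hunk does not. Unless the attribute is attached elsewhere, files still carrying the old label lose their exemption from MLS constraints, which is worth confirming for any domain that sets a level.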
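Review bot: In the media_app.te hunk, the added `allow media_app app_data_file:dir relabelfrom;` has no comment saying which directory it is meant for. After this commit `app_data_file` labels the /data/data directories of untrusted apps as well as platform-signed ones, so at the type-enforcement level the rule covers every app sandbox directory media_app can otherwise reach. The following `download_file:dir relabelto` line suggests the pair exists to relabel a downloads directory; if so, say it in the file, e.g. `# Relabel the downloads directory from app_data_file to download_file.` (wording for the author to confirm).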
@@ -37,10 +37,10 @@ user=system domain=system_app type=system_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
-user=_app domain=untrusted_app type=app_data_file levelFrom=none
-user=_app seinfo=platform domain=platform_app type=platform_app_data_file
-user=_app seinfo=shared domain=shared_app type=platform_app_data_file
-user=_app seinfo=media domain=media_app type=platform_app_data_file
-user=_app seinfo=release domain=release_app type=platform_app_data_file
+user=_app domain=untrusted_app type=app_data_file
+user=_app seinfo=platform domain=platform_app type=app_data_file
+user=_app seinfo=shared domain=shared_app type=app_data_file
+user=_app seinfo=media domain=media_app type=app_data_file
+user=_app seinfo=release domain=release_app type=app_data_file
 user=_isolated domain=isolated_app
 user=shell domain=shell type=shell_data_file
-- 
cgit v1.2.3
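Review bot: In the seapp_contexts hunk, the untrusted_app entry also loses `levelFrom=none`, which the commit message does not mention. If `none` is the parser default this is a no-op, but it should be stated in the description or split into its own change. With all five `user=_app` entries now mapping to `type=app_data_file` and none setting a level, these entries give platform-signed and untrusted app data the same label, so separation between them appears to rest on UID-based DAC. A comment above the block would record that, e.g. `# All app data shares app_data_file; per-app separation relies on DAC (and MLS categories where levelFrom is set).`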