Dependencies for new goldfish service domains.
In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service. A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them. A neverallow rule prevents us from allowing
qemu-props to set default_prop.
We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat. We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).
Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/property_contexts b/property_contexts
index f89c432..8403d38 100644
--- a/property_contexts
+++ b/property_contexts
@@ -61,3 +61,9 @@
# NFC properties
nfc. u:object_r:nfc_prop:s0
+
+# These properties are not normally set by processes other than init.
+# They are only distinguished here for setting by qemu-props on the
+# emulator/goldfish.
+config. u:object_r:config_prop:s0
+dalvik. u:object_r:dalvik_prop:s0