Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / b63e485b769ad847ef541423a671379f383a404e^2..b63e485b769ad847ef541423a671379f383a404e / .
commitb63e485b769ad847ef541423a671379f383a404e[log] [tgz]
authorNick Kralevich <nnk@google.com>Wed Dec 18 15:26:10 2013 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Wed Dec 18 15:26:11 2013 +0000
tree2ccc56513fcc5adeb62a5cc15d80954c146977cf
parent594693705f0d5768db3c3212037da5fd5d5653be [diff]
parent712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2 [diff]
Merge "Confine shell domain in -user builds only."
diff --git a/app.te b/app.te
index f3a083c..eb91793 100644
--- a/app.te
+++ b/app.te

@@ -13,6 +13,10 @@
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 
+# Needed to close the zygote socket, which involves getopt / getattr
+# This should be deleted after b/12061011 is fixed
+allow appdomain zygote:unix_stream_socket { getopt getattr };
+
 # gdbserver for ndk-gdb reads the zygote.
 allow appdomain zygote_exec:file r_file_perms;
 
@@ -149,6 +153,30 @@
 allow appdomain usbaccessory_device:chr_file { read write getattr };
 
 ###
+### CTS-specific rules
+###
+
+# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
+# Reads /proc/pid/status and statm entries to check that
+# no unexpected root processes are running.
+# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+# Reads /proc/pid/cmdline of vold.
+allow appdomain domain:dir { open read search getattr };
+allow appdomain domain:{ file lnk_file } { open read getattr };
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
+# Check SELinux policy and contexts.
+selinux_check_access(appdomain)
+selinux_check_context(appdomain)
+# Validate that each process is running in the correct security context.
+allow appdomain domain:process getattr;
+
+###
 ### Neverallow rules
 ###
 ### These are things that Android apps should NEVER be able to do
@@ -200,7 +228,6 @@
         netlink_tcpdiag_socket
         netlink_nflog_socket
         netlink_xfrm_socket
-        netlink_selinux_socket
         netlink_audit_socket
         netlink_ip6fw_socket
         netlink_dnrt_socket
@@ -309,8 +336,6 @@
 # Write to various pseudo file systems.
 neverallow { appdomain -nfc -unconfineddomain }
     sysfs:dir_file_class_set write;
-neverallow { appdomain -system_app -unconfineddomain }
-    selinuxfs:dir_file_class_set write;
 neverallow { appdomain -unconfineddomain }
     proc:dir_file_class_set write;
 

diff --git a/file.te b/file.te
index cb184e3..3ca9fd7 100644
--- a/file.te
+++ b/file.te

@@ -60,6 +60,7 @@
 type camera_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
+type media_rw_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;

diff --git a/file_contexts b/file_contexts
index 9df91cd..817c0e0 100644
--- a/file_contexts
+++ b/file_contexts

@@ -170,6 +170,7 @@
 /data/app-private/vmdl.*\.tmp	u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/media(/.*)?	u:object_r:media_rw_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0

diff --git a/platform_app.te b/platform_app.te
index 1e89760..5a0167e 100644
--- a/platform_app.te
+++ b/platform_app.te

@@ -39,3 +39,6 @@
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;

diff --git a/sdcardd.te b/sdcardd.te
index 25d1246..f9e72b7 100644
--- a/sdcardd.te
+++ b/sdcardd.te

@@ -3,3 +3,7 @@
 
 init_daemon_domain(sdcardd)
 unconfined_domain(sdcardd)
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;

diff --git a/system_server.te b/system_server.te
index 2afafa6..0b1ec45 100644
--- a/system_server.te
+++ b/system_server.te

@@ -13,6 +13,10 @@
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
 
+# Needed to close the zygote socket, which involves getopt / getattr
+# This should be deleted after b/12061011 is fixed
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 bluetooth_domain(system_server)