Add sepolicy for IpMemoryStoreService am: fb15c9f1

am: bb05d23d Change-Id: Iebc05979693943db196df9dc961dfe61515b5921

Add sepolicy for IpMemoryStoreService am: fb15c9f1
am: bb05d23d Change-Id: Iebc05979693943db196df9dc961dfe61515b5921
2f3ccbbe · Chalard Jean · android-build-merger · 3835978a · bb05d23d · 2f3ccbbe
Commit 2f3ccbbe authored 6 years ago by Chalard Jean Committed by android-build-merger 6 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -23,3 +23,6 @@ neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain -crash_dump -rs }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
    { domain -appdomain }:process { dyntransition };
+# Disallow apps from using IP memory store
+neverallow { appdomain -shell } ipmemorystore_service:service_manager *;
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -102,6 +102,7 @@
    iorapd_exec
    iorapd_service
    iorapd_tmpfs
+    ipmemorystore_service
    kmsg_debug_device
    last_boot_reason_prop
    llkd

--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -93,6 +93,7 @@
    iorapd_exec
    iorapd_service
    iorapd_tmpfs
+    ipmemorystore_service
    last_boot_reason_prop
    llkd
    llkd_exec

--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,6 +47,7 @@
    heapprofd_prop
    heapprofd_socket
    idmap_service
+    ipmemorystore_service
    iris_service
    iris_vendor_data_file
    llkd

--- a/private/service_contexts
+++ b/private/service_contexts
@@ -82,6 +82,7 @@ iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
 imms                                      u:object_r:imms_service:s0
+ipmemorystore                             u:object_r:ipmemorystore_service:s0
 ipsec                                     u:object_r:ipsec_service:s0
 iris                                      u:object_r:iris_service:s0
 isms_msim                                 u:object_r:radio_service:s0

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,6 +74,7 @@ allow system_app {
  -dumpstate_service
  -installd_service
  -iorapd_service
+  -ipmemorystore_service
  -netd_service
  -virtual_touchpad_service
  -vold_service

--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipmemorystore_service, system_server_service, service_manager_type;
 type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type iris_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@ allow traceur_app {
  -gatekeeper_service
  -incident_service
  -installd_service
+  -ipmemorystore_service
  -iorapd_service
  -netd_service
  -virtual_touchpad_service