Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
S
sepolicy
Manage
Activity
Members
Plan
Wiki
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Deploy
Releases
Package Registry
Model registry
Operate
Terraform modules
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
CodeLinaro
public-release-test
platform
system
sepolicy
Commits
554f1816
Commit
554f1816
authored
6 years ago
by
Treehugger Robot
Committed by
Gerrit Code Review
6 years ago
Browse files
Options
Downloads
Plain Diff
Merge "sepolicy: Allow apps to get info from priv_app by ashmem"
parents
b10f4eba
fdfa42bf
No related branches found
Branches containing commit
No related tags found
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
private/app.te
+4
-0
4 additions, 0 deletions
private/app.te
private/mls
+3
-3
3 additions, 3 deletions
private/mls
with
7 additions
and
3 deletions
private/app.te
+
4
−
0
View file @
554f1816
...
...
@@ -6,6 +6,10 @@ allow appdomain zygote_tmpfs:file read;
# ashmem, e.g. battery stats.
allow appdomain system_server_tmpfs:file read;
# Get info from priv_app through ashmem, such as contact
# info etc.
allow appdomain priv_app_tmpfs:file read;
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
This diff is collapsed.
Click to expand it.
private/mls
+
3
−
3
View file @
554f1816
...
...
@@ -57,7 +57,7 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);
( (t2 != app_data_file and t2 != privapp_data_file
and t2 != priv_app_tmpfs
) or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
...
...
@@ -69,7 +69,7 @@ mlsconstrain dir { read getattr search }
(t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(t2 == app_data_file or t2 == privapp_data_file or
t2 == priv_app_tmpfs or
l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
...
...
@@ -77,7 +77,7 @@ mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
(t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
(t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(t2 == app_data_file or t2 == privapp_data_file or
t2 == priv_app_tmpfs or
l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
