Commit 882f7ee2 authored by Stephen Smalley's avatar Stephen Smalley Committed by Android Git Automerger

am 0ecb0f88: Eliminate most of the app policy booleans.

* commit '0ecb0f88':
  Eliminate most of the app policy booleans.
parents c507c377 0ecb0f88
...@@ -71,6 +71,7 @@ allow release_app log_device:chr_file read; ...@@ -71,6 +71,7 @@ allow release_app log_device:chr_file read;
# set it must be an mlstrustedsubject. # set it must be an mlstrustedsubject.
type isolated_app, domain, mlstrustedsubject; type isolated_app, domain, mlstrustedsubject;
app_domain(isolated_app) app_domain(isolated_app)
allow isolated_app system_data_file:file { open execute };
# #
# An example of a specific domain for a specific app # An example of a specific domain for a specific app
...@@ -99,29 +100,12 @@ allow platformappdomain system_data_file:file { execute open }; ...@@ -99,29 +100,12 @@ allow platformappdomain system_data_file:file { execute open };
# #
type untrusted_app, domain; type untrusted_app, domain;
app_domain(untrusted_app) app_domain(untrusted_app)
# Boolean-controlled options for untrusted apps. net_domain(untrusted_app)
# Network access. bluetooth_domain(untrusted_app)
bool app_network true;
if (app_network) {
# Cannot use net_domain within a conditional - type attribute.
allow untrusted_app self:{ tcp_socket udp_socket } *;
allow untrusted_app port_type:tcp_socket name_connect;
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
allow untrusted_app port_type:udp_socket name_bind;
allow untrusted_app port_type:tcp_socket name_bind;
unix_socket_connect(untrusted_app, dnsproxyd, netd)
allow untrusted_app tun_device:chr_file rw_file_perms; allow untrusted_app tun_device:chr_file rw_file_perms;
allow untrusted_app untrusted_app:netlink_route_socket write; allow untrusted_app system_data_file:file { execute open };
# Get route information. allow untrusted_app log_device:chr_file read;
allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };
}
# Bluetooth access.
bool app_bluetooth false;
if (app_bluetooth or android_cts) {
# No specific SELinux class for bluetooth sockets presently.
allow untrusted_app self:socket *;
allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };
}
# Internal SDCard rw access. # Internal SDCard rw access.
bool app_internal_sdcard_rw true; bool app_internal_sdcard_rw true;
if (app_internal_sdcard_rw) { if (app_internal_sdcard_rw) {
...@@ -134,17 +118,6 @@ if (app_external_sdcard_rw) { ...@@ -134,17 +118,6 @@ if (app_external_sdcard_rw) {
allow untrusted_app sdcard_external:dir create_dir_perms; allow untrusted_app sdcard_external:dir create_dir_perms;
allow untrusted_app sdcard_external:file create_file_perms; allow untrusted_app sdcard_external:file create_file_perms;
} }
# Native app support.
bool app_ndk false;
if (app_ndk or android_cts) {
allow untrusted_app system_data_file:file { execute open };
allow isolated_app system_data_file:file { open execute };
}
# Read Logs
bool app_read_logs false;
if (app_read_logs or android_cts) {
allow untrusted_app log_device:chr_file read;
}
# #
# Rules for all app domains. # Rules for all app domains.
......
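Review bot: The now-unconditional `allow untrusted_app log_device:chr_file read;`, the `system_data_file:file { execute open }` rules for untrusted_app and isolated_app, and `bluetooth_domain(untrusted_app)` replace rules whose booleans (`app_read_logs`, `app_ndk`, `app_bluetooth`) defaulted to false unless `android_cts` was set. As rendered here, the default policy for both domains therefore gets wider, and the new lines carry no comment saying why or what still gates the access. I would keep the dropped section comments on the new lines, e.g. `# Native app support.` above both execute rules and `# Read logs: no longer boolean-gated in SELinux.` above the log_device rule. It is also worth confirming that log access is still limited outside SELinux, presumably by the READ_LOGS permission. `net_domain` and `bluetooth_domain` are defined outside this diff, so check that they grant no more than the explicit socket rules they replace.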