Skip to content
Snippets Groups Projects
Commit cccef6c0 authored by Stephen Smalley's avatar Stephen Smalley Committed by Android Git Automerger
Browse files

am b8caf7fd: Move allow rules before neverallow rules. 

* commit 'b8caf7fd':
  Move allow rules before neverallow rules.
parents 7c0b328a b8caf7fd
Branches
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
app.te
+ 10
10
View file @ cccef6c0
......@@ -155,6 +155,16 @@ allow appdomain apk_data_file:file { rx_file_perms execmod };
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;
# logd access
read_logd(appdomain)
control_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
use_keystore({ appdomain -isolated_app })
###
### CTS-specific rules
###
......@@ -171,16 +181,6 @@ selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;
# logd access
read_logd(appdomain)
control_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
use_keystore({ appdomain -isolated_app })
###
### Neverallow rules
###
......
keystore.te
+ 5
5
View file @ cccef6c0
......@@ -12,6 +12,11 @@ allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file rw_file_perms;
allow keystore tee:unix_stream_socket connectto;
allow keystore keystore_service:service_manager { add find };
# Check SELinux permissions.
selinux_check_access(keystore)
###
### Neverallow rules
###
......@@ -25,8 +30,3 @@ neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
neverallow domain keystore:process ptrace;
allow keystore keystore_service:service_manager { add find };
# Check SELinux permissions.
selinux_check_access(keystore)
untrusted_app.te
+ 4
4
View file @ cccef6c0
......@@ -138,6 +138,10 @@ auditallow untrusted_app {
-wifip2p_service
}:service_manager find;
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
###
### neverallow rules
###
......@@ -162,7 +166,3 @@ neverallow untrusted_app service_manager_type:service_manager add;
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment