am b8caf7fd: Move allow rules before neverallow rules.

* commit 'b8caf7fd': Move allow rules before neverallow rules.

am b8caf7fd: Move allow rules before neverallow rules.
* commit 'b8caf7fd': Move allow rules before neverallow rules.
cccef6c0 · Stephen Smalley · Android Git Automerger · 7c0b328a · b8caf7fd · cccef6c0
Commit cccef6c0 authored 10 years ago by Stephen Smalley Committed by Android Git Automerger 10 years ago
--- a/app.te
+++ b/app.te
@@ -155,6 +155,16 @@ allow appdomain apk_data_file:file { rx_file_perms execmod };
 allow appdomain resourcecache_data_file:file r_file_perms;
 allow appdomain resourcecache_data_file:dir r_dir_perms;

+# logd access
+read_logd(appdomain)
+control_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore({ appdomain -isolated_app })
+
 ###
 ### CTS-specific rules
 ###
@@ -171,16 +181,6 @@ selinux_check_context(appdomain)
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;

-# logd access
-read_logd(appdomain)
-control_logd(appdomain)
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
-
-use_keystore({ appdomain -isolated_app })
-
 ###
 ### Neverallow rules
 ###

--- a/keystore.te
+++ b/keystore.te
@@ -12,6 +12,11 @@ allow keystore keystore_exec:file { getattr };
 allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;

+allow keystore keystore_service:service_manager { add find };
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
 ###
 ### Neverallow rules
 ###
@@ -25,8 +30,3 @@ neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

 neverallow domain keystore:process ptrace;
-
-allow keystore keystore_service:service_manager { add find };
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -138,6 +138,10 @@ auditallow untrusted_app {
    -wifip2p_service
 }:service_manager find;

+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
@@ -162,7 +166,3 @@ neverallow untrusted_app service_manager_type:service_manager add;
 neverallow untrusted_app property_socket:sock_file write;
 neverallow untrusted_app init:unix_stream_socket connectto;
 neverallow untrusted_app property_type:property_service set;
-
-# Allow verifier to access staged apks.
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;