App data backup security policy.
Policy covers: * backup_data_file type for labeling all files/dirs under /data dealing with the backup mechanism. * cache_backup_file type for labeling all files/dirs under /cache dealing with the backup mechanism. This also covers the use of LocalTransport for local archive and restore testing. * the use of 'adb shell bmgr' to initiate the backup mechanism from the shell. * the use of 'adb backup/restore' to archive and restore the device's data. Change-Id: I700a92d8addb9bb91474bc07ca4bb71eb4fc840e Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
parent
c57dbccb50
commit
1c8464e136
7
app.te
7
app.te
@ -201,3 +201,10 @@ r_dir_file(appdomain, isolated_app)
|
||||
# are examined.
|
||||
allow appdomain isolated_app:unix_stream_socket { read write };
|
||||
allow isolated_app appdomain:unix_stream_socket { read write };
|
||||
|
||||
# Backup ability for every app. BMS opens and passes the fd
|
||||
# to any app that has backup ability. Hence, no open permissions here.
|
||||
allow { appdomain isolated_app } backup_data_file:file { read write };
|
||||
allow { appdomain isolated_app } cache_backup_file:file { read write };
|
||||
# Backup ability using 'adb backup'
|
||||
allow { appdomain isolated_app } system_data_file:lnk_file getattr;
|
||||
|
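Review bot: The two backup rules name `isolated_app` alongside `appdomain`, so the isolated sandbox domain gets read/write on any `backup_data_file` or `cache_backup_file` descriptor it is handed. The comment justifies the rules by apps that have backup ability, and nothing on the page shows an isolated process acting as a backup agent, so the extra domain looks broader than the stated purpose. If that holds, narrow them to `allow appdomain backup_data_file:file { read write };` and `allow appdomain cache_backup_file:file { read write };`. The same question applies to the `system_data_file:lnk_file getattr` rule added for 'adb backup'.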
5
file.te
5
file.te
@ -55,6 +55,9 @@ type app_data_file, file_type, data_file_type;
|
||||
type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
|
||||
# Default type for anything under /cache
|
||||
type cache_file, file_type, mlstrustedobject;
|
||||
# Type for /cache/.*\.{data|restore} and default
|
||||
# type for anything under /cache/backup
|
||||
type cache_backup_file, file_type, mlstrustedobject;
|
||||
# Default type for anything under /efs
|
||||
type efs_file, file_type;
|
||||
# Type for wallpaper file.
|
||||
@ -63,6 +66,8 @@ type wallpaper_file, file_type, mlstrustedobject;
|
||||
type asec_apk_file, file_type, data_file_type;
|
||||
# /data/app-asec
|
||||
type asec_image_file, file_type, data_file_type;
|
||||
# /data/backup and /data/secure/backup
|
||||
type backup_data_file, file_type, data_file_type, mlstrustedobject;
|
||||
|
||||
# All devices have bluetooth efs files. But they
|
||||
# vary per device, so this type is used in per
|
||||
|
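Review bot: Both new types, `cache_backup_file` and `backup_data_file`, carry `mlstrustedobject` with no comment explaining why. The attribute relaxes the MLS constraints for objects of these types, and app.te in this commit lets every app domain read and write them. Separation between different apps' backup data therefore appears to rest on descriptor passing and DAC rather than on labels. I would state that above each declaration, for example `# mlstrustedobject: BMS passes fds across levels; apps are never granted open`, or drop the attribute if no level boundary is actually crossed.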
@ -140,6 +140,8 @@
|
||||
# Data files
|
||||
#
|
||||
/data(/.*)? u:object_r:system_data_file:s0
|
||||
/data/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
/data/drm(/.*)? u:object_r:drm_data_file:s0
|
||||
/data/gps(/.*)? u:object_r:gps_data_file:s0
|
||||
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
@ -170,6 +172,10 @@
|
||||
# Cache files
|
||||
#
|
||||
/cache(/.*)? u:object_r:cache_file:s0
|
||||
/cache/.*\.data u:object_r:cache_backup_file:s0
|
||||
/cache/.*\.restore u:object_r:cache_backup_file:s0
|
||||
# LocalTransport (backup) uses this directory
|
||||
/cache/backup(/.*)? u:object_r:cache_backup_file:s0
|
||||
#############################
|
||||
# sysfs files
|
||||
#
|
||||
|
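Review bot: The entries `/cache/.*\.data` and `/cache/.*\.restore` match more than the file.te comment suggests. In a file-contexts regex `.*` also matches `/`, so a file with either suffix at any depth under /cache is labelled `cache_backup_file`. That label is readable and writable by every app domain once a descriptor is passed, so the match should be as tight as the backup code needs. If only files directly under /cache are meant, `/cache/[^/]+\.data` and `/cache/[^/]+\.restore` limit it to one path component. This section's file header is not shown on the page, so the note assumes it is the file-contexts file.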
13
system.te
13
system.te
@ -189,8 +189,8 @@ type_transition system wifi_data_file:sock_file system_wpa_socket;
|
||||
allow system system_wpa_socket:sock_file create_file_perms;
|
||||
|
||||
# Manage cache files.
|
||||
allow system cache_file:dir create_dir_perms;
|
||||
allow system cache_file:file create_file_perms;
|
||||
allow system cache_file:dir { relabelfrom create_dir_perms };
|
||||
allow system cache_file:file { relabelfrom create_file_perms };
|
||||
|
||||
# Run system programs, e.g. dexopt.
|
||||
allow system system_file:file x_file_perms;
|
||||
@ -212,3 +212,12 @@ allow system rild:unix_stream_socket connectto;
|
||||
|
||||
# connect to vpn tunnel
|
||||
allow system mtp:unix_stream_socket { connectto };
|
||||
|
||||
# BackupManagerService lets PMS create a data backup file
|
||||
allow system cache_backup_file:file create_file_perms;
|
||||
# Relabel /data/backup
|
||||
allow system backup_data_file:dir { relabelto relabelfrom };
|
||||
# Relabel /cache/.*\.{data|restore}
|
||||
allow system cache_backup_file:file { relabelto relabelfrom };
|
||||
# LocalTransport creates and relabels /cache/backup
|
||||
allow system cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
|
||||
|
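Review bot: The new rules grant `relabelfrom` as well as `relabelto` on `backup_data_file:dir`, `cache_backup_file:file` and `cache_backup_file:dir`, although the comments only describe labelling objects into the backup types. Relabelling into a type needs `relabelfrom` on the source type (the first hunk adds it for `cache_file`) and `relabelto` on the destination. `relabelfrom` on the backup types additionally lets `system` strip the backup label from those objects. Unless a path that relabels away from these types exists, I would keep only the destination permission, e.g. `allow system cache_backup_file:file relabelto;` and `allow system backup_data_file:dir relabelto;`. The source-side `relabelfrom` for /data/backup is not visible in this hunk and is presumably granted elsewhere.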