Add SELinux policy for asec containers.
Creates 2 new types:
- asec_apk_file : files found under /mnt/asec
when the asec images are mounted
- asec_image_file : the actual encrypted apks under
/data/app-asec
Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
This commit is contained in:
rpcraig
parent
6766cc9e3c
commit
7672eac5fb
5
app.te
5
app.te
@ -26,6 +26,9 @@ allow platform_app shell_data_file:lnk_file read;
|
||||
allow platform_app apk_tmp_file:file rw_file_perms;
|
||||
# Read /dev/xt_qtaguid
|
||||
allow platform_app qtaguid_device:chr_file r_file_perms;
|
||||
# ASEC
|
||||
allow platform_app asec_apk_file:dir create_dir_perms;
|
||||
allow platform_app asec_apk_file:file create_file_perms;
|
||||
|
||||
# Apps signed with the media key.
|
||||
type media_app, domain;
|
||||
@ -53,6 +56,8 @@ net_domain(shared_app)
|
||||
bluetooth_domain(shared_app)
|
||||
# Read logs.
|
||||
allow shared_app log_device:chr_file read;
|
||||
# ASEC
|
||||
r_dir_file(shared_app, asec_apk_file);
|
||||
|
||||
# Apps signed with the release key (testkey in AOSP).
|
||||
type release_app, domain;
|
||||
|
||||
@ -54,6 +54,7 @@ allow domain urandom_device:chr_file r_file_perms;
|
||||
|
||||
# Filesystem accesses.
|
||||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
||||
# System file accesses.
|
||||
allow domain system_file:dir r_dir_perms;
|
||||
|
||||
5
file.te
5
file.te
@ -32,7 +32,6 @@ type anr_data_file, file_type, data_file_type, mlstrustedobject;
|
||||
type tombstone_data_file, file_type, data_file_type;
|
||||
# /data/app - user-installed apps
|
||||
type apk_data_file, file_type, data_file_type;
|
||||
type asec_data_file, file_type, data_file_type;
|
||||
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
|
||||
# /data/dalvik-cache
|
||||
type dalvikcache_data_file, file_type, data_file_type;
|
||||
@ -59,6 +58,10 @@ type cache_file, file_type, mlstrustedobject;
|
||||
type efs_file, file_type;
|
||||
# Type for wallpaper file.
|
||||
type wallpaper_file, file_type, mlstrustedobject;
|
||||
# /mnt/asec
|
||||
type asec_apk_file, file_type, data_file_type;
|
||||
# /data/app-asec
|
||||
type asec_image_file, file_type, data_file_type;
|
||||
|
||||
# All devices have bluetooth efs files. But they
|
||||
# vary per device, so this type is used in per
|
||||
|
||||
@ -152,4 +152,5 @@
|
||||
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
|
||||
#############################
|
||||
# asec containers
|
||||
/mnt/asec(/.*)? u:object_r:asec_data_file:s0
|
||||
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
|
||||
/data/app-asec(/.*)? u:object_r:asec_image_file:s0
|
||||
|
||||
@ -20,3 +20,7 @@ dontaudit installd self:capability sys_admin;
|
||||
selinux_check_context(installd)
|
||||
# Read /seapp_contexts, presently on the rootfs.
|
||||
allow installd rootfs:file r_file_perms;
|
||||
# ASEC
|
||||
allow installd platform_app_data_file:lnk_file { create setattr };
|
||||
allow installd app_data_file:lnk_file { create setattr };
|
||||
allow installd asec_apk_file:file r_file_perms;
|
||||
|
||||
13
vold.te
13
vold.te
@ -16,7 +16,7 @@ allow vold sdcard:dir create_dir_perms;
|
||||
allow vold tmpfs:filesystem { mount unmount };
|
||||
allow vold tmpfs:dir create_dir_perms;
|
||||
allow vold tmpfs:dir mounton;
|
||||
allow vold self:capability { net_admin dac_override mknod sys_admin };
|
||||
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
||||
allow vold self:netlink_kobject_uevent_socket *;
|
||||
allow vold app_data_file:dir search;
|
||||
allow vold app_data_file:file rw_file_perms;
|
||||
@ -39,7 +39,7 @@ allow vold sysfs:file rw_file_perms;
|
||||
unix_socket_connect(vold, property, init)
|
||||
|
||||
# Unmount and mount the fs.
|
||||
allow vold labeledfs:filesystem { mount unmount };
|
||||
allow vold labeledfs:filesystem { mount unmount remount };
|
||||
|
||||
# Access /efs/userdata_footer.
|
||||
# XXX Split into a separate type?
|
||||
@ -53,7 +53,14 @@ allow vold kernel:system module_request;
|
||||
allow vold proc:file write;
|
||||
|
||||
# Create and mount on /data/tmp_mnt.
|
||||
allow vold system_data_file:dir { open read write create add_name mounton };
|
||||
allow vold system_data_file:dir { rw_dir_perms mounton };
|
||||
|
||||
# Property Service
|
||||
allow vold vold_prop:property_service set;
|
||||
|
||||
# ASEC
|
||||
allow vold asec_image_file:file create_file_perms;
|
||||
allow vold asec_image_file:dir rw_dir_perms;
|
||||
allow vold rootfs:file r_file_perms;
|
||||
allow vold asec_apk_file:dir { rw_dir_perms setattr };
|
||||
allow vold asec_apk_file:file { r_file_perms setattr };
|
||||
|
||||
Loading…
Reference in New Issue
Block a user