b0db712bf0
Coalesce a number of allow rules replicated among multiple app domains. Get rid of duplicated rules already covered by domain, appdomain, or platformappdomain rules. Split the platformappdomain rules to their own platformappdomain.te file, document them more fully, and note the inheritance in each of the relevant *_app.te files. Generalize isolated app unix_stream_socket rules to all app domains to resolve denials such as: avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket Change-Id: I770d7d51d498b15447219083739153265d951fe5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
# Rules for all shell domains (e.g. console service and adb shell).
# Access /data/local/tmp.
# Create, modify and remove directories labelled shell_data_file.
# create_dir_perms is a permission-set macro defined outside this file.
allow shelldomain shell_data_file:dir create_dir_perms;
# Create, write and delete regular files labelled shell_data_file
# (create_file_perms is a permission-set macro defined outside this file).
allow shelldomain shell_data_file:file create_file_perms;
# Also allow reading and executing files of this type. Combined with the
# create rule on the same type, shell domains can both write and run files
# labelled shell_data_file.
# NOTE(review): confirm that no more privileged domain is allowed to execute
# shell_data_file, since its contents are controlled by the shell user.
allow shelldomain shell_data_file:file rx_file_perms;
# adb bugreport
# unix_socket_connect is a macro defined outside this file; presumably it lets
# shelldomain connect to the "dumpstate" socket served by the dumpstate domain.
# NOTE(review): the grant is on the shelldomain attribute, so it applies to
# every shell domain, not only the one used by adb.
unix_socket_connect(shelldomain, dumpstate, dumpstate)
# Read-only directory access on rootfs (class dir only; this rule grants no
# access to files). r_dir_perms is a macro defined outside this file.
allow shelldomain rootfs:dir r_dir_perms;
# Read/write character devices labelled devpts, presumably the
# pseudo-terminals backing interactive shell sessions.
allow shelldomain devpts:chr_file rw_file_perms;
# Read/write character devices labelled tty_device.
allow shelldomain tty_device:chr_file rw_file_perms;
# Read/write character devices labelled console_device; presumably needed by
# the console service named in the file header.
allow shelldomain console_device:chr_file rw_file_perms;
# Read/write character devices labelled input_device.
# NOTE(review): read exposes raw input events and write permits event
# injection for any process in a shell domain; confirm this is required
# (e.g. for input debugging tools) and that entry into shelldomain is
# restricted accordingly.
allow shelldomain input_device:chr_file rw_file_perms;
# Execute files labelled system_file. x_file_perms is a macro defined outside
# this file; by its name it grants execute without read — TODO confirm.
allow shelldomain system_file:file x_file_perms;
# Read and execute files labelled shell_exec (presumably the shell binary),
# so a shell domain can start further shells.
allow shelldomain shell_exec:file rx_file_perms;
# Read and execute files labelled zygote_exec.
# NOTE(review): no domain transition is declared in this file, so the program
# presumably runs in the calling shell domain rather than in the zygote
# domain; confirm that is the intent.
allow shelldomain zygote_exec:file rx_file_perms;
# r_dir_file is a macro defined outside this file; presumably it grants
# read-only access to directories and files labelled apk_data_file.
# No write permission on that type is granted anywhere in this file.
r_dir_file(shelldomain, apk_data_file)
# Set properties.
# Macro defined outside this file; presumably lets shelldomain connect to the
# "property" socket served by init. Reaching the socket is not enough on its
# own: the property_service "set" rules in this file decide which property
# labels a shell domain may change.
unix_socket_connect(shelldomain, property, init)
# Shell domains may set properties labelled shell_prop. The mapping from
# property names to this label is defined outside this file.
allow shelldomain shell_prop:property_service set;
# Shell domains may set properties labelled ctl_dumpstate_prop; presumably the
# control property that asks init to start or stop dumpstate — TODO confirm.
allow shelldomain ctl_dumpstate_prop:property_service set;
# Shell domains may set properties labelled debug_prop.
# NOTE(review): debug properties can alter the runtime behaviour of other
# processes; confirm which property names carry this label.
allow shelldomain debug_prop:property_service set;
# Shell domains may set properties labelled powerctl_prop; presumably this
# lets them request a reboot or shutdown through init.
# NOTE(review): the grant covers every member of shelldomain; confirm that a
# device power-cycle from any shell domain is acceptable.
allow shelldomain powerctl_prop:property_service set;