diff options
Diffstat (limited to 'sepolicy')
| -rw-r--r-- | sepolicy/alipay_app.te | 50 | ||||
| -rw-r--r-- | sepolicy/file_contexts | 3 | ||||
| -rw-r--r-- | sepolicy/ifaad.te | 26 | ||||
| -rwxr-xr-x | sepolicy/ifaadaemon.te | 26 | ||||
| -rw-r--r-- | sepolicy/platform_app.te | 2 | ||||
| -rw-r--r-- | sepolicy/property_contexts | 6 | ||||
| -rw-r--r-- | sepolicy/seapp_contexts | 2 | ||||
| -rw-r--r-- | sepolicy/service_contexts | 2 | ||||
| -rw-r--r-- | sepolicy/servicemanager.te | 6 |
9 files changed, 35 insertions, 88 deletions
diff --git a/sepolicy/alipay_app.te b/sepolicy/alipay_app.te index 6cc3ad2..1c80dd2 100644 --- a/sepolicy/alipay_app.te +++ b/sepolicy/alipay_app.te @@ -4,53 +4,3 @@ type alipay_app, domain; app_domain(alipay_app) net_domain(alipay_app) bluetooth_domain(alipay_app) - -# Some apps ship with shared libraries and binaries that they write out -# to their sandbox directory and then execute. -allow alipay_app app_data_file:file { rx_file_perms execmod }; - -# Used by Finsky / Android "Verify Apps" functionality when -# running "adb install foo.apk". -# TODO: Long term, we don't want apps probing into shell data files. -# Figure out a way to remove these rules. -allow alipay_app shell_data_file:file r_file_perms; -allow alipay_app shell_data_file:dir r_dir_perms; - -# Read and write system app data files passed over Binder. -# Motivating case was /data/data/com.android.settings/cache/*.jpg for -# cropping or taking user photos. -allow alipay_app system_app_data_file:file { read write getattr }; - -# -# Rules migrated from old app domains coalesced into alipay_app. -# This includes what used to be media_app, shared_app, and release_app. -# - -# Access to /data/media. -allow alipay_app media_rw_data_file:dir create_dir_perms; -allow alipay_app media_rw_data_file:file create_file_perms; - -# Traverse into /mnt/media_rw for bypassing FUSE daemon -# TODO: narrow this to just MediaProvider -allow alipay_app mnt_media_rw_file:dir search; - -# Write to /cache. -allow alipay_app cache_file:dir create_dir_perms; -allow alipay_app cache_file:file create_file_perms; - -allow alipay_app battery_service:service_manager find; -allow alipay_app drmserver_service:service_manager find; -allow alipay_app healthd_service:service_manager find; -allow alipay_app mediaserver_service:service_manager find; -allow alipay_app nfc_service:service_manager find; -allow alipay_app radio_service:service_manager find; -allow alipay_app surfaceflinger_service:service_manager find; -allow alipay_app app_api_service:service_manager find; -allow alipay_app ifaadaemon_service:service_manager find; - -# TODO: remove this once priv-apps are no longer running in alipay_app -allow alipay_app system_api_service:service_manager find; - -# Programs routinely attempt to scan through /system, looking -# for files. Suppress the denials when they occur. -dontaudit alipay_app exec_type:file getattr; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index b89c4d0..686f99b 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -16,5 +16,4 @@ /data/fpc_images(/.*)? u:object_r:fpc_images_file:s0 /sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0 -#IFAA -/system/bin/ifaad u:object_r:ifaad_exec:s0 +/system/bin/ifaadaemon u:object_r:ifaadaemon_exec:s0 diff --git a/sepolicy/ifaad.te b/sepolicy/ifaad.te deleted file mode 100644 index 3650eaa..0000000 --- a/sepolicy/ifaad.te +++ /dev/null @@ -1,26 +0,0 @@ -type ifaad, domain; -type ifaad_exec, exec_type, file_type; - -#Allow for transition from init domain to ifaad -init_daemon_domain(ifaad) - -#Allow ifaad to use Binder IPC -binder_use(ifaad) - -#Allow servicemanager to interact with ifaad -binder_call(ifaad, servicemanager) - -#Allow alipay_app to interact with ifaad -binder_call(ifaad, alipay_app) - -#Mark ifaad as a Binder service domain -binder_service(ifaad) - -#Allow ifaad to be registered with service manager -allow ifaad ifaadaemon_service:service_manager add; - -#Allow access to tee device -allow ifaad tee_device:chr_file rw_file_perms; - -#Allow access to firmware -r_dir_file(ifaad, firmware_file) diff --git a/sepolicy/ifaadaemon.te b/sepolicy/ifaadaemon.te new file mode 100755 index 0000000..c458692 --- /dev/null +++ b/sepolicy/ifaadaemon.te @@ -0,0 +1,26 @@ +type ifaadaemon, domain; +type ifaadaemon_exec, exec_type, file_type; + +#Allow for transition from init domain to ifaadaemon +init_daemon_domain(ifaadaemon) + +#Allow ifaadaemon to use Binder IPC +binder_use(ifaadaemon) + +#Allow servicemanager to interact with ifaadaemon +binder_call(ifaadaemon, servicemanager) + +#Allow alipay_app to interact with ifaadaemon +binder_call(ifaadaemon, alipay_app) + +#Mark ifaadaemon as a Binder service domain +binder_service(ifaadaemon) + +#Allow ifaadaemon to be registered with service manager +allow ifaadaemon ifaadaemon_service:service_manager add; + +#Allow access to tee device +allow ifaadaemon tee_device:chr_file rw_file_perms; + +#Allow access to firmware +r_dir_file(ifaadaemon, firmware_file) diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te deleted file mode 100644 index 84de19f..0000000 --- a/sepolicy/platform_app.te +++ /dev/null @@ -1,2 +0,0 @@ -allow platform_app battery_service:service_manager find; -allow platform_app healthd_service:service_manager find; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts index 854b445..4dbb541 100644 --- a/sepolicy/property_contexts +++ b/sepolicy/property_contexts @@ -1 +1,5 @@ -persist.sys.diag.max.size u:object_r:diag_prop:s0 +service.soundcard. u:object_r:audio_prop:s0 +audio. u:object_r:audio_prop:s0 +sys.fake_bs_flag0 u:object_r:system_radio_prop:s0 +sys.fake_bs_flag1 u:object_r:system_radio_prop:s0 +sys.oem.sno u:object_r:system_radio_prop:s0 diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts deleted file mode 100644 index c69f557..0000000 --- a/sepolicy/seapp_contexts +++ /dev/null @@ -1,2 +0,0 @@ -user=_app seinfo=alipay name=com.eg.android.AlipayGphone* domain=alipay_app type=app_data_file -user=_app seinfo=taobao name=com.taobao.taobao* domain=alipay_app type=app_data_file diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts deleted file mode 100644 index 118cacd..0000000 --- a/sepolicy/service_contexts +++ /dev/null @@ -1,2 +0,0 @@ -#IFAA -android.hardware.ifaa.IIfaaDaemon u:object_r:ifaadaemon_service:s0 diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te index 2df4dc0..caf3d25 100644 --- a/sepolicy/servicemanager.te +++ b/sepolicy/servicemanager.te @@ -1,3 +1,3 @@ -allow servicemanager ifaad:dir r_dir_perms; -allow servicemanager ifaad:file r_file_perms; -allow servicemanager ifaad:process getattr; +allow servicemanager ifaadaemon:dir r_dir_perms; +allow servicemanager ifaadaemon:file r_file_perms; +allow servicemanager ifaadaemon:process getattr; |