Isolate untrusted app ptys from other domains.

Add a create_pty() macro that allows a domain to
create and use its own ptys, isolated from the ptys
of any other domain, and use that macro for untrusted_app.
This permits the use of a pty by apps without opening up access
to ptys created by any other domain on the system.

Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/untrusted_app.te b/untrusted_app.te
index c91543e..80f60da 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -38,7 +38,7 @@
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-allow untrusted_app devpts:chr_file rw_file_perms;
+create_pty(untrusted_app)
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
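
Review bot: the comment above the new `create_pty(untrusted_app)` line still reads "Allow the allocation and use of ptys", which no longer tells a reader that the rule is now scoped to the domain's own ptys and that the blanket `devpts:chr_file rw_file_perms` grant is gone. Suggest rewording it to say that untrusted_app may create and use only its own ptys, so that a later editor does not reintroduce the generic devpts allow when an app reports a denial. Also, the commit message says the macro is added by this change, but the only file in the visible diff is untrusted_app.te, which is the call site; the macro definition needs to land in the same commit, with a comment there stating which type the new ptys are labeled with, or the policy will not build and the isolation claim cannot be checked from this patch alone.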