Confine all app domains, but make them permissive for now.

As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/media_app.te b/media_app.te
index 1fe06dd..5f09a63 100644
--- a/media_app.te
+++ b/media_app.te
@@ -3,10 +3,27 @@
 ###
 
 type media_app, domain;
+permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-unconfined_domain(media_app)
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file rw_file_perms;
+# Write to /cache.
+allow media_app cache_file:dir rw_dir_perms;
+allow media_app cache_file:file create_file_perms;
+# Stat /cache/lost+found
+allow media_app unlabeled:file getattr;
+allow media_app unlabeled:dir getattr;
+# Stat /cache/backup
+allow media_app cache_backup_file:file getattr;
+allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir (in particular, file_contexts for restorecon).
+allow media_app rootfs:file r_file_perms;
+allow media_app download_file:dir rw_dir_perms;
+allow media_app download_file:file create_file_perms;
+# Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
+allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
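Review bot: The `permissive media_app;` line carries no marker that it is a temporary measure, and the same applies to the matching `permissive` lines in nfc.te, platform_app.te, radio.te, release_app.te, shared_app.te and system_app.te; a comment such as `# TODO: remove once media_app has been tested in enforcing mode.` above each one would keep the intent stated in the commit message visible in the policy itself. While the domain is permissive the new rules are exercised only through AVC denial logging, so the denial log is the signal to watch before the line is dropped. Separately, `allow media_app rootfs:file r_file_perms;` grants read on every file labeled rootfs, which is wider than the comment's "in particular, file_contexts"; if file_contexts is the only file needed, giving it a dedicated type would let the rule be narrowed to that type.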
diff --git a/nfc.te b/nfc.te
index 31b9144..efb1a14 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,4 +1,14 @@
 # nfc subsystem
 type nfc, domain;
+permissive nfc;
 app_domain(nfc)
-unconfined_domain(nfc)
+
+# NFC device access.
+allow nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+allow nfc sysfs_nfc_power_writable:file rw_file_perms;
+allow nfc sysfs:file write;
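Review bot: `allow nfc sysfs:file write;` grants write on the generic sysfs type with no comment, unlike every other rule in the hunk, so a reader cannot tell which sysfs node needs it or why the specifically labeled `sysfs_nfc_power_writable` on the line above does not cover it. A comment naming the node, e.g. `# Write to <sysfs path> (not yet given its own type).` with the placeholder filled in, would document the gap, and labeling that node with its own type, as is already done for sysfs_nfc_power_writable, would let the generic rule be dropped before the domain goes enforcing.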
diff --git a/platform_app.te b/platform_app.te
index 042d495..1e89760 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -3,10 +3,39 @@
 ###
 
 type platform_app, domain;
+permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
+# Write to /cache.
+allow platform_app cache_file:dir rw_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+# Read from /data/local.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+# Access download files.
+allow platform_app download_file:file rw_file_perms;
+# Allow BackupManagerService to backup all app domains
+allow platform_app appdomain:fifo_file write;
+
+#
+# Rules for all platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+# App sdcard file accesses
+allow platformappdomain sdcard_type:dir create_dir_perms;
+allow platformappdomain sdcard_type:file create_file_perms;
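Review bot: The block under `# Rules for all platform app domains.` is written against the `platformappdomain` attribute but lives in platform_app.te, so rules that also govern media_app, release_app and shared_app (each of which calls `platform_app_domain()` in this commit) are easy to miss when reviewing those files. Presumably the attribute is attached by the `platform_app_domain` macro, which is defined outside this diff; keeping the attribute-wide rules next to that definition, or a short comment at each call site pointing here, would make the effective policy for those domains visible. `allow platformappdomain sdcard_type:dir create_dir_perms;` and the file rule below it also give every platform app domain create access across all sdcard types, which is broader than the per-domain rules elsewhere in the commit and deserves a comment saying why it is shared rather than granted per domain.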
diff --git a/radio.te b/radio.te
index feea2cc..9de8aba 100644
--- a/radio.te
+++ b/radio.te
@@ -1,7 +1,24 @@
 # phone subsystem
 type radio, domain;
+permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
 
-unconfined_domain(radio)
\ No newline at end of file
+# Talks to init via the property socket.
+unix_socket_connect(radio, property, init)
+
+# Talks to rild via the rild socket.
+unix_socket_connect(radio, rild, rild)
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
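Review bot: `allow radio alarm_device:chr_file rw_file_perms;` is the only rule in the hunk without a comment, while every surrounding rule says what it is for; presumably this is the alarm device node, so a line such as `# Access the alarm device.` in the style of `# Access /dev/mtp_usb.` in media_app.te would keep the file consistent and tell a later reviewer what to re-check when the domain leaves permissive mode.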
diff --git a/release_app.te b/release_app.te
index e7e4b35..6be3620 100644
--- a/release_app.te
+++ b/release_app.te
@@ -3,10 +3,14 @@
 ###
 
 type release_app, domain;
+permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
-unconfined_domain(release_app)
+
+# Write to /cache.
+allow release_app cache_file:dir rw_dir_perms;
+allow release_app cache_file:file create_file_perms;
diff --git a/shared_app.te b/shared_app.te
index 8475e0c..e469bdd 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -3,10 +3,12 @@
 ###
 
 type shared_app, domain;
+permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
+# ASEC
+r_dir_file(shared_app, asec_apk_file)
diff --git a/system_app.te b/system_app.te
index d274ac1..a8ad762 100644
--- a/system_app.te
+++ b/system_app.te
@@ -4,5 +4,32 @@
 # server.
 #
 type system_app, domain;
+permissive system_app;
 app_domain(system_app)
-unconfined_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+# Settings app reads sdcard for storage stats
+allow system_app sdcard_type:dir r_dir_perms;
+
+# Allow settings app to read from asec
+allow system_app asec_apk_file:dir search;
+allow system_app asec_apk_file:file r_file_perms;
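Review bot: `allow system_app dalvikcache_data_file:file { write setattr };` lets system_app modify cached dex files that other processes later execute, yet the comment `# Write to dalvikcache.` only restates the rule; it should say which system_app operation needs the write and why `setattr` is included, e.g. `# Write to dalvikcache: <operation>; setattr needed for <reason>.` with the placeholders filled in from the denials that motivated it. The rule already omits create, which keeps it to existing files; confirming from the denial log that `setattr` is actually required, rather than carried over, would keep this integrity-sensitive grant minimal.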