Clean up, unify, and deduplicate app domain rules.
Coalesce a number of allow rules replicated among multiple
app domains.
Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.
Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.
Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:
avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/app.te b/app.te
index 9adb86a..2589f66 100644
--- a/app.te
+++ b/app.te
@@ -42,7 +42,7 @@
allow appdomain appdomain:fifo_file rw_file_perms;
# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
@@ -69,7 +69,7 @@
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };
# Write to /proc/net/xt_qtaguid/ctrl file.
@@ -89,14 +89,11 @@
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
@@ -112,6 +109,10 @@
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow appdomain media_rw_data_file:file { read getattr };
+# Access SDcard.
+allow appdomain sdcard_type:dir create_dir_perms;
+allow appdomain sdcard_type:file create_file_perms;
+
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#