summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorandroid-build-team Robot2017-10-27 09:49:55 -0500
committerandroid-build-team Robot2017-10-27 09:49:55 -0500
commitf77a0b157b5a6efeb65df01579adc753280ecca2 (patch)
tree669a18dc4d04ae329ee906e12ee91f2bc5f1bdcb
parent75ab1aa92556a1689af0c194abf283a5b097a635 (diff)
parentd36de78b378cb94910acba34df408518ef79729d (diff)
downloadsystem-sepolicy-android-8.1.0_r15.tar.gz
system-sepolicy-android-8.1.0_r15.tar.xz
system-sepolicy-android-8.1.0_r15.zip
Merge cherrypicks of [3134552, 3130583, 3131953, 3131954, 3131955, 3131956, 3131957, 3131958, 3131959, 3132062, 3132336, 3131074, 3133939, 3131024, 3131025, 3131026, 3130584, 3130879, 3130880] into oc-mr1-releaseandroid-cts-8.1_r1android-8.1.0_r6android-8.1.0_r5android-8.1.0_r4android-8.1.0_r3android-8.1.0_r23android-8.1.0_r19android-8.1.0_r16android-8.1.0_r15android-8.1.0_r12android-8.1.0_r11android-8.1.0_r10android-8.1.0_r1
Change-Id: If68afda5ce15c6fd6b6868f115e2975c2aeb1320
-rw-r--r--private/ephemeral_app.te7
-rw-r--r--private/seapp_contexts1
2 files changed, 5 insertions, 3 deletions
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index de5c53c4..872892b7 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -19,6 +19,10 @@ app_domain(ephemeral_app)
19# Allow ephemeral apps to read/write files in visible storage if provided fds 19# Allow ephemeral apps to read/write files in visible storage if provided fds
20allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append}; 20allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
21 21
22# Some apps ship with shared libraries and binaries that they write out
23# to their sandbox directory and then execute.
24allow ephemeral_app app_data_file:file {r_file_perms execute};
25
22# services 26# services
23allow ephemeral_app audioserver_service:service_manager find; 27allow ephemeral_app audioserver_service:service_manager find;
24allow ephemeral_app cameraserver_service:service_manager find; 28allow ephemeral_app cameraserver_service:service_manager find;
@@ -35,8 +39,7 @@ allow ephemeral_app ephemeral_app_api_service:service_manager find;
35### neverallow rules 39### neverallow rules
36### 40###
37 41
38# Executable content should never be loaded from an ephemeral app home directory. 42neverallow ephemeral_app app_data_file:file execute_no_trans;
39neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
40 43
41# Receive or send uevent messages. 44# Receive or send uevent messages.
42neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; 45neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dc7e3893..a97fc705 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -105,7 +105,6 @@ user=_isolated domain=isolated_app levelFrom=user
105user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user 105user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
106user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user 106user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
107user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user 107user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
108user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
109user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user 108user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
110user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user 109user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
111user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user 110user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user