summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChad Brubaker2017-10-25 14:41:11 -0500
committerandroid-build-team Robot2017-10-27 09:48:11 -0500
commitd36de78b378cb94910acba34df408518ef79729d (patch)
tree669a18dc4d04ae329ee906e12ee91f2bc5f1bdcb
parent75ab1aa92556a1689af0c194abf283a5b097a635 (diff)
downloadsystem-sepolicy-d36de78b378cb94910acba34df408518ef79729d.tar.gz
system-sepolicy-d36de78b378cb94910acba34df408518ef79729d.tar.xz
system-sepolicy-d36de78b378cb94910acba34df408518ef79729d.zip
Allow Instant/V2 apps to load code from /data/data
This restriction causes issues with dynamite. Since untrusted_v2_app was about enforcing this constraint put installed v2 applications back into the normal untrusted_app domain. Bug: 64806320 Test: Manual test with app using dynamite module Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7 (cherry picked from commit fe836817942f21eaf6a33f137ea56eb1329d29fe)
-rw-r--r--private/ephemeral_app.te7
-rw-r--r--private/seapp_contexts1
2 files changed, 5 insertions, 3 deletions
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index de5c53c4..872892b7 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -19,6 +19,10 @@ app_domain(ephemeral_app)
19# Allow ephemeral apps to read/write files in visible storage if provided fds 19# Allow ephemeral apps to read/write files in visible storage if provided fds
20allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append}; 20allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
21 21
22# Some apps ship with shared libraries and binaries that they write out
23# to their sandbox directory and then execute.
24allow ephemeral_app app_data_file:file {r_file_perms execute};
25
22# services 26# services
23allow ephemeral_app audioserver_service:service_manager find; 27allow ephemeral_app audioserver_service:service_manager find;
24allow ephemeral_app cameraserver_service:service_manager find; 28allow ephemeral_app cameraserver_service:service_manager find;
@@ -35,8 +39,7 @@ allow ephemeral_app ephemeral_app_api_service:service_manager find;
35### neverallow rules 39### neverallow rules
36### 40###
37 41
38# Executable content should never be loaded from an ephemeral app home directory. 42neverallow ephemeral_app app_data_file:file execute_no_trans;
39neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
40 43
41# Receive or send uevent messages. 44# Receive or send uevent messages.
42neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; 45neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dc7e3893..a97fc705 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -105,7 +105,6 @@ user=_isolated domain=isolated_app levelFrom=user
105user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user 105user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
106user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user 106user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
107user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user 107user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
108user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
109user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user 108user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
110user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user 109user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
111user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user 110user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user