sepolicy: Clean up policy for N
Change-Id: I39ddec0f60a9995de13b82f09705d246d7e0f454
This commit is contained in:
Steve Kondik
@@ -1,8 +1,3 @@
|
||||
# Access OBBs (sdcard_posix) mounted by vold
|
||||
# File write access allowed for FDs returned through Storage Access Framework
|
||||
allow appdomain sdcard_posix:dir r_dir_perms;
|
||||
allow appdomain sdcard_posix:file rw_file_perms;
|
||||
|
||||
# Themed resources (i.e. composed icons)
|
||||
allow appdomain themeservice_app_data_file:dir r_dir_perms;
|
||||
allow appdomain themeservice_app_data_file:file r_file_perms;
|
||||
|
||||
@@ -2,4 +2,3 @@ allow domain block_device:dir { search getattr };
|
||||
allow domain block_device:blk_file getattr;
|
||||
allow domain cache_block_device:blk_file getattr;
|
||||
allow domain userdata_block_device:blk_file getattr;
|
||||
allow domain fuse_device:chr_file getattr;
|
||||
|
||||
@@ -17,3 +17,8 @@ type persist_property_file, file_type;
|
||||
|
||||
# Knobs for LiveDisplay
|
||||
type livedisplay_sysfs, sysfs_type, file_type;
|
||||
|
||||
# Filesystems
|
||||
type exfat, sdcard_type, fs_type, mlstrustedobject;
|
||||
type fuseblk, sdcard_type, fs_type, mlstrustedobject;
|
||||
type ntfs, sdcard_type, fs_type, mlstrustedobject;
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
genfscon fuseblk / u:object_r:sdcard_external:s0
|
||||
genfscon exfat / u:object_r:sdcard_external:s0
|
||||
genfscon ntfs / u:object_r:sdcard_external:s0
|
||||
genfscon fuseblk / u:object_r:fuseblk:s0
|
||||
genfscon exfat / u:object_r:exfat:s0
|
||||
genfscon ntfs / u:object_r:ntfs:s0
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Allow querying of asec size on SD card
|
||||
allow installd sdcard_external:dir { search };
|
||||
allow installd sdcard_external:file { getattr };
|
||||
allow installd sdcard_type:dir { search };
|
||||
allow installd sdcard_type:file { getattr };
|
||||
|
||||
# Required for installd to create theme service's /data/data directory
|
||||
allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
|
||||
|
||||
@@ -1,3 +1,2 @@
|
||||
# used by sdcardfs to read package list
|
||||
allow kernel system_data_file:file open;
|
||||
allow kernel media_rw_data_file:file rw_file_perms;
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
# Themed resources (i.e. composed icons)
|
||||
allow mediaserver themeservice_app_data_file:dir r_dir_perms;
|
||||
allow mediaserver themeservice_app_data_file:file r_file_perms;
|
||||
|
||||
# For camera
|
||||
allow mediaserver media_rw_data_file:file write;
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
# Direct access to vold-mounted storage under /mnt/media_rw
|
||||
# This is a performance optimization that allows platform apps to bypass the FUSE layer
|
||||
allow platform_app sdcard_posix:dir create_dir_perms;
|
||||
allow platform_app sdcard_posix:file create_file_perms;
|
||||
|
||||
# Allow Gallery3D to crop user images
|
||||
allow platform_app system_app_data_file:file rw_file_perms;
|
||||
|
||||
# Allow Gallery3D to execute render scripts
|
||||
allow platform_app app_data_file:file execute;
|
||||
|
||||
# Allow batterymanager and batteryproperties services to be found
|
||||
allow platform_app battery_service:service_manager find;
|
||||
allow platform_app healthd_service:service_manager find;
|
||||
@@ -8,6 +8,3 @@ allow dumpstate fuse:file r_file_perms;
|
||||
allow dumpstate themeservice_app_data_file:dir r_dir_perms;
|
||||
allow dumpstate themeservice_app_data_file:file r_file_perms;
|
||||
allow dumpstate media_rw_data_file:dir search;
|
||||
allow dumpstate sdcardfs:file getattr;
|
||||
allow dumpstate sdcardfs:dir search;
|
||||
|
||||
|
||||
@@ -24,8 +24,8 @@ allow recovery media_rw_data_file:dir r_dir_perms;
|
||||
allow recovery media_rw_data_file:file r_file_perms;
|
||||
allow recovery vfat:dir r_dir_perms;
|
||||
allow recovery vfat:file r_file_perms;
|
||||
allow recovery sdcard_posix:dir r_dir_perms;
|
||||
allow recovery sdcard_posix:file r_file_perms;
|
||||
allow recovery sdcard_type:dir r_dir_perms;
|
||||
allow recovery sdcard_type:file r_file_perms;
|
||||
|
||||
# Control properties
|
||||
allow recovery recovery_prop:property_service set;
|
||||
|
||||
@@ -66,4 +66,7 @@ userdebug_or_eng(`
|
||||
allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
|
||||
|
||||
allow kernel sudaemon:fd { use };
|
||||
|
||||
')
|
||||
|
||||
neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -untrusted_app -init -sudaemon') } su_exec:file no_x_file_perms;
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
domain_trans(init, rootfs, vold)
|
||||
|
||||
# Allow vold to manage ASEC
|
||||
allow vold sdcard_external:file create_file_perms;
|
||||
allow vold sdcard_type:file create_file_perms;
|
||||
allow vold vold_tmpfs:file create_file_perms;
|
||||
|
||||
# Allow vold to access fuse for fuse-based fs
|
||||
allow vold fuse_device:chr_file rw_file_perms;
|
||||
allow vold fuseblk:chr_file rw_file_perms;
|
||||
|
||||
# NTFS-3g wants to drop permission
|
||||
allow vold self:capability { setgid setuid };
|
||||
|
||||
Reference in New Issue
Block a user