Google Git
Sign in
ara-mdk / platform / external / sepolicy / 0ecb0f886660da5ddfd6945e4b993048727caac8^! / .
commit0ecb0f886660da5ddfd6945e4b993048727caac8[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Thu Mar 28 10:05:08 2013 -0400
committerStephen Smalley <sds@tycho.nsa.gov>Thu Mar 28 10:14:25 2013 -0400
tree22d032066d8ea5914d6c81fefe18f6acf02fdbd0
parent96c109e8f6de0a2541aabccacecec65bd5ec4c31 [diff]
Eliminate most of the app policy booleans.

Just allow them unconditionally for compatibility.

Change-Id: I85b56532c6389bdfa25731042b98d8f254bd80ee
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/app.te b/app.te
index 90dfd96..a689a29 100644
--- a/app.te
+++ b/app.te

@@ -71,6 +71,7 @@
 # set it must be an mlstrustedsubject.
 type isolated_app, domain, mlstrustedsubject;
 app_domain(isolated_app)
+allow isolated_app system_data_file:file { open execute };
 
 #
 # An example of a specific domain for a specific app
@@ -99,29 +100,12 @@
 #
 type untrusted_app, domain;
 app_domain(untrusted_app)
-# Boolean-controlled options for untrusted apps.
-# Network access.
-bool app_network true;
-if (app_network) {
-# Cannot use net_domain within a conditional - type attribute.
-allow untrusted_app self:{ tcp_socket udp_socket } *;
-allow untrusted_app port_type:tcp_socket name_connect;
-allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
-allow untrusted_app port_type:udp_socket name_bind;
-allow untrusted_app port_type:tcp_socket name_bind;
-unix_socket_connect(untrusted_app, dnsproxyd, netd)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
 allow untrusted_app tun_device:chr_file rw_file_perms;
-allow untrusted_app untrusted_app:netlink_route_socket write;
-# Get route information.
-allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };
-}
-# Bluetooth access.
-bool app_bluetooth false;
-if (app_bluetooth or android_cts) {
-# No specific SELinux class for bluetooth sockets presently.
-allow untrusted_app self:socket *;
-allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };
-}
+allow untrusted_app system_data_file:file { execute open };
+allow untrusted_app log_device:chr_file read;
+
 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;
 if (app_internal_sdcard_rw) {
@@ -134,17 +118,6 @@
 allow untrusted_app sdcard_external:dir create_dir_perms;
 allow untrusted_app sdcard_external:file create_file_perms;
 }
-# Native app support.
-bool app_ndk false;
-if (app_ndk or android_cts) {
-allow untrusted_app system_data_file:file { execute open };
-allow isolated_app system_data_file:file { open execute };
-}
-# Read Logs
-bool app_read_logs false;
-if (app_read_logs or android_cts) {
-allow untrusted_app log_device:chr_file read;
-}
 
 #
 # Rules for all app domains.