am 6766cc9e: Merge "allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access"

* commit '6766cc9e3c1d5dcec5db445a8d06bb6d4f301562':
  allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access
diff --git a/app.te b/app.te
index 7984f10..1540f08 100644
--- a/app.te
+++ b/app.te
@@ -24,8 +24,7 @@
 allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp file created by system server.
 allow platform_app apk_tmp_file:file rw_file_perms;
-# Read/[open] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow platform_app qtaguid_proc:file { open };
+# Read /dev/xt_qtaguid
 allow platform_app qtaguid_device:chr_file r_file_perms;
 
 # Apps signed with the media key.
@@ -41,8 +40,7 @@
 # Write to /cache.
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow media_app qtaguid_proc:file rw_file_perms;
+# Read /dev/xt_qtaguid
 allow media_app qtaguid_device:chr_file r_file_perms;
 
 # Apps signed with the shared key.
@@ -66,9 +64,13 @@
 bluetooth_domain(release_app)
 # Read logs.
 allow release_app log_device:chr_file read;
+# Read /dev/xt_qtaguid
+allow release_app qtaguid_device:chr_file r_file_perms;
 
 # Services with isolatedProcess=true in their manifest.
-type isolated_app, domain;
+# In order for isolated_apps to interact with apps that have levelFromUid=true
+# set it must be an mlstrustedsubject.
+type isolated_app, domain, mlstrustedsubject;
 app_domain(isolated_app)
 
 #
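Review bot: Adding mlstrustedsubject to isolated_app (`type isolated_app, domain, mlstrustedsubject;`) exempts the domain from every MLS constraint that checks that attribute, not only the interaction with a levelFromUid=true parent, so the comment understates the scope of the grant; combined with the seapp_contexts hunk that drops `levelFromUid=true` from the `_isolated` entry, isolated processes appear to end up with no per-UID category of their own. A comment stating that trade-off would help a later reviewer, e.g. `# NOTE: mlstrustedsubject exempts isolated_app from MLS constraints generally, not just the parent-app case; the _isolated entry in seapp_contexts no longer sets levelFromUid.` The release_app qtaguid_device rule above it is consistent with the platform_app and media_app hunks earlier in this file.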
@@ -128,6 +130,7 @@
 bool app_ndk false;
 if (app_ndk or android_cts) {
 allow untrusted_app system_data_file:file { execute open };
+allow isolated_app system_data_file:file { open execute };
 }
 # Read Logs
 bool app_read_logs false;
@@ -139,6 +142,9 @@
 # Rules for all app domains.
 #
 
+# Allow apps to connect to the keystore
+unix_socket_connect(appdomain, keystore, keystore)
+
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 
@@ -173,7 +179,7 @@
 allow appdomain anr_data_file:file { open append };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file write;
+allow appdomain qtaguid_proc:file rw_file_perms;
 
 # Use the Binder.
 binder_use(appdomain)
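Review bot: The comment above the changed rule still says `# Write to /proc/net/xt_qtaguid/ctrl file.` while the rule now grants rw_file_perms, which includes read; update it to `# Read/Write /proc/net/xt_qtaguid/ctrl file.` so the comment matches the grant. The platform_app and media_app hunks earlier in this file dropped their own qtaguid_proc rules, presumably because this appdomain-wide rule now covers them, but note that platform_app previously had only `{ open }` and this extends read/write on the ctrl file to every app domain rather than to the signed-key domains only; worth confirming that breadth is intended.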
@@ -183,3 +189,13 @@
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
 binder_transfer(appdomain, appdomain)
+
+# Appdomain interaction with isolated apps
+r_dir_file(appdomain, isolated_app)
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain isolated_app:unix_stream_socket { read write };
+allow isolated_app appdomain:unix_stream_socket { read write };
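Review bot: The two unix_stream_socket rules and `r_dir_file(appdomain, isolated_app)` are written between the whole appdomain attribute and the whole isolated_app type, so any app domain may read/write a stream socket it obtains to any isolated process and read isolated_app-labelled dir/file objects, not only those of the service it spawned; the comment already notes the socket arrives over other IPC, and that is what confines it in practice. Stating that dependency in the comment would make the trust boundary explicit, e.g. `# Scope: any appdomain <-> any isolated_app; confinement relies on the socket only being obtainable via the parent's own IPC.` The comment also flags this as derived from one app (Chrome), so a TODO to re-check against other isolated services once examined would match the author's own caveat.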
diff --git a/dhcp.te b/dhcp.te
index b596479..1cf7af5 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -11,6 +11,7 @@
 allow dhcp self:netlink_route_socket { write nlmsg_write read create bind };
 allow dhcp self:udp_socket { create ioctl };
 allow dhcp shell_exec:file { read open execute };
+allow dhcp system_file:file execute_no_trans;
 allow dhcp proc:file write;
 allow dhcp property_socket:sock_file write ;
 allow dhcp system_prop:property_service set ;
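Review bot: `allow dhcp system_file:file execute_no_trans;` lets dhcp execute any file labelled system_file in its own domain, which is one of the broadest executable types on the system, and nothing in the hunk says which helper needs it; given the existing `allow dhcp shell_exec:file { read open execute };` rule it is presumably for helpers invoked from a shell script, but that is inference. A comment naming the binary would tell a later reviewer whether a narrower exec type is feasible, e.g. `# Needed to exec <helper binary — TODO confirm>; narrow to a dedicated exec_type if possible.`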
@@ -19,4 +20,5 @@
 unix_socket_connect(dhcp, property, init)
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-allow dhcp dhcp_data_file:dir { write add_name search };
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
diff --git a/mtp.te b/mtp.te
index 4fc04b6..b458e69 100644
--- a/mtp.te
+++ b/mtp.te
@@ -3,6 +3,7 @@
 type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
+net_domain(mtp)
 
 # pptp policy
 allow mtp self:tcp_socket { create setopt connect write read };
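Review bot: With `net_domain(mtp)` added, the explicit `allow mtp self:tcp_socket { create setopt connect write read };` line directly below may now be partly or wholly redundant if the net_domain macro already grants self socket permissions, which I cannot confirm from this hunk; if it is, dropping the duplicate keeps the intent of the remaining pptp-specific rules clearer. A short comment such as `# net_domain provides the generic socket rules; the lines below are pptp-specific` would resolve the ambiguity either way.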
@@ -11,3 +12,4 @@
 allow mtp self:capability net_raw;
 allow mtp ppp:process signal;
 allow mtp port:tcp_socket name_connect;
+allow mtp vpn_data_file:dir search;
diff --git a/seapp_contexts b/seapp_contexts
index 25d7316..f63da7c 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -41,4 +41,4 @@
 user=_app seinfo=media domain=media_app type=platform_app_data_file
 user=_app seinfo=release domain=release_app type=platform_app_data_file
 user=_app seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
-user=_isolated domain=isolated_app levelFromUid=true
+user=_isolated domain=isolated_app
diff --git a/system.te b/system.te
index 557a385..bace071 100644
--- a/system.te
+++ b/system.te
@@ -89,10 +89,13 @@
 allow system appdomain:dir r_dir_perms;
 allow system appdomain:{ file lnk_file } rw_file_perms;
 
-# Write to /proc/net/xt_qtaguid/ctrl.
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
 allow system qtaguid_proc:file rw_file_perms;
 allow system qtaguid_device:chr_file rw_file_perms;
 
+# WifiWatchdog uses a packet_socket
+allow system self:packet_socket *;
+
 # Notify init of death.
 allow system init:process sigchld;
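Review bot: `allow system self:packet_socket *;` grants every permission on the class, whereas the WifiWatchdog comment suggests a specific, knowable set is needed; enumerating the permissions actually exercised (for example `allow system self:packet_socket { create bind read write ioctl };` — a constructed set, adjust to what the denials show) keeps the rule auditable and avoids silently absorbing permissions added to the class later. The new comment line also has a doubled word and should read `# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.`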