authorRobin Lee <rgl@google.com>2014-10-15 23:24:58 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2014-10-15 23:24:58 +0000
commitbdec09b9e867a72b07c8cb2fd554be49425da636 (patch)
treec08dc837f7c97a1b6d3ab935cdf6448bba616cb1
parent7a527cd15f1f93874714ae0d9b51a497846bd1e4 (diff)
parent51bfecf49d50982f64aba1fa73bbbdd2e40a444f (diff)
downloadsepolicy-bdec09b9e867a72b07c8cb2fd554be49425da636.tar.gz
am 51bfecf4: Pull keychain-data policy out of system-data
* commit '51bfecf49d50982f64aba1fa73bbbdd2e40a444f': Pull keychain-data policy out of system-data
-rw-r--r--app.te6
-rw-r--r--file.te2
-rw-r--r--file_contexts2
-rw-r--r--installd.te6
-rw-r--r--system_app.te8
-rw-r--r--system_server.te2
-rw-r--r--zygote.te3
7 files changed, 28 insertions, 1 deletions
diff --git a/app.te b/app.te
index 8830d05..c6ee799 100644
--- a/app.te
+++ b/app.te
@@ -53,6 +53,12 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };
+# Keychain and user-trusted credentials
+allow appdomain keychain_data_file:dir r_dir_perms;
+allow appdomain keychain_data_file:file r_file_perms;
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
# Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms;
allow appdomain oemfs:file rx_file_perms;
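Review bot: The two `misc_user_data_file` rules give every app domain read access to whatever carries that label, and file_contexts in this same commit applies it to the whole `/data/misc/user(/.*)?` tree. The type name is generic, so a later change could place non-public per-user data under that path and it would be readable by all apps as far as SELinux is concerned, with only DAC left as a barrier. A comment stating the constraint would help, for example `# misc_user_data_file is readable by all apps: store only public trust material under /data/misc/user.` A more specific type name would be worth considering if other data is expected there.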
diff --git a/file.te b/file.te
index 925bc02..112406b 100644
--- a/file.te
+++ b/file.te
@@ -78,9 +78,11 @@ type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
+type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type;
+type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 33ac8a3..ec91425 100644
--- a/file_contexts
+++ b/file_contexts
@@ -203,12 +203,14 @@
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
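Review bot: Existing installs are not covered by these two entries alone, because directories already on disk keep their previous label (presumably `system_data_file`) until something relabels them. The new allow rules in app.te, zygote.te and system_app.te match only the new types, and nothing in this commit shows the relabel step. Confirm that `/data/misc/keychain` and `/data/misc/user` are relabeled on upgrade before the old `system_data_file` access is relied on being gone. A comment beside the entries would record the dependency, such as `# Existing trees must be relabeled on upgrade (restorecon -R).`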
diff --git a/installd.te b/installd.te
index 6257ede..6b1b2b8 100644
--- a/installd.te
+++ b/installd.te
@@ -37,6 +37,12 @@ allow installd media_rw_data_file:file { getattr unlink };
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
allow installd install_data_file:file create_file_perms;
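Review bot: The permission set on the last added rule is written `{r_file_perms unlink}` without inner spaces, unlike `{ getattr unlink }` in the hunk header's context; `allow installd keychain_data_file:file { r_file_perms unlink };` matches the file's style. The comment says only "Upgrade ... if necessary", while the rules leave installd with permanent create access under both types. A fuller comment would explain the asymmetric permission sets, for example `# One-time migration: read and unlink legacy files in /data/misc/keychain, create per-user copies under /data/misc/user.` That reading is inferred from the permissions granted here and should be confirmed against installd's migration code.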
diff --git a/system_app.te b/system_app.te
index 9a336f9..ea23c81 100644
--- a/system_app.te
+++ b/system_app.te
@@ -12,10 +12,16 @@ binder_service(system_app)
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:file create_file_perms;
+# Read /data/misc/keychain subdirectory.
+allow system_app keychain_data_file:dir r_dir_perms;
+allow system_app keychain_data_file:file r_file_perms;
+
# Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/keychain.
+# /data/system/cache and /data/misc/user.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
# Audit writes to these directories and files so we can identify
# and possibly move these directories into their own type in the future.
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
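Review bot: The two `misc_user_data_file` rules are inserted between the `system_data_file` allows and the "Audit writes to these directories" comment, so that comment now reads as if it covered /data/misc/user, although the visible `auditallow` names only `system_data_file`. The reworded comment also cites /data/misc/user as an example directly above rules for `system_data_file`, a label that path no longer carries after this commit. Moving the two new rules into their own block under `# Read and write /data/misc/user.` and dropping that path from the older comment would keep each comment next to the type it describes. The auditallow rules may continue past the end of the hunk.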
diff --git a/system_server.te b/system_server.te
index 97d159d..fcec400 100644
--- a/system_server.te
+++ b/system_server.te
@@ -170,6 +170,8 @@ allow system_server tun_device:chr_file rw_file_perms;
# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
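Review bot: These rules make system_server a writer of the keychain store, but nothing in the commit asserts that app domains stay read-only on it, so a later broad grant could silently undo the separation this change introduces. A compile-time guard would pin that, for example `neverallow appdomain keychain_data_file:file { create write append setattr unlink rename };`, which is consistent with the read-only grants visible in app.te and system_app.te. It needs checking against app domains not shown on this page. The new rules also sit under "# Manage system data files." with no comment of their own; `# Manage /data/misc/keychain.` would match the neighbouring "# Manage /data/app." style.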
diff --git a/zygote.te b/zygote.te
index 4c6276c..5ee4eb8 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,6 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
+# Read system security data.
+allow zygote keychain_data_file:dir r_dir_perms;
+allow zygote keychain_data_file:file r_file_perms;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
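Review bot: The added comment "Read system security data." does not say which path or type is meant, while system_app.te in the same commit uses "Read /data/misc/keychain subdirectory." for the identical pair of rules. Using the same wording here, `# Read /data/misc/keychain.`, would make the grant easy to find by path. A blank line before the comment would also separate it from the `system_data_file` block above, as the other blocks in this hunk appear to be.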