diff options
| -rw-r--r-- | app.te | 2 | ||||
| -rw-r--r-- | dex2oat.te | 2 | ||||
| -rw-r--r-- | domain.te | 4 | ||||
| -rw-r--r-- | file.te | 2 | ||||
| -rw-r--r-- | file_contexts | 3 | ||||
| -rw-r--r-- | isolated_app.te | 3 | ||||
| -rw-r--r-- | radio.te | 3 | ||||
| -rw-r--r-- | zygote.te | 5 |
8 files changed, 20 insertions, 4 deletions
@@ -90,7 +90,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms; # Grant GPU access to all processes started by Zygote. # They need that to render the standard UI. -allow appdomain gpu_device:chr_file { rw_file_perms execute }; +allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute }; # Use the Binder. binder_use(appdomain) @@ -3,6 +3,8 @@ type dex2oat, domain; type dex2oat_exec, exec_type, file_type; allow dex2oat dalvikcache_data_file:file write; +# Read symlinks in /data/dalvik-cache +allow dex2oat dalvikcache_data_file:lnk_file read; allow dex2oat installd:fd use; # Read already open asec_apk_file file descriptors passed by installd. @@ -59,6 +59,10 @@ userdebug_or_eng(` # allow "gdbserver --attach" to work for su. allow domain su:process sigchld; + + # Allow writing coredumps to /cores/* + allow domain coredump_file:file create_file_perms; + allow domain coredump_file:dir ra_dir_perms; ') ### @@ -43,6 +43,8 @@ type usbfs, fs_type; type unlabeled, file_type; # Default type for anything under /system. type system_file, file_type; +# /cores for coredumps on userdebug / eng builds +type coredump_file, file_type; # Default type for anything under /data. type system_data_file, file_type, data_file_type; # /data/.layout_version or other installd-created files that diff --git a/file_contexts b/file_contexts index fce051b..62802e0 100644 --- a/file_contexts +++ b/file_contexts @@ -219,6 +219,9 @@ /data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0 /data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0 +# coredump directory for userdebug/eng devices +/cores(/.*)? u:object_r:coredump_file:s0 + # Wallpaper file for other users /data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0 ############################# diff --git a/isolated_app.te b/isolated_app.te index a156838..a035901 100644 --- a/isolated_app.te +++ b/isolated_app.te @@ -13,6 +13,9 @@ type isolated_app, domain; app_domain(isolated_app) net_domain(isolated_app) +# Isolated apps shouldn't be able to access the driver directly. +neverallow isolated_app gpu_device:file { rw_file_perms execute }; + # read and write access to app_data_file is already # granted via app.te. Allow execute. # Needed to allow dlopen() from Chrome renderer processes. @@ -17,6 +17,9 @@ allow radio radio_data_file:notdevfile_class_set create_file_perms; allow radio alarm_device:chr_file rw_file_perms; +allow radio net_data_file:dir search; +allow radio net_data_file:file r_file_perms; + # Property service allow radio radio_prop:property_service set; allow radio net_radio_prop:property_service set; @@ -21,12 +21,11 @@ allow zygote appdomain:process { getpgid setpgid }; # Read system data. allow zygote system_data_file:dir r_dir_perms; allow zygote system_data_file:file r_file_perms; -# Read system security data. -allow zygote keychain_data_file:dir r_dir_perms; -allow zygote keychain_data_file:file r_file_perms; # Write to /data/dalvik-cache. allow zygote dalvikcache_data_file:dir create_dir_perms; allow zygote dalvikcache_data_file:file create_file_perms; +# Create symlinks in /data/dalvik-cache +allow zygote dalvikcache_data_file:lnk_file create_file_perms; # Write to /data/resource-cache allow zygote resourcecache_data_file:dir rw_dir_perms; allow zygote resourcecache_data_file:file create_file_perms; |