diff options
-rw-r--r-- | binderservicedomain.te | 3 | ||||
-rw-r--r-- | system_server.te | 6 | ||||
-rw-r--r-- | untrusted_app.te | 4 |
3 files changed, 12 insertions, 1 deletions
diff --git a/binderservicedomain.te b/binderservicedomain.te index 0bfd33a..36993eb 100644 --- a/binderservicedomain.te +++ b/binderservicedomain.te @@ -13,6 +13,9 @@ allow binderservicedomain console_device:chr_file rw_file_perms; allow binderservicedomain appdomain:fd use; allow binderservicedomain appdomain:fifo_file write; +# allow all services to run permission checks +allow binderservicedomain permission_service:service_manager find; + allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify }; use_keystore(binderservicedomain) diff --git a/system_server.te b/system_server.te index 0b18eb4..c9d8f3b 100644 --- a/system_server.te +++ b/system_server.te @@ -101,9 +101,13 @@ allow system_server proc_sysrq:file rw_file_perms; # Read /sys/kernel/debug/wakeup_sources. allow system_server debugfs:file r_file_perms; -# WifiWatchdog uses a packet_socket +# The DhcpClient and WifiWatchdog use packet_sockets allow system_server self:packet_socket create_socket_perms; +# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same +# as raw sockets, but the kernel doesn't yet distinguish between the two. +allow system_server node:rawip_socket node_bind; + # 3rd party VPN clients require a tun_socket to be created allow system_server self:tun_socket create_socket_perms; diff --git a/untrusted_app.te b/untrusted_app.te index 693a13c..fb76317 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -80,7 +80,11 @@ allow untrusted_app mnt_media_rw_file:dir search; allow untrusted_app cache_file:dir create_dir_perms; allow untrusted_app cache_file:file create_file_perms; +# allow cts to query all services +allow untrusted_app servicemanager:service_manager list; + allow untrusted_app drmserver_service:service_manager find; +allow untrusted_app healthd_service:service_manager find; allow untrusted_app mediaserver_service:service_manager find; allow untrusted_app nfc_service:service_manager find; allow untrusted_app radio_service:service_manager find; |