1. seandroid
  2. Untitled project
  3. external/sepolicy


Stephen Smalley  committed 61c80d5

Update policy for Android 4.2 / latest master.

Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

  • Participants
  • Parent commits eab2389
  • Branches master

Comments (0)

Files changed (8)

File adbd.te

View file
 allow adbd adb_device:chr_file rw_file_perms;
 allow adbd qemu_device:chr_file rw_file_perms;
 allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
-allow adbd rootfs:file entrypoint;
+allow adbd rootfs:file { read entrypoint };
 allow adbd init:process sigchld;
 allow adbd self:tcp_socket *;
 allow adbd self:unix_stream_socket *;

File bluetooth.te

View file
-# Domains that can create and use bluetooth sockets.
+# bluetooth subsystem
+type bluetooth, domain;
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+# Device accesses.
+allow bluetooth hci_attach_dev:chr_file rw_file_perms;
+allow bluetooth input_device:chr_file write;
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+dontaudit bluetooth self:capability net_admin;
+# Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
 allow bluetoothdomain self:socket *;

File file.te

View file
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type inotify, fs_type, mlstrustedobject;
 type devpts, fs_type;
 type bluetooth_efs_file, file_type;
 # Socket types
+type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dbus_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;

File file_contexts

View file
 /dev/s3c-mfc		u:object_r:graphics_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
 /dev/socket		u:object_r:socket_device:s0
+/dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/bluetooth	u:object_r:bluetooth_socket:s0
 /dev/socket/dbus_bluetooth	u:object_r:bluetooth_socket:s0
 /dev/socket/dbus	u:object_r:dbus_socket:s0
 # Misc data
 /data/misc/bluetoothd(/.*)?	u:object_r:bluetoothd_data_file:s0
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/keystore(/.*)?	u:object_r:keystore_data_file:s0
 /data/misc/vpn(/.*)?		u:object_r:vpn_data_file:s0
 /data/misc/systemkeys(/.*)?	u:object_r:systemkeys_data_file:s0
 /sys/qemu_trace/process_name	--	u:object_r:sysfs_writable:s0
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
+/sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
 # asec containers
 /mnt/asec(/.*)?         u:object_r:asec_apk_file:s0

File keystore.te

View file
 # keystore daemon
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };

File seapp_contexts

View file
 isSystemServer=true domain=system
 user=system domain=system_app type=system_data_file
+user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=_app domain=untrusted_app type=app_data_file levelFromUid=true

File system.te

View file
 allow system appdomain:process { sigkill signal };
 # Set scheduling info for apps.
-allow system appdomain:process setsched;
-allow system mediaserver:process setsched;
+allow system appdomain:process { getsched setsched };
+allow system mediaserver:process { getsched setsched };
 # Read /proc data for apps.
 allow system appdomain:dir r_dir_perms;

File zygote.te

View file
 # Read /seapp_contexts, presently on the rootfs.
 allow zygote rootfs:file r_file_perms;
+# Setting up /storage/emulated.
+allow zygote rootfs:dir mounton;
+allow zygote sdcard:dir { write search setattr create add_name mounton };
+dontaudit zygote self:capability fsetid;
+allow zygote tmpfs:dir { write create add_name setattr mounton };
+allow zygote tmpfs:filesystem mount;