
Stephen Smalley committed b05e602

Sync with seandroid-4.4.2.

Dropping booleans.
Dropping levelFrom=app.
Switching mdnsd to enforcing.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

  • Parent commits b5a313a
  • Branches seandroid, seandroid-4.4


Files changed (10)

 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes bools *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
+$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
 r_dir_file(bluetooth, bluetooth_efs_file)
 
 # Device accesses.
-if (!disableBluetooth) {
 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
 
 # Other domains that can create and use bluetooth sockets.
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
-}
 
 # Allow clients to use a socket provided by the bluetooth app.
 # TODO:  See if this is still required under bluedroid.

bools

-bool disableAudioCapture false;
-bool disableAudio false;
-bool disableBluetooth false;
-bool disableCamera false;
 type adb_device, dev_type;
 type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
-type audio_capture_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type block_device, dev_type;
 type camera_device, dev_type;
 allow dhcp netd:fifo_file rw_file_perms;
 allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
 allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
-# netdev-bt-pan driver loading
-allow dhcp kernel:system module_request;
 /dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
 /dev/rproc_user	u:object_r:rpmsg_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
-/dev/snd/pcmC[0-9]*D[0-9]*c u:object_r:audio_capture_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 # mdns daemon
 type mdnsd, domain;
-permissive_or_unconfined(mdnsd)
 type mdnsd_exec, exec_type, file_type;
 
 init_daemon_domain(mdnsd)
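Review bot: Removing `permissive_or_unconfined(mdnsd)` makes the domain enforcing, but this hunk adds no allow rule for mdnsd, so the daemon now depends entirely on rules further down the file, outside the hunk. Any access those rules miss will be denied rather than only logged. The commit description should say whether mdnsd ran free of avc denials before the switch, and a short comment next to the type declaration would record it, e.g. `# Enforcing: confirm no avc denials for mdnsd before adding new functionality.`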
 allow mediaserver audio_prop:property_service set;
 
 # Access audio devices at all.
-if (!disableAudio) {
 allow mediaserver audio_device:chr_file rw_file_perms;
-}
-
-# Access audio capture devices.
-if (!disableAudio && !disableAudioCapture) {
-allow mediaserver audio_capture_device:chr_file rw_file_perms;
-}
 
 # XXX Label with a specific type?
 allow mediaserver sysfs:file rw_file_perms;
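Review bot: The comment `# Access audio devices at all.` was written to contrast with the separate capture rule, and it reads oddly now that the rule and the `audio_capture_device` type are gone. This commit also removes the `/dev/snd/pcmC[0-9]*D[0-9]*c` entry, so capture nodes fall under the remaining `/dev/snd(/.*)?` entry and are labelled `audio_device`. The single `allow mediaserver audio_device:chr_file rw_file_perms;` therefore covers playback and capture alike. Saying so keeps the microphone access visible to the next reader, e.g. `# Access audio devices, including capture (microphone) nodes under /dev/snd.`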
 allow mediaserver apk_data_file:file { read getattr };
 
 # Access camera device.
-if (!disableCamera) {
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver rpmsg_device:chr_file rw_file_perms;
-}
 
 # Inter System processes communicate over named pipe (FIFO)
 allow mediaserver system_server:fifo_file r_file_perms;
 # XXX Split into its own type.
 allow netd sysfs:file write;
 
-# Network driver loading.
-allow netd kernel:system module_request;
 # Set dhcp lease for PAN connection
 unix_socket_connect(netd, property, init)
 allow netd system_prop:property_service set;
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
-user=_app domain=untrusted_app type=app_data_file levelFrom=app
+user=_app domain=untrusted_app type=app_data_file
 user=_app seinfo=platform domain=platform_app type=platform_app_data_file
 user=_app seinfo=shared domain=shared_app type=platform_app_data_file
 user=_app seinfo=media domain=media_app type=platform_app_data_file
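Review bot: The new `user=_app domain=untrusted_app type=app_data_file` entry has no `levelFrom`, so third-party apps no longer get per-app MLS categories and their data directories are separated only by UID-based DAC permissions. The commit message records the drop but not the reason; a comment above the entry would help, e.g. `# levelFrom=app dropped to match seandroid-4.4.2; untrusted apps now share a single MLS level.` Data directories created while `levelFrom=app` was in force presumably still carry category labels. It is worth confirming that existing app data is relabelled on a device that is upgraded rather than wiped.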