
Stephen Smalley committed c710806 Merge

Merge branch 'seandroid' into intent_mac


Files changed (4)

+# Domain for init-spawned shell processes (e.g. console service).
+type init_shell, domain, shelldomain, mlstrustedsubject;
+
+# Rules for init-spawned shells.
+binder_use(init_shell)
+binder_call(init_shell, system)
+
+# Inherits shelldomain rules from shell.te
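Review bot: The `type init_shell, domain, shelldomain, mlstrustedsubject;` declaration carries `mlstrustedsubject` with no comment saying why an init-spawned console shell needs to be exempt from MLS constraints. The attribute is moved over unchanged from the old declaration, but now that the domain has its own section this is the place to record the reason, e.g. `# mlstrustedsubject: <why the console shell must bypass MLS checks>`. The closing comment `# Inherits shelldomain rules from shell.te` would also read better if it said which rules are meant (the `allow shelldomain ...` lines), since the `binder_use`/`binder_call` rules above are granted in addition to those.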
-# Type for /system/bin/sh and friends.
-type shell_exec, file_type, exec_type;
-
-# Domain for adb shell process.
+# Domain for shell processes spawned by ADB
 type shell, domain, shelldomain, mlstrustedsubject;
-
-# Domain for init-spawned shell processes (e.g. console service).
-type init_shell, domain, shelldomain, mlstrustedsubject;
+type shell_exec, file_type, exec_type;
 
 # Rules for adb shell.
 # Access /data/local/tmp.
 # XXX Split into its own domain?
 app_domain(shell)
 
-# Rules for init-spawned shells.
-binder_use(init_shell)
-binder_call(init_shell, system)
-
 # Rules for all shell domains.
 allow shelldomain rootfs:dir r_dir_perms;
 allow shelldomain devpts:chr_file rw_file_perms;
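Review bot: `type shell_exec, file_type, exec_type;` now sits directly under `# Domain for shell processes spawned by ADB`, and its own comment was dropped in the move. Its attributes mark it as a file/exec type rather than a domain, so the heading above it is misleading; I would restore `# Type for /system/bin/sh and friends.` on the line before it. Since the init_shell declaration has moved out of this section while `# Rules for all shell domains.` stays, that comment could also note that the `shelldomain` rules apply to init_shell as well.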
 #
-# Apps that run with the system UID, e.g. com.android.system.ui,
-# com.android.settings.  These are not as privileged as the system
-# server.
-#
-type system_app, domain;
-app_domain(system_app)
-
-# Perform binder IPC to any app domain.
-binder_call(system_app, appdomain)
-
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Write to dalvikcache.
-allow system_app dalvikcache_data_file:file { write setattr };
-
-# Talk to keystore.
-unix_socket_connect(system_app, keystore, keystore)
-
-# Read SELinux enforcing status.
-selinux_getenforce(system)
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
-# Allow settings app to read from asec
-allow system_app asec_apk_file:dir search;
-allow system_app asec_apk_file:file r_file_perms;
-
-#
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
 #
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings.  These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+app_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+# Settings app reads sdcard for storage stats
+allow system_app sdcard_type:dir r_dir_perms;
+
+# Allow settings app to read from asec
+allow system_app asec_apk_file:dir search;
+allow system_app asec_apk_file:file r_file_perms;
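Review bot: Only one of the two calls that sat under `# Read SELinux enforcing status.` in the old block is carried over here: `selinux_getenforce(system_app)` is kept, `selinux_getenforce(system)` is not. None of the added lines visible on this page re-adds `selinux_getenforce(system)`, so unless it is restored in a part of the policy not shown, the system server domain loses that permission as a side effect of the split. If the drop is intended, say so in the commit message; otherwise add `selinux_getenforce(system)` alongside the System Server rules.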