Annotate MLS trusted subjects and objects.
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file. Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.
This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.
Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/adbd.te b/adbd.te
index 3b654a1..a9a6355 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,6 +1,6 @@
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
-type adbd, domain;
+type adbd, domain, mlstrustedsubject;
userdebug_or_eng(`
allow adbd self:process setcurrent;
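Review bot: The new attribute on `type adbd, domain, mlstrustedsubject;` carries no in-file comment saying why adbd is exempt from the MLS constraints, and the same applies to the equivalent lines in logd.te, mdnsd.te, netd.te and servicemanager.te. The justification lives only in the commit message, which a later reader of the policy file will not see, and since the mls constraints exempt mlstrustedsubject domains wholesale (reads and writes at every level) the exemption deserves a one-line rationale next to the declaration. Something like `# mlstrustedsubject: must talk to app sockets/processes running at any MLS level` above each type line, adapted per daemon, would do. The userdebug_or_eng block that opens on the last hunk line continues outside the hunk.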
diff --git a/file.te b/file.te
index 7df06d3..0721c32 100644
--- a/file.te
+++ b/file.te
@@ -133,8 +133,8 @@
type lmkd_socket, file_type;
type logd_debug, file_type;
type logd_socket, file_type;
-type logdr_socket, file_type;
-type logdw_socket, file_type;
+type logdr_socket, file_type, mlstrustedobject;
+type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type;
type mtpd_socket, file_type;
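Review bot: Marking logdr_socket and logdw_socket as mlstrustedobject exempts those sock_file types from every MLS constraint, not only the write (connect) access that the commit message says apps at any level need. That is presumably acceptable because the sock_file node carries no log data itself — the data flows over the connected socket, which is labelled by logd rather than by these file types — but none of that reasoning is recorded in file.te. A comment above the two lines, e.g. `# mlstrustedobject: apps at any MLS level must be able to connect (write) to these sockets`, would let a future reviewer see why the wider exemption is tolerated. logd_socket on the line above is left un-annotated, presumably because apps do not connect to it; worth confirming that is intentional.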
diff --git a/logd.te b/logd.te
index cde721a..ca6719a 100644
--- a/logd.te
+++ b/logd.te
@@ -1,5 +1,5 @@
# android user-space log manager
-type logd, domain;
+type logd, domain, mlstrustedsubject;
type logd_exec, exec_type, file_type;
init_daemon_domain(logd)
diff --git a/mdnsd.te b/mdnsd.te
index 7e14b52..e5fe1e2 100644
--- a/mdnsd.te
+++ b/mdnsd.te
@@ -1,5 +1,5 @@
# mdns daemon
-type mdnsd, domain;
+type mdnsd, domain, mlstrustedsubject;
type mdnsd_exec, exec_type, file_type;
init_daemon_domain(mdnsd)
diff --git a/netd.te b/netd.te
index 81275a7..ce89421 100644
--- a/netd.te
+++ b/netd.te
@@ -1,5 +1,5 @@
# network manager
-type netd, domain;
+type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;
init_daemon_domain(netd)
diff --git a/servicemanager.te b/servicemanager.te
index d20872c..9947aa7 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,5 +1,5 @@
# servicemanager - the Binder context manager
-type servicemanager, domain;
+type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, exec_type, file_type;
init_daemon_domain(servicemanager)