author | samalin <samalin@google.com> | 2021-01-28 20:40:56 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-01-28 20:40:56 +0000 |
commit | b4ee294e14089dc4f522a4dfdb29a3aef79e0f0b (patch) | |
tree | 56ca7faa928f523feb4951c51c34b0bba1442bb7 | |
parent | 8dd7823ed12f385248c60e9ce4f43e65b9763280 (diff) | |
parent | 1842e0ee76a0b162a953d117e2d36e4a45077645 (diff) | |
sepolicy: add domain for wfcactivation app am: 1842e0ee76
Original change: https://googleplex-android-review.googlesource.com/c/device/google/barbet-sepolicy/+/13400165
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ifb40a7994492b142eeeedc6aef9e2d1f6a71b854
-rw-r--r-- | private/certs/wfcactivation.x509.pem | 23 | ||||
-rw-r--r-- | private/keys.conf | 2 | ||||
-rw-r--r-- | private/mac_permissions.xml | 26 | ||||
-rw-r--r-- | private/seapp_contexts | 2 | ||||
-rw-r--r-- | private/wfc_activation_app.te | 9 |
5 files changed, 62 insertions, 0 deletions
diff --git a/private/certs/wfcactivation.x509.pem b/private/certs/wfcactivation.x509.pem
new file mode 100644
index 0000000..bead020
--- /dev/null
+++ b/private/certs/wfcactivation.x509.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyTCCArGgAwIBAgIJAODrqTpclyUkMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEXMBUG
+A1UEAwwOd2ZjX2FjdGl2YXRpb24wHhcNMTgwMjIxMDA1NTM4WhcNNDUwNzA5MDA1
+NTM4WjB7MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UE
+BwwNTW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsM
+B0FuZHJvaWQxFzAVBgNVBAMMDndmY19hY3RpdmF0aW9uMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAruKdMaQjRrlTwLHWAhUwLXoq+1glzoQ5ibqHDg4i
+GPPlwT7qPG8xWW6UmTiLNES6YSDpvCvptqrZccecviYfYIg7/JCF/xr2cFt9Gyyo
+L0muemdUMFjGQJxKCQMi8jlqPVgfcy7ZEfVvoDWUupD7hVVA6TFkWH1nv/5GzJVK
+h7D4vBaYE6qwM1+NJjrbk1O8SMMCES7MkJhpnfbRYr8d5uxSzDWqqeqvM6CFSvKw
+cxqbCcNl0MDgSCgtnxzZZjg5AFuPECV8lgJpxFEqgEIK1fsebK5G8o4buokMW+W4
+ZT2LZtMq/qsZXl59h22KQX2w5mcI6KyV8WZOcPPOm8uf8wIDAQABo1AwTjAdBgNV
+HQ4EFgQU9jpHDUfkIqBODCp9/c5TsraA9sowHwYDVR0jBBgwFoAU9jpHDUfkIqBO
+DCp9/c5TsraA9sowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAZMf+
+KD3oFS0cv/C0qQx28wW5BKFb/PM6RxDwTRF7yyJj4+uZU0+O8NJEqBNDgHusFJR6
+2ZXXiWDqzNb0scZxD95FP1YxiLPAcbn2oCTkGPYcCsBmT1i25RsIKTb7fR3UJ/bY
+V55CQy1FjX5H1katVpezi1bs17stqrjL0aCk8s7wZPQ9KTy7SfMF9rUfg8ltrj8s
+MD5cq21GJuJMpI2kNUV7IT+4B3CeHzpm0iy8NmbavgNezZAx1za4QIySNcKfdsSs
+7PsNYPS0R9BeZK/4u4/yrQvRV0lXzQcIJPpwr0cfuhcgcHG8sbCLaw4Ph6go9kRL
+hvY7ZX9pdBLS8ukQ4w==
+-----END CERTIFICATE-----
diff --git a/private/keys.conf b/private/keys.conf
new file mode 100644
index 0000000..99a446a
--- /dev/null
+++ b/private/keys.conf
@@ -0,0 +1,2 @@
+[@WFCACTIVATION]
+ALL : device/google/barbet-sepolicy/private/certs/wfcactivation.x509.pem
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
new file mode 100644
index 0000000..636d579
--- /dev/null
+++ b/private/mac_permissions.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag.
+ * A signer tag may contain a seinfo tag and multiple package stanzas.
+ * A default tag is allowed that can contain policy for all apps not signed with a
+ previously listed cert. It may not contain any inner package stanzas.
+ * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process.
+ * When a package is installed the following logic is used to determine what seinfo
+ value, if any, is assigned.
+ - All signatures used to sign the app are checked first.
+ - If a signer stanza has inner package stanzas, those stanza will be checked
+ to try and match the package name of the app. If the package name matches
+ then that seinfo tag is used. If no inner package matches then the outer
+ seinfo tag is assigned.
+ - The default tag is consulted last if needed.
+-->
+ <signer signature="@WFCACTIVATION" >
+ <seinfo value="wfcactivation" />
+ </signer>
+</policy>
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 0000000..57a99de
--- /dev/null
+++ b/private/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for WfcActivation app
+user=_app seinfo=wfcactivation name=com.google.android.wfcactivation domain=wfc_activation_app levelFrom=all
diff --git a/private/wfc_activation_app.te b/private/wfc_activation_app.te
new file mode 100644
index 0000000..cd32efc
--- /dev/null
+++ b/private/wfc_activation_app.te
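Review bot: The `@WFCACTIVATION` signer stanza in `private/mac_permissions.xml` has no inner `<package>` stanza, so, as the comment block above it explains, every package signed with this certificate is assigned `seinfo=wfcactivation`. The domain itself is still gated by `name=` in `private/seapp_contexts`, so this is a defence-in-depth point rather than a hole. If only one package is ever meant to carry the tag, pin it inside the signer: `<package name="com.google.android.wfcactivation"><seinfo value="wfcactivation" /></package>`.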
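Review bot: The `private/seapp_contexts` entry sets `domain=` but no `type=`, so it is consulted only for process labelling; the app's data directory label comes from whichever other entry matches the package, which is not visible in this change. If that fallback is intended, say so in the comment above the entry, e.g. `# Domain for WfcActivation app; data dir label comes from the default _app entry`; otherwise state the output explicitly, e.g. `type=app_data_file` after `domain=wfc_activation_app`. The entry also has no `isPrivApp=true` selector, so the match rests on the process name plus the `wfcactivation` seinfo alone; it is worth confirming that this is the intended scope.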
@@ -0,0 +1,9 @@
+type wfc_activation_app, domain, coredomain;
+
+app_domain(wfc_activation_app)
+net_domain(wfc_activation_app)
+
+# Services
+allow wfc_activation_app app_api_service:service_manager find;
+allow wfc_activation_app qchook_service:service_manager find;
+allow wfc_activation_app radio_service:service_manager find; |
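Review bot: `wfc_activation_app` is declared `coredomain` and given `net_domain` plus `find` on `radio_service` and `qchook_service`, yet the only comment in the file is `# Services`, so nothing records why a network-facing app domain needs telephony and (judging by the name) vendor RIL hook access. Add a header comment naming the app and its role, and one short comment per grant stating the feature that requires it, e.g. `# qchook_service: <reason this app talks to the RIL hook>`. `find` on the `app_api_service` attribute covers every service carrying that attribute; if the app uses only a few of them, listing those service types instead would keep the domain closer to least privilege. It is also worth confirming that `coredomain` is the right attribute for a domain defined in device policy that looks up what appears to be a vendor service.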