author | Adam Shih <adamshih@google.com> | 2018-06-26 14:52:14 +0800 |
---|---|---|
committer | Meng Wang <mewan@google.com> | 2020-05-13 22:59:56 +0000 |
commit | 72c61bf69265a114f44b87a60e40085b1ce8a320 (patch) | |
tree | 1a90176f80d0cf95a470c348a0fb3dda75c9100a | |
parent | 7c1ecf5fa1456cb199e9c7e80791be62da709de9 (diff) | |
download | coral-sepolicy-72c61bf69265a114f44b87a60e40085b1ce8a320.tar.gz |
coral-sepolicy: Add selinux rules for verizon OBDM app
Bug: 155809686
Test: build pass and make sure the contents are the same as before
- check the domain in device can be changed to obdm_app to
apply the rules
Note: OBDM is a prebuilt app and tested on old projects with these rules,
and we have no environment to do local test now,
just sync patch from B1C1(http://ag/4059061, http://ag/4418057)
Change-Id: I991b90c345043311077f3e65807432642ddad64c
-rw-r--r-- | coral-sepolicy.mk | 1 | ||||
-rw-r--r-- | vendor/verizon/keys.conf | 2 | ||||
-rw-r--r-- | vendor/verizon/mac_permissions.xml | 6 | ||||
-rw-r--r-- | vendor/verizon/obdm_app.te | 21 | ||||
-rw-r--r-- | vendor/verizon/seapp_contexts | 3 | ||||
-rw-r--r-- | vendor/verizon/verizon.x509.pem | 21 |
6 files changed, 54 insertions, 0 deletions
diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk
index 8ea3e0a..094e701 100644
--- a/coral-sepolicy.mk
+++ b/coral-sepolicy.mk
@@ -7,3 +7,4 @@ BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/common
 BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/sm8150
 BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/knowles/common
 BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/tracking_denials
+BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/verizon
diff --git a/vendor/verizon/keys.conf b/vendor/verizon/keys.conf
new file mode 100644
index 0000000..03f85b8
--- /dev/null
+++ b/vendor/verizon/keys.conf
@@ -0,0 +1,2 @@
+[@VERIZON]
+ALL : device/google/coral-sepolicy/vendor/verizon/verizon.x509.pem
diff --git a/vendor/verizon/mac_permissions.xml b/vendor/verizon/mac_permissions.xml
new file mode 100644
index 0000000..770f40a
--- /dev/null
+++ b/vendor/verizon/mac_permissions.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+ <signer signature="@VERIZON" >
+ <seinfo value="verizon" />
+ </signer>
+</policy>
diff --git a/vendor/verizon/obdm_app.te b/vendor/verizon/obdm_app.te
new file mode 100644
index 0000000..cd7c17f
--- /dev/null
+++ b/vendor/verizon/obdm_app.te
@@ -0,0 +1,21 @@
+type obdm_app, domain, coredomain;
+
+app_domain(obdm_app)
+net_domain(obdm_app)
+
+allow obdm_app app_api_service:service_manager find;
+allow obdm_app radio_service:service_manager find;
+allow obdm_app surfaceflinger_service:service_manager find;
+
+userdebug_or_eng(`
+ allow obdm_app proc_stat:file r_file_perms;
+
+ # talk to /dev/diag
+ allow obdm_app diag_device:chr_file rw_file_perms;
+
+ allow obdm_app self:socket create_socket_perms;
+ allowxperm obdm_app self:socket ioctl { 0x0000c302 0x0000c304 };
+
+ allow obdm_app sysfs:dir r_dir_perms;
+ r_dir_file(obdm_app, sysfs_msm_subsys)
+')
diff --git a/vendor/verizon/seapp_contexts b/vendor/verizon/seapp_contexts
new file mode 100644
index 0000000..951fef3
--- /dev/null
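Review bot: The extended-permission line `allowxperm obdm_app self:socket ioctl { 0x0000c302 0x0000c304 };` in vendor/verizon/obdm_app.te lists two bare ioctl numbers, and nothing in the file says which commands they are or why the app needs them. I would add a comment above it such as `# socket ioctls used by the diag client; command names to be filled in from the kernel header`, so a later audit can tell an intended grant from a stale one. In the same userdebug_or_eng block, `allow obdm_app sysfs:dir r_dir_perms;` is on the generic sysfs label; if the app only has to traverse /sys to reach the sysfs_msm_subsys nodes, `allow obdm_app sysfs:dir search;` would presumably be enough. It is also worth confirming that `coredomain` is intended for a type that is defined under vendor/ and is given `diag_device` access.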
+++ b/vendor/verizon/seapp_contexts
@@ -0,0 +1,3 @@
+# Verizon for OBDM tool
+user=_app seinfo=verizon name=com.verizon.obdm domain=obdm_app type=app_data_file levelFrom=all
+user=_app seinfo=verizon name=com.verizon.obdm:background domain=obdm_app type=app_data_file levelFrom=all
diff --git a/vendor/verizon/verizon.x509.pem b/vendor/verizon/verizon.x509.pem
new file mode 100644
index 0000000..a06efc2
--- /dev/null
+++ b/vendor/verizon/verizon.x509.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDczCCAlugAwIBAgIEMzx+mzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCTkoxDzANBgNVBAcTBldhcnJlbjEZMBcGA1UEChMQVmVyaXpv
+biBXaXJlbGVzczELMAkGA1UECxMCRFQxFDASBgNVBAMTC0RNQVQgQ2xpZW50MCAX
+DTE2MTAxMTIxMzgzN1oYDzIxMTYwOTE3MjEzODM3WjBpMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCTkoxDzANBgNVBAcTBldhcnJlbjEZMBcGA1UEChMQVmVyaXpvbiBX
+aXJlbGVzczELMAkGA1UECxMCRFQxFDASBgNVBAMTC0RNQVQgQ2xpZW50MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr8y6pz1KPVolO8wj02oWSzuLZHWg
+HuatQ5RlbXFBqS9/ScPSw3t/Yt+jg2++VUG726qL7ydx8g3AzMktWHNkdhg6j8Dz
+fkEMa/oqcr+VOAQyPw4X0xkUs6ICsEuULRaAwY1NwSVCrTuSlxzlmumbTCg+tp4Y
+m2FXEct8VNayJcrLnTwl/IiYmFLNLLiZPrwqbSkMVfYbfxws7c2lVZI4qhIC7WWA
+HW5PyhO3Vdhjoj4E1QzkyabtB6el3kfE0xIta1IHV2iJdoAlESjaj3UT1i9d+Twt
+7DCsu/ZevIl/g/vwbYi2uqQuSs/a3/qeUcawvcQZR4vWHo/Gx8PyiTZHJwIDAQAB
+oyEwHzAdBgNVHQ4EFgQUMytyC5Cq0A2kE99nyokx0kTzVH0wDQYJKoZIhvcNAQEL
+BQADggEBAE8AexGFmzTp0ZGgRaiv80ONc5PVA12T7h2F5ZN1Yqg99yhpoS6kBIsw
+EG149nIcgOnSYk7ukTcjfsKcbFaB7tV1dw6SUqjmsqLpzVxGI32/DVdIorfxwaHZ
+dKjvlC9Yh1uDEipKuEzR+nXRnzMdMzEv6KOXeIXJxTHY/f538oPVuiXksdnjllmV
+xL1waQrZzdS15hfeBpGlC0WXk9wMiBbJNfEqQ5/J0EaFu+zPk8R3VLQ8WvKcXPyK
+30vZ56McQuwz2MT/gQxnR84LRXUhLGoWOr0MYFzOwhTso2vhIlEysGX+HtkEJh3L
+Hc+p+viW7lz17QqvZmOxjb6atkRpOVY=
+-----END CERTIFICATE----- |
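Review bot: Both entries in vendor/verizon/seapp_contexts select on `seinfo=verizon` and the name only, so any installed APK that carries this signer and uses the name com.verizon.obdm is placed in obdm_app, wherever it was installed from. The signer stanza in mac_permissions.xml has no package restriction either, so the name match here is the only narrowing. If the prebuilt ships in a priv-app directory (not visible in this change), adding `isPrivApp=true` to both lines would limit the domain to the preinstalled copy. Otherwise a comment above the entries, for example `# domain is selected by the Verizon signing key and process name only`, would record that the match relies on the key alone.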