Hi,
I see that untrusted apps can be granted these permissions via a boolean. I wonder
why trusted apps (e.g., system_app) are not?
# audit(1360619573.382:158):
# scontext="u:r:system_app:s0" tcontext="u:object_r:port:s0"
# class="tcp_socket" perms="name_bind"
# comm=".mortbay.ijetty" exe="" path=""
# message=" [ 58.612060] type=1400 audit(1360619573.382:158): avc: denied { name_bind } for pid=807 comm=".mortbay.ijetty" src=8082 scontext=u:r:system_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket "
# audit(1360619581.945:242):
# scontext="u:r:system_app:s0" tcontext="u:object_r:port:s0"
# class="tcp_socket" perms="name_connect"
# comm="34950537461636B205461736" exe="" path=""
# message=" [ 67.174560] type=1400 audit(1360619581.945:242): avc: denied { name_connect } for pid=1100 comm=534950537461636B205461736B dest=5060 scontext=u:r:system_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket "
# audit(1360619575.320:154):
# scontext="u:r:system_app:s0" tcontext="u:object_r:port:s0"
# class="tcp_socket" perms="name_bind"
# comm=".mortbay.ijetty" exe="" path=""
# message=" [ 61.107696] type=1400 audit(1360619575.320:154): avc: denied { name_bind } for pid=813 comm=".mortbay.ijetty" src=8082 scontext=u:r:system_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket "
#
# Untrusted apps.
#
# Declare the untrusted_app type; the domain attribute marks it as a process domain.
type untrusted_app, domain;
# Apply the shared app-domain rules to untrusted_app (app_domain is presumably a
# macro defined elsewhere in the policy; its expansion is not shown here).
app_domain(untrusted_app)
# Boolean-controlled options for untrusted apps.
# Network access.
# Declared with a default of true, so the network rules guarded by this boolean
# are in effect unless the boolean is switched off at runtime.
bool app_network true;
if (app_network) {
# Cannot use net_domain within a conditional - type attribute.
allow untrusted_app self:{ tcp_socket udp_socket } *;
allow untrusted_app port_type:tcp_socket name_connect;
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
allow untrusted_app port_type:udp_socket name_bind;
allow untrusted_app port_type:tcp_socket name_bind;
unix_socket_connect(untrusted_app, dnsproxyd, netd)
Thanks,
Tai