Hi,

I see that untrusted apps can get these permissions via a boolean. I wonder
why trusted apps (e.g., system_app) do not?

# audit(1360619573.382:158):
#  scontext="u:r:system_app:s0" tcontext="u:object_r:port:s0"
#  class="tcp_socket" perms="name_bind"
#  comm=".mortbay.ijetty" exe="" path=""
#  message=" [   58.612060] type=1400 audit(1360619573.382:158): avc: denied  {
#   name_bind } for  pid=807 comm=".mortbay.ijetty" src=8082
#   scontext=u:r:system_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket "
# audit(1360619581.945:242):
#  scontext="u:r:system_app:s0" tcontext="u:object_r:port:s0"
#  class="tcp_socket" perms="name_connect"
#  comm="34950537461636B205461736" exe="" path=""
#  message=" [   67.174560] type=1400 audit(1360619581.945:242): avc: denied  {
#   name_connect } for  pid=1100 comm=534950537461636B205461736B dest=5060
#   scontext=u:r:system_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket "
# audit(1360619575.320:154):
#  scontext="u:r:system_app:s0" tcontext="u:object_r:port:s0"
#  class="tcp_socket" perms="name_bind"
#  comm=".mortbay.ijetty" exe="" path=""
#  message=" [   61.107696] type=1400 audit(1360619575.320:154): avc: denied  {
#   name_bind } for  pid=813 comm=".mortbay.ijetty" src=8082
#   scontext=u:r:system_app:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket "



#
# Untrusted apps.
#
type untrusted_app, domain;
app_domain(untrusted_app)
# Boolean-controlled options for untrusted apps.
# Network access.
bool app_network true;
if (app_network) {
# Cannot use net_domain within a conditional - type attribute.
allow untrusted_app self:{ tcp_socket udp_socket } *;
allow untrusted_app port_type:tcp_socket name_connect;
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
allow untrusted_app port_type:udp_socket name_bind;
allow untrusted_app port_type:tcp_socket name_bind;
unix_socket_connect(untrusted_app, dnsproxyd, netd)


Thanks,
Tai




