/android/system/core/include/private/android_filesystem_config.h 를 보면...
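/*
 * Excerpt from android_filesystem_config.h (file lines 42-82 as listed on
 * the page), restored to one preprocessor directive per line with the
 * listing's gutter numbers removed so that it is valid C again.
 *
 * Each AID_* macro expands to a fixed numeric id; the trailing comment on
 * each line names the subsystem the id is reserved for.
 *
 * NOTE(review): AID_INET and AID_NET_BW_STATS, which the dumpstate.c snippet
 * further down the page uses, are not part of this excerpt.
 */
#define AID_ROOT             0  /* traditional unix root user */

#define AID_SYSTEM        1000  /* system server */

#define AID_RADIO         1001  /* telephony subsystem, RIL */
#define AID_BLUETOOTH     1002  /* bluetooth subsystem */
#define AID_GRAPHICS      1003  /* graphics devices */
#define AID_INPUT         1004  /* input devices */
#define AID_AUDIO         1005  /* audio devices */
#define AID_CAMERA        1006  /* camera devices */
#define AID_LOG           1007  /* log devices */
#define AID_COMPASS       1008  /* compass device */
#define AID_MOUNT         1009  /* mountd socket */
#define AID_WIFI          1010  /* wifi subsystem */
#define AID_ADB           1011  /* android debug bridge (adbd) */
#define AID_INSTALL       1012  /* group for installing packages */
#define AID_MEDIA         1013  /* mediaserver process */
#define AID_DHCP          1014  /* dhcp client */
#define AID_SDCARD_RW     1015  /* external storage write access */
#define AID_VPN           1016  /* vpn system */
#define AID_KEYSTORE      1017  /* keystore subsystem */
#define AID_USB           1018  /* USB devices */
#define AID_DRM           1019  /* DRM server */
#define AID_MDNSR         1020  /* MulticastDNSResponder (service discovery) */
#define AID_GPS           1021  /* GPS daemon */
#define AID_UNUSED1       1022  /* deprecated, DO NOT USE */
#define AID_MEDIA_RW      1023  /* internal media storage write access */
#define AID_MTP           1024  /* MTP USB driver access */
#define AID_UNUSED2       1025  /* deprecated, DO NOT USE */
#define AID_DRMRPC        1026  /* group for drm rpc */
#define AID_NFC           1027  /* nfc subsystem */
#define AID_SDCARD_R      1028  /* external storage read access */
#define AID_CLAT          1029  /* clat part of nat464 */
#define AID_LOOP_RADIO    1030  /* loop radio devices */
#define AID_MEDIA_DRM     1031  /* MediaDrm plugins */
#define AID_FM_RADIO      1032  /* FM radio */
#define AID_CLATD         1033  /* clat part of nat464 */
/* AID_JACK exists only in builds that define this feature macro; the macro
 * itself is set outside this excerpt. */
#if defined (SEC_PRODUCT_FEATURE_AUDIO_JAM)
#define AID_JACK          1034  /* jack process */
#endif
#define AID_SMARTCARD     1101  /* smart card subsystem */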
.
.
.
이런 애들이 나온다.
요런 애들은 룰을 loose 하게
/android/frameworks/native/cmds/dumpstate/dumpstate.c 를 보면
572 /* switch to non-root user and group
*/
573 gid_t groups[] = {
AID_LOG, AID_SDCARD_R, AID_SDCARD_RW,
574 AID_MOUNT,
AID_INET, AID_NET_BW_STATS };
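이런 그룹 권한이 나온다.
해당 권한들은 가져도 된다는 이야기.
allow rule도 이렇게 만들어야 겠지. 다만 그룹 권한(DAC)과 allow rule(SELinux 정책, MAC)은 따로 검사되니까, 위 그룹들이 실제로 필요로 하는 접근만 허용하도록 범위를 좁혀서 만들어야 한다.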