tequilaOS/platform_device_qcom_sepolicy-legacy-um
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

sepolicy: remove violators which are not to be used

Browse source 
As part of security hardening  following  violators are
been removed
1. untrusted_app_visible_hwservice_violators
2. data_between_core_and_vendor_violators

Security testing check for violators sharing data between core and
vendor so removed the violator exception  in vendor_init.

hwservice are not to be exposed to untrusted app so remove hal_perf
for this list untrusted_app_visible_hwservice_violators list

Test:
testNoExemptionsForDataBetweenCoreAndVendor
testNoUntrustedAppVisiblehwservice

Change-Id: I76f26848a0f148b1b332f68fd05f7632f9399af6
This commit is contained in:
Ravi Kumar Siddojigari 2019-04-22 15:28:20 +05:30 committed by Jaihind Yadav
parent 3233102de8
commit a26eb5586a
2 changed files with 2 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
generic/vendor/common/hwservice.te vendored
View file

@ -36,7 +36,7 @@ type hal_imsrtp_hwservice, hwservice_manager_type;
type hal_imscallinfo_hwservice, hwservice_manager_type;
type hal_ipacm_hwservice, hwservice_manager_type;
type hal_hbtp_hwservice, hwservice_manager_type;
type hal_perf_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice_violators;
type hal_perf_hwservice, hwservice_manager_type;
type hal_tui_comm_hwservice, hwservice_manager_type;
type hal_qdutils_disp_hwservice, hwservice_manager_type;
type hal_display_color_hwservice, hwservice_manager_type;

10
generic/vendor/common/vendor_init.te vendored
View file

@ -25,8 +25,6 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typeattribute vendor_init data_between_core_and_vendor_violators;
allow vendor_init persist_block_device:{ blk_file lnk_file } relabelto;
allow vendor_init unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vendor_init unlabeled:file { r_file_perms setattr relabelfrom };
@ -62,13 +60,7 @@ allow vendor_init sysfs_slpi:file write;
allow vendor_init vendor_file:system module_load;
allow vendor_init {
bluetooth_data_file
vendor_camera_data_file
dhcp_data_file
media_rw_data_file
nfc_data_file
system_data_file
tombstone_data_file
vendor_tui_data_file
}:dir create_dir_perms;
@ -95,4 +87,4 @@ set_prop(vendor_init, public_vendor_default_prop)
set_prop(vendor_init, exported_system_prop)
#Access vendor bluetooth properties
set_prop(vendor_init, vendor_bluetooth_prop)
set_prop(vendor_init, vendor_bluetooth_prop)