Merge "Add rules for an unix domain socket for system_server"
am: d1b9526ea0
Change-Id: I0ceb427b6db004764b234db6939d5a40735c4390
commit
0542be7d19
7 changed files with 29 additions and 0 deletions
|
@ -70,6 +70,9 @@ r_dir_file(app_zygote, vendor_overlay_file)
|
||||||
allow app_zygote system_data_file:lnk_file r_file_perms;
|
allow app_zygote system_data_file:lnk_file r_file_perms;
|
||||||
allow app_zygote system_data_file:file { getattr read map };
|
allow app_zygote system_data_file:file { getattr read map };
|
||||||
|
|
||||||
|
# Send unsolicited message to system_server
|
||||||
|
unix_socket_send(app_zygote, system_unsolzygote, system_server)
|
||||||
|
|
||||||
#####
|
#####
|
||||||
##### Neverallow
|
##### Neverallow
|
||||||
#####
|
#####
|
||||||
|
@ -136,6 +139,7 @@ neverallow app_zygote {
|
||||||
domain
|
domain
|
||||||
-app_zygote
|
-app_zygote
|
||||||
-logd
|
-logd
|
||||||
|
-system_server
|
||||||
userdebug_or_eng(`-su')
|
userdebug_or_eng(`-su')
|
||||||
userdebug_or_eng(`-heapprofd')
|
userdebug_or_eng(`-heapprofd')
|
||||||
}:unix_dgram_socket *;
|
}:unix_dgram_socket *;
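Review bot: Adding `-system_server` to the exemption list of `neverallow app_zygote { ... }:unix_dgram_socket *;` removes the build-time guard for every permission on system_server's datagram sockets, not just the one the new rule needs. The `unix_socket_send(app_zygote, system_unsolzygote, system_server)` line added in the first hunk should only require `sendto` on the peer socket, assuming the standard macro definition, which is not shown on this page. A companion rule such as `neverallow app_zygote system_server:unix_dgram_socket ~sendto;` would keep the rest of the class locked down for this domain. The neverallow block opens above the second hunk, so its remaining contents are only partly visible here.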
|
||||||
|
|
|
@ -65,6 +65,7 @@
|
||||||
system_group_file
|
system_group_file
|
||||||
system_jvmti_agent_prop
|
system_jvmti_agent_prop
|
||||||
system_passwd_file
|
system_passwd_file
|
||||||
|
system_unsolzygote_socket
|
||||||
tethering_service
|
tethering_service
|
||||||
timezonedetector_service
|
timezonedetector_service
|
||||||
usb_serial_device
|
usb_serial_device
|
||||||
|
|
|
@ -465,6 +465,7 @@
|
||||||
/data/backup(/.*)? u:object_r:backup_data_file:s0
|
/data/backup(/.*)? u:object_r:backup_data_file:s0
|
||||||
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
|
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
|
||||||
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
|
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
|
||||||
|
/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
|
||||||
/data/drm(/.*)? u:object_r:drm_data_file:s0
|
/data/drm(/.*)? u:object_r:drm_data_file:s0
|
||||||
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
|
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
|
||||||
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
|
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||||
|
|
|
@ -14,6 +14,9 @@ tmpfs_domain(system_server)
|
||||||
# Create a socket for connections from crash_dump.
|
# Create a socket for connections from crash_dump.
|
||||||
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
|
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
|
||||||
|
|
||||||
|
# Create a socket for connections from zygotes.
|
||||||
|
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
|
||||||
|
|
||||||
allow system_server zygote_tmpfs:file read;
|
allow system_server zygote_tmpfs:file read;
|
||||||
allow system_server appdomain_tmpfs:file { getattr map read write };
|
allow system_server appdomain_tmpfs:file { getattr map read write };
|
||||||
|
|
||||||
|
@ -657,6 +660,9 @@ get_prop(system_server, apk_verity_prop)
|
||||||
# Create a socket for connections from debuggerd.
|
# Create a socket for connections from debuggerd.
|
||||||
allow system_server system_ndebug_socket:sock_file create_file_perms;
|
allow system_server system_ndebug_socket:sock_file create_file_perms;
|
||||||
|
|
||||||
|
# Create a socket for connections from zygotes.
|
||||||
|
allow system_server system_unsolzygote_socket:sock_file create_file_perms;
|
||||||
|
|
||||||
# Manage cache files.
|
# Manage cache files.
|
||||||
allow system_server cache_file:lnk_file r_file_perms;
|
allow system_server cache_file:lnk_file r_file_perms;
|
||||||
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
|
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
|
||||||
|
@ -975,6 +981,16 @@ neverallow system_server *:process dyntransition;
|
||||||
# Only allow crash_dump to connect to system_ndebug_socket.
|
# Only allow crash_dump to connect to system_ndebug_socket.
|
||||||
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
|
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
|
||||||
|
|
||||||
|
# Only allow zygotes to connect to system_unsolzygote_socket.
|
||||||
|
neverallow {
|
||||||
|
domain
|
||||||
|
-init
|
||||||
|
-system_server
|
||||||
|
-zygote
|
||||||
|
-app_zygote
|
||||||
|
-webview_zygote
|
||||||
|
} system_unsolzygote_socket:sock_file { open write };
|
||||||
|
|
||||||
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
|
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
|
||||||
neverallow {
|
neverallow {
|
||||||
domain
|
domain
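Review bot: The new `neverallow` on `system_unsolzygote_socket:sock_file { open write }` exempts `zygote`, `app_zygote` and `webview_zygote` alike, but policy cannot tell system_server which of them wrote a given datagram. app_zygote is, as far as I know, the domain that preloads app-supplied code, so the receiver should probably treat these messages as untrusted and check sender credentials itself. I would record that next to the rule, e.g. `# Senders are not equally trusted (app_zygote runs app preload code); system_server must validate every datagram.` The `-init` exemption also looks carried over from the `system_ndebug_socket` rule above it; no rule in this commit gives init access to the new type, so it may be droppable.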
|
||||||
|
|
|
@ -77,6 +77,9 @@ allow webview_zygote same_process_hal_file:file { execute read open getattr map
|
||||||
|
|
||||||
allow webview_zygote system_data_file:lnk_file r_file_perms;
|
allow webview_zygote system_data_file:lnk_file r_file_perms;
|
||||||
|
|
||||||
|
# Send unsolicited message to system_server
|
||||||
|
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
|
||||||
|
|
||||||
#####
|
#####
|
||||||
##### Neverallow
|
##### Neverallow
|
||||||
#####
|
#####
|
||||||
|
|
|
@ -176,6 +176,9 @@ dontaudit zygote self:global_capability_class_set sys_resource;
|
||||||
# Allow zygote to use ashmem fds from system_server.
|
# Allow zygote to use ashmem fds from system_server.
|
||||||
allow zygote system_server:fd use;
|
allow zygote system_server:fd use;
|
||||||
|
|
||||||
|
# Send unsolicited message to system_server
|
||||||
|
unix_socket_send(zygote, system_unsolzygote, system_server)
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
|
|
@ -452,6 +452,7 @@ type rild_debug_socket, file_type;
|
||||||
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
|
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||||
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
|
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
|
||||||
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
|
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
|
||||||
|
type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
|
||||||
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
|
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||||
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
|
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
|
||||||
type tombstoned_intercept_socket, file_type, coredomain_socket;
|
type tombstoned_intercept_socket, file_type, coredomain_socket;
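Review bot: `system_unsolzygote_socket` is declared with `mlstrustedobject`, which exempts the sock_file from MLS checks, and nothing on the line says why. Presumably it is needed because app_zygote runs with per-app categories, but it leaves the type-enforcement rules and the neverallow added for system_server as the only barrier against other app domains writing to the socket. A comment above the declaration would help, e.g. `# mlstrustedobject: written by app_zygote, which runs with app MLS categories.`, with the wording confirmed by the author.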
|
||||||
|
|