tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Remove proc and sysfs access from system_app and platform_app.

Browse source 
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
This commit is contained in:
Tri Vo 2018-01-10 12:51:51 -08:00
parent 04b70519cf
commit 06d7dca4a1
6 changed files with 8 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
private/compat/26.0/26.0.cil
View file

@ -476,7 +476,8 @@
proc_uid_concurrent_policy_time proc_uid_concurrent_policy_time
proc_uptime proc_uptime
proc_version proc_version
proc_vmallocinfo)) proc_vmallocinfo
proc_vmstat))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable)) (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo)) (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches)) (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))

3
private/domain.te
View file

@ -25,9 +25,7 @@ full_treble_only(`
neverallow { neverallow {
coredomain coredomain
-dumpstate -dumpstate
-platform_app
-priv_app -priv_app
-system_app
-vold -vold
-vendor_init -vendor_init
} proc:file no_rw_file_perms; } proc:file no_rw_file_perms;
@ -38,7 +36,6 @@ full_treble_only(`
-dumpstate -dumpstate
-init -init
-priv_app -priv_app
-system_app
-ueventd -ueventd
-vold -vold
-vendor_init -vendor_init

1
private/genfs_contexts
View file

@ -79,6 +79,7 @@ genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_
genfscon proc /uptime u:object_r:proc_uptime:s0 genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0 genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled. # selinuxfs booleans can be individually labeled.

4
private/platform_app.te
View file

@ -41,7 +41,9 @@ allow platform_app vfat:file create_file_perms;
allow platform_app rootfs:dir getattr; allow platform_app rootfs:dir getattr;
# com.android.captiveportallogin reads /proc/vmstat # com.android.captiveportallogin reads /proc/vmstat
allow platform_app proc:file r_file_perms; allow platform_app {
proc_vmstat
}:file r_file_perms;
allow platform_app audioserver_service:service_manager find; allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find; allow platform_app cameraserver_service:service_manager find;

6
private/system_app.te
View file

@ -102,12 +102,8 @@ allow system_app keystore:keystore_key {
user_changed user_changed
}; };
# /sys access # settings app reads /proc/version
r_dir_file(system_app, sysfs_type)
# settings app reads /proc/version and /proc/pagetypeinfo
allow system_app { allow system_app {
proc
proc_version proc_version
}:file r_file_perms; }:file r_file_perms;

1
public/file.te
View file

@ -57,6 +57,7 @@ type proc_uid_concurrent_policy_time, fs_type;
type proc_uptime, fs_type; type proc_uptime, fs_type;
type proc_version, fs_type; type proc_version, fs_type;
type proc_vmallocinfo, fs_type; type proc_vmallocinfo, fs_type;
type proc_vmstat, fs_type;
type proc_zoneinfo, fs_type; type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject; type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject; type cgroup, fs_type, mlstrustedobject;