Add default label and mapping for vendor services
Adding the default label/mapping is important because:
1. Lookups of services without an selinux label should generate
a denial.
2. In permissive mode, lookups of a service without a label should be
be allowed, without the default label service manager disallows
access.
3. We can neverallow use of the default label.
Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
Add/find of unlabeled vendor services generate a denial.
Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b842c)
This commit is contained in:
Jeff Vander Stoep
parent
393c8e9438
commit
082eae4e51
3 changed files with 6 additions and 9 deletions
|
|
@ -421,18 +421,13 @@ neverallow * {fs_type -contextmount_type}:filesystem relabelto;
|
|||
neverallow { domain -recovery } contextmount_type:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Do not allow service_manager add for default_android_service.
|
||||
# Do not allow service_manager add for default service labels.
|
||||
# Instead domains should use a more specific type such as
|
||||
# system_app_service rather than the generic type.
|
||||
# New service_types are defined in service.te and new mappings
|
||||
# from service name to service_type are defined in service_contexts.
|
||||
# New service_types are defined in {,hw,vnd}service.te and new mappings
|
||||
# from service name to service_type are defined in {,hw,vnd}service_contexts.
|
||||
neverallow * default_android_service:service_manager add;
|
||||
|
||||
# Do not allow hwservice_manager add for default_android_hwservice.
|
||||
# Instead domains should use a more specific type such as
|
||||
# hal_audio_hwservice rather than the generic type.
|
||||
# New service_types are defined in hwservice.te and new mappings
|
||||
# from service name to service_type are defined in hwservice_contexts.
|
||||
neverallow * default_android_vndservice:service_manager { add find };
|
||||
neverallow * default_android_hwservice:hwservice_manager { add find };
|
||||
|
||||
# Looking up the base class/interface of all HwBinder services is a bad idea.
|
||||
|
|
|
|||
1
public/vndservice.te
Normal file
1
public/vndservice.te
Normal file
|
|
@ -0,0 +1 @@
|
|||
type default_android_vndservice, vndservice_manager_type;
|
||||
1
vendor/vndservice_contexts
vendored
Normal file
1
vendor/vndservice_contexts
vendored
Normal file
|
|
@ -0,0 +1 @@
|
|||
* u:object_r:default_android_vndservice:s0
|
||||
Loading…
Reference in a new issue