Add sepolicy for /metadata/password_slots. am: d99b7fd3f9

am: 2fc6b0457d

Change-Id: I5cf61fabd78150a0e53433a359ba519740df2ca8
This commit is contained in:
David Anderson 2019-03-07 13:04:26 -08:00 committed by android-build-merger
commit 0e347a5e3b
5 changed files with 24 additions and 0 deletions

View file

@ -93,6 +93,7 @@
network_stack_service
network_stack_tmpfs
overlayfs_file
password_slot_metadata_file
permissionmgr_service
postinstall_apex_mnt_dir
recovery_socket

View file

@ -619,6 +619,7 @@
/metadata(/.*)? u:object_r:metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
#############################
# asec containers

View file

@ -1018,6 +1018,12 @@ wakelock_use(system_server)
allow system_server apex_data_file:dir search;
allow system_server apex_data_file:file r_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
@ -1028,3 +1034,12 @@ neverallow system_server { domain -system_server }:process ptrace;
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
# Only system_server/init should access /metadata/password_slots.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
neverallow {
domain
-init
-system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;

View file

@ -199,6 +199,8 @@ type metadata_file, file_type;
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;

View file

@ -50,6 +50,7 @@ allow vendor_init {
-exec_type
-system_file_type
-mnt_product_file
-password_slot_metadata_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@ -62,6 +63,7 @@ allow vendor_init {
file_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@ -74,6 +76,7 @@ allow vendor_init {
file_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@ -86,6 +89,7 @@ allow vendor_init {
-apex_mnt_dir
-core_data_file_type
-exec_type
-password_slot_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@ -98,6 +102,7 @@ allow vendor_init {
-core_data_file_type
-exec_type
-mnt_product_file
-password_slot_metadata_file
-system_file_type
-vendor_file_type
-vold_metadata_file