Add sepolicy for /metadata/password_slots. am: d99b7fd3f9
am: 2fc6b0457d
Change-Id: I5cf61fabd78150a0e53433a359ba519740df2ca8
commit
0e347a5e3b
5 changed files with 24 additions and 0 deletions
|
@ -93,6 +93,7 @@
|
||||||
network_stack_service
|
network_stack_service
|
||||||
network_stack_tmpfs
|
network_stack_tmpfs
|
||||||
overlayfs_file
|
overlayfs_file
|
||||||
|
password_slot_metadata_file
|
||||||
permissionmgr_service
|
permissionmgr_service
|
||||||
postinstall_apex_mnt_dir
|
postinstall_apex_mnt_dir
|
||||||
recovery_socket
|
recovery_socket
|
||||||
|
|
|
@ -619,6 +619,7 @@
|
||||||
/metadata(/.*)? u:object_r:metadata_file:s0
|
/metadata(/.*)? u:object_r:metadata_file:s0
|
||||||
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
|
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
|
||||||
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
|
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
|
||||||
|
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
# asec containers
|
# asec containers
|
||||||
|
|
|
@ -1018,6 +1018,12 @@ wakelock_use(system_server)
|
||||||
allow system_server apex_data_file:dir search;
|
allow system_server apex_data_file:dir search;
|
||||||
allow system_server apex_data_file:file r_file_perms;
|
allow system_server apex_data_file:file r_file_perms;
|
||||||
|
|
||||||
|
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
|
||||||
|
# communicate which slots are available for use.
|
||||||
|
allow system_server metadata_file:dir search;
|
||||||
|
allow system_server password_slot_metadata_file:dir rw_dir_perms;
|
||||||
|
allow system_server password_slot_metadata_file:file create_file_perms;
|
||||||
|
|
||||||
# dexoptanalyzer is currently used only for secondary dex files which
|
# dexoptanalyzer is currently used only for secondary dex files which
|
||||||
# system_server should never access.
|
# system_server should never access.
|
||||||
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
|
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
|
||||||
|
@ -1028,3 +1034,12 @@ neverallow system_server { domain -system_server }:process ptrace;
|
||||||
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
|
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
|
||||||
# file read access. However, that is now unnecessary (b/34951864)
|
# file read access. However, that is now unnecessary (b/34951864)
|
||||||
neverallow system_server system_server:global_capability_class_set sys_resource;
|
neverallow system_server system_server:global_capability_class_set sys_resource;
|
||||||
|
|
||||||
|
# Only system_server/init should access /metadata/password_slots.
|
||||||
|
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
|
||||||
|
neverallow {
|
||||||
|
domain
|
||||||
|
-init
|
||||||
|
-system_server
|
||||||
|
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
|
||||||
|
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
|
||||||
|
|
|
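Review bot: In the last hunk of this section, the multi-line neverallow ending in `~{ relabelto getattr }` is fully covered by the rule right after it, `neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;`, because both name the same source set, target type and class set. As written, the relabelto/getattr exception has no effect, so every permission on these files is denied to other domains. If the exception is intended, drop the trailing `*` rule; if it is not, drop the multi-line rule so the policy states a single intent. A comment above the surviving rule, for example `# No exceptions: other domains may not even getattr these files.`, would record which one was meant.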
@ -199,6 +199,8 @@ type metadata_file, file_type;
|
||||||
type vold_metadata_file, file_type;
|
type vold_metadata_file, file_type;
|
||||||
# GSI files within /metadata
|
# GSI files within /metadata
|
||||||
type gsi_metadata_file, file_type;
|
type gsi_metadata_file, file_type;
|
||||||
|
# system_server shares Weaver slot information in /metadata
|
||||||
|
type password_slot_metadata_file, file_type;
|
||||||
|
|
||||||
# Type for /dev/cpu_variant:.*.
|
# Type for /dev/cpu_variant:.*.
|
||||||
type dev_cpu_variant, file_type;
|
type dev_cpu_variant, file_type;
|
||||||
|
|
|
@ -50,6 +50,7 @@ allow vendor_init {
|
||||||
-exec_type
|
-exec_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-mnt_product_file
|
-mnt_product_file
|
||||||
|
-password_slot_metadata_file
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_metadata_file
|
-vold_metadata_file
|
||||||
|
@ -62,6 +63,7 @@ allow vendor_init {
|
||||||
file_type
|
file_type
|
||||||
-core_data_file_type
|
-core_data_file_type
|
||||||
-exec_type
|
-exec_type
|
||||||
|
-password_slot_metadata_file
|
||||||
-runtime_event_log_tags_file
|
-runtime_event_log_tags_file
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-unlabeled
|
-unlabeled
|
||||||
|
@ -74,6 +76,7 @@ allow vendor_init {
|
||||||
file_type
|
file_type
|
||||||
-core_data_file_type
|
-core_data_file_type
|
||||||
-exec_type
|
-exec_type
|
||||||
|
-password_slot_metadata_file
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
|
@ -86,6 +89,7 @@ allow vendor_init {
|
||||||
-apex_mnt_dir
|
-apex_mnt_dir
|
||||||
-core_data_file_type
|
-core_data_file_type
|
||||||
-exec_type
|
-exec_type
|
||||||
|
-password_slot_metadata_file
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
|
@ -98,6 +102,7 @@ allow vendor_init {
|
||||||
-core_data_file_type
|
-core_data_file_type
|
||||||
-exec_type
|
-exec_type
|
||||||
-mnt_product_file
|
-mnt_product_file
|
||||||
|
-password_slot_metadata_file
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_metadata_file
|
-vold_metadata_file
|
||||||
|
|