Allow compos_verify to write VM logs

Previously I've resisted granting write access to these files, since
it allows the instance image to be altered. But that doesn't allow an
attacker to do anything other than render it invalid, since it's
protected by the VM key.

Note that logs are only written when the VM is debuggable, which is
currently only when only non-protected VMs are available.

Bug: 235350758
Test: Force debug on, stage APEX, compile, reboot -> see vm logs
Test: Presubmit
Change-Id: I17c9a17db83d15adfab97b8cfe4ccd67393a08c1
Alan Stokes 2022-06-14 16:54:29 +01:00
parent 5a7531590f
commit 1035ba1023

@ -6,9 +6,10 @@ type compos_verify_exec, exec_type, file_type, system_file_type;
binder_use(compos_verify);
virtualizationservice_use(compos_verify);
# Access instance image files
# Read instance image & write VM logs
allow compos_verify apex_module_data_file:dir search;
r_dir_file(compos_verify, apex_compos_data_file)
allow compos_verify apex_compos_data_file:dir rw_dir_perms;
allow compos_verify apex_compos_data_file:file { rw_file_perms create };
# Read CompOS info & signature files
allow compos_verify apex_art_data_file:dir search;
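
Review bot: the file rule `allow compos_verify apex_compos_data_file:file { rw_file_perms create };` grants write on every file of this type, not only the VM logs, while the updated comment reads "Read instance image & write VM logs". Per the commit message this covers the instance image as well, and that is accepted because the image is protected by the VM key; please record that rationale in the policy comment so a later reader does not take the write access for an oversight. The grant is also unconditional although logs are only written when the VM is debuggable, so it is worth considering a separate type for the log files, which would let the instance image stay read-only for compos_verify.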