Merge "microdroid: allow init_debug_policy.sh to handle AVF debug policy" am: 11feefd839 am: 7a942187a1

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2439933

Change-Id: I2ea1fe124cb173a5e60162a86243cde3abbe2f71
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Jaewan Kim 2023-03-07 11:29:54 +00:00 committed by Automerger Merge Worker
commit 154e678fe8
6 changed files with 42 additions and 1 deletions


@ -208,6 +208,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
get_prop(domain, arm64_memtag_prop) get_prop(domain, arm64_memtag_prop)
get_prop(domain, bootloader_prop) get_prop(domain, bootloader_prop)
get_prop(domain, build_prop) get_prop(domain, build_prop)
get_prop(domain, debuggable_prop)
get_prop(domain, debug_prop) get_prop(domain, debug_prop)
get_prop(domain, fingerprint_prop) get_prop(domain, fingerprint_prop)
get_prop(domain, init_service_status_prop) get_prop(domain, init_service_status_prop)
@ -391,6 +392,7 @@ neverallow domain { contextmount_type -authfs_fuse -encryptedstore_file }:dir_fi
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set; neverallow { domain -init } build_prop:property_service set;
neverallow { domain -init -init_debug_policy } debuggable_prop:property_service set;
# Never allow anyone to connect or write to # Never allow anyone to connect or write to
# the tombstoned intercept socket. # the tombstoned intercept socket.
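Review bot: The added `neverallow { domain -init -init_debug_policy } debuggable_prop:property_service set;` has no comment explaining why a second domain is exempted, unlike the tombstoned rule directly below it. The new init_debug_policy policy file in this commit states that ro.debuggable enables or disables adb root, so the reason for the exemption should be visible where the rule is audited. I would add `# Only init and init_debug_policy (which applies the AVF debug policy) may set ro.debuggable.` above the rule. The exemption also means the integrity of the file labelled init_debug_policy_exec now matters as much as init's for this property, which is worth saying in the same comment.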


@ -106,6 +106,7 @@
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/init u:object_r:init_exec:s0 /system/bin/init u:object_r:init_exec:s0
/system/bin/init_debug_policy u:object_r:init_debug_policy_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0 /system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0 /system/bin/logd u:object_r:logd_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0 /system/bin/sh -- u:object_r:shell_exec:s0


@ -137,6 +137,7 @@ genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0 genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0 genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0 genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0 genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0 genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
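Review bot: Labelling the whole `/firmware/devicetree/base/avf` subtree as `sysfs_dt_avf` reuses the type already applied to `chosen/avf,new-instance` and `chosen/avf,strict-boot`, so read access can no longer be granted to one set of nodes without the other. Any domain that already reads sysfs_dt_avf for the boot flags would presumably gain read access to the debug policy nodes too, and init_debug_policy gains the boot flags, which its comments do not say it needs. The existing allow rules are outside this page, so this should be checked against them. A dedicated type would keep the two grants separate, for example `genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf_debug_policy:s0` (type name constructed for illustration) with a matching `type` declaration.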


@ -0,0 +1,32 @@
# init_debug_policy is its own domain.
type init_debug_policy, domain, coredomain;
type init_debug_policy_exec, system_file_type, exec_type, file_type;
# Transition from init -> init_debug_policy_exec
init_daemon_domain(init_debug_policy);
# init_debug_policy is using bootstrap bionic
use_bootstrap_libs(init_debug_policy)
# Allow init_debug_policy to write /dev/kmsg (specified by stdio_to_kmsg)
allow init_debug_policy kmsg_debug_device:chr_file w_file_perms;
# Allow init_debug_policy to use xxd and set/getprop
allow init_debug_policy toolbox_exec:file rx_file_perms;
# Allow init_debug_policy to set ro.debuggable to enable/disable adb root
set_prop(init_debug_policy, debuggable_prop)
# Allow init_debug_policy to set ro.log.file_logger.path to enable/disable console log
set_prop(init_debug_policy, log_prop)
# Allow init_debug_policy to get ro.boot.microdroid.debuggable and ro.boot.adb.enabled
get_prop(init_debug_policy, bootloader_prop)
# Allow init_debug_policy to set init_debug_policy.adbd.enabled
set_prop(init_debug_policy, init_debug_policy_prop)
# Allow init_debug_policy to read AVF debug policy
allow init_debug_policy sysfs_dt_avf:dir search;
allow init_debug_policy sysfs_dt_avf:file { open read };
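Review bot: `set_prop(init_debug_policy, log_prop)` grants write access to every property labelled log_prop, while the comment above it says only ro.log.file_logger.path is needed. The property_contexts entries for log_prop are not visible here, so the real breadth should be checked. If the type covers more than that one key, a dedicated property type for ro.log.file_logger.path would keep this domain, which also controls ro.debuggable, to the minimum it needs. Separately, `get_prop(init_debug_policy, bootloader_prop)` looks redundant with the `get_prop(domain, bootloader_prop)` rule visible in the first file of this commit. As a style point, `init_daemon_domain(init_debug_policy);` carries a trailing semicolon that the other macro calls in this file omit.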


@ -108,10 +108,11 @@ ro.build.version.release u:object_r:build_prop:s0 exact string
ro.build.version.sdk u:object_r:build_prop:s0 exact int ro.build.version.sdk u:object_r:build_prop:s0 exact int
ro.build.version.security_patch u:object_r:build_prop:s0 exact string ro.build.version.security_patch u:object_r:build_prop:s0 exact string
ro.build.version.known_codenames u:object_r:build_prop:s0 exact string ro.build.version.known_codenames u:object_r:build_prop:s0 exact string
ro.debuggable u:object_r:build_prop:s0 exact bool
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
ro.adb.secure u:object_r:build_prop:s0 exact bool ro.adb.secure u:object_r:build_prop:s0 exact bool
ro.debuggable u:object_r:debuggable_prop:s0 exact bool
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
apex_config.done u:object_r:apex_config_prop:s0 exact bool apex_config.done u:object_r:apex_config_prop:s0 exact bool
@ -125,6 +126,8 @@ microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact boo
microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
init_debug_policy.adbd.enabled u:object_r:init_debug_policy_prop:s0 exact bool
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string


@ -6,6 +6,7 @@ type arm64_memtag_prop, property_type;
type bootloader_prop, property_type; type bootloader_prop, property_type;
type boottime_prop, property_type; type boottime_prop, property_type;
type build_prop, property_type; type build_prop, property_type;
type debuggable_prop, property_type;
type cold_boot_done_prop, property_type; type cold_boot_done_prop, property_type;
type ctl_adbd_prop, property_type; type ctl_adbd_prop, property_type;
type ctl_apexd_prop, property_type; type ctl_apexd_prop, property_type;
@ -35,6 +36,7 @@ type init_perf_lsm_hooks_prop, property_type;
type init_service_status_private_prop, property_type; type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type; type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type; type init_svc_debug_prop, property_type;
type init_debug_policy_prop, property_type;
type libc_debug_prop, property_type; type libc_debug_prop, property_type;
type log_prop, property_type; type log_prop, property_type;
type log_tag_prop, property_type; type log_tag_prop, property_type;