Merge "microdroid: allow init_debug_policy.sh to handle AVF debug policy" am: 11feefd839
am: 7a942187a1
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2439933 Change-Id: I2ea1fe124cb173a5e60162a86243cde3abbe2f71 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
154e678fe8
6 changed files with 42 additions and 1 deletions
|
@ -208,6 +208,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
|
||||||
get_prop(domain, arm64_memtag_prop)
|
get_prop(domain, arm64_memtag_prop)
|
||||||
get_prop(domain, bootloader_prop)
|
get_prop(domain, bootloader_prop)
|
||||||
get_prop(domain, build_prop)
|
get_prop(domain, build_prop)
|
||||||
|
get_prop(domain, debuggable_prop)
|
||||||
get_prop(domain, debug_prop)
|
get_prop(domain, debug_prop)
|
||||||
get_prop(domain, fingerprint_prop)
|
get_prop(domain, fingerprint_prop)
|
||||||
get_prop(domain, init_service_status_prop)
|
get_prop(domain, init_service_status_prop)
|
||||||
|
@ -391,6 +392,7 @@ neverallow domain { contextmount_type -authfs_fuse -encryptedstore_file }:dir_fi
|
||||||
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
|
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
|
||||||
|
|
||||||
neverallow { domain -init } build_prop:property_service set;
|
neverallow { domain -init } build_prop:property_service set;
|
||||||
|
neverallow { domain -init -init_debug_policy } debuggable_prop:property_service set;
|
||||||
|
|
||||||
# Never allow anyone to connect or write to
|
# Never allow anyone to connect or write to
|
||||||
# the tombstoned intercept socket.
|
# the tombstoned intercept socket.
|
||||||
|
|
|
@ -106,6 +106,7 @@
|
||||||
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
|
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
|
||||||
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
|
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
|
||||||
/system/bin/init u:object_r:init_exec:s0
|
/system/bin/init u:object_r:init_exec:s0
|
||||||
|
/system/bin/init_debug_policy u:object_r:init_debug_policy_exec:s0
|
||||||
/system/bin/logcat -- u:object_r:logcat_exec:s0
|
/system/bin/logcat -- u:object_r:logcat_exec:s0
|
||||||
/system/bin/logd u:object_r:logd_exec:s0
|
/system/bin/logd u:object_r:logd_exec:s0
|
||||||
/system/bin/sh -- u:object_r:shell_exec:s0
|
/system/bin/sh -- u:object_r:shell_exec:s0
|
||||||
|
|
|
@ -137,6 +137,7 @@ genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
|
||||||
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
|
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
|
||||||
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
|
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
|
||||||
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
|
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
|
||||||
|
genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
|
||||||
genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0
|
genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0
|
||||||
genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0
|
genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0
|
||||||
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
|
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
|
||||||
|
|
32
microdroid/system/private/init_debug_policy.te
Normal file
32
microdroid/system/private/init_debug_policy.te
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
# init_debug_policy is its own domain.
|
||||||
|
type init_debug_policy, domain, coredomain;
|
||||||
|
type init_debug_policy_exec, system_file_type, exec_type, file_type;
|
||||||
|
|
||||||
|
# Transition from init -> init_debug_policy_exec
|
||||||
|
init_daemon_domain(init_debug_policy);
|
||||||
|
|
||||||
|
# init_debug_policy is using bootstrap bionic
|
||||||
|
use_bootstrap_libs(init_debug_policy)
|
||||||
|
|
||||||
|
# Allow init_debug_policy to write /dev/kmsg (specified by stdio_to_kmsg)
|
||||||
|
allow init_debug_policy kmsg_debug_device:chr_file w_file_perms;
|
||||||
|
|
||||||
|
# Allow init_debug_policy to use xxd and set/getprop
|
||||||
|
allow init_debug_policy toolbox_exec:file rx_file_perms;
|
||||||
|
|
||||||
|
# Allow init_debug_policy to set ro.debuggable to enable/disable adb root
|
||||||
|
set_prop(init_debug_policy, debuggable_prop)
|
||||||
|
|
||||||
|
# Allow init_debug_policy to set ro.log.file_logger.path to enable/disable console log
|
||||||
|
set_prop(init_debug_policy, log_prop)
|
||||||
|
|
||||||
|
# Allow init_debug_policy to get ro.boot.microdroid.debuggable and ro.boot.adb.enabled
|
||||||
|
get_prop(init_debug_policy, bootloader_prop)
|
||||||
|
|
||||||
|
# Allow init_debug_policy to set init_debug_policy.adbd.enabled
|
||||||
|
set_prop(init_debug_policy, init_debug_policy_prop)
|
||||||
|
|
||||||
|
# Allow init_debug_policy to read AVF debug policy
|
||||||
|
allow init_debug_policy sysfs_dt_avf:dir search;
|
||||||
|
allow init_debug_policy sysfs_dt_avf:file { open read };
|
||||||
|
|
|
@ -108,10 +108,11 @@ ro.build.version.release u:object_r:build_prop:s0 exact string
|
||||||
ro.build.version.sdk u:object_r:build_prop:s0 exact int
|
ro.build.version.sdk u:object_r:build_prop:s0 exact int
|
||||||
ro.build.version.security_patch u:object_r:build_prop:s0 exact string
|
ro.build.version.security_patch u:object_r:build_prop:s0 exact string
|
||||||
ro.build.version.known_codenames u:object_r:build_prop:s0 exact string
|
ro.build.version.known_codenames u:object_r:build_prop:s0 exact string
|
||||||
ro.debuggable u:object_r:build_prop:s0 exact bool
|
|
||||||
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
|
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
|
||||||
ro.adb.secure u:object_r:build_prop:s0 exact bool
|
ro.adb.secure u:object_r:build_prop:s0 exact bool
|
||||||
|
|
||||||
|
ro.debuggable u:object_r:debuggable_prop:s0 exact bool
|
||||||
|
|
||||||
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
|
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
|
||||||
|
|
||||||
apex_config.done u:object_r:apex_config_prop:s0 exact bool
|
apex_config.done u:object_r:apex_config_prop:s0 exact bool
|
||||||
|
@ -125,6 +126,8 @@ microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact boo
|
||||||
microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
|
microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
|
||||||
microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
|
microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
|
||||||
|
|
||||||
|
init_debug_policy.adbd.enabled u:object_r:init_debug_policy_prop:s0 exact bool
|
||||||
|
|
||||||
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
|
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
|
||||||
dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
|
dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
|
||||||
dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string
|
dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string
|
||||||
|
|
|
@ -6,6 +6,7 @@ type arm64_memtag_prop, property_type;
|
||||||
type bootloader_prop, property_type;
|
type bootloader_prop, property_type;
|
||||||
type boottime_prop, property_type;
|
type boottime_prop, property_type;
|
||||||
type build_prop, property_type;
|
type build_prop, property_type;
|
||||||
|
type debuggable_prop, property_type;
|
||||||
type cold_boot_done_prop, property_type;
|
type cold_boot_done_prop, property_type;
|
||||||
type ctl_adbd_prop, property_type;
|
type ctl_adbd_prop, property_type;
|
||||||
type ctl_apexd_prop, property_type;
|
type ctl_apexd_prop, property_type;
|
||||||
|
@ -35,6 +36,7 @@ type init_perf_lsm_hooks_prop, property_type;
|
||||||
type init_service_status_private_prop, property_type;
|
type init_service_status_private_prop, property_type;
|
||||||
type init_service_status_prop, property_type;
|
type init_service_status_prop, property_type;
|
||||||
type init_svc_debug_prop, property_type;
|
type init_svc_debug_prop, property_type;
|
||||||
|
type init_debug_policy_prop, property_type;
|
||||||
type libc_debug_prop, property_type;
|
type libc_debug_prop, property_type;
|
||||||
type log_prop, property_type;
|
type log_prop, property_type;
|
||||||
type log_tag_prop, property_type;
|
type log_tag_prop, property_type;
|
||||||
|
|
Loading…
Reference in a new issue