Merge "Restrict access to uid_concurrent_*_time" am: 40ed4283e4
am: 5b17322a87
am: 3337c82e7c
Change-Id: Id7dba03c422e4f9a2d094c7b26a773ababe2ab47
commit
15ba57cce6
7 changed files with 21 additions and 3 deletions
|
@ -540,3 +540,12 @@ neverallow {
|
||||||
-bluetooth
|
-bluetooth
|
||||||
-system_app
|
-system_app
|
||||||
} bluetooth_prop:file create_file_perms;
|
} bluetooth_prop:file create_file_perms;
|
||||||
|
|
||||||
|
# Apps cannot access proc_uid_time_in_state
|
||||||
|
neverallow appdomain proc_uid_time_in_state:file *;
|
||||||
|
|
||||||
|
# Apps cannot access proc_uid_concurrent_active_time
|
||||||
|
neverallow appdomain proc_uid_concurrent_active_time:file *;
|
||||||
|
|
||||||
|
# Apps cannot access proc_uid_concurrent_policy_time
|
||||||
|
neverallow appdomain proc_uid_concurrent_policy_time:file *;
|
||||||
|
|
|
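Review bot: The three added rules name only `appdomain`, while the rule this commit deletes from the untrusted-app neverallows (`neverallow { domain -init -system_server } proc_uid_time_in_state:file *;`) covered every domain except init and system_server. After the change no build-time assertion visible on this page stops a non-app domain from being granted access to the per-UID time files, and the `-proc_uid_concurrent_*_time` subtractions in the two vendor_init allow sets are not backed by any neverallow. If the narrowing is not intentional, keep the broad form for all three types, e.g. `neverallow { domain -init -system_server } proc_uid_concurrent_active_time:file *;`; if it is intentional, the comment should say which non-app domains are expected to read these files. The neverallow block that precedes the added lines starts outside the hunk.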
@ -127,9 +127,6 @@ neverallow all_untrusted_apps {
|
||||||
# Avoid all access to kernel configuration
|
# Avoid all access to kernel configuration
|
||||||
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
|
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
|
||||||
|
|
||||||
# Only system_server can access proc_uid_time_in_state
|
|
||||||
neverallow { domain -init -system_server } proc_uid_time_in_state:file *;
|
|
||||||
|
|
||||||
# Do not allow untrusted apps access to preloads data files
|
# Do not allow untrusted apps access to preloads data files
|
||||||
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
|
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
|
||||||
|
|
||||||
|
|
|
@ -474,6 +474,8 @@
|
||||||
proc_sched
|
proc_sched
|
||||||
proc_swaps
|
proc_swaps
|
||||||
proc_uid_time_in_state
|
proc_uid_time_in_state
|
||||||
|
proc_uid_concurrent_active_time
|
||||||
|
proc_uid_concurrent_policy_time
|
||||||
proc_uptime
|
proc_uptime
|
||||||
proc_version
|
proc_version
|
||||||
proc_vmallocinfo))
|
proc_vmallocinfo))
|
||||||
|
|
|
@ -74,6 +74,8 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
|
||||||
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
|
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
|
||||||
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
|
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
|
||||||
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
|
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
|
||||||
|
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
|
||||||
|
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
|
||||||
genfscon proc /uptime u:object_r:proc_uptime:s0
|
genfscon proc /uptime u:object_r:proc_uptime:s0
|
||||||
genfscon proc /version u:object_r:proc_version:s0
|
genfscon proc /version u:object_r:proc_version:s0
|
||||||
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
|
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
|
||||||
|
|
|
@ -696,6 +696,8 @@ allow system_server {
|
||||||
proc_stat
|
proc_stat
|
||||||
proc_uid_cputime_showstat
|
proc_uid_cputime_showstat
|
||||||
proc_uid_time_in_state
|
proc_uid_time_in_state
|
||||||
|
proc_uid_concurrent_active_time
|
||||||
|
proc_uid_concurrent_policy_time
|
||||||
proc_version
|
proc_version
|
||||||
proc_vmallocinfo
|
proc_vmallocinfo
|
||||||
}:file r_file_perms;
|
}:file r_file_perms;
|
||||||
|
|
|
@ -52,6 +52,8 @@ type proc_uid_cputime_removeuid, fs_type;
|
||||||
type proc_uid_io_stats, fs_type;
|
type proc_uid_io_stats, fs_type;
|
||||||
type proc_uid_procstat_set, fs_type;
|
type proc_uid_procstat_set, fs_type;
|
||||||
type proc_uid_time_in_state, fs_type;
|
type proc_uid_time_in_state, fs_type;
|
||||||
|
type proc_uid_concurrent_active_time, fs_type;
|
||||||
|
type proc_uid_concurrent_policy_time, fs_type;
|
||||||
type proc_uptime, fs_type;
|
type proc_uptime, fs_type;
|
||||||
type proc_version, fs_type;
|
type proc_version, fs_type;
|
||||||
type proc_vmallocinfo, fs_type;
|
type proc_vmallocinfo, fs_type;
|
||||||
|
|
|
@ -164,6 +164,8 @@ allow vendor_init {
|
||||||
-sdcard_type
|
-sdcard_type
|
||||||
-rootfs
|
-rootfs
|
||||||
-proc_uid_time_in_state
|
-proc_uid_time_in_state
|
||||||
|
-proc_uid_concurrent_active_time
|
||||||
|
-proc_uid_concurrent_policy_time
|
||||||
}:file { open read setattr };
|
}:file { open read setattr };
|
||||||
|
|
||||||
allow vendor_init {
|
allow vendor_init {
|
||||||
|
@ -172,6 +174,8 @@ allow vendor_init {
|
||||||
-sdcard_type
|
-sdcard_type
|
||||||
-rootfs
|
-rootfs
|
||||||
-proc_uid_time_in_state
|
-proc_uid_time_in_state
|
||||||
|
-proc_uid_concurrent_active_time
|
||||||
|
-proc_uid_concurrent_policy_time
|
||||||
}:dir { open read setattr search };
|
}:dir { open read setattr search };
|
||||||
|
|
||||||
# chown/chmod on devices, e.g. /dev/ttyHS0
|
# chown/chmod on devices, e.g. /dev/ttyHS0
|
||||||
|
|