Snap for 11881322 from 95059f3ae7
to 24Q3-release
Change-Id: Ib640ffbf160c7223220aa220d2be8c53c41b2aef
commit
1817c1c6c5
7 changed files with 27 additions and 5 deletions
|
@ -9,6 +9,7 @@
|
|||
fs_bpf_lmkd_memevents_rb
|
||||
fs_bpf_lmkd_memevents_prog
|
||||
binderfs_logs_transactions
|
||||
binderfs_logs_transaction_history
|
||||
proc_compaction_proactiveness
|
||||
proc_cgroups
|
||||
))
|
||||
|
|
|
@ -505,7 +505,17 @@ get_prop(domain, binder_cache_system_server_prop)
|
|||
get_prop(domain, binder_cache_telephony_server_prop)
|
||||
|
||||
# Binderfs logs contain sensitive information about other processes.
|
||||
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transactions:file no_rw_file_perms;
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-vendor_init
|
||||
userdebug_or_eng(`-dumpstate')
|
||||
userdebug_or_eng(`-system_server')
|
||||
} binderfs_logs_transactions:file no_rw_file_perms;
|
||||
|
||||
# Binderfs transaction history is less sensitive than transactions, but it
|
||||
# still contains global information about the system.
|
||||
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;
|
||||
|
||||
# Allow access to fsverity keyring.
|
||||
allow domain kernel:key search;
|
||||
|
|
|
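Review bot: The comment above the rewritten neverallow still reads only `# Binderfs logs contain sensitive information about other processes.` and does not say that dumpstate and system_server are now exempt on userdebug/eng builds only, which is the security-relevant part of this rule. I would extend it, for example `# On user builds only init and vendor_init are exempt; dumpstate and system_server are exempt on userdebug/eng only.` The same gap applies to the `#Allow access to /dev/binderfs/binder_logs` block in the dumpstate hunk and the `# For ANRs` block in the system_server hunk, where the allow rules are wrapped in `userdebug_or_eng` but the comments do not mention that user builds lose the access. The +/- markers are lost on this page, so which neverallow is old and which is new is inferred from the hunk header counts.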
@ -129,7 +129,9 @@ set_prop(dumpstate, ctl_gsid_prop)
|
|||
binder_call(dumpstate, gsid)
|
||||
|
||||
#Allow access to /dev/binderfs/binder_logs
|
||||
allow dumpstate binderfs_logs_transactions:file r_file_perms;
|
||||
userdebug_or_eng(`
|
||||
allow dumpstate binderfs_logs_transactions:file r_file_perms;
|
||||
')
|
||||
|
||||
r_dir_file(dumpstate, ota_metadata_file)
|
||||
|
||||
|
|
|
@ -309,6 +309,8 @@ genfscon binder /binder_logs u:object_r:binderfs_logs:s0
|
|||
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
|
||||
genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
|
||||
genfscon binder /binder_logs/transactions u:object_r:binderfs_logs_transactions:s0
|
||||
genfscon binder /binder_logs/transaction_log u:object_r:binderfs_logs_transaction_history:s0
|
||||
genfscon binder /binder_logs/failed_transaction_log u:object_r:binderfs_logs_transaction_history:s0
|
||||
genfscon binder /features u:object_r:binderfs_features:s0
|
||||
|
||||
genfscon inotifyfs / u:object_r:inotify:s0
|
||||
|
|
|
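Review bot: The two new entries move `/binder_logs/transaction_log` and `/binder_logs/failed_transaction_log` off the label they would otherwise inherit from the `/binder_logs` entry, yet no hunk on this page adds an allow rule for `binderfs_logs_transaction_history`. The neverallow added for this type exempts dumpstate and system_server, which suggests they are meant to keep reading these files. If so, a rule such as `allow dumpstate binderfs_logs_transaction_history:file r_file_perms;` is needed, unless it already exists outside the visible hunks. Without it, any domain that read these logs through the old label is denied after the relabel, so bugreports would lose both logs.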
@ -1620,8 +1620,11 @@ set_prop(system_server, dalvik_dynamic_config_prop)
|
|||
# Allow system server to read binderfs
|
||||
allow system_server binderfs_logs:dir r_dir_perms;
|
||||
allow system_server binderfs_logs_stats:file r_file_perms;
|
||||
|
||||
# For ANRs
|
||||
allow system_server binderfs_logs_transactions:file r_file_perms;
|
||||
userdebug_or_eng(`
|
||||
allow system_server binderfs_logs_transactions:file r_file_perms;
|
||||
')
|
||||
|
||||
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
|
||||
set_prop(system_server, game_manager_config_prop)
|
||||
|
@ -1642,6 +1645,11 @@ neverallow {
|
|||
# in Pre-reboot Dexopt.
|
||||
allow system_server pre_reboot_dexopt_file:dir { getattr search };
|
||||
|
||||
# Allow system_server to reopen its own memfd.
|
||||
# system_server needs to copy the new service-art.jar to a memfd and reopen it with the path
|
||||
# /proc/self/fd/<fd> with a classloader.
|
||||
allow system_server system_server_tmpfs:file open;
|
||||
|
||||
# Do not allow any domain other than init or system server to get or set the property
|
||||
neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
|
||||
neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
|
||||
|
|
|
@ -11,6 +11,7 @@ type binderfs_logs_stats, fs_type;
|
|||
|
||||
starting_at_board_api(202504, `
|
||||
type binderfs_logs_transactions, fs_type;
|
||||
type binderfs_logs_transaction_history, fs_type;
|
||||
')
|
||||
|
||||
type binderfs_features, fs_type;
|
||||
|
|
2
vendor/ot_rcp.te
vendored
2
vendor/ot_rcp.te
vendored
|
@ -5,7 +5,6 @@
|
|||
type ot_rcp, domain;
|
||||
type ot_rcp_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
userdebug_or_eng(`
|
||||
domain_auto_trans(hal_threadnetwork_default, ot_rcp_exec, ot_rcp)
|
||||
allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
|
||||
allow hal_threadnetwork_default ot_rcp:process signal;
|
||||
|
@ -16,4 +15,3 @@ allow ot_rcp self:udp_socket { bind create ioctl read setopt write };
|
|||
allow ot_rcp node:udp_socket node_bind;
|
||||
allow ot_rcp port:udp_socket name_bind;
|
||||
allow ot_rcp self:netlink_route_socket { nlmsg_read nlmsg_readpriv create read write };
|
||||
')
|
||||
|
|
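Review bot: With the `userdebug_or_eng(` opener in the first hunk and its closing `')` in the second apparently removed, the ot_rcp domain transition and every allow rule between them now apply on user builds as well. This is inferred from each hunk header shrinking by one line, since the +/- markers are lost. The widened rules include `allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};` and `allow ot_rcp port:udp_socket name_bind;`, both written against generic types, which is broad for production policy. The commit message is a snapshot merge and gives no rationale for the change. If user-build support is intended, I would ask for a comment stating why and for the devpts and port rules to be narrowed to dedicated types; otherwise the guard should stay.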