Prevent apps from causing presubmit failures am: 607bc67cc9
am: 0cc9c77efe
Change-Id: I20ce41e1533c710ba30afe9f70fcaa655e4fbdc3
This commit is contained in:
commit
1baec27a32
5 changed files with 16 additions and 29 deletions
|
@ -4,6 +4,22 @@ get_prop(appdomain, test_harness_prop)
|
|||
|
||||
userdebug_or_eng(`perfetto_producer({ appdomain })')
|
||||
|
||||
# Prevent apps from causing presubmit failures.
|
||||
# Apps can cause selinux denials by accessing CE storage
|
||||
# and/or external storage. In either case, the selinux denial is
|
||||
# not the cause of the failure, but just a symptom that
|
||||
# storage isn't ready. Many apps handle the failure appropriately.
|
||||
#
|
||||
# Apps cannot access external storage before it becomes available.
|
||||
dontaudit appdomain storage_stub_file:dir getattr;
|
||||
# Attempts to write to system_data_file is generally a sign
|
||||
# that apps are attempting to access encrypted storage before
|
||||
# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
|
||||
# allowed to write to CE storage before it's available.
|
||||
# Attempting to do so will be blocked by both selinux and unix
|
||||
# permissions.
|
||||
dontaudit appdomain system_data_file:dir write;
|
||||
|
||||
neverallow appdomain system_server:udp_socket {
|
||||
accept append bind create ioctl listen lock name_bind
|
||||
relabelfrom relabelto setattr shutdown };
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
bluetooth storage_stub_file dir b/145267097
|
||||
dnsmasq netd fifo_file b/77868789
|
||||
dnsmasq netd unix_stream_socket b/77868789
|
||||
gmscore_app storage_stub_file dir b/145267097
|
||||
gmscore_app system_data_file dir b/146166941
|
||||
init app_data_file file b/77873135
|
||||
init cache_file blk_file b/77873135
|
||||
|
@ -26,15 +24,9 @@ netd untrusted_app unix_stream_socket b/77870037
|
|||
netd untrusted_app_25 unix_stream_socket b/77870037
|
||||
netd untrusted_app_27 unix_stream_socket b/77870037
|
||||
platform_app nfc_data_file dir b/74331887
|
||||
platform_app storage_stub_file dir b/145267097
|
||||
priv_app storage_stub_file dir b/145267097
|
||||
system_server crash_dump process b/73128755
|
||||
system_server overlayfs_file file b/142390309
|
||||
system_server sdcardfs file b/77856826
|
||||
system_server storage_stub_file dir b/145267097
|
||||
system_server zygote process b/77856826
|
||||
untrusted_app storage_stub_file dir b/145267097
|
||||
untrusted_app_25 storage_stub_file dir b/145267097
|
||||
untrusted_app_27 storage_stub_file dir b/145267097
|
||||
vold system_data_file file b/124108085
|
||||
zygote untrusted_app_25 process b/77925912
|
||||
|
|
|
@ -63,15 +63,6 @@ dontaudit gmscore_app sysfs_dm:file r_file_perms;
|
|||
dontaudit gmscore_app sysfs_loop:file r_file_perms;
|
||||
dontaudit gmscore_app wifi_prop:file r_file_perms;
|
||||
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
|
||||
|
||||
|
||||
# Attempts to write to system_data_file is generally a sign
|
||||
# that apps are attempting to access encrypted storage before
|
||||
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
|
||||
# denial to prevent apps from spamming the logs.
|
||||
dontaudit gmscore_app system_data_file:dir write;
|
||||
|
||||
# suppress denials for scanning /data_mirror
|
||||
dontaudit gmscore_app mirror_data_file:dir search;
|
||||
|
||||
# Access the network
|
||||
|
|
|
@ -213,12 +213,6 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
|
|||
allow priv_app system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
||||
# Attempts to write to system_data_file is generally a sign
|
||||
# that apps are attempting to access encrypted storage before
|
||||
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
|
||||
# denial to prevent apps from spamming the logs.
|
||||
dontaudit priv_app system_data_file:dir write;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
|
@ -162,12 +162,6 @@ dontaudit untrusted_app_all proc_uptime:file read;
|
|||
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
|
||||
create_pty(untrusted_app_all)
|
||||
|
||||
# Attempts to write to system_data_file is generally a sign
|
||||
# that apps are attempting to access encrypted storage before
|
||||
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
|
||||
# denial to prevent third party apps from spamming the logs.
|
||||
dontaudit untrusted_app_all system_data_file:dir write;
|
||||
|
||||
# Allow access to kcov via its ioctl interface for coverage
|
||||
# guided kernel fuzzing.
|
||||
userdebug_or_eng(`
|
||||
|
|
Loading…
Reference in a new issue