Sepolicy: Initial Apexd pre-/postinstall rules
Give apexd permission to execute sh. Add userdebug_or_eng domains and rules for the test APEX for pre- and post-install. Bug: 119260955 Bug: 119261380 Test: atest apexservice_test Change-Id: I0c4a5e35e096101a53c9d1f212d2db2e63728267
This commit is contained in:
parent
055286fc94
commit
261ea86192
3 changed files with 38 additions and 2 deletions
|
@ -1,2 +1,4 @@
|
|||
(/.*)? u:object_r:system_file:s0
|
||||
/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
|
||||
/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
|
||||
/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
|
||||
(/.*)? u:object_r:system_file:s0
|
||||
/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
|
||||
|
|
20
private/apex_test_prepostinstall.te
Normal file
20
private/apex_test_prepostinstall.te
Normal file
|
@ -0,0 +1,20 @@
|
|||
# APEX pre- & post-install test.
|
||||
#
|
||||
# Allow to run pre- and post-install hooks for APEX test modules
|
||||
# in debuggable builds.
|
||||
|
||||
type apex_test_prepostinstall, domain, coredomain;
|
||||
type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
userdebug_or_eng(`
|
||||
# /dev/zero
|
||||
allow apex_test_prepostinstall apexd:fd use;
|
||||
# Logwrapper.
|
||||
create_pty(apex_test_prepostinstall)
|
||||
# Logwrapper executing sh.
|
||||
allow apex_test_prepostinstall shell_exec:file rx_file_perms;
|
||||
# Logwrapper exec.
|
||||
allow apex_test_prepostinstall system_file:file execute_no_trans;
|
||||
# Ls.
|
||||
allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
|
||||
')
|
|
@ -70,6 +70,20 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
|
|||
# Allow apexd to log to the kernel.
|
||||
allow apexd kmsg_device:chr_file w_file_perms;
|
||||
|
||||
# Apex pre- & post-install permission.
|
||||
|
||||
# Allow self-execute for the fork mount helper.
|
||||
allow apexd apexd_exec:file execute_no_trans;
|
||||
|
||||
# Allow to execute shell for pre- and postinstall scripts. A transition
|
||||
# rule is required, thus restricted to execute and not execute_no_trans.
|
||||
allow apexd shell_exec:file { r_file_perms execute };
|
||||
|
||||
# Allow transition to test APEX preinstall domain.
|
||||
userdebug_or_eng(`
|
||||
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
|
||||
')
|
||||
|
||||
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
|
||||
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
|
||||
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
|
||||
|
|
Loading…
Reference in a new issue