Remove SElinux audit to libart_file
am: 01ee59a7b4
Change-Id: I2d5889cd3faf16957ed329234ffd7b3bc6504203
This commit is contained in:
commit
2ce7f8362f
10 changed files with 3 additions and 36 deletions
|
@ -14,9 +14,6 @@ allow appdomain zygote_tmpfs:file read;
|
|||
# WebView and other application-specific JIT compilers
|
||||
allow appdomain self:process execmem;
|
||||
|
||||
# allow access to the interpreter
|
||||
allow appdomain libart_file:file { execute read open getattr };
|
||||
|
||||
allow appdomain ashmem_device:chr_file execute;
|
||||
|
||||
# Receive and use open file descriptors inherited from zygote.
|
||||
|
|
|
@ -239,8 +239,6 @@
|
|||
/system/bin/storaged u:object_r:storaged_exec:s0
|
||||
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
|
||||
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
|
||||
/system/fake-lib(64)?/libart.* u:object_r:libart_file:s0
|
||||
/system/lib(64)?/libart.* u:object_r:libart_file:s0
|
||||
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
|
||||
/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
|
||||
/system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
|
||||
|
|
|
@ -40,8 +40,6 @@ allow zygote dalvikcache_data_file:lnk_file create_file_perms;
|
|||
allow zygote resourcecache_data_file:dir rw_dir_perms;
|
||||
allow zygote resourcecache_data_file:file create_file_perms;
|
||||
|
||||
# For art.
|
||||
allow zygote libart_file:file { execute read open getattr };
|
||||
# When WITH_DEXPREOPT is true, the zygote does not load executable content from
|
||||
# /data/dalvik-cache.
|
||||
allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
|
||||
|
|
|
@ -24,9 +24,6 @@ allow crash_dump exec_type:file r_file_perms;
|
|||
allow crash_dump dalvikcache_data_file:dir { search getattr };
|
||||
allow crash_dump dalvikcache_data_file:file r_file_perms;
|
||||
|
||||
# Unwind through libart.
|
||||
allow crash_dump libart_file:file r_file_perms;
|
||||
|
||||
# Talk to tombstoned
|
||||
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
|
||||
|
||||
|
|
|
@ -6,9 +6,6 @@ r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
|
|||
|
||||
allow dex2oat tmpfs:file { read getattr };
|
||||
|
||||
# allow access to the interpreter
|
||||
allow dex2oat libart_file:file { execute read open getattr };
|
||||
|
||||
r_dir_file(dex2oat, dalvikcache_data_file)
|
||||
allow dex2oat dalvikcache_data_file:file write;
|
||||
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
|
||||
|
|
|
@ -94,21 +94,6 @@ allow domain system_file:dir { search getattr };
|
|||
allow domain system_file:file { execute read open getattr };
|
||||
allow domain system_file:lnk_file read;
|
||||
|
||||
# Initially grant all domains access to libart.
|
||||
# TODO move to a whitelist. b/29795519
|
||||
allow domain libart_file:file { execute read open getattr };
|
||||
auditallow {
|
||||
domain
|
||||
-appdomain
|
||||
-crash_dump
|
||||
-dex2oat
|
||||
-dumpstate
|
||||
-profman
|
||||
-recovery
|
||||
-webview_zygote
|
||||
-zygote
|
||||
} libart_file:file { execute read open getattr };
|
||||
|
||||
# read any sysfs symlinks
|
||||
allow domain sysfs:lnk_file read;
|
||||
|
||||
|
@ -308,7 +293,7 @@ neverallow {
|
|||
-system_server
|
||||
-webview_zygote
|
||||
-zygote
|
||||
} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
|
||||
} { file_type -system_file -exec_type -postinstall_file }:file execute;
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain # for oemfs
|
||||
|
|
|
@ -114,7 +114,6 @@ allow dumpstate zygote_exec:file rx_file_perms;
|
|||
allow dumpstate ashmem_device:chr_file execute;
|
||||
allow dumpstate self:process execmem;
|
||||
# For art.
|
||||
allow dumpstate libart_file:file { r_file_perms execute };
|
||||
allow dumpstate dalvikcache_data_file:dir { search getattr };
|
||||
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
|
||||
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
|
||||
|
|
|
@ -78,8 +78,6 @@ type unlabeled, file_type;
|
|||
type system_file, file_type;
|
||||
# Speedup access for trusted applications to the runtime event tags
|
||||
type runtime_event_log_tags_file, file_type;
|
||||
# Type for /system/*/libart*
|
||||
type libart_file, file_type;
|
||||
# Type for /system/bin/logcat.
|
||||
type logcat_exec, exec_type, file_type;
|
||||
# /cores for coredumps on userdebug / eng builds
|
||||
|
|
|
@ -2,8 +2,6 @@
|
|||
type profman, domain;
|
||||
type profman_exec, exec_type, file_type;
|
||||
|
||||
allow profman libart_file:file r_file_perms;
|
||||
|
||||
allow profman user_profile_data_file:file { getattr read write lock };
|
||||
|
||||
# Dumping profile info opens the application APK file for pretty printing.
|
||||
|
|
|
@ -28,7 +28,7 @@ recovery_only(`
|
|||
|
||||
# Create and relabel files and directories under /system.
|
||||
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
||||
allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
||||
allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
||||
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
|
||||
|
||||
# We may be asked to set an SELinux label for a type not known to the
|
||||
|
|
Loading…
Reference in a new issue