Merge "Split preloads into media_file and data_file"
commit
2d22fd814f
9 changed files with 21 additions and 5 deletions
|
@ -97,3 +97,6 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
|
||||||
# Avoid reads from generically labeled /proc files
|
# Avoid reads from generically labeled /proc files
|
||||||
# Create a more specific label if needed
|
# Create a more specific label if needed
|
||||||
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
|
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
|
||||||
|
|
||||||
|
# Do not allow untrusted apps access to preloads data files
|
||||||
|
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
|
||||||
|
|
|
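Review bot: The new `neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;` constrains only the `file` class, so a later allow on `preloads_data_file:lnk_file`, or one that permits listing `preloads_data_file:dir`, would not trip it. Another section of this commit grants `untrusted_app_all` only `search` on that directory type, and the hunk header shows this file already uses the form `neverallow all_untrusted_apps anr_data_file:dir ~search;`. Consider adding `neverallow all_untrusted_apps preloads_data_file:dir ~search;` next to the new rule. First confirm that no existing allow gives these domains more than `search` on the type, since the policy build will fail if one does.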
@ -291,6 +291,8 @@
|
||||||
/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
|
/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
|
||||||
/data/property(/.*)? u:object_r:property_data_file:s0
|
/data/property(/.*)? u:object_r:property_data_file:s0
|
||||||
/data/preloads(/.*)? u:object_r:preloads_data_file:s0
|
/data/preloads(/.*)? u:object_r:preloads_data_file:s0
|
||||||
|
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
|
||||||
|
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
|
||||||
|
|
||||||
# Misc data
|
# Misc data
|
||||||
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
|
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
|
||||||
|
|
|
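Review bot: `/data/preloads/demo(/.*)?` is given the `preloads_media_file` label, which other sections of this commit make readable by `untrusted_app_all` and `mediaserver`, yet the commit title and the type's `# /data/preloads/media` comment mention only media. If demo content is meant to be readable by every app, record that above the two new entries, e.g. `# media and demo content are readable by all apps; everything else under /data/preloads stays preloads_data_file`; if it is not, it likely needs its own type. These entries also take effect only when the paths are labeled or relabeled, so files already on disk under `/data/preloads/media` would keep `preloads_data_file` until a restorecon runs. The page does not show whether one is triggered.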
@ -56,5 +56,7 @@ allow platform_app vr_manager_service:service_manager find;
|
||||||
# Access to /data/preloads
|
# Access to /data/preloads
|
||||||
allow platform_app preloads_data_file:file r_file_perms;
|
allow platform_app preloads_data_file:file r_file_perms;
|
||||||
allow platform_app preloads_data_file:dir r_dir_perms;
|
allow platform_app preloads_data_file:dir r_dir_perms;
|
||||||
|
allow platform_app preloads_media_file:file r_file_perms;
|
||||||
|
allow platform_app preloads_media_file:dir r_dir_perms;
|
||||||
|
|
||||||
read_runtime_log_tags(platform_app)
|
read_runtime_log_tags(platform_app)
|
||||||
|
|
|
@ -96,6 +96,8 @@ allow priv_app ringtone_file:file { getattr read write };
|
||||||
# Access to /data/preloads
|
# Access to /data/preloads
|
||||||
allow priv_app preloads_data_file:file r_file_perms;
|
allow priv_app preloads_data_file:file r_file_perms;
|
||||||
allow priv_app preloads_data_file:dir r_dir_perms;
|
allow priv_app preloads_data_file:dir r_dir_perms;
|
||||||
|
allow priv_app preloads_media_file:file r_file_perms;
|
||||||
|
allow priv_app preloads_media_file:dir r_dir_perms;
|
||||||
|
|
||||||
# TODO: revert this as part of fixing 33574909
|
# TODO: revert this as part of fixing 33574909
|
||||||
# android.process.media uses /dev/mtp_usb
|
# android.process.media uses /dev/mtp_usb
|
||||||
|
|
|
@ -599,6 +599,8 @@ allow system_server update_engine:fifo_file write;
|
||||||
# Access to /data/preloads
|
# Access to /data/preloads
|
||||||
allow system_server preloads_data_file:file { r_file_perms unlink };
|
allow system_server preloads_data_file:file { r_file_perms unlink };
|
||||||
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
|
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
|
||||||
|
allow system_server preloads_media_file:file { r_file_perms unlink };
|
||||||
|
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
||||||
|
|
||||||
r_dir_file(system_server, cgroup)
|
r_dir_file(system_server, cgroup)
|
||||||
allow system_server ion_device:chr_file r_file_perms;
|
allow system_server ion_device:chr_file r_file_perms;
|
||||||
|
|
|
@ -88,6 +88,7 @@ allow untrusted_app_all self:process ptrace;
|
||||||
allow untrusted_app_all sysfs_hwrandom:dir search;
|
allow untrusted_app_all sysfs_hwrandom:dir search;
|
||||||
allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
|
allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
|
||||||
|
|
||||||
# Allow apps to view preloaded content
|
# Allow apps to view preloaded media content
|
||||||
allow untrusted_app_all preloads_data_file:dir r_dir_perms;
|
allow untrusted_app_all preloads_media_file:dir r_dir_perms;
|
||||||
allow untrusted_app_all preloads_data_file:file r_file_perms;
|
allow untrusted_app_all preloads_media_file:file r_file_perms;
|
||||||
|
allow untrusted_app_all preloads_data_file:dir search;
|
||||||
|
|
|
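Review bot: The added `allow untrusted_app_all preloads_data_file:dir search;` has no comment of its own and sits under `# Allow apps to view preloaded media content`, so it reads as part of the media grant although it targets the data type. It presumably exists so apps can traverse `/data/preloads` to reach the media subdirectory. Because every other path under `/data/preloads` carries the same type, it also permits traversal into those directories and may let an app distinguish existing paths from missing ones. A separate comment such as `# search only: lets apps traverse /data/preloads to reach media; no listing, no file access` would record the intent and make any later widening stand out in review.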
@ -132,6 +132,8 @@ type nativetest_data_file, file_type, data_file_type;
|
||||||
type ringtone_file, file_type, data_file_type, mlstrustedobject;
|
type ringtone_file, file_type, data_file_type, mlstrustedobject;
|
||||||
# /data/preloads
|
# /data/preloads
|
||||||
type preloads_data_file, file_type, data_file_type;
|
type preloads_data_file, file_type, data_file_type;
|
||||||
|
# /data/preloads/media
|
||||||
|
type preloads_media_file, file_type, data_file_type;
|
||||||
|
|
||||||
# Mount locations managed by vold
|
# Mount locations managed by vold
|
||||||
type mnt_media_rw_file, file_type;
|
type mnt_media_rw_file, file_type;
|
||||||
|
|
|
@ -132,6 +132,8 @@ allow installd labeledfs:filesystem { quotaget quotamod };
|
||||||
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
|
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
|
||||||
allow installd preloads_data_file:file { r_file_perms unlink };
|
allow installd preloads_data_file:file { r_file_perms unlink };
|
||||||
allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
|
allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
|
||||||
|
allow installd preloads_media_file:file { r_file_perms unlink };
|
||||||
|
allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
||||||
|
|
||||||
###
|
###
|
||||||
### Neverallow rules
|
### Neverallow rules
|
||||||
|
|
|
@ -124,8 +124,8 @@ allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
|
||||||
allow mediaserver media_rw_data_file:dir create_dir_perms;
|
allow mediaserver media_rw_data_file:dir create_dir_perms;
|
||||||
allow mediaserver media_rw_data_file:file create_file_perms;
|
allow mediaserver media_rw_data_file:file create_file_perms;
|
||||||
|
|
||||||
# Access to /data/preloads
|
# Access to media in /data/preloads
|
||||||
allow mediaserver preloads_data_file:file { getattr read ioctl };
|
allow mediaserver preloads_media_file:file { getattr read ioctl };
|
||||||
|
|
||||||
allow mediaserver ion_device:chr_file r_file_perms;
|
allow mediaserver ion_device:chr_file r_file_perms;
|
||||||
allow mediaserver hal_graphics_allocator:fd use;
|
allow mediaserver hal_graphics_allocator:fd use;
|
||||||
|
|
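Review bot: The rewritten rule `allow mediaserver preloads_media_file:file { getattr read ioctl };` grants neither `open` nor any directory permission, and the comment `# Access to media in /data/preloads` does not say why. That shape suggests mediaserver is expected to receive already-open file descriptors rather than open paths itself. If so, a comment like `# no open/dir perms: files arrive as fds passed by the caller` would keep someone from adding `open` later as a presumed fix. The permission set is visible in the hunk; the fd-passing rationale is inferred and should be confirmed.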