Remove remaining APEX sepolicy types
Bug: 297794885 Test: boot cuttlefish Change-Id: I2ff465217adcf1bb0267ea6d487a9a46b6584458
This commit is contained in:
parent
fcc90e8af2
commit
2f0bcc1b0a
6 changed files with 0 additions and 57 deletions
|
@ -14,10 +14,6 @@ allow system_data_file tmpfs:filesystem associate;
|
||||||
|
|
||||||
type authfs_fuse, fs_type, contextmount_type;
|
type authfs_fuse, fs_type, contextmount_type;
|
||||||
|
|
||||||
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
|
|
||||||
# property labeled.
|
|
||||||
type sepolicy_test_file, file_type;
|
|
||||||
|
|
||||||
# /system/bin/mke2fs - used to format encryptedstore block device
|
# /system/bin/mke2fs - used to format encryptedstore block device
|
||||||
type e2fs_exec, system_file_type, exec_type, file_type;
|
type e2fs_exec, system_file_type, exec_type, file_type;
|
||||||
|
|
||||||
|
|
|
@ -81,16 +81,3 @@ allow kernel apexd:fd use;
|
||||||
|
|
||||||
#-----------------------------------------
|
#-----------------------------------------
|
||||||
allow kernel apkdmverity:fd use;
|
allow kernel apkdmverity:fd use;
|
||||||
|
|
||||||
# Some contexts are changed before the device is flipped into enforcing mode
|
|
||||||
# during the setup of Apex sepolicy. These denials can be suppressed since
|
|
||||||
# the permissions should not be allowed after the device is flipped into
|
|
||||||
# enforcing mode.
|
|
||||||
dontaudit kernel device:dir { open read relabelto };
|
|
||||||
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
|
|
||||||
dontaudit kernel {
|
|
||||||
file_contexts_file
|
|
||||||
property_contexts_file
|
|
||||||
sepolicy_test_file
|
|
||||||
service_contexts_file
|
|
||||||
}:file relabelto;
|
|
||||||
|
|
|
@ -13,14 +13,6 @@ allow apexd metadata_file:dir search;
|
||||||
allow apexd apex_metadata_file:dir create_dir_perms;
|
allow apexd apex_metadata_file:dir create_dir_perms;
|
||||||
allow apexd apex_metadata_file:file create_file_perms;
|
allow apexd apex_metadata_file:file create_file_perms;
|
||||||
|
|
||||||
# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
|
|
||||||
allow apexd sepolicy_metadata_file:dir create_dir_perms;
|
|
||||||
allow apexd sepolicy_metadata_file:file create_file_perms;
|
|
||||||
# Allow apexd to setup fs-verity for SEPolicy files in metadata
|
|
||||||
allowxperm apexd sepolicy_metadata_file:file ioctl {
|
|
||||||
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
|
||||||
};
|
|
||||||
|
|
||||||
# Allow reserving space on /data/apex/ota_reserved for apex decompression
|
# Allow reserving space on /data/apex/ota_reserved for apex decompression
|
||||||
allow apexd apex_ota_reserved_file:dir create_dir_perms;
|
allow apexd apex_ota_reserved_file:dir create_dir_perms;
|
||||||
allow apexd apex_ota_reserved_file:file create_file_perms;
|
allow apexd apex_ota_reserved_file:file create_file_perms;
|
||||||
|
|
|
@ -118,13 +118,6 @@ type compos_exec, exec_type, file_type, system_file_type;
|
||||||
# /apex/com.android.compos/bin/compos_key_helper
|
# /apex/com.android.compos/bin/compos_key_helper
|
||||||
type compos_key_helper_exec, exec_type, file_type, system_file_type;
|
type compos_key_helper_exec, exec_type, file_type, system_file_type;
|
||||||
|
|
||||||
# /metadata/sepolicy
|
|
||||||
type sepolicy_metadata_file, file_type;
|
|
||||||
|
|
||||||
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
|
|
||||||
# property labeled.
|
|
||||||
type sepolicy_test_file, file_type;
|
|
||||||
|
|
||||||
# /apex/com.android.art/bin/art_exec
|
# /apex/com.android.art/bin/art_exec
|
||||||
# This executable does not have its own domain because it is executed in the caller's domain. For
|
# This executable does not have its own domain because it is executed in the caller's domain. For
|
||||||
# example, it is executed in the `artd` domain when artd calls it.
|
# example, it is executed in the `artd` domain when artd calls it.
|
||||||
|
|
|
@ -205,14 +205,6 @@
|
||||||
#
|
#
|
||||||
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
|
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
|
||||||
|
|
||||||
# Apex sepoolicy files.
|
|
||||||
/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
|
|
||||||
/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
|
|
||||||
/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
|
|
||||||
/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
|
|
||||||
/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
|
||||||
/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
|
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
# System files
|
# System files
|
||||||
#
|
#
|
||||||
|
@ -844,7 +836,6 @@
|
||||||
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
|
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
|
||||||
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
|
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
|
||||||
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
|
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
|
||||||
/metadata/sepolicy(/.*)? u:object_r:sepolicy_metadata_file:s0
|
|
||||||
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
|
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
|
||||||
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
|
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
|
||||||
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
|
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
|
||||||
|
|
|
@ -44,19 +44,3 @@ dontaudit kernel dm_user_device:dir { write add_name };
|
||||||
dontaudit kernel dm_user_device:chr_file { create setattr };
|
dontaudit kernel dm_user_device:chr_file { create setattr };
|
||||||
dontaudit kernel tmpfs:lnk_file read;
|
dontaudit kernel tmpfs:lnk_file read;
|
||||||
dontaudit kernel tmpfs:blk_file { open read };
|
dontaudit kernel tmpfs:blk_file { open read };
|
||||||
|
|
||||||
# Some contexts are changed before the device is flipped into enforcing mode
|
|
||||||
# during the setup of Apex sepolicy. These denials can be suppressed since
|
|
||||||
# the permissions should not be allowed after the device is flipped into
|
|
||||||
# enforcing mode.
|
|
||||||
dontaudit kernel device:dir { open read relabelto };
|
|
||||||
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
|
|
||||||
dontaudit kernel {
|
|
||||||
file_contexts_file
|
|
||||||
hwservice_contexts_file
|
|
||||||
mac_perms_file
|
|
||||||
property_contexts_file
|
|
||||||
seapp_contexts_file
|
|
||||||
sepolicy_test_file
|
|
||||||
service_contexts_file
|
|
||||||
}:file relabelto;
|
|
||||||
|
|
Loading…
Reference in a new issue