Merge "IncFS: update SE policies for the new API"
This commit is contained in:
Yurii Zubrytskyi
Gerrit Code Review
commit
314e6d9450
9 changed files with 40 additions and 8 deletions
|
|
@ -625,6 +625,7 @@
|
|||
/data/incremental(/.*)? u:object_r:apk_data_file:s0
|
||||
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
|
||||
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
|
||||
/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
|
||||
|
||||
#############################
|
||||
# Expanded data files
|
||||
|
|
|
|||
|
|
@ -2000,7 +2000,7 @@
|
|||
(typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service))
|
||||
(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
|
||||
(typeattributeset swap_block_device_30_0 (swap_block_device))
|
||||
(typeattributeset sysfs_30_0 (sysfs))
|
||||
(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
|
||||
(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
|
||||
(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
|
||||
(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
|
||||
|
|
|
|||
|
|
@ -668,6 +668,7 @@
|
|||
/data/incremental(/.*)? u:object_r:apk_data_file:s0
|
||||
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
|
||||
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
|
||||
/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
|
||||
|
||||
#############################
|
||||
# Expanded data files
|
||||
|
|
|
|||
|
|
@ -140,6 +140,7 @@ genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
|
|||
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
|
||||
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
|
||||
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
|
||||
genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
|
||||
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
|
||||
genfscon sysfs /power/state u:object_r:sysfs_power:s0
|
||||
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
|
||||
|
|
|
|||
|
|
@ -152,9 +152,16 @@ dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
|
|||
allow priv_app system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
||||
# Access the IncFS list of features
|
||||
r_dir_file(priv_app, sysfs_fs_incfs_features)
|
||||
|
||||
# allow apps like Phonesky to check the file signature of an apk installed on
|
||||
# the Incremental File System, and fill missing blocks in the apk
|
||||
allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
|
||||
# the Incremental File System, fill missing blocks and get the app status
|
||||
allowxperm priv_app apk_data_file:file ioctl {
|
||||
INCFS_IOCTL_READ_SIGNATURE
|
||||
INCFS_IOCTL_FILL_BLOCKS
|
||||
INCFS_IOCTL_GET_BLOCK_COUNT
|
||||
};
|
||||
|
||||
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
|
||||
allow priv_app incremental_control_file:file { read getattr ioctl };
|
||||
|
|
|
|||
|
|
@ -24,12 +24,27 @@ allow system_server appdomain_tmpfs:file { getattr map read write };
|
|||
# For Incremental Service to check if incfs is available
|
||||
allow system_server proc_filesystems:file r_file_perms;
|
||||
|
||||
# To create files and get permission to fill blocks on Incremental File System
|
||||
allow system_server incremental_control_file:file { ioctl r_file_perms };
|
||||
allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
|
||||
# Access the IncFS list of features
|
||||
r_dir_file(system_server, sysfs_fs_incfs_features);
|
||||
|
||||
# To get signature of an APK installed on Incremental File System and fill in data blocks
|
||||
allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
|
||||
# To create files, get permission to fill blocks, and configure Incremental File System
|
||||
allow system_server incremental_control_file:file { ioctl r_file_perms };
|
||||
allowxperm system_server incremental_control_file:file ioctl {
|
||||
INCFS_IOCTL_CREATE_FILE
|
||||
INCFS_IOCTL_CREATE_MAPPED_FILE
|
||||
INCFS_IOCTL_PERMIT_FILL
|
||||
INCFS_IOCTL_GET_READ_TIMEOUTS
|
||||
INCFS_IOCTL_SET_READ_TIMEOUTS
|
||||
};
|
||||
|
||||
# To get signature of an APK installed on Incremental File System, and fill in data
|
||||
# blocks and get the filesystem state
|
||||
allowxperm system_server apk_data_file:file ioctl {
|
||||
INCFS_IOCTL_READ_SIGNATURE
|
||||
INCFS_IOCTL_FILL_BLOCKS
|
||||
INCFS_IOCTL_GET_FILLED_BLOCKS
|
||||
INCFS_IOCTL_GET_BLOCK_COUNT
|
||||
};
|
||||
|
||||
# For art.
|
||||
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
|
||||
|
|
|
|||
|
|
@ -109,6 +109,7 @@ type sysfs_wakeup, fs_type, sysfs_type;
|
|||
type sysfs_wakeup_reasons, fs_type, sysfs_type;
|
||||
type sysfs_fs_ext4_features, sysfs_type, fs_type;
|
||||
type sysfs_fs_f2fs, sysfs_type, fs_type;
|
||||
type sysfs_fs_incfs_features, sysfs_type, fs_type;
|
||||
type fs_bpf, fs_type;
|
||||
type configfs, fs_type;
|
||||
# /sys/devices/cs_etm
|
||||
|
|
|
|||
|
|
@ -1066,6 +1066,10 @@ define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
|
|||
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
|
||||
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
|
||||
define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
|
||||
define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
|
||||
define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
|
||||
define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
|
||||
define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
|
||||
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
|
||||
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
|
||||
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
|
||||
|
|
|
|||
|
|
@ -126,6 +126,8 @@ allow vold mnt_expand_file:dir { create_dir_perms mounton };
|
|||
allow vold apk_data_file:dir { create getattr setattr };
|
||||
allow vold shell_data_file:dir { create getattr setattr };
|
||||
|
||||
# Access the IncFS list of features
|
||||
r_dir_file(vold, sysfs_fs_incfs_features);
|
||||
# Allow to mount incremental file system on /data/incremental and create files
|
||||
allow vold apk_data_file:dir { mounton rw_dir_perms };
|
||||
# Allow to create and write files in /data/incremental
|
||||
|
|
|
|||
Loading…
Reference in a new issue