Merge "Prevent access to nonplat_service_contexts on full_treble." into oc-mr1-dev
This commit is contained in:
Martijn Coenen
Android (Google) Code Review
commit
346a913c34
4 changed files with 8 additions and 6 deletions
|
|
@ -538,7 +538,7 @@
|
|||
(typeattributeset serial_device_26_0 (serial_device))
|
||||
(typeattributeset serialno_prop_26_0 (serialno_prop))
|
||||
(typeattributeset serial_service_26_0 (serial_service))
|
||||
(typeattributeset service_contexts_file_26_0 (service_contexts_file))
|
||||
(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
|
||||
(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
|
||||
(typeattributeset servicemanager_26_0 (servicemanager))
|
||||
(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
|
||||
|
|
|
|||
|
|
@ -51,7 +51,7 @@
|
|||
/sepolicy u:object_r:sepolicy_file:s0
|
||||
/plat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/nonplat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
|
||||
/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
|
||||
|
||||
|
|
@ -298,7 +298,7 @@
|
|||
|
||||
/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
|
||||
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
|
||||
/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
|
|
|
|||
|
|
@ -313,6 +313,9 @@ type sepolicy_file, file_type;
|
|||
# service_contexts file
|
||||
type service_contexts_file, file_type;
|
||||
|
||||
# nonplat service_contexts file (only accessible on non full-treble devices)
|
||||
type nonplat_service_contexts_file, file_type;
|
||||
|
||||
# hwservice_contexts file
|
||||
type hwservice_contexts_file, file_type;
|
||||
|
||||
|
|
|
|||
|
|
@ -16,10 +16,9 @@ allow servicemanager {
|
|||
-vndservicemanager
|
||||
}:binder transfer;
|
||||
|
||||
# Access to all (system and vendor) service_contexts
|
||||
# TODO(b/36866029) access to nonplat_service_contexts
|
||||
# should not be allowed on full treble devices
|
||||
allow servicemanager service_contexts_file:file r_file_perms;
|
||||
# nonplat_service_contexts only accessible on non full-treble devices
|
||||
not_full_treble('allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
|
||||
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(servicemanager)
|
||||
|
|
|
|||
Loading…
Reference in a new issue