Merge "Allow binder services to r/w su:tcp_socket" am: a66a5df13d
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729830 Change-Id: If3c55331bc2faaf65871b6e28752d8ae8949129d
commit
34f017a2d0
10 changed files with 37 additions and 9 deletions
@ -95,7 +95,8 @@ neverallow audioserver { file_type fs_type }:file execute_no_trans;
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow audioserver domain:{ udp_socket rawip_socket } *;
neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
|
# Allow using wake locks
wakelock_use(audioserver)
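Review bot: The new rule `neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;` exempts su from the whole tcp_socket class on debug builds, although the grant it makes room for (the add_service hunk in te_macros) is only `{ accept getopt read write }`. The assertion could stay narrow by adding, wrapped the same way as the exemption, `userdebug_or_eng(`neverallow audioserver su:tcp_socket ~{ accept getopt read write };')`, so a wider grant on su sockets would still fail the build. The comment block above ("be isolated from the rest of the system and network") now has a debug-build exception it does not mention; a line such as `# userdebug/eng only: su tcp_sockets are exempted so add_service can allow binder over TCP.` would keep it accurate. The same points apply to the mediatranscoding, cameraserver, hal_omx_server, iorapd, mediaextractor, mediametrics and vendor/mediacodec.te hunks and to the halserverdomain block.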
@ -61,4 +61,5 @@ neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
@ -53,7 +53,8 @@ neverallow cameraserver { file_type fs_type }:file execute_no_trans;
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow cameraserver domain:{ udp_socket rawip_socket } *;
neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
|
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
@ -25,7 +25,21 @@ neverallow {
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
} domain:{ tcp_socket udp_socket rawip_socket } *;
} domain:{ udp_socket rawip_socket } *;
|
neverallow {
halserverdomain
-hal_automotive_socket_exemption
-hal_can_controller_server
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
} {
domain
userdebug_or_eng(`-su')
}:tcp_socket *;
|
###
# HALs are defined as an attribute and so a given domain could hypothetically
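Review bot: The new tcp_socket neverallow repeats the seven `-hal_*` exemptions of the udp/rawip rule directly above it (whose opening is outside the hunk), so a future addition to one list can silently miss the other. If the two sets are meant to stay equal, a comment on the new block such as `# Keep this exemption list in sync with the udp/rawip neverallow above.` makes the coupling explicit; a shared attribute for the exempted HAL servers would remove the duplication entirely, if attribute-based exemptions are acceptable in this file. As in the media-domain hunks, the su exemption lifts the whole tcp_socket class on debug builds rather than only the `{ accept getopt read write }` that add_service grants.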
@ -46,4 +46,5 @@ neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
@ -94,4 +94,5 @@ neverallow iorapd {
}:binder call;
|
neverallow { domain -init } iorapd:process { transition dyntransition };
neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow iorapd domain:{ udp_socket rawip_socket } *;
neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
@ -59,7 +59,8 @@ neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
|
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
@ -42,4 +42,5 @@ neverallow mediametrics { file_type fs_type }:file execute_no_trans;
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow mediametrics domain:{ udp_socket rawip_socket } *;
neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
@ -670,6 +670,12 @@ define(`use_drmservice', `
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
|
# On debug builds with root, allow binder services to use binder over TCP.
# Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
userdebug_or_eng(`
allow $1 su:tcp_socket { accept getopt read write };
')
')
|
###########################################
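Review bot: The grant `allow $1 su:tcp_socket { accept getopt read write };` sits inside add_service, so it is conferred on every domain that registers a binder service, not only on the media domains whose neverallow rules this commit relaxes; the comment should state that, and should say what a caller whose own tcp_socket neverallow still covers su gets (presumably a neverallow failure at build time, worth confirming). "On debug builds with root" is loose, since userdebug_or_eng selects the build variant while the rule is specifically about su's sockets; suggested wording: `# userdebug/eng only: every domain that calls add_service may use su's tcp_sockets for binder over TCP; callers' tcp_socket neverallows must exempt su.`. If a smaller footprint is wanted, the grant could live in a separate opt-in macro instead of add_service, but that is a design choice beyond this hunk.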
3
vendor/mediacodec.te
@ -34,5 +34,6 @@ neverallow mediacodec { file_type fs_type }:file execute_no_trans;
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow mediacodec domain:{ udp_socket rawip_socket } *;
neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
|