Merge "Allow odsign to stop itself."

Martijn Coenen 2021-07-28 11:50:22 +00:00 committed by Gerrit Code Review
commit 359aea7d49
6 changed files with 14 additions and 0 deletions


@ -54,6 +54,9 @@ domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
# Allow odsign to stop itself
set_prop(odsign, ctl_odsign_prop)
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
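Review bot: The new `set_prop(odsign, ctl_odsign_prop)` grant has no accompanying neverallow, unlike the `odsign_prop` grant two lines above it, so nothing at policy build time prevents a later change from letting another domain set `ctl.stop$odsign`. Consider adding `neverallow { domain -odsign -init } ctl_odsign_prop:property_service set;` beside it, after confirming that no existing domain with broad control-property access would trip the rule. The same applies to the identical hunk in the second copy of this file further down the page.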


@ -36,6 +36,7 @@ system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules


@ -168,6 +168,9 @@ ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
# Restrict access to stopping odsign
ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
# Restrict access to starting media.transcoding.
ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
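Review bot: Only the `ctl.stop$odsign` key receives the dedicated `ctl_odsign_prop` label here; `ctl.start$odsign` and `ctl.restart$odsign` are not listed in the visible lines, so they presumably keep whatever label the generic `ctl.` entry assigns, which is outside this hunk. If that is intentional because odsign only ever needs to stop itself, the comment should say so, for example `# Restrict access to stopping odsign; start/restart keep the default ctl label.`, so a later reader does not assume all control actions for the service are covered. The second copy of this file further down the page carries the same entry and comment.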


@ -58,6 +58,9 @@ domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
# Allow odsign to stop itself
set_prop(odsign, ctl_odsign_prop)
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;


@ -37,6 +37,7 @@ system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules


@ -169,6 +169,9 @@ ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
# Restrict access to stopping odsign
ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
# Restrict access to starting media.transcoding.
ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0