tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "More neverallows for default_android_service."

Browse source 
am: 64c8ddb123

Change-Id: I54336f7f52cbd19b56ea6c6584a921d655d23f71
This commit is contained in:
Steven Moreland 2020-01-21 14:18:44 -08:00 committed by android-build-merger
commit 41e8d29253
6 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/atrace.te
View file

@ -37,6 +37,7 @@ allow atrace {
-installd_service
-vold_service
-lpdump_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;

1
private/system_app.te
View file

@ -93,6 +93,7 @@ allow system_app {
-virtual_touchpad_service
-vold_service
-vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {

6
public/domain.te
View file

@ -500,9 +500,9 @@ neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmou
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager add;
neverallow * default_android_vndservice:service_manager { add find };
neverallow * default_android_hwservice:hwservice_manager { add find };
neverallow * default_android_service:service_manager *;
neverallow * default_android_vndservice:service_manager *;
neverallow * default_android_hwservice:hwservice_manager *;
# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security

1
public/dumpstate.te
View file

@ -230,6 +230,7 @@ allow dumpstate {
-virtual_touchpad_service
-vold_service
-vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {

1
public/shell.te
View file

@ -127,6 +127,7 @@ allow shell {
-virtual_touchpad_service
-vold_service
-vr_hwc_service
-default_android_service
}:service_manager find;
allow shell dumpstate:binder call;

1
public/traceur_app.te
View file

@ -21,6 +21,7 @@ allow traceur_app {
-virtual_touchpad_service
-vold_service
-vr_hwc_service
-default_android_service
}:service_manager find;
# Allow traceur_app to use atrace HAL