Merge "SEPolicy for boringssl_self_test." am: 02924043e3

am: 8b6e14f3c9

Change-Id: Ieb0f0e4ecc1f1bfa87f4ffec0b1179bcc714cbb2
Tobias Thierer 2019-09-07 17:17:24 -07:00 committed by android-build-merger
commit 444e8290c1
5 changed files with 31 additions and 2 deletions


@ -3,3 +3,4 @@
#
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0


@ -0,0 +1,22 @@
type boringssl_self_test, domain;
type boringssl_self_test_exec, system_file_type, exec_type, file_type;
type boringssl_self_test_marker, file_type;
typeattribute boringssl_self_test coredomain;
# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
init_daemon_domain(boringssl_self_test)
# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
# files.
allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
# No other process should be able to create these files because their existence causes the
# boringssl self test to be skipped.
neverallow {
domain
-boringssl_self_test
-init
-vendor_init
} boringssl_self_test_marker:file no_rw_file_perms;
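Review bot: The neverallow at the end of this file covers only class `file`, so the build would not fail if another domain were later granted `add_name`/`write` on the marker directory or `create` on a `boringssl_self_test_marker:lnk_file`. The comment above it says a marker's existence causes the self test to be skipped, and the existence check itself is not shown here, so it would be safer to pin the directory class as well, e.g. `neverallow { domain -boringssl_self_test -init -vendor_init } boringssl_self_test_marker:dir no_w_dir_perms;`. The comment should also state why `init` and `vendor_init` are exempt, since any exempt domain that gains write access to this type can suppress the test.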


@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
boringssl_self_test
charger_prop
cold_boot_done_prop
platform_compat_service


@ -89,6 +89,9 @@ userdebug_or_eng(`
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {


@ -83,6 +83,7 @@
/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
/dev/boringssl/selftest(/.*)? u:object_r:boringssl_self_test_marker:s0
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
@ -188,6 +189,7 @@
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
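Review bot: The new `/dev/boringssl/selftest(/.*)?` entry labels the marker directory and its contents, but nothing in this change gives the parent `/dev/boringssl` a label of its own, so it presumably falls under a generic `/dev` rule outside this hunk. If the skip decision is a path lookup, its integrity also depends on who can write to that parent directory and on the marker directory being created with the right label; the creator is not shown in this commit. I would add a comment above the entry naming the component that creates the directory and the labelling requirement, e.g. `# Created by <component>; must carry boringssl_self_test_marker before any marker file is written.`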