Merge "Add rules for an unix domain socket for system_server" am: d1b9526ea0
am: 0542be7d19
am: ba4e8fd064
Change-Id: If8f56000150447ef7930161f8c5d24c03525f483
commit
4ba36837ee
7 changed files with 29 additions and 0 deletions
|
@ -70,6 +70,9 @@ r_dir_file(app_zygote, vendor_overlay_file)
|
|||
allow app_zygote system_data_file:lnk_file r_file_perms;
|
||||
allow app_zygote system_data_file:file { getattr read map };
|
||||
|
||||
# Send unsolicited message to system_server
|
||||
unix_socket_send(app_zygote, system_unsolzygote, system_server)
|
||||
|
||||
#####
|
||||
##### Neverallow
|
||||
#####
|
||||
|
@ -136,6 +139,7 @@ neverallow app_zygote {
|
|||
domain
|
||||
-app_zygote
|
||||
-logd
|
||||
-system_server
|
||||
userdebug_or_eng(`-su')
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
}:unix_dgram_socket *;
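Review bot: The added `-system_server` exclusion in the `neverallow app_zygote { ... }:unix_dgram_socket *;` set lifts the assertion for every permission on system_server's datagram sockets, while the `unix_socket_send(app_zygote, system_unsolzygote, system_server)` call added earlier in this file only needs `sendto`. A companion assertion would keep the exemption as narrow as the grant: `neverallow app_zygote system_server:unix_dgram_socket ~{ sendto };`. Given the rules shown on this page it should compile, since `sendto` is the only permission the macro grants on that class. The neverallow statement opens outside this hunk, so only its exclusion list is visible here.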
|
||||
|
|
|
@ -65,6 +65,7 @@
|
|||
system_group_file
|
||||
system_jvmti_agent_prop
|
||||
system_passwd_file
|
||||
system_unsolzygote_socket
|
||||
tethering_service
|
||||
timezonedetector_service
|
||||
usb_serial_device
|
||||
|
|
|
@ -465,6 +465,7 @@
|
|||
/data/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
|
||||
/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
|
||||
/data/drm(/.*)? u:object_r:drm_data_file:s0
|
||||
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
|
||||
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
|
|
|
@ -14,6 +14,9 @@ tmpfs_domain(system_server)
|
|||
# Create a socket for connections from crash_dump.
|
||||
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
|
||||
|
||||
# Create a socket for connections from zygotes.
|
||||
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
|
||||
|
||||
allow system_server zygote_tmpfs:file read;
|
||||
allow system_server appdomain_tmpfs:file { getattr map read write };
|
||||
|
||||
|
@ -656,6 +659,9 @@ get_prop(system_server, apk_verity_prop)
|
|||
# Create a socket for connections from debuggerd.
|
||||
allow system_server system_ndebug_socket:sock_file create_file_perms;
|
||||
|
||||
# Create a socket for connections from zygotes.
|
||||
allow system_server system_unsolzygote_socket:sock_file create_file_perms;
|
||||
|
||||
# Manage cache files.
|
||||
allow system_server cache_file:lnk_file r_file_perms;
|
||||
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
|
||||
|
@ -974,6 +980,16 @@ neverallow system_server *:process dyntransition;
|
|||
# Only allow crash_dump to connect to system_ndebug_socket.
|
||||
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
|
||||
|
||||
# Only allow zygotes to connect to system_unsolzygote_socket.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-system_server
|
||||
-zygote
|
||||
-app_zygote
|
||||
-webview_zygote
|
||||
} system_unsolzygote_socket:sock_file { open write };
|
||||
|
||||
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
|
||||
neverallow {
|
||||
domain
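Review bot: The new `neverallow { domain -init -system_server -zygote -app_zygote -webview_zygote } system_unsolzygote_socket:sock_file { open write };` exempts `init`, but nothing on this page gives init a reason to write to this socket. The exclusion looks carried over from the `system_ndebug_socket` assertion just above it; if the policy still builds without it, drop `-init` so the assertion matches its own comment. That comment and the two `# Create a socket for connections from zygotes.` comments speak of connections, whereas the senders are granted `unix_socket_send`, which is datagram `sendto`. Wording such as `# Only zygotes may send datagrams to system_unsolzygote_socket.` would describe what is enforced. The flags neverallow that follows continues outside the hunk.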
|
||||
|
|
|
@ -77,6 +77,9 @@ allow webview_zygote same_process_hal_file:file { execute read open getattr map
|
|||
|
||||
allow webview_zygote system_data_file:lnk_file r_file_perms;
|
||||
|
||||
# Send unsolicited message to system_server
|
||||
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
|
||||
|
||||
#####
|
||||
##### Neverallow
|
||||
#####
|
||||
|
|
|
@ -176,6 +176,9 @@ dontaudit zygote self:global_capability_class_set sys_resource;
|
|||
# Allow zygote to use ashmem fds from system_server.
|
||||
allow zygote system_server:fd use;
|
||||
|
||||
# Send unsolicited message to system_server
|
||||
unix_socket_send(zygote, system_unsolzygote, system_server)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
|
@ -452,6 +452,7 @@ type rild_debug_socket, file_type;
|
|||
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
|
||||
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
|
||||
type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
|
||||
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
|
||||
type tombstoned_intercept_socket, file_type, coredomain_socket;
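Review bot: The new `system_unsolzygote_socket` type carries `mlstrustedobject`, which exempts the socket file from the MLS write constraints, and the declaration has no comment saying why. With that attribute the type-enforcement rules, in particular the `neverallow ... system_unsolzygote_socket:sock_file { open write }` added in the system_server policy, are what limit who can write to it. Presumably the attribute is needed because app_zygote and webview_zygote run at app MLS levels; that is inferred and should be confirmed. If so, record it next to the type, e.g. `# mlstrustedobject: written by zygotes running at app MLS levels; writers restricted by neverallow in system_server.te`.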
|
||||
|
|