Merge "Add rules for an unix domain socket for system_server" am: d1b9526ea0 am: 0542be7d19 am: ba4e8fd064

Change-Id: If8f56000150447ef7930161f8c5d24c03525f483
This commit is contained in:
Automerger Merge Worker 2020-01-17 22:30:22 +00:00
commit 4ba36837ee
7 changed files with 29 additions and 0 deletions

View file

@ -70,6 +70,9 @@ r_dir_file(app_zygote, vendor_overlay_file)
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
# Send unsolicited message to system_server
unix_socket_send(app_zygote, system_unsolzygote, system_server)
#####
##### Neverallow
#####
@ -136,6 +139,7 @@ neverallow app_zygote {
domain
-app_zygote
-logd
-system_server
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
}:unix_dgram_socket *;

View file

@ -65,6 +65,7 @@
system_group_file
system_jvmti_agent_prop
system_passwd_file
system_unsolzygote_socket
tethering_service
timezonedetector_service
usb_serial_device

View file

@ -465,6 +465,7 @@
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0

View file

@ -14,6 +14,9 @@ tmpfs_domain(system_server)
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
# Create a socket for connections from zygotes.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
allow system_server zygote_tmpfs:file read;
allow system_server appdomain_tmpfs:file { getattr map read write };
@ -656,6 +659,9 @@ get_prop(system_server, apk_verity_prop)
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
# Create a socket for connections from zygotes.
allow system_server system_unsolzygote_socket:sock_file create_file_perms;
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
@ -974,6 +980,16 @@ neverallow system_server *:process dyntransition;
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
domain
-init
-system_server
-zygote
-app_zygote
-webview_zygote
} system_unsolzygote_socket:sock_file { open write };
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
neverallow {
domain

View file

@ -77,6 +77,9 @@ allow webview_zygote same_process_hal_file:file { execute read open getattr map
allow webview_zygote system_data_file:lnk_file r_file_perms;
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
#####
##### Neverallow
#####

View file

@ -176,6 +176,9 @@ dontaudit zygote self:global_capability_class_set sys_resource;
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
# Send unsolicited message to system_server
unix_socket_send(zygote, system_unsolzygote, system_server)
###
### neverallow rules
###

View file

@ -452,6 +452,7 @@ type rild_debug_socket, file_type;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;