tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Allow system_server access to hidraw devices." into main am: 27bb0c60f6

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2855126

Change-Id: I6afaec68f2dc3f3436c6894d36e30ebcce874642
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Daniel Norman 2023-12-01 18:45:33 +00:00 committed by Automerger Merge Worker
commit 4ea95b1730
6 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
contexts/plat_file_contexts_test
View file

@ -150,6 +150,8 @@
/dev/gnss10 gnss_device /dev/gnss10 gnss_device
/dev/graphics graphics_device /dev/graphics graphics_device
/dev/graphics/test graphics_device /dev/graphics/test graphics_device
/dev/hidraw0 hidraw_device
/dev/hidraw1 hidraw_device
/dev/hw_random hw_random_device /dev/hw_random hw_random_device
/dev/hwbinder hwbinder_device /dev/hwbinder hwbinder_device
/dev/input input_device /dev/input input_device

3
private/app_neverallows.te
View file

@ -295,3 +295,6 @@ neverallow {
# anon_inode usages like userfaultfd and io_uring. This prevents us from # anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage. # creating a more fine-grained neverallow policy for each anon_inode usage.
neverallow all_untrusted_apps domain:anon_inode *; neverallow all_untrusted_apps domain:anon_inode *;
# Do not allow untrusted app access to hidraw devices.
neverallow all_untrusted_apps hidraw_device:chr_file *;

1
private/compat/34.0/34.0.ignore.cil
View file

@ -16,6 +16,7 @@
hal_macsec_service hal_macsec_service
hal_remotelyprovisionedcomponent_avf_service hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service hal_threadnetwork_service
hidraw_device
virtual_camera_service virtual_camera_service
ot_daemon_service ot_daemon_service
pm_archiving_enabled_prop pm_archiving_enabled_prop

1
private/file_contexts
View file

@ -127,6 +127,7 @@
/dev/fuse u:object_r:fuse_device:s0 /dev/fuse u:object_r:fuse_device:s0
/dev/gnss[0-9]+ u:object_r:gnss_device:s0 /dev/gnss[0-9]+ u:object_r:gnss_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0 /dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/hidraw[0-9]+ u:object_r:hidraw_device:s0
/dev/hw_random u:object_r:hw_random_device:s0 /dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0 /dev/hwbinder u:object_r:hwbinder_device:s0
/dev/input(/.*)? u:object_r:input_device:s0 /dev/input(/.*)? u:object_r:input_device:s0

2
private/system_server.te
View file

@ -480,6 +480,8 @@ allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms; allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms; allow system_server audio_device:dir r_dir_perms;
allow system_server uhid_device:chr_file rw_file_perms; allow system_server uhid_device:chr_file rw_file_perms;
allow system_server hidraw_device:dir r_dir_perms;
allow system_server hidraw_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms; allow system_server audio_device:chr_file rw_file_perms;

1
public/device.te
View file

@ -64,6 +64,7 @@ type gnss_device, dev_type;
type properties_device, dev_type; type properties_device, dev_type;
type properties_serial, dev_type; type properties_serial, dev_type;
type property_info, dev_type; type property_info, dev_type;
type hidraw_device, dev_type;
# All devices have a uart for the hci # All devices have a uart for the hci
# attach service. The uart dev node # attach service. The uart dev node