Remove policy for non-existent devices
We still had policy for devices which do not currently exist in Microdroid. Remove the unused types and all references to them in the policy, since they have no effect and just bloat the policy. While I'm here, delete all the bug_map entries. We don't use the bug_map in Microdroid, and this is just an outdated snapshot from host policy. Bug: 274752167 Test: atest MicrodroidTests Test: composd-cmd test-compile Change-Id: I3ab90f8e3517c41eff0052a0c8f6610fa35ccdcb
This commit is contained in:
parent
1b382aa8b0
commit
4f92d5bd99
9 changed files with 0 additions and 88 deletions
@ -1,35 +0,0 @@
|
||||||
dnsmasq netd fifo_file b/77868789
|
|
||||||
dnsmasq netd unix_stream_socket b/77868789
|
|
||||||
gmscore_app system_data_file dir b/146166941
|
|
||||||
init app_data_file file b/77873135
|
|
||||||
init cache_file blk_file b/77873135
|
|
||||||
init logpersist file b/77873135
|
|
||||||
init nativetest_data_file dir b/77873135
|
|
||||||
init pstorefs dir b/77873135
|
|
||||||
init shell_data_file dir b/77873135
|
|
||||||
init shell_data_file file b/77873135
|
|
||||||
init shell_data_file lnk_file b/77873135
|
|
||||||
init shell_data_file sock_file b/77873135
|
|
||||||
init system_data_file chr_file b/77873135
|
|
||||||
isolated_app privapp_data_file dir b/119596573
|
|
||||||
isolated_app app_data_file dir b/120394782
|
|
||||||
mediaextractor app_data_file file b/77923736
|
|
||||||
mediaextractor radio_data_file file b/77923736
|
|
||||||
mediaprovider cache_file blk_file b/77925342
|
|
||||||
mediaprovider mnt_media_rw_file dir b/77925342
|
|
||||||
mediaprovider shell_data_file dir b/77925342
|
|
||||||
mediaswcodec ashmem_device chr_file b/142679232
|
|
||||||
netd priv_app unix_stream_socket b/77870037
|
|
||||||
netd untrusted_app unix_stream_socket b/77870037
|
|
||||||
netd untrusted_app_25 unix_stream_socket b/77870037
|
|
||||||
netd untrusted_app_27 unix_stream_socket b/77870037
|
|
||||||
netd untrusted_app_29 unix_stream_socket b/77870037
|
|
||||||
platform_app nfc_data_file dir b/74331887
|
|
||||||
system_server crash_dump process b/73128755
|
|
||||||
system_server overlayfs_file file b/142390309
|
|
||||||
system_server sdcardfs file b/77856826
|
|
||||||
system_server zygote process b/77856826
|
|
||||||
untrusted_app untrusted_app netlink_route_socket b/155595000
|
|
||||||
vold system_data_file file b/124108085
|
|
||||||
zygote untrusted_app_25 process b/77925912
|
|
||||||
zygote labeledfs filesystem b/170748799
|
|
|
@ -185,10 +185,6 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
||||||
# named pipes, and named sockets). We start off with a safe set.
|
# named pipes, and named sockets). We start off with a safe set.
|
||||||
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
|
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
|
||||||
|
|
||||||
# If a domain has ioctl access to tun_device, it must clearly enumerate the
|
|
||||||
# ioctls used. Safe defaults are listed below.
|
|
||||||
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
|
|
||||||
|
|
||||||
# Allow a process to make a determination whether a file descriptor
|
# Allow a process to make a determination whether a file descriptor
|
||||||
# for a plain file or pipe (fifo_file) is a tty. Note that granting
|
# for a plain file or pipe (fifo_file) is a tty. Note that granting
|
||||||
# this allowlist to domain does not grant the ioctl permission to
|
# this allowlist to domain does not grant the ioctl permission to
|
||||||
|
@ -229,8 +225,6 @@ allow domain cgroup_v2:dir search;
|
||||||
allow { domain } cgroup_v2:dir w_dir_perms;
|
allow { domain } cgroup_v2:dir w_dir_perms;
|
||||||
allow { domain } cgroup_v2:file w_file_perms;
|
allow { domain } cgroup_v2:file w_file_perms;
|
||||||
|
|
||||||
allow domain cgroup_rc_file:dir search;
|
|
||||||
allow domain cgroup_rc_file:file r_file_perms;
|
|
||||||
allow domain task_profiles_file:file r_file_perms;
|
allow domain task_profiles_file:file r_file_perms;
|
||||||
allow domain task_profiles_api_file:file r_file_perms;
|
allow domain task_profiles_api_file:file r_file_perms;
|
||||||
|
|
||||||
|
@ -533,12 +527,6 @@ neverallow domain {
|
||||||
neverallow domain cgroup:file create;
|
neverallow domain cgroup:file create;
|
||||||
neverallow domain cgroup_v2:file create;
|
neverallow domain cgroup_v2:file create;
|
||||||
|
|
||||||
# Only apps targetting < Q are allowed to open /dev/ashmem directly.
|
|
||||||
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
|
|
||||||
neverallow {
|
|
||||||
domain
|
|
||||||
} ashmem_device:chr_file open;
|
|
||||||
|
|
||||||
neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
|
neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
|
||||||
|
|
||||||
# Linux lockdown "integrity" level is enforced for user builds.
|
# Linux lockdown "integrity" level is enforced for user builds.
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
allow fs_type self:filesystem associate;
|
allow fs_type self:filesystem associate;
|
||||||
allow cgroup tmpfs:filesystem associate;
|
allow cgroup tmpfs:filesystem associate;
|
||||||
allow cgroup_v2 tmpfs:filesystem associate;
|
allow cgroup_v2 tmpfs:filesystem associate;
|
||||||
allow cgroup_rc_file tmpfs:filesystem associate;
|
|
||||||
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
|
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
|
||||||
allow dev_type tmpfs:filesystem associate;
|
allow dev_type tmpfs:filesystem associate;
|
||||||
allow encryptedstore_file encryptedstore_fs:filesystem associate;
|
allow encryptedstore_file encryptedstore_fs:filesystem associate;
|
||||||
|
|
|
@ -32,8 +32,6 @@
|
||||||
# Devices
|
# Devices
|
||||||
#
|
#
|
||||||
/dev(/.*)? u:object_r:device:s0
|
/dev(/.*)? u:object_r:device:s0
|
||||||
/dev/ashmem u:object_r:ashmem_device:s0
|
|
||||||
/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
|
|
||||||
/dev/block(/.*)? u:object_r:block_device:s0
|
/dev/block(/.*)? u:object_r:block_device:s0
|
||||||
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
|
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
|
||||||
/dev/block/loop[0-9]* u:object_r:loop_device:s0
|
/dev/block/loop[0-9]* u:object_r:loop_device:s0
|
||||||
|
@ -41,14 +39,8 @@
|
||||||
/dev/block/ram[0-9]* u:object_r:ram_device:s0
|
/dev/block/ram[0-9]* u:object_r:ram_device:s0
|
||||||
/dev/block/zram[0-9]* u:object_r:ram_device:s0
|
/dev/block/zram[0-9]* u:object_r:ram_device:s0
|
||||||
/dev/console u:object_r:console_device:s0
|
/dev/console u:object_r:console_device:s0
|
||||||
/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
|
|
||||||
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
|
|
||||||
/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
|
|
||||||
/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
|
|
||||||
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
|
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
|
||||||
/dev/device-mapper u:object_r:dm_device:s0
|
/dev/device-mapper u:object_r:dm_device:s0
|
||||||
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
|
|
||||||
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
|
|
||||||
/dev/fuse u:object_r:fuse_device:s0
|
/dev/fuse u:object_r:fuse_device:s0
|
||||||
/dev/hvc0 u:object_r:serial_device:s0
|
/dev/hvc0 u:object_r:serial_device:s0
|
||||||
/dev/hvc1 u:object_r:serial_device:s0
|
/dev/hvc1 u:object_r:serial_device:s0
|
||||||
|
@ -59,7 +51,6 @@
|
||||||
/dev/ptmx u:object_r:ptmx_device:s0
|
/dev/ptmx u:object_r:ptmx_device:s0
|
||||||
/dev/kmsg u:object_r:kmsg_device:s0
|
/dev/kmsg u:object_r:kmsg_device:s0
|
||||||
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
|
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
|
||||||
/dev/kvm u:object_r:kvm_device:s0
|
|
||||||
/dev/null u:object_r:null_device:s0
|
/dev/null u:object_r:null_device:s0
|
||||||
/dev/open-dice0 u:object_r:open_dice_device:s0
|
/dev/open-dice0 u:object_r:open_dice_device:s0
|
||||||
/dev/random u:object_r:random_device:s0
|
/dev/random u:object_r:random_device:s0
|
||||||
|
@ -73,17 +64,10 @@
|
||||||
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
|
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
|
||||||
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
|
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
|
||||||
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
|
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
|
||||||
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
|
|
||||||
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
|
|
||||||
/dev/tty u:object_r:owntty_device:s0
|
/dev/tty u:object_r:owntty_device:s0
|
||||||
/dev/tty[0-9]* u:object_r:tty_device:s0
|
/dev/tty[0-9]* u:object_r:tty_device:s0
|
||||||
/dev/ttyS[0-9]* u:object_r:serial_device:s0
|
/dev/ttyS[0-9]* u:object_r:serial_device:s0
|
||||||
/dev/tun u:object_r:tun_device:s0
|
|
||||||
/dev/uhid u:object_r:uhid_device:s0
|
|
||||||
/dev/uinput u:object_r:uhid_device:s0
|
|
||||||
/dev/uio[0-9]* u:object_r:uio_device:s0
|
|
||||||
/dev/urandom u:object_r:random_device:s0
|
/dev/urandom u:object_r:random_device:s0
|
||||||
/dev/vhost-vsock u:object_r:kvm_device:s0
|
|
||||||
/dev/vsock u:object_r:vsock_device:s0
|
/dev/vsock u:object_r:vsock_device:s0
|
||||||
/dev/zero u:object_r:zero_device:s0
|
/dev/zero u:object_r:zero_device:s0
|
||||||
/dev/__properties__ u:object_r:properties_device:s0
|
/dev/__properties__ u:object_r:properties_device:s0
|
||||||
|
|
|
@ -27,7 +27,6 @@ allow init vd_device:blk_file relabelto;
|
||||||
allow init {
|
allow init {
|
||||||
dev_type
|
dev_type
|
||||||
-hw_random_device
|
-hw_random_device
|
||||||
-kvm_device
|
|
||||||
}:chr_file setattr;
|
}:chr_file setattr;
|
||||||
|
|
||||||
# /dev/__null__ node created by init.
|
# /dev/__null__ node created by init.
|
||||||
|
@ -40,9 +39,6 @@ allow init property_type:file { append create getattr map open read relabelto re
|
||||||
# /dev/__properties__/property_info
|
# /dev/__properties__/property_info
|
||||||
allow init properties_device:file create_file_perms;
|
allow init properties_device:file create_file_perms;
|
||||||
allow init property_info:file relabelto;
|
allow init property_info:file relabelto;
|
||||||
# /dev/event-log-tags
|
|
||||||
allow init device:file relabelfrom;
|
|
||||||
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
|
|
||||||
# /dev/socket
|
# /dev/socket
|
||||||
allow init { device socket_device dm_user_device }:dir relabelto;
|
allow init { device socket_device dm_user_device }:dir relabelto;
|
||||||
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
|
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
|
||||||
|
@ -114,7 +110,6 @@ allow init tmpfs:dir create_dir_perms;
|
||||||
allow init tmpfs:dir mounton;
|
allow init tmpfs:dir mounton;
|
||||||
allow init cgroup:dir create_dir_perms;
|
allow init cgroup:dir create_dir_perms;
|
||||||
allow init cgroup:file rw_file_perms;
|
allow init cgroup:file rw_file_perms;
|
||||||
allow init cgroup_rc_file:file rw_file_perms;
|
|
||||||
allow init cgroup_desc_file:file r_file_perms;
|
allow init cgroup_desc_file:file r_file_perms;
|
||||||
allow init cgroup_desc_api_file:file r_file_perms;
|
allow init cgroup_desc_api_file:file r_file_perms;
|
||||||
allow init cgroup_v2:dir { mounton create_dir_perms};
|
allow init cgroup_v2:dir { mounton create_dir_perms};
|
||||||
|
@ -181,7 +176,6 @@ allow init {
|
||||||
file_type
|
file_type
|
||||||
-apex_info_file
|
-apex_info_file
|
||||||
-exec_type
|
-exec_type
|
||||||
-runtime_event_log_tags_file
|
|
||||||
-shell_data_file
|
-shell_data_file
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
|
|
|
@ -1,8 +1,5 @@
|
||||||
typeattribute shell coredomain;
|
typeattribute shell coredomain;
|
||||||
|
|
||||||
# allow shell input injection
|
|
||||||
allow shell uhid_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
# Perform SELinux access checks, needed for CTS
|
# Perform SELinux access checks, needed for CTS
|
||||||
selinux_check_access(shell)
|
selinux_check_access(shell)
|
||||||
selinux_check_context(shell)
|
selinux_check_context(shell)
|
||||||
|
|
|
@ -1,24 +1,17 @@
|
||||||
type ashmem_device, dev_type;
|
|
||||||
type ashmem_libcutils_device, dev_type;
|
|
||||||
type block_device, dev_type;
|
type block_device, dev_type;
|
||||||
type console_device, dev_type;
|
type console_device, dev_type;
|
||||||
type device, dev_type, fs_type;
|
type device, dev_type, fs_type;
|
||||||
type dm_device, dev_type;
|
type dm_device, dev_type;
|
||||||
type dm_user_device, dev_type;
|
type dm_user_device, dev_type;
|
||||||
type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
|
|
||||||
type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
|
|
||||||
type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
|
|
||||||
type fuse_device, dev_type;
|
type fuse_device, dev_type;
|
||||||
type hw_random_device, dev_type;
|
type hw_random_device, dev_type;
|
||||||
type kmsg_debug_device, dev_type;
|
type kmsg_debug_device, dev_type;
|
||||||
type kmsg_device, dev_type;
|
type kmsg_device, dev_type;
|
||||||
type kvm_device, dev_type;
|
|
||||||
type loop_control_device, dev_type;
|
type loop_control_device, dev_type;
|
||||||
type loop_device, dev_type;
|
type loop_device, dev_type;
|
||||||
type null_device, dev_type;
|
type null_device, dev_type;
|
||||||
type open_dice_device, dev_type;
|
type open_dice_device, dev_type;
|
||||||
type owntty_device, dev_type;
|
type owntty_device, dev_type;
|
||||||
type ppp_device, dev_type;
|
|
||||||
type properties_device, dev_type;
|
type properties_device, dev_type;
|
||||||
type properties_serial, dev_type;
|
type properties_serial, dev_type;
|
||||||
type property_info, dev_type;
|
type property_info, dev_type;
|
||||||
|
@ -30,10 +23,6 @@ type serial_device, dev_type;
|
||||||
type log_device, dev_type;
|
type log_device, dev_type;
|
||||||
type socket_device, dev_type;
|
type socket_device, dev_type;
|
||||||
type tty_device, dev_type;
|
type tty_device, dev_type;
|
||||||
type tun_device, dev_type;
|
|
||||||
type uhid_device, dev_type;
|
|
||||||
type uio_device, dev_type;
|
|
||||||
type userdata_sysdev, dev_type;
|
|
||||||
type vd_device, dev_type;
|
type vd_device, dev_type;
|
||||||
type vsock_device, dev_type;
|
type vsock_device, dev_type;
|
||||||
type zero_device, dev_type;
|
type zero_device, dev_type;
|
||||||
|
|
|
@ -8,14 +8,12 @@ type authfs_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
type authfs_service_socket, file_type, coredomain_socket;
|
type authfs_service_socket, file_type, coredomain_socket;
|
||||||
type cgroup_desc_api_file, file_type, system_file_type;
|
type cgroup_desc_api_file, file_type, system_file_type;
|
||||||
type cgroup_desc_file, file_type, system_file_type;
|
type cgroup_desc_file, file_type, system_file_type;
|
||||||
type cgroup_rc_file, file_type;
|
|
||||||
type extra_apk_file, file_type;
|
type extra_apk_file, file_type;
|
||||||
type file_contexts_file, file_type, system_file_type;
|
type file_contexts_file, file_type, system_file_type;
|
||||||
type linkerconfig_file, file_type;
|
type linkerconfig_file, file_type;
|
||||||
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
|
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
type property_contexts_file, file_type, system_file_type;
|
type property_contexts_file, file_type, system_file_type;
|
||||||
type property_socket, file_type, coredomain_socket;
|
type property_socket, file_type, coredomain_socket;
|
||||||
type runtime_event_log_tags_file, file_type;
|
|
||||||
type sepolicy_file, file_type, system_file_type;
|
type sepolicy_file, file_type, system_file_type;
|
||||||
type service_contexts_file, file_type, system_file_type;
|
type service_contexts_file, file_type, system_file_type;
|
||||||
type shell_data_file, file_type, data_file_type, core_data_file_type;
|
type shell_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
|
@ -49,7 +49,6 @@ allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom }
|
||||||
allow vendor_init {
|
allow vendor_init {
|
||||||
file_type
|
file_type
|
||||||
-exec_type
|
-exec_type
|
||||||
-runtime_event_log_tags_file
|
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
|
@ -144,6 +143,5 @@ allow vendor_init self:capability sys_nice;
|
||||||
# chown/chmod on devices, e.g. /dev/ttyHS0
|
# chown/chmod on devices, e.g. /dev/ttyHS0
|
||||||
allow vendor_init {
|
allow vendor_init {
|
||||||
dev_type
|
dev_type
|
||||||
-kvm_device
|
|
||||||
-hw_random_device
|
-hw_random_device
|
||||||
}:chr_file setattr;
|
}:chr_file setattr;
|
||||||
|
|