Merge "selinux: Allow system_server to access files in iorapd dir." into rvc-dev am: 50f13cfc82
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/11796673 Change-Id: I0f2f0f4565c6bdde474ee8d12863303ccbfa219d
This commit is contained in:
commit
5dff749c63
2 changed files with 16 additions and 0 deletions
|
@ -46,6 +46,12 @@ allow iorapd system_file:file rx_file_perms;
|
||||||
allow iorapd iorap_inode2filename:process signull;
|
allow iorapd iorap_inode2filename:process signull;
|
||||||
allow iorapd iorap_prefetcherd:process signull;
|
allow iorapd iorap_prefetcherd:process signull;
|
||||||
|
|
||||||
|
# Allowing system_server to check for the existence and size of files under iorapd
|
||||||
|
# dir without collecting any sensitive app data.
|
||||||
|
# This is used to predict if iorapd is doing prefetching or not.
|
||||||
|
allow system_server iorapd_data_file:dir { getattr open read search };
|
||||||
|
allow system_server iorapd_data_file:file getattr;
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
@ -59,6 +65,7 @@ neverallow {
|
||||||
domain
|
domain
|
||||||
-init
|
-init
|
||||||
-iorapd
|
-iorapd
|
||||||
|
-system_server
|
||||||
} iorapd_data_file:dir *;
|
} iorapd_data_file:dir *;
|
||||||
|
|
||||||
neverallow {
|
neverallow {
|
||||||
|
@ -73,6 +80,7 @@ neverallow {
|
||||||
-kernel
|
-kernel
|
||||||
-vendor_init
|
-vendor_init
|
||||||
-iorapd
|
-iorapd
|
||||||
|
-system_server
|
||||||
} { iorapd_data_file }:notdevfile_class_set *;
|
} { iorapd_data_file }:notdevfile_class_set *;
|
||||||
|
|
||||||
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
|
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
|
||||||
|
|
|
@ -46,6 +46,12 @@ allow iorapd system_file:file rx_file_perms;
|
||||||
allow iorapd iorap_inode2filename:process signull;
|
allow iorapd iorap_inode2filename:process signull;
|
||||||
allow iorapd iorap_prefetcherd:process signull;
|
allow iorapd iorap_prefetcherd:process signull;
|
||||||
|
|
||||||
|
# Allowing system_server to check for the existence and size of files under iorapd
|
||||||
|
# dir without collecting any sensitive app data.
|
||||||
|
# This is used to predict if iorapd is doing prefetching or not.
|
||||||
|
allow system_server iorapd_data_file:dir { getattr open read search };
|
||||||
|
allow system_server iorapd_data_file:file getattr;
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
@ -59,6 +65,7 @@ neverallow {
|
||||||
domain
|
domain
|
||||||
-init
|
-init
|
||||||
-iorapd
|
-iorapd
|
||||||
|
-system_server
|
||||||
} iorapd_data_file:dir *;
|
} iorapd_data_file:dir *;
|
||||||
|
|
||||||
neverallow {
|
neverallow {
|
||||||
|
@ -73,6 +80,7 @@ neverallow {
|
||||||
-kernel
|
-kernel
|
||||||
-vendor_init
|
-vendor_init
|
||||||
-iorapd
|
-iorapd
|
||||||
|
-system_server
|
||||||
} { iorapd_data_file }:notdevfile_class_set *;
|
} { iorapd_data_file }:notdevfile_class_set *;
|
||||||
|
|
||||||
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
|
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
|
||||||
|
|
Loading…
Reference in a new issue