Merge "selinux: Allow system_server to access files in iorapd dir." into rvc-dev am: 50f13cfc82

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/11796673

Change-Id: I0f2f0f4565c6bdde474ee8d12863303ccbfa219d
TreeHugger Robot 2020-06-10 22:07:25 +00:00 committed by Automerger Merge Worker
commit 5dff749c63
2 changed files with 16 additions and 0 deletions


@ -46,6 +46,12 @@ allow iorapd system_file:file rx_file_perms;
allow iorapd iorap_inode2filename:process signull; allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull; allow iorapd iorap_prefetcherd:process signull;
# Allowing system_server to check for the existence and size of files under iorapd
# dir without collecting any sensitive app data.
# This is used to predict if iorapd is doing prefetching or not.
allow system_server iorapd_data_file:dir { getattr open read search };
allow system_server iorapd_data_file:file getattr;
### ###
### neverallow rules ### neverallow rules
### ###
@ -59,6 +65,7 @@ neverallow {
domain domain
-init -init
-iorapd -iorapd
-system_server
} iorapd_data_file:dir *; } iorapd_data_file:dir *;
neverallow { neverallow {
@ -73,6 +80,7 @@ neverallow {
-kernel -kernel
-vendor_init -vendor_init
-iorapd -iorapd
-system_server
} { iorapd_data_file }:notdevfile_class_set *; } { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder # Only system_server and shell (for dumpsys) can interact with iorapd over binder
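Review bot: Adding `-system_server` to both neverallow exemption lists (the `iorapd_data_file:dir *` rule and the `notdevfile_class_set *` rule) drops the build-time guard for system_server entirely, while the new allow rules grant only `dir { getattr open read search }` and `file getattr`. The comment's claim that no sensitive app data is collected then rests on the allow rules alone, so a later allow granting `open` or `read` on these files would not trip any neverallow. Consider pairing the exemption with narrow rules such as `neverallow system_server iorapd_data_file:dir ~{ getattr open read search };` and `neverallow system_server iorapd_data_file:notdevfile_class_set ~{ getattr };`. The second file section on this page carries the same change and the same gap. The first neverallow block opens above its hunk, so its full exemption list is not visible here.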


@ -46,6 +46,12 @@ allow iorapd system_file:file rx_file_perms;
allow iorapd iorap_inode2filename:process signull; allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull; allow iorapd iorap_prefetcherd:process signull;
# Allowing system_server to check for the existence and size of files under iorapd
# dir without collecting any sensitive app data.
# This is used to predict if iorapd is doing prefetching or not.
allow system_server iorapd_data_file:dir { getattr open read search };
allow system_server iorapd_data_file:file getattr;
### ###
### neverallow rules ### neverallow rules
### ###
@ -59,6 +65,7 @@ neverallow {
domain domain
-init -init
-iorapd -iorapd
-system_server
} iorapd_data_file:dir *; } iorapd_data_file:dir *;
neverallow { neverallow {
@ -73,6 +80,7 @@ neverallow {
-kernel -kernel
-vendor_init -vendor_init
-iorapd -iorapd
-system_server
} { iorapd_data_file }:notdevfile_class_set *; } { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder # Only system_server and shell (for dumpsys) can interact with iorapd over binder