From 5e37271df876e5334586cb1ffc923f375eb736cb Mon Sep 17 00:00:00 2001 
From: Nick Kralevich
Date: Thu, 27 Sep 2018 10:21:37 -0700
Subject: [PATCH] Introduce system_file_type

system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
---
private/atrace.te | 2 +-
private/audioserver.te | 2 +-
private/blank_screen.te | 2 +-
private/blkid.te | 2 +-
private/bpfloader.te | 2 +-
private/dexoptanalyzer.te | 2 +-
private/hal_allocator_default.te | 2 +-
private/hal_system_suspend_default.te | 2 +-
private/incident.te | 2 +-
private/incident_helper.te | 2 +-
private/incidentd.te | 2 +-
private/mdnsd.te | 2 +-
private/perfetto.te | 2 +-
private/stats.te | 2 +-
private/storaged.te | 2 +-
private/surfaceflinger.te | 2 +-
private/traced.te | 2 +-
private/traced_probes.te | 2 +-
private/wait_for_keymaster.te | 2 +-
public/adbd.te | 2 +-
public/attributes | 4 ++++
public/bootanim.te | 2 +-
public/bootstat.te | 2 +-
public/bufferhubd.te | 2 +-
public/cameraserver.te | 2 +-
public/clatd.te | 2 +-
public/cppreopts.te | 2 +-
public/crash_dump.te | 2 +-
public/dex2oat.te | 2 +-
public/dhcp.te | 2 +-
public/dnsmasq.te | 2 +-
public/domain.te | 10 ++++-----
public/drmserver.te | 2 +-
public/dumpstate.te | 2 +-
public/e2fs.te | 2 +-
public/file.te | 30 +++++++++++++--------------
public/fingerprintd.te | 2 +-
public/fsck.te | 2 +-
public/gatekeeperd.te | 2 +-
public/healthd.te | 2 +-
public/hwservicemanager.te | 2 +-
public/idmap.te | 2 +-
public/init.te | 14 ++++++-------
public/inputflinger.te | 2 +-
public/install_recovery.te | 2 +-
public/installd.te | 2 +-
public/keystore.te | 2 +-
public/llkd.te | 2 +-
public/lmkd.te | 2 +-
public/logd.te | 2 +-
public/mediadrmserver.te | 2 +-
public/mediaextractor.te | 2 +-
public/mediametrics.te | 2 +-
public/mediaserver.te | 2 +-
public/mtp.te | 2 +-
public/netd.te | 2 +-
public/netutils_wrapper.te | 2 +-
public/otapreopt_chroot.te | 2 +-
public/otapreopt_slot.te | 2 +-
public/performanced.te | 2 +-
public/perfprofd.te | 2 +-
public/ppp.te | 2 +-
public/preopt2cachename.te | 2 +-
public/profman.te | 2 +-
public/racoon.te | 2 +-
public/recovery_persist.te | 2 +-
public/recovery_refresh.te | 2 +-
public/runas.te | 2 +-
public/sdcardd.te | 2 +-
public/servicemanager.te | 2 +-
public/sgdisk.te | 2 +-
public/shell.te | 2 +-
public/statsd.te | 2 +-
public/su.te | 2 +-
public/thermalserviced.te | 2 +-
public/tombstoned.te | 2 +-
public/toolbox.te | 2 +-
public/tzdatacheck.te | 2 +-
public/uncrypt.te | 2 +-
public/update_engine.te | 2 +-
public/update_verifier.te | 2 +-
public/usbd.te | 2 +-
public/vdc.te | 2 +-
public/vendor_init.te | 13 +++++++-----
public/virtual_touchpad.te | 2 +-
public/vold.te | 2 +-
public/vold_prepare_subdirs.te | 2 +-
public/vr_hwc.te | 2 +-
public/watchdogd.te | 2 +-
public/wificond.te | 2 +-
public/wpantund.te | 2 +-
public/zygote.te | 2 +-
tests/sepolicy_tests.py | 6 ++++++
93 files changed, 132 insertions(+), 119 deletions(-)

diff --git a/private/atrace.te b/private/atrace.te
index 1b86d3e1d..ac9bedbfa 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -2,7 +2,7 @@
 # It is spawned either by traced_probes or by init for the boottrace service.
 type atrace, domain, coredomain;
-type atrace_exec, exec_type, file_type;
+type atrace_exec, exec_type, file_type, system_file_type;
 # boottrace services uses /data/misc/boottrace/categories
 allow atrace boottrace_data_file:dir search;
diff --git a/private/audioserver.te b/private/audioserver.te
index 3c20268ea..09a0a9743 100644
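Review bot: The new attribute is appended after `file_type` in this hunk (`type atrace_exec, exec_type, file_type, system_file_type;`), whereas the bulk of the patch inserts it first (`type X_exec, system_file_type, exec_type, file_type;`); private/audioserver.te, private/blank_screen.te and public/adbd.te follow the atrace order. The compiled policy is identical either way, but a single mechanical convention is easier to grep for and easier to check in the sepolicy tests the description promises. Pick one order for all 90-odd declarations; `system_file_type, exec_type, file_type` matches most of the change.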
--- a/private/audioserver.te +++ b/private/audioserver.te @@ -2,7 +2,7 @@ typeattribute audioserver coredomain; -type audioserver_exec, exec_type, file_type; +type audioserver_exec, exec_type, file_type, system_file_type; init_daemon_domain(audioserver) r_dir_file(audioserver, sdcard_type) diff --git a/private/blank_screen.te b/private/blank_screen.te index 43d273bd0..51310d180 100644 --- a/private/blank_screen.te +++ b/private/blank_screen.te @@ -1,5 +1,5 @@ type blank_screen, domain, coredomain; -type blank_screen_exec, exec_type, file_type; +type blank_screen_exec, exec_type, file_type, system_file_type; init_daemon_domain(blank_screen) diff --git a/private/blkid.te b/private/blkid.te index 090912b82..4e972ab95 100644 --- a/private/blkid.te +++ b/private/blkid.te @@ -2,7 +2,7 @@ typeattribute blkid coredomain; -type blkid_exec, exec_type, file_type; +type blkid_exec, system_file_type, exec_type, file_type; # Allowed read-only access to encrypted devices to extract UUID/label allow blkid block_device:dir search; diff --git a/private/bpfloader.te b/private/bpfloader.te index 0b3381177..83a74a209 100644 --- a/private/bpfloader.te +++ b/private/bpfloader.te @@ -1,6 +1,6 @@ # bpf program loader type bpfloader, domain; -type bpfloader_exec, exec_type, file_type; +type bpfloader_exec, system_file_type, exec_type, file_type; typeattribute bpfloader coredomain; # Process need CAP_NET_ADMIN to run bpf programs as cgroup filter diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te index 7d01ef5b8..212608bca 100644 --- a/private/dexoptanalyzer.te +++ b/private/dexoptanalyzer.te @@ -1,6 +1,6 @@ # dexoptanalyzer type dexoptanalyzer, domain, coredomain, mlstrustedsubject; -type dexoptanalyzer_exec, exec_type, file_type; +type dexoptanalyzer_exec, system_file_type, exec_type, file_type; # Reading an APK opens a ZipArchive, which unpack to tmpfs. # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their 
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te index 49ef1781b..7aa28aa29 100644 --- a/private/hal_allocator_default.te +++ b/private/hal_allocator_default.te @@ -1,5 +1,5 @@ type hal_allocator_default, domain, coredomain; hal_server_domain(hal_allocator_default, hal_allocator) -type hal_allocator_default_exec, exec_type, file_type; +type hal_allocator_default_exec, system_file_type, exec_type, file_type; init_daemon_domain(hal_allocator_default) diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te index 293f3ded5..c948051eb 100644 --- a/private/hal_system_suspend_default.te +++ b/private/hal_system_suspend_default.te @@ -1,5 +1,5 @@ type hal_system_suspend_default, domain, coredomain; hal_server_domain(hal_system_suspend_default, hal_system_suspend) -type hal_system_suspend_default_exec, exec_type, file_type; +type hal_system_suspend_default_exec, system_file_type, exec_type, file_type; init_daemon_domain(hal_system_suspend_default) diff --git a/private/incident.te b/private/incident.te index 1844898ea..98101e031 100644 --- a/private/incident.te +++ b/private/incident.te @@ -1,6 +1,6 @@ typeattribute incident coredomain; -type incident_exec, exec_type, file_type; +type incident_exec, system_file_type, exec_type, file_type; # switch to incident domain for incident command domain_auto_trans(shell, incident_exec, incident) diff --git a/private/incident_helper.te b/private/incident_helper.te index e1e3fc826..078aa246b 100644 --- a/private/incident_helper.te +++ b/private/incident_helper.te @@ -1,6 +1,6 @@ typeattribute incident_helper coredomain; -type incident_helper_exec, exec_type, file_type; +type incident_helper_exec, system_file_type, exec_type, file_type; # switch to incident_helper domain for incident_helper command domain_auto_trans(incidentd, incident_helper_exec, incident_helper) diff --git a/private/incidentd.te b/private/incidentd.te index 334c24369..7ad3a30c2 100644 
--- a/private/incidentd.te +++ b/private/incidentd.te @@ -2,7 +2,7 @@ typeattribute incidentd coredomain; typeattribute incidentd mlstrustedsubject; init_daemon_domain(incidentd) -type incidentd_exec, exec_type, file_type; +type incidentd_exec, system_file_type, exec_type, file_type; binder_use(incidentd) wakelock_use(incidentd) diff --git a/private/mdnsd.te b/private/mdnsd.te index 943f9794c..98e95dab3 100644 --- a/private/mdnsd.te +++ b/private/mdnsd.te @@ -3,7 +3,7 @@ typeattribute mdnsd coredomain; typeattribute mdnsd mlstrustedsubject; -type mdnsd_exec, exec_type, file_type; +type mdnsd_exec, system_file_type, exec_type, file_type; init_daemon_domain(mdnsd) net_domain(mdnsd) diff --git a/private/perfetto.te b/private/perfetto.te index 9ac5d8761..c068dc517 100644 --- a/private/perfetto.te +++ b/private/perfetto.te @@ -4,7 +4,7 @@ # daemon. type perfetto, domain, coredomain; -type perfetto_exec, exec_type, file_type; +type perfetto_exec, system_file_type, exec_type, file_type; tmpfs_domain(perfetto); diff --git a/private/stats.te b/private/stats.te index 4b29cf37f..818d9f9d3 100644 --- a/private/stats.te +++ b/private/stats.te @@ -1,6 +1,6 @@ type stats, domain; typeattribute stats coredomain; -type stats_exec, exec_type, file_type; +type stats_exec, system_file_type, exec_type, file_type; # switch to stats domain for stats command domain_auto_trans(shell, stats_exec, stats) diff --git a/private/storaged.te b/private/storaged.te index 8f70531a7..0e31483ff 100644 --- a/private/storaged.te +++ b/private/storaged.te @@ -1,6 +1,6 @@ # storaged daemon type storaged, domain, coredomain, mlstrustedsubject; -type storaged_exec, exec_type, file_type; +type storaged_exec, system_file_type, exec_type, file_type; init_daemon_domain(storaged) diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te index a5ebfb0e0..000ebe1c3 100644 --- a/private/surfaceflinger.te +++ b/private/surfaceflinger.te 
@@ -2,7 +2,7 @@ typeattribute surfaceflinger coredomain; -type surfaceflinger_exec, exec_type, file_type; +type surfaceflinger_exec, system_file_type, exec_type, file_type; init_daemon_domain(surfaceflinger) typeattribute surfaceflinger mlstrustedsubject; diff --git a/private/traced.te b/private/traced.te index 49edc5174..6571938fb 100644 --- a/private/traced.te +++ b/private/traced.te @@ -1,6 +1,6 @@ # Perfetto user-space tracing daemon (unprivileged) type traced, domain, coredomain, mlstrustedsubject; -type traced_exec, exec_type, file_type; +type traced_exec, system_file_type, exec_type, file_type; # Allow init to exec the daemon. init_daemon_domain(traced) diff --git a/private/traced_probes.te b/private/traced_probes.te index 83dbe45b3..e17329363 100644 --- a/private/traced_probes.te +++ b/private/traced_probes.te @@ -1,5 +1,5 @@ # Perfetto tracing probes, has tracefs access. -type traced_probes_exec, exec_type, file_type; +type traced_probes_exec, system_file_type, exec_type, file_type; # Allow init to exec the daemon. init_daemon_domain(traced_probes) diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te index 8b8dd2927..85a28da5f 100644 --- a/private/wait_for_keymaster.te +++ b/private/wait_for_keymaster.te @@ -1,6 +1,6 @@ # wait_for_keymaster service type wait_for_keymaster, domain, coredomain; -type wait_for_keymaster_exec, exec_type, file_type; +type wait_for_keymaster_exec, system_file_type, exec_type, file_type; init_daemon_domain(wait_for_keymaster) diff --git a/public/adbd.te b/public/adbd.te index 82373fd1d..68a176ca6 100644 --- a/public/adbd.te +++ b/public/adbd.te @@ -1,7 +1,7 @@ # adbd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. type adbd, domain; -type adbd_exec, exec_type, file_type; +type adbd_exec, exec_type, file_type, system_file_type; # Only init is allowed to enter the adbd domain via exec() neverallow { domain -init } adbd:process transition; 
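Review bot: In public/adbd.te the two context lines above the change say adbd "lives in the rootfs and has no unique file type", yet `adbd_exec` now gains `system_file_type`, whose comment in public/attributes is "All types in /system". Both statements cannot hold at once: if adbd really is a rootfs binary the attribute does not belong on this type (and the future /system test would not flag the mismatch), and if adbd now ships under /system the comment is stale and should be rewritten to say where adbd_exec is labelled and why its seclabel is still set from init.rc. Either way, please reconcile the comment with the new attribute in this hunk.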
diff --git a/public/attributes b/public/attributes
index ecfe37391..1ef92263d 100644
--- a/public/attributes
+++ b/public/attributes
@@ -33,6 +33,10 @@ expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
 expandattribute core_data_file_type false;
+
+# All types in /system
+attribute system_file_type;
+
 # All types in /vendor
 attribute vendor_file_type;
diff --git a/public/bootanim.te b/public/bootanim.te
index 32602273d..e8cb98bbc 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -1,6 +1,6 @@
 # bootanimation oneshot service
 type bootanim, domain;
-type bootanim_exec, exec_type, file_type;
+type bootanim_exec, system_file_type, exec_type, file_type;
 hal_client_domain(bootanim, hal_configstore)
 hal_client_domain(bootanim, hal_graphics_allocator)
diff --git a/public/bootstat.te b/public/bootstat.te
index 7ba023815..ce14c2f73 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -1,6 +1,6 @@
 # bootstat command
 type bootstat, domain;
-type bootstat_exec, exec_type, file_type;
+type bootstat_exec, system_file_type, exec_type, file_type;
 read_runtime_log_tags(bootstat)
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 10826d3dd..7acfa6952 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -1,6 +1,6 @@
 # bufferhubd
 type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, exec_type, file_type;
+type bufferhubd_exec, system_file_type, exec_type, file_type;
 hal_client_domain(bufferhubd, hal_graphics_allocator)
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 3fdca537e..ba4522858 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -1,6 +1,6 @@
 # cameraserver - camera daemon
 type cameraserver, domain;
-type cameraserver_exec, exec_type, file_type;
+type cameraserver_exec, system_file_type, exec_type, file_type;
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
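Review bot: `attribute system_file_type;` in public/attributes is declared without the `expandattribute ... false;` that the neighbouring `data_file_type` and `core_data_file_type` carry, and this hunk gives no hint whether that omission is deliberate. If the attribute is meant to survive in the compiled policy (it is referenced from init.te and domain.te in this same patch, and the description plans further neverallow and test use), add `expandattribute system_file_type false;` alongside it; if expansion is fine, a one-line comment saying so would save the next reader the question. The comment could also state the invariant the attribute carries, e.g. `# All types in /system; every type labelling a /system path must carry this (enforced by tests/sepolicy_tests.py once enabled).`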
diff --git a/public/clatd.te b/public/clatd.te index 53d6582c1..5c9d724db 100644 --- a/public/clatd.te +++ b/public/clatd.te @@ -1,6 +1,6 @@ # 464xlat daemon type clatd, domain; -type clatd_exec, exec_type, file_type; +type clatd_exec, system_file_type, exec_type, file_type; net_domain(clatd) diff --git a/public/cppreopts.te b/public/cppreopts.te index fb9855eea..623391e8b 100644 --- a/public/cppreopts.te +++ b/public/cppreopts.te @@ -5,7 +5,7 @@ # directories. type cppreopts, domain, mlstrustedsubject; -type cppreopts_exec, exec_type, file_type; +type cppreopts_exec, system_file_type, exec_type, file_type; # Allow cppreopts copy files into the dalvik-cache allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write }; diff --git a/public/crash_dump.te b/public/crash_dump.te index 65e6a65e9..ec33df329 100644 --- a/public/crash_dump.te +++ b/public/crash_dump.te @@ -1,5 +1,5 @@ type crash_dump, domain; -type crash_dump_exec, exec_type, file_type; +type crash_dump_exec, system_file_type, exec_type, file_type; # crash_dump might inherit CAP_SYS_PTRACE from a privileged process, # which will result in an audit log even when it's allowed to trace. diff --git a/public/dex2oat.te b/public/dex2oat.te index 2e96352fc..0a046c65f 100644 --- a/public/dex2oat.te +++ b/public/dex2oat.te @@ -1,6 +1,6 @@ # dex2oat type dex2oat, domain; -type dex2oat_exec, exec_type, file_type; +type dex2oat_exec, system_file_type, exec_type, file_type; r_dir_file(dex2oat, apk_data_file) # Access to /vendor/app diff --git a/public/dhcp.te b/public/dhcp.te index 6ed983260..4f2369d2d 100644 --- a/public/dhcp.te +++ b/public/dhcp.te @@ -1,5 +1,5 @@ type dhcp, domain; -type dhcp_exec, exec_type, file_type; +type dhcp_exec, system_file_type, exec_type, file_type; net_domain(dhcp) diff --git a/public/dnsmasq.te b/public/dnsmasq.te index e97e964e5..62e1a328e 100644 --- a/public/dnsmasq.te +++ b/public/dnsmasq.te 
@@ -1,6 +1,6 @@
 # DNS, DHCP services
 type dnsmasq, domain;
-type dnsmasq_exec, exec_type, file_type;
+type dnsmasq_exec, system_file_type, exec_type, file_type;
 net_domain(dnsmasq)
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/domain.te b/public/domain.te
index 669c3c2eb..5e8fb230b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -454,7 +454,7 @@ neverallow {
 userdebug_or_eng(`-mediaextractor')
 } {
 file_type
- -system_file
+ -system_file_type
 -system_lib_file
 -system_linker_exec
 -vendor_file_type
@@ -503,16 +503,16 @@ neverallow {
 domain
 with_asan(`-asan_extract')
 } {
- system_file
+ system_file_type
 vendor_file_type
 exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
+neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -1109,7 +1109,7 @@ full_treble_only(`
 # -appdomain
 # -coredomain
 # -vendor_executes_system_violators
-# } system_file:file *;
+# } system_file_type:file *;
 #')
 # Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/drmserver.te b/public/drmserver.te
index 23ba9a6d7..4a101478a 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
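Review bot: Replacing `system_file` with `system_file_type` in the write neverallow at old line 503 of public/domain.te, in the `relabelto` rule under it and in the `mounton` rule further down widens each from one type to the whole attribute, so they now also cover system_lib_file, system_linker_exec, the selinux context-file types from file.te and every `*_exec` type tagged in this patch. Any existing allow rule that grants create/write/relabel on one of those types — including the device policies the description says are not yet cleaned up — will now fail at policy build time rather than in the still-commented-out test, which is a stronger guarantee but also a harder failure for downstream trees. That broadening deserves a line in the description or a comment on the rule, e.g. `# system_file_type covers every type labelling /system, not just system_file.` The execute neverallow at old line 454 is cut by its hunk; its subject set begins above the visible lines, and the `-system_lib_file`/`-system_linker_exec` exclusions that remain there are now redundant with `-system_file_type` and could be dropped in a follow-up.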
@@ -1,6 +1,6 @@ # drmserver - DRM service type drmserver, domain; -type drmserver_exec, exec_type, file_type; +type drmserver_exec, system_file_type, exec_type, file_type; typeattribute drmserver mlstrustedsubject; diff --git a/public/dumpstate.te b/public/dumpstate.te index 295217dfd..2d226afb3 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te @@ -1,6 +1,6 @@ # dumpstate type dumpstate, domain, mlstrustedsubject; -type dumpstate_exec, exec_type, file_type; +type dumpstate_exec, system_file_type, exec_type, file_type; net_domain(dumpstate) binder_use(dumpstate) diff --git a/public/e2fs.te b/public/e2fs.te index 6fcd0c2fb..ea9981dd0 100644 --- a/public/e2fs.te +++ b/public/e2fs.te @@ -1,5 +1,5 @@ type e2fs, domain, coredomain; -type e2fs_exec, exec_type, file_type; +type e2fs_exec, system_file_type, exec_type, file_type; allow e2fs devpts:chr_file { read write getattr ioctl }; diff --git a/public/file.te b/public/file.te index 44162271a..e567a6560 100644 --- a/public/file.te +++ b/public/file.te 
@@ -131,19 +131,19 @@ type app_fusefs, fs_type, contextmount_type;
 type unlabeled, file_type;
 # Default type for anything under /system.
-type system_file, file_type;
+type system_file, system_file_type, file_type;
 # Default type for anything under /system/lib[64].
-type system_lib_file, file_type;
+type system_lib_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].
-type system_linker_exec, file_type;
+type system_linker_exec, system_file_type, file_type;
 # Default type for linker config /system/etc/ld.config.*.
-type system_linker_config_file, file_type;
+type system_linker_config_file, system_file_type, file_type;
 # Default type for linker config /system/etc/seccomp_policy/*.
-type system_seccomp_policy_file, file_type;
+type system_seccomp_policy_file, system_file_type, file_type;
 # Default type for cacerts in /system/etc/security/cacerts/*.
-type system_security_cacerts_file, file_type;
+type system_security_cacerts_file, system_file_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
-type system_zoneinfo_file, file_type;
+type system_zoneinfo_file, system_file_type, file_type;
 # Default type for directories search for
 # HAL implementations
@@ -175,7 +175,7 @@ type vold_metadata_file, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
-type logcat_exec, exec_type, file_type;
+type logcat_exec, system_file_type, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
@@ -385,28 +385,28 @@ pdx_service_socket_types(performance_client, pdx_performance_dir)
 pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
 # file_contexts files
-type file_contexts_file, file_type;
+type file_contexts_file, system_file_type, file_type;
 # mac_permissions file
-type mac_perms_file, file_type;
+type mac_perms_file, system_file_type, file_type;
 # property_contexts file
-type property_contexts_file, file_type;
+type property_contexts_file, system_file_type, file_type;
 # seapp_contexts file
-type seapp_contexts_file, file_type;
+type seapp_contexts_file, system_file_type, file_type;
 # sepolicy files binary and others
-type sepolicy_file, file_type;
+type sepolicy_file, system_file_type, file_type;
 # service_contexts file
-type service_contexts_file, file_type;
+type service_contexts_file, system_file_type, file_type;
 # nonplat service_contexts file (only accessible on non full-treble devices)
 type nonplat_service_contexts_file, file_type;
 # hwservice_contexts file
-type hwservice_contexts_file, file_type;
+type hwservice_contexts_file, system_file_type, file_type;
 # vndservice_contexts file
 type vndservice_contexts_file, file_type;
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 2dc110721..ff7a884e3 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,5 +1,5 @@
 type fingerprintd, domain;
-type fingerprintd_exec, exec_type, file_type;
+type fingerprintd_exec, system_file_type, exec_type, file_type;
 binder_use(fingerprintd)
diff --git a/public/fsck.te b/public/fsck.te
index c5219d8ab..32462ea5b 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -1,6 +1,6 @@
 # Any fsck program run by init
 type fsck, domain;
-type fsck_exec, exec_type, file_type;
+type fsck_exec, system_file_type, exec_type, file_type;
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 2fc36279d..40c9a075b 100644
--- a/public/gatekeeperd.te
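Review bot: The context-file types given `system_file_type` in this public/file.te hunk (file_contexts_file, mac_perms_file, property_contexts_file, seapp_contexts_file, sepolicy_file, service_contexts_file, hwservice_contexts_file) are only correct as "/system types" if file_contexts never assigns them to anything under /vendor; if the vendor split-policy files reuse the same types (not visible in this patch), the attribute's "All types in /system" comment stops being true for them and a future /vendor counterpart of the commented-out test would have to exempt them or these types would need a second attribute. Please confirm against file_contexts and record the outcome next to the group, e.g. `# These also label the vendor copies under /vendor/etc/selinux — keep in sync with any vendor_file_type test.` if that is the case. nonplat_service_contexts_file and vndservice_contexts_file are left as plain `file_type`, presumably because they are vendor-side; a one-line comment saying so would stop them looking like omissions.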
+++ b/public/gatekeeperd.te @@ -1,5 +1,5 @@ type gatekeeperd, domain; -type gatekeeperd_exec, exec_type, file_type; +type gatekeeperd_exec, system_file_type, exec_type, file_type; # gatekeeperd binder_service(gatekeeperd) diff --git a/public/healthd.te b/public/healthd.te index a3dd58bad..a383dcf21 100644 --- a/public/healthd.te +++ b/public/healthd.te @@ -1,6 +1,6 @@ # healthd - battery/charger monitoring service daemon type healthd, domain; -type healthd_exec, exec_type, file_type; +type healthd_exec, system_file_type, exec_type, file_type; # Write to /dev/kmsg allow healthd kmsg_device:chr_file rw_file_perms; diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te index 1ffd2a67e..7f0381564 100644 --- a/public/hwservicemanager.te +++ b/public/hwservicemanager.te @@ -1,6 +1,6 @@ # hwservicemanager - the Binder context manager for HAL services type hwservicemanager, domain, mlstrustedsubject; -type hwservicemanager_exec, exec_type, file_type; +type hwservicemanager_exec, system_file_type, exec_type, file_type; # Note that we do not use the binder_* macros here. # hwservicemanager provides name service (aka context manager) diff --git a/public/idmap.te b/public/idmap.te index 3f336a32d..0899faa2a 100644 --- a/public/idmap.te +++ b/public/idmap.te @@ -1,6 +1,6 @@ # idmap, when executed by installd type idmap, domain; -type idmap_exec, exec_type, file_type; +type idmap_exec, system_file_type, exec_type, file_type; # Use open file to /data/resource-cache file inherited from installd. allow idmap installd:fd use; diff --git a/public/init.te b/public/init.te index 36d9800ea..101c0c863 100644 --- a/public/init.te +++ b/public/init.te @@ -2,7 +2,7 @@ type init, domain, mlstrustedsubject; # The init domain is entered by execing init. -type init_exec, exec_type, file_type; +type init_exec, system_file_type, exec_type, file_type; # /dev/__null__ node created by init. allow init tmpfs:chr_file { create setattr unlink rw_file_perms }; 
@@ -147,7 +147,7 @@ allow init {
 -nativetest_data_file
 -privapp_data_file
 -system_app_data_file
- -system_file
+ -system_file_type
 -vendor_file_type
 }:dir { create search getattr open read setattr ioctl };
@@ -161,7 +161,7 @@ allow init {
 -privapp_data_file
 -shell_data_file
 -system_app_data_file
- -system_file
+ -system_file_type
 -vendor_file_type
 -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
@@ -177,7 +177,7 @@ allow init {
 -runtime_event_log_tags_file
 -shell_data_file
 -system_app_data_file
- -system_file
+ -system_file_type
 -vendor_file_type
 -vold_data_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
@@ -192,7 +192,7 @@ allow init {
 -privapp_data_file
 -shell_data_file
 -system_app_data_file
- -system_file
+ -system_file_type
 -vendor_file_type
 -vold_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -207,14 +207,14 @@ allow init {
 -privapp_data_file
 -shell_data_file
 -system_app_data_file
- -system_file
+ -system_file_type
 -vendor_file_type
 -vold_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 allow init cache_file:lnk_file r_file_perms;
-allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 # does init really need to relabel app data?
 userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
diff --git a/public/inputflinger.te b/public/inputflinger.te
index e5f12a0c1..f206c05e7 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
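Review bot: Excluding `-system_file_type` instead of `-system_file` in the `:dir { create search getattr open read setattr ioctl }` rule at old line 147 of public/init.te withdraws, through this rule, init's search/getattr/read on directories labelled with the other /system types (system_lib_file, system_seccomp_policy_file, system_zoneinfo_file, system_security_cacerts_file and anything else now carrying the attribute), not only the create/setattr the blacklist is meant to deny. The read side is presumably granted to all domains elsewhere and the "device boots" test suggests nothing broke, but this hunk cannot show that; a comment on the rule would make the dependency explicit, e.g. `# NOTE: read/search on system_file_type dirs is expected to come from domain-wide rules, not from here — confirm before narrowing those.` Each `allow init {` statement here begins above its hunk, and the same substitution is repeated at old lines 161, 177, 192 and 207, so the remark applies to the dir and file rules alike.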
@@ -1,6 +1,6 @@ # inputflinger type inputflinger, domain; -type inputflinger_exec, exec_type, file_type; +type inputflinger_exec, system_file_type, exec_type, file_type; binder_use(inputflinger) binder_service(inputflinger) diff --git a/public/install_recovery.te b/public/install_recovery.te index 24819c2ea..0aee9ab03 100644 --- a/public/install_recovery.te +++ b/public/install_recovery.te @@ -1,6 +1,6 @@ # service flash_recovery in init.rc type install_recovery, domain; -type install_recovery_exec, exec_type, file_type; +type install_recovery_exec, system_file_type, exec_type, file_type; allow install_recovery self:global_capability_class_set { dac_override dac_read_search }; diff --git a/public/installd.te b/public/installd.te index 12495c435..8a761663e 100644 --- a/public/installd.te +++ b/public/installd.te @@ -1,6 +1,6 @@ # installer daemon type installd, domain; -type installd_exec, exec_type, file_type; +type installd_exec, system_file_type, exec_type, file_type; typeattribute installd mlstrustedsubject; allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin }; diff --git a/public/keystore.te b/public/keystore.te index 49355bd95..e869f32d2 100644 --- a/public/keystore.te +++ b/public/keystore.te @@ -1,5 +1,5 @@ type keystore, domain; -type keystore_exec, exec_type, file_type; +type keystore_exec, system_file_type, exec_type, file_type; # keystore daemon typeattribute keystore mlstrustedsubject; diff --git a/public/llkd.te b/public/llkd.te index afc508d4f..1faa42995 100644 --- a/public/llkd.te +++ b/public/llkd.te @@ -1,3 +1,3 @@ # llkd Live LocK Daemon type llkd, domain, mlstrustedsubject; -type llkd_exec, exec_type, file_type; +type llkd_exec, system_file_type, exec_type, file_type; diff --git a/public/lmkd.te b/public/lmkd.te index 2eb2ccaca..54199e10a 100644 --- a/public/lmkd.te +++ b/public/lmkd.te 
@@ -1,6 +1,6 @@ # lmkd low memory killer daemon type lmkd, domain, mlstrustedsubject; -type lmkd_exec, exec_type, file_type; +type lmkd_exec, system_file_type, exec_type, file_type; allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill }; diff --git a/public/logd.te b/public/logd.te index 91ef54573..a26aa25d3 100644 --- a/public/logd.te +++ b/public/logd.te @@ -1,6 +1,6 @@ # android user-space log manager type logd, domain, mlstrustedsubject; -type logd_exec, exec_type, file_type; +type logd_exec, system_file_type, exec_type, file_type; # Read access to pseudo filesystems. r_dir_file(logd, cgroup) diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te index 059be7be9..a52295e2c 100644 --- a/public/mediadrmserver.te +++ b/public/mediadrmserver.te @@ -1,6 +1,6 @@ # mediadrmserver - mediadrm daemon type mediadrmserver, domain; -type mediadrmserver_exec, exec_type, file_type; +type mediadrmserver_exec, system_file_type, exec_type, file_type; typeattribute mediadrmserver mlstrustedsubject; diff --git a/public/mediaextractor.te b/public/mediaextractor.te index ec9c6345a..9e07efd39 100644 --- a/public/mediaextractor.te +++ b/public/mediaextractor.te @@ -1,6 +1,6 @@ # mediaextractor - multimedia daemon type mediaextractor, domain; -type mediaextractor_exec, exec_type, file_type; +type mediaextractor_exec, system_file_type, exec_type, file_type; typeattribute mediaextractor mlstrustedsubject; diff --git a/public/mediametrics.te b/public/mediametrics.te index 1c8f5b80b..622e16968 100644 --- a/public/mediametrics.te +++ b/public/mediametrics.te @@ -1,6 +1,6 @@ # mediametrics - daemon for collecting media.metrics data type mediametrics, domain; -type mediametrics_exec, exec_type, file_type; +type mediametrics_exec, system_file_type, exec_type, file_type; binder_use(mediametrics) diff --git a/public/mediaserver.te b/public/mediaserver.te index a197a4482..6a7b0c7a4 100644 --- a/public/mediaserver.te +++ b/public/mediaserver.te 
@@ -1,6 +1,6 @@ # mediaserver - multimedia daemon type mediaserver, domain; -type mediaserver_exec, exec_type, file_type; +type mediaserver_exec, system_file_type, exec_type, file_type; typeattribute mediaserver mlstrustedsubject; diff --git a/public/mtp.te b/public/mtp.te index 7256bcf55..c744343cf 100644 --- a/public/mtp.te +++ b/public/mtp.te @@ -1,6 +1,6 @@ # vpn tunneling protocol manager type mtp, domain; -type mtp_exec, exec_type, file_type; +type mtp_exec, system_file_type, exec_type, file_type; net_domain(mtp) diff --git a/public/netd.te b/public/netd.te index a4a65a98c..241380b21 100644 --- a/public/netd.te +++ b/public/netd.te @@ -1,6 +1,6 @@ # network manager type netd, domain, mlstrustedsubject; -type netd_exec, exec_type, file_type; +type netd_exec, system_file_type, exec_type, file_type; net_domain(netd) # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls. diff --git a/public/netutils_wrapper.te b/public/netutils_wrapper.te index c844762c8..27aa7496c 100644 --- a/public/netutils_wrapper.te +++ b/public/netutils_wrapper.te @@ -1,4 +1,4 @@ type netutils_wrapper, domain; -type netutils_wrapper_exec, exec_type, file_type; +type netutils_wrapper_exec, system_file_type, exec_type, file_type; neverallow domain netutils_wrapper_exec:file execute_no_trans; diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te index 894363ab1..902708b1b 100644 --- a/public/otapreopt_chroot.te +++ b/public/otapreopt_chroot.te @@ -1,6 +1,6 @@ # otapreopt_chroot executable type otapreopt_chroot, domain; -type otapreopt_chroot_exec, exec_type, file_type; +type otapreopt_chroot_exec, system_file_type, exec_type, file_type; # Chroot preparation and execution. # We need to create an unshared mount namespace, and then mount /data. diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te index 6551864c3..5726e2e01 100644 --- a/public/otapreopt_slot.te +++ b/public/otapreopt_slot.te 
@@ -4,7 +4,7 @@ # from /data/ota to /data/dalvik-cache.
 type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, exec_type, file_type;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
 # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
diff --git a/public/performanced.te b/public/performanced.te
index 248d345d1..7dcb5ea1e 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -1,6 +1,6 @@
 # performanced
 type performanced, domain, mlstrustedsubject;
-type performanced_exec, exec_type, file_type;
+type performanced_exec, system_file_type, exec_type, file_type;
 # Needed to check for app permissions.
 binder_use(performanced)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f780a0db7..a0fcf3751 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -1,6 +1,6 @@
 # perfprofd - perf profile collection daemon
 type perfprofd, domain;
-type perfprofd_exec, exec_type, file_type;
+type perfprofd_exec, system_file_type, exec_type, file_type;
 userdebug_or_eng(`
diff --git a/public/ppp.te b/public/ppp.te
index 8d79477c2..0fc3bee81 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,7 +1,7 @@
 # Point to Point Protocol daemon
 type ppp, domain;
 type ppp_device, dev_type;
-type ppp_exec, exec_type, file_type;
+type ppp_exec, system_file_type, exec_type, file_type;
 net_domain(ppp)
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
index 514100fdc..de70c9fbf 100644
--- a/public/preopt2cachename.te
+++ b/public/preopt2cachename.te
@@ -3,7 +3,7 @@ # This executable translates names from the preopted versions the build system
 # creates to the names the runtime expects in the data directory.
 type preopt2cachename, domain;
-type preopt2cachename_exec, exec_type, file_type;
+type preopt2cachename_exec, system_file_type, exec_type, file_type;
 # Allow write to stdout.
 allow preopt2cachename cppreopts:fd use;
diff --git a/public/profman.te b/public/profman.te
index 364e9f73f..8ff62710e 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -1,6 +1,6 @@
 # profman
 type profman, domain;
-type profman_exec, exec_type, file_type;
+type profman_exec, system_file_type, exec_type, file_type;
 allow profman user_profile_data_file:file { getattr read write lock map };
diff --git a/public/racoon.te b/public/racoon.te
index c759217a0..7d1247a81 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -1,6 +1,6 @@
 # IKE key management daemon
 type racoon, domain;
-type racoon_exec, exec_type, file_type;
+type racoon_exec, system_file_type, exec_type, file_type;
 typeattribute racoon mlstrustedsubject;
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index d3dc14cb4..d4b456201 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -1,6 +1,6 @@
 # android recovery persistent log manager
 type recovery_persist, domain;
-type recovery_persist_exec, exec_type, file_type;
+type recovery_persist_exec, system_file_type, exec_type, file_type;
 allow recovery_persist pstorefs:dir search;
 allow recovery_persist pstorefs:file r_file_perms;
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index 0c76afdc0..d6870dcb2 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -1,6 +1,6 @@
 # android recovery refresh log manager
 type recovery_refresh, domain;
-type recovery_refresh_exec, exec_type, file_type;
+type recovery_refresh_exec, system_file_type, exec_type, file_type;
 allow recovery_refresh pstorefs:dir search;
 allow recovery_refresh pstorefs:file r_file_perms;
diff --git a/public/runas.te b/public/runas.te
index 6c5de7cf8..b1daa31b9 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,5 +1,5 @@
 type runas, domain, mlstrustedsubject;
-type runas_exec, exec_type, file_type;
+type runas_exec, system_file_type, exec_type, file_type;
 allow runas adbd:fd use;
 allow runas adbd:process sigchld;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 6749d16e5..6d9edfab5 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,5 +1,5 @@
 type sdcardd, domain;
-type sdcardd_exec, exec_type, file_type;
+type sdcardd_exec, system_file_type, exec_type, file_type;
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 87e3a2217..df209413f 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -1,6 +1,6 @@
 # servicemanager - the Binder context manager
 type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, exec_type, file_type;
+type servicemanager_exec, system_file_type, exec_type, file_type;
 # Note that we do not use the binder_* macros here.
 # servicemanager is unique in that it only provides
diff --git a/public/sgdisk.te b/public/sgdisk.te
index ca3096cef..7a7ba8226 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -1,6 +1,6 @@
 # sgdisk called from vold
 type sgdisk, domain;
-type sgdisk_exec, exec_type, file_type;
+type sgdisk_exec, system_file_type, exec_type, file_type;
 # Allowed to read/write low-level partition tables
 allow sgdisk block_device:dir search;
diff --git a/public/shell.te b/public/shell.te
index 9569d9719..1b199a340 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -1,6 +1,6 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
+type shell_exec, system_file_type, exec_type, file_type;
 # Create and use network sockets.
 net_domain(shell)
diff --git a/public/statsd.te b/public/statsd.te
index c108805cb..9c8e9d24c 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -1,6 +1,6 @@
 type statsd, domain, mlstrustedsubject;
-type statsd_exec, exec_type, file_type;
+type statsd_exec, system_file_type, exec_type, file_type;
 binder_use(statsd)
 # Allow statsd to scan through /proc/pid for all processes.
diff --git a/public/su.te b/public/su.te
index f397d73dd..5952ab8ea 100644
--- a/public/su.te
+++ b/public/su.te
@@ -3,7 +3,7 @@ type su, domain;
 # File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
+type su_exec, system_file_type, exec_type, file_type;
 userdebug_or_eng(`
 # Domain used for su processes, as well as for adbd and adb shell
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
index 90140b2b9..1353e4300 100644
--- a/public/thermalserviced.te
+++ b/public/thermalserviced.te
@@ -1,6 +1,6 @@
 # thermalserviced -- thermal management services for system and vendor
 type thermalserviced, domain;
-type thermalserviced_exec, exec_type, file_type;
+type thermalserviced_exec, system_file_type, exec_type, file_type;
 binder_use(thermalserviced)
 binder_service(thermalserviced)
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 9c75c976a..ea2abbb75 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -1,6 +1,6 @@
 # debugger interface
 type tombstoned, domain, mlstrustedsubject;
-type tombstoned_exec, exec_type, file_type;
+type tombstoned_exec, system_file_type, exec_type, file_type;
 # Write to arbitrary pipes given to us.
 allow tombstoned domain:fd use;
diff --git a/public/toolbox.te b/public/toolbox.te
index 59c3a9c73..19cc3b6fe 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -2,7 +2,7 @@ # At present, the only known usage is for running mkswap via fs_mgr.
 # Do NOT use this domain for toolbox when run by any other domain.
 type toolbox, domain;
-type toolbox_exec, exec_type, file_type;
+type toolbox_exec, system_file_type, exec_type, file_type;
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
index 6f60c8e2a..cf9b95de9 100644
--- a/public/tzdatacheck.te
+++ b/public/tzdatacheck.te
@@ -1,6 +1,6 @@
 # The tzdatacheck command run by init.
 type tzdatacheck, domain;
-type tzdatacheck_exec, exec_type, file_type;
+type tzdatacheck_exec, system_file_type, exec_type, file_type;
 allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
 allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index a0fb37228..28dc3f209 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -1,6 +1,6 @@
 # uncrypt
 type uncrypt, domain, mlstrustedsubject;
-type uncrypt_exec, exec_type, file_type;
+type uncrypt_exec, system_file_type, exec_type, file_type;
 allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
diff --git a/public/update_engine.te b/public/update_engine.te
index 26b0581d1..d13be7d28 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,6 +1,6 @@
 # Domain for update_engine daemon.
 type update_engine, domain, update_engine_common;
-type update_engine_exec, exec_type, file_type;
+type update_engine_exec, system_file_type, exec_type, file_type;
 net_domain(update_engine);
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 5d20eca82..da2eaf839 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -1,6 +1,6 @@
 # update_verifier
 type update_verifier, domain;
-type update_verifier_exec, exec_type, file_type;
+type update_verifier_exec, system_file_type, exec_type, file_type;
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
diff --git a/public/usbd.te b/public/usbd.te
index 6dd133413..991e7be5f 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,5 +1,5 @@
 type usbd, domain;
-type usbd_exec, exec_type, file_type;
+type usbd_exec, system_file_type, exec_type, file_type;
 # Start/stop adbd via ctl.start adbd
 set_prop(usbd, ctl_adbd_prop)
diff --git a/public/vdc.te b/public/vdc.te
index 424bdea02..b59dcf682 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -6,7 +6,7 @@ # collecting bug reports.
 type vdc, domain;
-type vdc_exec, exec_type, file_type;
+type vdc_exec, system_file_type, exec_type, file_type;
 # vdc can be invoked with logwrapper, so let it write to pty
 allow vdc devpts:chr_file rw_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index e28ce1cd5..dfd4d8fa8 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -41,7 +41,7 @@ allow vendor_init {
 file_type
 -core_data_file_type
 -exec_type
- -system_file
+ -system_file_type
 -mnt_product_file
 -unlabeled
 -vendor_file_type
@@ -53,7 +53,7 @@ allow vendor_init {
 -core_data_file_type
 -exec_type
 -runtime_event_log_tags_file
- -system_file
+ -system_file_type
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
@@ -63,7 +63,7 @@ allow vendor_init {
 file_type
 -core_data_file_type
 -exec_type
- -system_file
+ -system_file_type
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
@@ -73,7 +73,7 @@ allow vendor_init {
 file_type
 -core_data_file_type
 -exec_type
- -system_file
+ -system_file_type
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
@@ -84,7 +84,7 @@ allow vendor_init {
 -core_data_file_type
 -exec_type
 -mnt_product_file
- -system_file
+ -system_file_type
 -vendor_file_type
 -vold_metadata_file
 }:dir_file_class_set relabelto;
@@ -175,6 +175,9 @@ not_compatible_property(`
 })
 ')
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_audio_prop)
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index c2800e3ef..49c87044c 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -1,5 +1,5 @@
 type virtual_touchpad, domain;
-type virtual_touchpad_exec, exec_type, file_type;
+type virtual_touchpad_exec, system_file_type, exec_type, file_type;
 binder_use(virtual_touchpad)
 binder_service(virtual_touchpad)
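Review bot: The added `allow vendor_init file_contexts_file:file r_file_perms;` in the `@@ -175,6 +175,9 @@` hunk of vendor_init.te is a new permission that the commit message does not mention and that is unrelated to the attribute rename, and its comment `# Get file context` does not record why vendor_init needs it. Expand the comment to name the consumer, for example `# vendor_init reads file_contexts to look up labels (TODO: note which init code path needs this)`, or move the rule into its own change so it can be reviewed on its own. The five `-system_file` → `-system_file_type` replacements in the earlier hunks widen the exclusion from one type to every type carrying the attribute, but any /system file whose type has not yet been given system_file_type stays inside the permitted set until the commented-out TestSystemTypeViolations check is enabled. Each of those `allow vendor_init { ... }` statements begins before its hunk.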
diff --git a/public/vold.te b/public/vold.te
index 73d3b6d6b..13c63379b 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -1,6 +1,6 @@
 # volume manager
 type vold, domain;
-type vold_exec, exec_type, file_type;
+type vold_exec, exec_type, file_type, system_file_type;
 # Read already opened /cache files.
 allow vold cache_file:dir r_dir_perms;
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
index 6405d2dcb..3087fa861 100644
--- a/public/vold_prepare_subdirs.te
+++ b/public/vold_prepare_subdirs.te
@@ -1,6 +1,6 @@
 # SELinux directory creation and labelling for vold-managed directories
 type vold_prepare_subdirs, domain;
-type vold_prepare_subdirs_exec, exec_type, file_type;
+type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
 typeattribute vold_prepare_subdirs coredomain;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index 8e3cb5133..c14688703 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -1,5 +1,5 @@
 type vr_hwc, domain;
-type vr_hwc_exec, exec_type, file_type;
+type vr_hwc_exec, system_file_type, exec_type, file_type;
 # Get buffer metadata.
 hal_client_domain(vr_hwc, hal_graphics_allocator)
diff --git a/public/watchdogd.te b/public/watchdogd.te
index d2718d833..72e368564 100644
--- a/public/watchdogd.te
+++ b/public/watchdogd.te
@@ -1,6 +1,6 @@
 # watchdogd seclabel is specified in init..rc
 type watchdogd, domain;
-type watchdogd_exec, exec_type, file_type;
+type watchdogd_exec, system_file_type, exec_type, file_type;
 allow watchdogd watchdog_device:chr_file rw_file_perms;
 allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index c62a8d72c..656abad06 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -1,6 +1,6 @@
 # wificond
 type wificond, domain;
-type wificond_exec, exec_type, file_type;
+type wificond_exec, system_file_type, exec_type, file_type;
 binder_use(wificond)
 binder_call(wificond, system_server)
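Review bot: Attribute order in `+type vold_exec, exec_type, file_type, system_file_type;` differs from every other `_exec` declaration in this change, which put `system_file_type` first. The policy meaning is identical, but the odd one out will slip past a grep for `system_file_type, exec_type, file_type` when the remaining exec types are audited for the attribute; use `type vold_exec, system_file_type, exec_type, file_type;` to match.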
diff --git a/public/wpantund.te b/public/wpantund.te
index b31723651..8ddd6935d 100644
--- a/public/wpantund.te
+++ b/public/wpantund.te
@@ -1,5 +1,5 @@
 type wpantund, domain;
-type wpantund_exec, exec_type, file_type;
+type wpantund_exec, system_file_type, exec_type, file_type;
 hal_client_domain(wpantund, hal_lowpan)
 net_domain(wpantund)
diff --git a/public/zygote.te b/public/zygote.te
index 83c42efb0..85c358004 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -1,3 +1,3 @@
 # zygote
 type zygote, domain;
-type zygote_exec, exec_type, file_type;
+type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 6f6914759..70b036fab 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -11,6 +11,9 @@ import sys
 def TestDataTypeViolations(pol):
 return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
+# def TestSystemTypeViolations(pol):
+# return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
+
 def TestProcTypeViolations(pol):
 return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
@@ -55,6 +58,7 @@ Tests = [
 "TestDataTypeViolators",
 "TestProcTypeViolations",
 "TestSysfsTypeViolations",
+ # "TestSystemTypeViolators",
 "TestDebugfsTypeViolations",
 "TestVendorTypeViolations",
 "TestCoreDataTypeViolations",
@@ -103,6 +107,8 @@ if __name__ == '__main__':
 results += TestProcTypeViolations(pol)
 if options.test is None or "TestSysfsTypeViolations" in options.test:
 results += TestSysfsTypeViolations(pol)
+ # if options.test is None or "TestSystemTypeViolations" in options.test:
+ # results += TestSystemTypeViolations(pol)
 if options.test is None or "TestDebugfsTypeViolations" in options.test:
 results += TestDebugfsTypeViolations(pol)
 if options.test is None or "TestVendorTypeViolations" in options.test:
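Review bot: The commented-out entry `# "TestSystemTypeViolators",` in the Tests list does not match the function `TestSystemTypeViolations` added in the first sepolicy_tests.py hunk nor the string `"TestSystemTypeViolations"` checked against `options.test` in the last hunk, so when these lines are uncommented the listed name and the option check will disagree. Change it to `# "TestSystemTypeViolations",` now so the three places agree before the test is enabled; the existing `"TestDataTypeViolators"` entry shows the same drift is already present for the data test. The `if __name__ == '__main__':` block edited by the last hunk begins and ends outside it.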