Merge "More neverallows for default_android_service."

Steven Moreland 2020-01-21 21:31:57 +00:00 committed by Gerrit Code Review
commit 64c8ddb123
6 changed files with 8 additions and 3 deletions


@ -37,6 +37,7 @@ allow atrace {
-installd_service -installd_service
-vold_service -vold_service
-lpdump_service -lpdump_service
-default_android_service
}:service_manager { find }; }:service_manager { find };
allow atrace servicemanager:service_manager list; allow atrace servicemanager:service_manager list;
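Review bot: The added `-default_android_service` line in the `allow atrace { ... }:service_manager find` set carries no comment linking it to the `neverallow * default_android_service:service_manager *;` rule from the same commit, and the same bare line is repeated in the system_app, dumpstate, shell and traceur_app sections. A one-line comment above each set, such as `# default_android_service is subtracted because a neverallow forbids every service_manager permission on it.`, would tell the next editor that removing the exclusion fails the neverallow check. The start of the set is outside the hunk, so the attribute being subtracted from is not visible here. Any other domain that grants find on that same attribute would presumably need the same exclusion.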


@ -93,6 +93,7 @@ allow system_app {
-virtual_touchpad_service -virtual_touchpad_service
-vold_service -vold_service
-vr_hwc_service -vr_hwc_service
-default_android_service
}:service_manager find; }:service_manager find;
# suppress denials for services system_app should not be accessing. # suppress denials for services system_app should not be accessing.
dontaudit system_app { dontaudit system_app {
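Review bot: The `dontaudit system_app {` block that follows the changed set continues past the end of the hunk, so it is not visible whether `default_android_service` is listed there, and the same applies to the `dontaudit dumpstate {` block in the dumpstate section. Now that find on this type is denied, the resulting avc denial is the only signal that a service is running without a service_contexts entry, so the type should stay out of both dontaudit lists. A comment in each block would record that, for example `# default_android_service is deliberately not listed: a denial here means a service is unlabeled.`.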


@ -500,9 +500,9 @@ neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmou
# system_app_service rather than the generic type. # system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings # New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts. # from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager add; neverallow * default_android_service:service_manager *;
neverallow * default_android_vndservice:service_manager { add find }; neverallow * default_android_vndservice:service_manager *;
neverallow * default_android_hwservice:hwservice_manager { add find }; neverallow * default_android_hwservice:hwservice_manager *;
# Looking up the base class/interface of all HwBinder services is a bad idea. # Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security # hwservicemanager currently offer such lookups only to make it so that security
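Review bot: The comment above the three widened neverallow rules begins outside the hunk, and its visible lines only describe where new service types and mappings are defined, not why every permission is now forbidden rather than `add` / `{ add find }`. I would extend it with something like `# '*' denies add and find (and any permission later added to the class), so an unlabeled service can be neither registered nor looked up.`. Because `*` now covers find on `default_android_service`, any policy that grants find on an attribute containing this type without subtracting it will presumably fail the neverallow check at build time. That is worth stating in the comment, since out-of-tree policy is not covered by the exclusions added in this commit.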


@ -230,6 +230,7 @@ allow dumpstate {
-virtual_touchpad_service -virtual_touchpad_service
-vold_service -vold_service
-vr_hwc_service -vr_hwc_service
-default_android_service
}:service_manager find; }:service_manager find;
# suppress denials for services dumpstate should not be accessing. # suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate { dontaudit dumpstate {


@ -127,6 +127,7 @@ allow shell {
-virtual_touchpad_service -virtual_touchpad_service
-vold_service -vold_service
-vr_hwc_service -vr_hwc_service
-default_android_service
}:service_manager find; }:service_manager find;
allow shell dumpstate:binder call; allow shell dumpstate:binder call;


@ -21,6 +21,7 @@ allow traceur_app {
-virtual_touchpad_service -virtual_touchpad_service
-vold_service -vold_service
-vr_hwc_service -vr_hwc_service
-default_android_service
}:service_manager find; }:service_manager find;
# Allow traceur_app to use atrace HAL # Allow traceur_app to use atrace HAL