Merge "Minimize microdroid public policy" into main
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
7b6ce3bf13
21 changed files with 332 additions and 274 deletions
|
|
@ -440,3 +440,7 @@ allow init prng_seeder:unix_stream_socket { create bind listen };
|
|||
r_dir_file(init, vendor_kernel_modules)
|
||||
allow init self:capability sys_module;
|
||||
allow init vendor_kernel_modules:system module_load;
|
||||
|
||||
allow init tmpfs:chr_file relabelfrom;
|
||||
allow init kmsg_device:chr_file { getattr write relabelto };
|
||||
allow init kmsg_debug_device:chr_file { open write relabelto };
|
||||
|
|
|
|||
|
|
@ -18,6 +18,11 @@ dontaudit domain {
|
|||
ctl_fuse_prop
|
||||
}:property_service set;
|
||||
|
||||
allow property_type tmpfs:filesystem associate;
|
||||
|
||||
dontaudit { domain -init } default_prop:file no_rw_file_perms;
|
||||
dontaudit { domain -init } default_prop:property_service set;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
|
@ -67,3 +72,7 @@ neverallow {
|
|||
domain
|
||||
-init
|
||||
} non_existing_prop:property_service set;
|
||||
|
||||
# Properties should be explicitly labeled in property_contexts
|
||||
neverallow { domain -init } default_prop:file no_rw_file_perms;
|
||||
neverallow { domain -init } default_prop:property_service set;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,76 @@
|
|||
typeattribute shell coredomain;
|
||||
|
||||
# Root fs.
|
||||
allow shell rootfs:dir r_dir_perms;
|
||||
|
||||
# Access /data/local/tmp.
|
||||
allow shell shell_data_file:dir create_dir_perms;
|
||||
allow shell shell_data_file:file create_file_perms;
|
||||
allow shell shell_data_file:file rx_file_perms;
|
||||
allow shell shell_data_file:lnk_file create_file_perms;
|
||||
|
||||
allow shell devpts:chr_file rw_file_perms;
|
||||
allow shell tty_device:chr_file rw_file_perms;
|
||||
allow shell console_device:chr_file rw_file_perms;
|
||||
|
||||
r_dir_file(shell, system_file)
|
||||
allow shell system_file:file x_file_perms;
|
||||
allow shell toolbox_exec:file rx_file_perms;
|
||||
allow shell shell_exec:file rx_file_perms;
|
||||
|
||||
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
|
||||
r_dir_file(shell, proc_net_type)
|
||||
|
||||
allow shell {
|
||||
proc_asound
|
||||
proc_filesystems
|
||||
proc_interrupts
|
||||
proc_loadavg # b/124024827
|
||||
proc_meminfo
|
||||
proc_modules
|
||||
proc_pid_max
|
||||
proc_slabinfo
|
||||
proc_stat
|
||||
proc_timer
|
||||
proc_uptime
|
||||
proc_version
|
||||
proc_vmstat
|
||||
proc_zoneinfo
|
||||
}:file r_file_perms;
|
||||
|
||||
# allow listing network interfaces under /sys/class/net.
|
||||
allow shell sysfs_net:dir r_dir_perms;
|
||||
|
||||
r_dir_file(shell, cgroup)
|
||||
allow shell cgroup_desc_file:file r_file_perms;
|
||||
allow shell cgroup_desc_api_file:file r_file_perms;
|
||||
r_dir_file(shell, cgroup_v2)
|
||||
allow shell domain:dir { search open read getattr };
|
||||
allow shell domain:{ file lnk_file } { open read getattr };
|
||||
|
||||
# statvfs() of /proc and other labeled filesystems
|
||||
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
|
||||
allow shell { proc labeledfs }:filesystem getattr;
|
||||
|
||||
# stat() of /dev
|
||||
allow shell device:dir getattr;
|
||||
|
||||
# allow shell to read /proc/pid/attr/current for ps -Z
|
||||
allow shell domain:process getattr;
|
||||
|
||||
# Allow pulling the SELinux policy for CTS purposes
|
||||
allow shell selinuxfs:dir r_dir_perms;
|
||||
allow shell selinuxfs:file r_file_perms;
|
||||
|
||||
# /dev/fd is a symlink
|
||||
allow shell proc:lnk_file getattr;
|
||||
|
||||
# read selinux policy files
|
||||
allow shell file_contexts_file:file r_file_perms;
|
||||
allow shell property_contexts_file:file r_file_perms;
|
||||
allow shell service_contexts_file:file r_file_perms;
|
||||
allow shell sepolicy_file:file r_file_perms;
|
||||
|
||||
# Perform SELinux access checks, needed for CTS
|
||||
selinux_check_access(shell)
|
||||
selinux_check_context(shell)
|
||||
|
|
|
|||
|
|
@ -1,3 +1,22 @@
|
|||
typeattribute statsd coredomain;
|
||||
|
||||
init_daemon_domain(statsd)
|
||||
|
||||
# Allow statsd to scan through /proc/pid for all processes.
|
||||
r_dir_file(statsd, domain)
|
||||
|
||||
# Allow executing files on system, such as running a shell or running:
|
||||
# /system/bin/toolbox
|
||||
# /system/bin/logcat
|
||||
# /system/bin/dumpsys
|
||||
allow statsd devpts:chr_file { getattr ioctl read write };
|
||||
allow statsd shell_exec:file rx_file_perms;
|
||||
allow statsd system_file:file execute_no_trans;
|
||||
allow statsd toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Allow 'adb shell cmd' to upload configs and download output.
|
||||
allow statsd adbd:fd use;
|
||||
allow statsd adbd:unix_stream_socket { getattr read write };
|
||||
allow statsd shell:fifo_file { getattr read write };
|
||||
|
||||
unix_socket_send(statsd, statsdw, statsd)
|
||||
|
|
|
|||
|
|
@ -2,3 +2,34 @@ typeattribute su coredomain;
|
|||
|
||||
# su is also permissive to permit setenforce.
|
||||
permissive su;
|
||||
|
||||
# Add su to various domains
|
||||
dontaudit su self:capability_class_set *;
|
||||
dontaudit su self:capability2 *;
|
||||
dontaudit su kernel:security *;
|
||||
dontaudit su { kernel file_type }:system *;
|
||||
dontaudit su self:memprotect *;
|
||||
dontaudit su domain:{ process process2 } *;
|
||||
dontaudit su domain:fd *;
|
||||
dontaudit su domain:dir *;
|
||||
dontaudit su domain:lnk_file *;
|
||||
dontaudit su domain:{ fifo_file file } *;
|
||||
dontaudit su domain:socket_class_set *;
|
||||
dontaudit su domain:ipc_class_set *;
|
||||
dontaudit su domain:key *;
|
||||
dontaudit su fs_type:filesystem *;
|
||||
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
|
||||
dontaudit su node_type:node *;
|
||||
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
|
||||
dontaudit su netif_type:netif *;
|
||||
dontaudit su port_type:socket_class_set *;
|
||||
dontaudit su port_type:{ tcp_socket dccp_socket } *;
|
||||
dontaudit su domain:peer *;
|
||||
dontaudit su domain:binder *;
|
||||
dontaudit su property_type:property_service *;
|
||||
dontaudit su property_type:file *;
|
||||
dontaudit su domain:drmservice *;
|
||||
dontaudit su unlabeled:filesystem *;
|
||||
dontaudit su domain:bpf *;
|
||||
dontaudit su unlabeled:vsock_socket *;
|
||||
dontaudit su self:perf_event *;
|
||||
|
|
|
|||
144
microdroid/system/private/vendor_init.te
Normal file
144
microdroid/system/private/vendor_init.te
Normal file
|
|
@ -0,0 +1,144 @@
|
|||
# Communication to the main init process
|
||||
allow vendor_init init:unix_stream_socket { read write };
|
||||
|
||||
# Logging to kmsg
|
||||
allow vendor_init kmsg_device:chr_file { open getattr write };
|
||||
|
||||
# Mount on /dev/usb-ffs/adb.
|
||||
allow vendor_init device:dir mounton;
|
||||
|
||||
# Create and remove symlinks in /.
|
||||
allow vendor_init rootfs:lnk_file { create unlink };
|
||||
|
||||
# Create cgroups mount points in tmpfs and mount cgroups on them.
|
||||
allow vendor_init cgroup:dir create_dir_perms;
|
||||
allow vendor_init cgroup:file w_file_perms;
|
||||
allow vendor_init cgroup_v2:dir create_dir_perms;
|
||||
allow vendor_init cgroup_v2:file w_file_perms;
|
||||
|
||||
# /config
|
||||
allow vendor_init configfs:dir mounton;
|
||||
allow vendor_init configfs:dir create_dir_perms;
|
||||
allow vendor_init configfs:{ file lnk_file } create_file_perms;
|
||||
|
||||
# Create directories under /dev/cpuctl after chowning it to system.
|
||||
allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
|
||||
|
||||
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
|
||||
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
|
||||
# system/core/init.rc requires at least cache_file and data_file_type.
|
||||
# init.<board>.rc files often include device-specific types, so
|
||||
# we just allow all file types except /system files here.
|
||||
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
|
||||
|
||||
allow vendor_init system_data_file:dir getattr;
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
|
||||
|
||||
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
-apex_info_file
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { create getattr open read write setattr relabelfrom unlink map };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-apex_mnt_dir
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
}:lnk_file { create getattr setattr relabelfrom unlink };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
}:dir_file_class_set relabelto;
|
||||
|
||||
allow vendor_init dev_type:dir create_dir_perms;
|
||||
allow vendor_init dev_type:lnk_file create;
|
||||
|
||||
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
|
||||
allow vendor_init debugfs_tracing:file w_file_perms;
|
||||
|
||||
# chown/chmod on pseudo files.
|
||||
allow vendor_init {
|
||||
fs_type
|
||||
-fusefs_type
|
||||
-rootfs
|
||||
-proc_uid_time_in_state
|
||||
-proc_uid_concurrent_active_time
|
||||
-proc_uid_concurrent_policy_time
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { open read setattr map };
|
||||
|
||||
allow vendor_init tracefs_type:file { open read setattr map };
|
||||
|
||||
allow vendor_init {
|
||||
fs_type
|
||||
-fusefs_type
|
||||
-rootfs
|
||||
-proc_uid_time_in_state
|
||||
-proc_uid_concurrent_active_time
|
||||
-proc_uid_concurrent_policy_time
|
||||
}:dir { open read setattr search };
|
||||
|
||||
allow vendor_init dev_type:blk_file getattr;
|
||||
|
||||
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
|
||||
r_dir_file(vendor_init, proc_net_type)
|
||||
allow vendor_init proc_net_type:file w_file_perms;
|
||||
allow vendor_init self:global_capability_class_set net_admin;
|
||||
|
||||
# Write to /proc/sys/vm/page-cluster
|
||||
allow vendor_init proc_page_cluster:file w_file_perms;
|
||||
|
||||
# Write to sysfs nodes.
|
||||
allow vendor_init sysfs_type:dir r_dir_perms;
|
||||
allow vendor_init sysfs_type:lnk_file read;
|
||||
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
|
||||
|
||||
# setfscreatecon() for labeling directories and socket files.
|
||||
allow vendor_init self:process { setfscreate };
|
||||
|
||||
r_dir_file(vendor_init, vendor_file_type)
|
||||
|
||||
# Vendor init can perform operations on trusted and security Extended Attributes
|
||||
allow vendor_init self:global_capability_class_set sys_admin;
|
||||
|
||||
# vendor_init is using bootstrap bionic
|
||||
use_bootstrap_libs(vendor_init)
|
||||
|
||||
# Get file context
|
||||
allow vendor_init file_contexts_file:file r_file_perms;
|
||||
|
||||
# Allow vendor_init to (re)set nice
|
||||
allow vendor_init self:capability sys_nice;
|
||||
|
||||
# chown/chmod on devices, e.g. /dev/ttyHS0
|
||||
allow vendor_init {
|
||||
dev_type
|
||||
-hw_random_device
|
||||
}:chr_file setattr;
|
||||
|
|
@ -1,2 +1,6 @@
|
|||
type adbd, domain;
|
||||
type adbd_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -1,2 +1,6 @@
|
|||
type apexd, domain, coredomain;
|
||||
type apexd_exec, file_type, exec_type, system_file_type;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -1,2 +1,6 @@
|
|||
type crash_dump, domain;
|
||||
type crash_dump_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -27,3 +27,7 @@ type tty_device, dev_type;
|
|||
type vd_device, dev_type;
|
||||
type vsock_device, dev_type;
|
||||
type zero_device, dev_type;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -191,3 +191,7 @@ type tmpfs, fs_type;
|
|||
type usbfs, fs_type;
|
||||
type usermodehelper, fs_type, proc_type;
|
||||
type vfat, fs_type, sdcard_type;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -3,6 +3,6 @@ type init, domain;
|
|||
type init_exec, system_file_type, exec_type, file_type;
|
||||
type init_tmpfs, file_type;
|
||||
|
||||
allow init tmpfs:chr_file relabelfrom;
|
||||
allow init kmsg_device:chr_file { getattr write relabelto };
|
||||
allow init kmsg_debug_device:chr_file { open write relabelto };
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -1,2 +1,6 @@
|
|||
# Life begins with the kernel.
|
||||
type kernel, domain;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -50,11 +50,6 @@ type usb_control_prop, property_type;
|
|||
type vendor_default_prop, property_type;
|
||||
type powerctl_prop, property_type;
|
||||
|
||||
allow property_type tmpfs:filesystem associate;
|
||||
|
||||
# Properties should be explicitly labeled in property_contexts
|
||||
neverallow { domain -init } default_prop:file no_rw_file_perms;
|
||||
neverallow { domain -init } default_prop:property_service set;
|
||||
|
||||
dontaudit { domain -init } default_prop:file no_rw_file_perms;
|
||||
dontaudit { domain -init } default_prop:property_service set;
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -2,73 +2,6 @@
|
|||
type shell, domain;
|
||||
type shell_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Root fs.
|
||||
allow shell rootfs:dir r_dir_perms;
|
||||
|
||||
# Access /data/local/tmp.
|
||||
allow shell shell_data_file:dir create_dir_perms;
|
||||
allow shell shell_data_file:file create_file_perms;
|
||||
allow shell shell_data_file:file rx_file_perms;
|
||||
allow shell shell_data_file:lnk_file create_file_perms;
|
||||
|
||||
allow shell devpts:chr_file rw_file_perms;
|
||||
allow shell tty_device:chr_file rw_file_perms;
|
||||
allow shell console_device:chr_file rw_file_perms;
|
||||
|
||||
r_dir_file(shell, system_file)
|
||||
allow shell system_file:file x_file_perms;
|
||||
allow shell toolbox_exec:file rx_file_perms;
|
||||
allow shell shell_exec:file rx_file_perms;
|
||||
|
||||
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
|
||||
r_dir_file(shell, proc_net_type)
|
||||
|
||||
allow shell {
|
||||
proc_asound
|
||||
proc_filesystems
|
||||
proc_interrupts
|
||||
proc_loadavg # b/124024827
|
||||
proc_meminfo
|
||||
proc_modules
|
||||
proc_pid_max
|
||||
proc_slabinfo
|
||||
proc_stat
|
||||
proc_timer
|
||||
proc_uptime
|
||||
proc_version
|
||||
proc_vmstat
|
||||
proc_zoneinfo
|
||||
}:file r_file_perms;
|
||||
|
||||
# allow listing network interfaces under /sys/class/net.
|
||||
allow shell sysfs_net:dir r_dir_perms;
|
||||
|
||||
r_dir_file(shell, cgroup)
|
||||
allow shell cgroup_desc_file:file r_file_perms;
|
||||
allow shell cgroup_desc_api_file:file r_file_perms;
|
||||
r_dir_file(shell, cgroup_v2)
|
||||
allow shell domain:dir { search open read getattr };
|
||||
allow shell domain:{ file lnk_file } { open read getattr };
|
||||
|
||||
# statvfs() of /proc and other labeled filesystems
|
||||
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
|
||||
allow shell { proc labeledfs }:filesystem getattr;
|
||||
|
||||
# stat() of /dev
|
||||
allow shell device:dir getattr;
|
||||
|
||||
# allow shell to read /proc/pid/attr/current for ps -Z
|
||||
allow shell domain:process getattr;
|
||||
|
||||
# Allow pulling the SELinux policy for CTS purposes
|
||||
allow shell selinuxfs:dir r_dir_perms;
|
||||
allow shell selinuxfs:file r_file_perms;
|
||||
|
||||
# /dev/fd is a symlink
|
||||
allow shell proc:lnk_file getattr;
|
||||
|
||||
# read selinux policy files
|
||||
allow shell file_contexts_file:file r_file_perms;
|
||||
allow shell property_contexts_file:file r_file_perms;
|
||||
allow shell service_contexts_file:file r_file_perms;
|
||||
allow shell sepolicy_file:file r_file_perms;
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -1,22 +1,6 @@
|
|||
type statsd, domain;
|
||||
|
||||
type statsd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Allow statsd to scan through /proc/pid for all processes.
|
||||
r_dir_file(statsd, domain)
|
||||
|
||||
# Allow executing files on system, such as running a shell or running:
|
||||
# /system/bin/toolbox
|
||||
# /system/bin/logcat
|
||||
# /system/bin/dumpsys
|
||||
allow statsd devpts:chr_file { getattr ioctl read write };
|
||||
allow statsd shell_exec:file rx_file_perms;
|
||||
allow statsd system_file:file execute_no_trans;
|
||||
allow statsd toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Allow 'adb shell cmd' to upload configs and download output.
|
||||
allow statsd adbd:fd use;
|
||||
allow statsd adbd:unix_stream_socket { getattr read write };
|
||||
allow statsd shell:fifo_file { getattr read write };
|
||||
|
||||
unix_socket_send(statsd, statsdw, statsd)
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -5,33 +5,6 @@
|
|||
# that adb root works on debuggable VMs even for user builds.
|
||||
type su, domain;
|
||||
|
||||
# Add su to various domains
|
||||
dontaudit su self:capability_class_set *;
|
||||
dontaudit su self:capability2 *;
|
||||
dontaudit su kernel:security *;
|
||||
dontaudit su { kernel file_type }:system *;
|
||||
dontaudit su self:memprotect *;
|
||||
dontaudit su domain:{ process process2 } *;
|
||||
dontaudit su domain:fd *;
|
||||
dontaudit su domain:dir *;
|
||||
dontaudit su domain:lnk_file *;
|
||||
dontaudit su domain:{ fifo_file file } *;
|
||||
dontaudit su domain:socket_class_set *;
|
||||
dontaudit su domain:ipc_class_set *;
|
||||
dontaudit su domain:key *;
|
||||
dontaudit su fs_type:filesystem *;
|
||||
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
|
||||
dontaudit su node_type:node *;
|
||||
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
|
||||
dontaudit su netif_type:netif *;
|
||||
dontaudit su port_type:socket_class_set *;
|
||||
dontaudit su port_type:{ tcp_socket dccp_socket } *;
|
||||
dontaudit su domain:peer *;
|
||||
dontaudit su domain:binder *;
|
||||
dontaudit su property_type:property_service *;
|
||||
dontaudit su property_type:file *;
|
||||
dontaudit su domain:drmservice *;
|
||||
dontaudit su unlabeled:filesystem *;
|
||||
dontaudit su domain:bpf *;
|
||||
dontaudit su unlabeled:vsock_socket *;
|
||||
dontaudit su self:perf_event *;
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -1,2 +1,6 @@
|
|||
type toolbox, domain;
|
||||
type toolbox_exec, file_type, exec_type, system_file_type;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
# Miscellaneous types
|
||||
type system_linker;
|
||||
type vm_payload_key;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -2,3 +2,7 @@
|
|||
# it lives in the rootfs and has no unique file type.
|
||||
type ueventd, domain;
|
||||
type ueventd_tmpfs, file_type;
|
||||
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
|
|
@ -1,147 +1,6 @@
|
|||
# vendor_init is its own domain.
|
||||
type vendor_init, domain;
|
||||
|
||||
# Communication to the main init process
|
||||
allow vendor_init init:unix_stream_socket { read write };
|
||||
|
||||
# Logging to kmsg
|
||||
allow vendor_init kmsg_device:chr_file { open getattr write };
|
||||
|
||||
# Mount on /dev/usb-ffs/adb.
|
||||
allow vendor_init device:dir mounton;
|
||||
|
||||
# Create and remove symlinks in /.
|
||||
allow vendor_init rootfs:lnk_file { create unlink };
|
||||
|
||||
# Create cgroups mount points in tmpfs and mount cgroups on them.
|
||||
allow vendor_init cgroup:dir create_dir_perms;
|
||||
allow vendor_init cgroup:file w_file_perms;
|
||||
allow vendor_init cgroup_v2:dir create_dir_perms;
|
||||
allow vendor_init cgroup_v2:file w_file_perms;
|
||||
|
||||
# /config
|
||||
allow vendor_init configfs:dir mounton;
|
||||
allow vendor_init configfs:dir create_dir_perms;
|
||||
allow vendor_init configfs:{ file lnk_file } create_file_perms;
|
||||
|
||||
# Create directories under /dev/cpuctl after chowning it to system.
|
||||
allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
|
||||
|
||||
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
|
||||
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
|
||||
# system/core/init.rc requires at least cache_file and data_file_type.
|
||||
# init.<board>.rc files often include device-specific types, so
|
||||
# we just allow all file types except /system files here.
|
||||
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
|
||||
|
||||
allow vendor_init system_data_file:dir getattr;
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
|
||||
|
||||
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
-apex_info_file
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { create getattr open read write setattr relabelfrom unlink map };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-apex_mnt_dir
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
}:lnk_file { create getattr setattr relabelfrom unlink };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-exec_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
}:dir_file_class_set relabelto;
|
||||
|
||||
allow vendor_init dev_type:dir create_dir_perms;
|
||||
allow vendor_init dev_type:lnk_file create;
|
||||
|
||||
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
|
||||
allow vendor_init debugfs_tracing:file w_file_perms;
|
||||
|
||||
# chown/chmod on pseudo files.
|
||||
allow vendor_init {
|
||||
fs_type
|
||||
-fusefs_type
|
||||
-rootfs
|
||||
-proc_uid_time_in_state
|
||||
-proc_uid_concurrent_active_time
|
||||
-proc_uid_concurrent_policy_time
|
||||
enforce_debugfs_restriction(`-debugfs_type')
|
||||
}:file { open read setattr map };
|
||||
|
||||
allow vendor_init tracefs_type:file { open read setattr map };
|
||||
|
||||
allow vendor_init {
|
||||
fs_type
|
||||
-fusefs_type
|
||||
-rootfs
|
||||
-proc_uid_time_in_state
|
||||
-proc_uid_concurrent_active_time
|
||||
-proc_uid_concurrent_policy_time
|
||||
}:dir { open read setattr search };
|
||||
|
||||
allow vendor_init dev_type:blk_file getattr;
|
||||
|
||||
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
|
||||
r_dir_file(vendor_init, proc_net_type)
|
||||
allow vendor_init proc_net_type:file w_file_perms;
|
||||
allow vendor_init self:global_capability_class_set net_admin;
|
||||
|
||||
# Write to /proc/sys/vm/page-cluster
|
||||
allow vendor_init proc_page_cluster:file w_file_perms;
|
||||
|
||||
# Write to sysfs nodes.
|
||||
allow vendor_init sysfs_type:dir r_dir_perms;
|
||||
allow vendor_init sysfs_type:lnk_file read;
|
||||
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
|
||||
|
||||
# setfscreatecon() for labeling directories and socket files.
|
||||
allow vendor_init self:process { setfscreate };
|
||||
|
||||
r_dir_file(vendor_init, vendor_file_type)
|
||||
|
||||
# Vendor init can perform operations on trusted and security Extended Attributes
|
||||
allow vendor_init self:global_capability_class_set sys_admin;
|
||||
|
||||
# vendor_init is using bootstrap bionic
|
||||
use_bootstrap_libs(vendor_init)
|
||||
|
||||
# Get file context
|
||||
allow vendor_init file_contexts_file:file r_file_perms;
|
||||
|
||||
# Allow vendor_init to (re)set nice
|
||||
allow vendor_init self:capability sys_nice;
|
||||
|
||||
# chown/chmod on devices, e.g. /dev/ttyHS0
|
||||
allow vendor_init {
|
||||
dev_type
|
||||
-hw_random_device
|
||||
}:chr_file setattr;
|
||||
# public is for vendor-facing type and attribute definitions.
|
||||
# DO NOT ADD allow, neverallow, or dontaudit statements here.
|
||||
# Instead, add such policy rules to private/*.te.
|
||||
|
|
|
|||
Loading…
Reference in a new issue