Remove redundant sepolicy

We don't use MLS in Microdroid, so we don't need MLS rules, nor
mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy
checkpolicy.)

A lot of attributes are unused in Microdroid, so we can remove their
declarations and any references to them. (That may not make the
compiled policy smaller, since hopefully they get optimised out
anyway, but it means there is less policy for humans to deal with.)

Remove labels that relate only to apps, which we don't have - MAC
permissions, run-as, seapp_contexts.

In passing, fix a misplaced and stale comment on the su domain in both system & microdroid policy.

Bug: 223596375
Test: Run staged-apex-compile & compos_verify, no denials
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
Alan Stokes 2022-03-09 16:41:06 +00:00
parent 45b7782c2b
commit 7bde36e94e
19 changed files with 67 additions and 380 deletions


@ -1,5 +1,4 @@
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
init_daemon_domain(adbd)


@ -1,12 +1 @@
hal_attribute(lazy_test);
# This is applied to apps on vendor images with SDK <=30 only,
# to exempt them from recent mls changes. It must not be applied
# to any domain on newer system or vendor image.
attribute mlsvendorcompat;
# Attributes for property types having both system_property_type
# and vendor_property_type. Such types are ill-formed because
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
#


@ -182,7 +182,7 @@ allow domain fs_type:dir getattr;
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
# Restrict PTYs to only allowed ioctls.
@ -427,10 +427,6 @@ neverallow {
domain
-tombstoned
-crash_dump
# Processes that can't exec crash_dump
-hal_codec2_server
-hal_omx_server
} tombstoned_crash_socket:unix_stream_socket connectto;
# Never allow anyone to connect or write to
@ -500,7 +496,6 @@ neverallow {
domain
-adbd
-init
-runas
} shell:process { transition dyntransition };
# Minimize read access to shell-writable symlinks.


@ -112,7 +112,6 @@
/system/bin/init u:object_r:init_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
@ -132,11 +131,9 @@
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
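Review bot: Deleting the `/system/bin/run-as`, `plat_mac_permissions.xml` and `plat_seapp_contexts` entries is only safe if those paths are guaranteed absent from the Microdroid image; the section does not show the catch-all `/system(/.*)?` rule, but if the files are still shipped they presumably fall back to the generic system label (likely `system_file`), which is readable and executable by far more domains than the dedicated `runas_exec`, `mac_perms_file` and `seapp_contexts_file` types they had before. That matters most for run-as, whose dedicated exec type no domain can now transition through after the runas domain removal. If the image build already excludes these paths, a sentence in the commit message or a build-time check (e.g. the existing file_contexts/image consistency test, if Microdroid has one) would pin that assumption; otherwise keep the labels until the binaries are confirmed gone.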


@ -90,9 +90,7 @@ dontaudit kernel device:dir { open read relabelto };
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
file_contexts_file
mac_perms_file
property_contexts_file
seapp_contexts_file
sepolicy_test_file
service_contexts_file
}:file relabelto;


@ -2,88 +2,11 @@
# MLS policy constraints
#
#
# Process constraints
#
# We aren't using MLS in Microdroid. But the policy grammar requires
# at least one MLS declaration, and checkpolicy enforces this. We
# don't want to disable MLS, since we share some file labels with the
# host (e.g. files in APEXes) which does have MLS. So we include this
# fairly harmless constraint.
# Process transition: Require equivalence unless the subject is trusted.
mlsconstrain process { transition dyntransition }
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(l1 dom l2 or t1 == mlstrustedsubject);
# Process write operations: Require equivalence unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
(l1 eq l2 or t1 == mlstrustedsubject);
#
# Socket constraints
#
# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.
mlsconstrain unix_dgram_socket { sendto }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
# Stream connect: Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
#
# Directory/file constraints
#
# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
# Constraints for file types other than app data files.
#
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
or (t1 == mlsvendorcompat and t2 == system_data_file) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr }
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
mlsconstrain fifo_file { write setattr append unlink link rename }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
# Process transition: Require equivalence.
mlsconstrain process { transition dyntransition } (h1 eq h2 and l1 eq l2);
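Review bot: The retained `mlsconstrain process { transition dyntransition } (h1 eq h2 and l1 eq l2)` is described as "fairly harmless", but now that every `mlstrustedsubject` exemption is gone it would hard-deny any transition between differently-levelled contexts, so the comment should state the assumption that makes it a no-op. Based on the rest of the commit, every Microdroid context is single-level `s0` (the file_contexts entries all end in `:s0` and seapp_contexts, the only mechanism that assigned categories, is removed), so the constraint can never fire today. I would replace "So we include this fairly harmless constraint." with `# All Microdroid contexts are single-level s0 (file_contexts assigns :s0 everywhere and there is no seapp_contexts to add categories), so this constraint can never deny; it only becomes live if levels or categories are ever introduced.` That gives the next maintainer the invariant to check before adding any non-s0 label.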


@ -1,4 +1,4 @@
typeattribute shell coredomain, mlstrustedsubject;
typeattribute shell coredomain;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;


@ -37,11 +37,6 @@ expandattribute data_file_type false;
attribute core_data_file_type;
expandattribute core_data_file_type false;
# All types used for app private data files in seapp_contexts.
# Such types should not be applied to any other files.
attribute app_data_file_type;
expandattribute app_data_file_type false;
# All types in /system
attribute system_file_type;
@ -85,18 +80,6 @@ attribute port_type;
# definition in tools/checkfc.c.
attribute property_type;
# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;
# All properties used to configure log filtering.
attribute log_property_type;
# All properties that are not specific to device but are added from
# outside of AOSP. (e.g. OEM-specific properties)
# These properties are not accessible from device-specific domains
attribute extended_core_property_type;
# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.
@ -116,9 +99,6 @@ expandattribute system_restricted_property_type false;
attribute system_public_property_type;
expandattribute system_public_property_type false;
# All keystore2_key labels.
attribute keystore2_key_type;
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
@ -143,21 +123,6 @@ expandattribute vendor_restricted_property_type false;
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
# All service_manager types created by system_server
attribute system_server_service;
# services which should be available to all but isolated apps
attribute app_api_service;
# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;
# services which export only system_api
attribute system_api_service;
# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;
# services which served by vendor and also using the copy of libbinder on
# system (for instance via libbinder_ndk). services using a different copy
# of libbinder currently need their own context manager (e.g.
@ -169,32 +134,6 @@ attribute vendor_service;
# definition in tools/checkfc.c.
attribute service_manager_type;
# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;
# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;
# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;
# All HwBinder services that untrusted apps can't directly access
attribute protected_hwservice;
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
# All domains used for apps with network access.
attribute netdomain;
@ -204,171 +143,26 @@ attribute bluetoothdomain;
# All domains used for binder service domains.
attribute binderservicedomain;
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
# All vendor hwservice.
attribute vendor_hwservice_type;
# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;
# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;
# All domains which violate the requirement of not sharing files by path
# between between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;
# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;
# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;
# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;
pdx_service_attributes(display_client)
pdx_service_attributes(display_manager)
pdx_service_attributes(display_screenshot)
pdx_service_attributes(display_vsync)
pdx_service_attributes(performance_client)
pdx_service_attributes(bufferhub_client)
# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
expandattribute halclientdomain true;
# Exempt for halserverdomain to access sockets. Only builds for automotive
# device types are allowed to use this attribute (enforced by CTS).
# Unlike phone, in a car many modules are external from Android perspective and
# HALs should be able to communicate with those devices through sockets.
attribute hal_automotive_socket_exemption;
# HALs
hal_attribute(allocator);
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(can_bus);
hal_attribute(can_controller);
hal_attribute(cas);
hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(dice);
hal_attribute(drm);
hal_attribute(evs);
hal_attribute(face);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
hal_attribute(graphics_allocator);
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
hal_attribute(power_stats);
hal_attribute(rebootescrow);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(tv_cec);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
hal_attribute(wifi);
hal_attribute(wifi_hostapd);
hal_attribute(wifi_supplicant);
# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
attribute system_suspend_internal_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;
# All types used for super partition block devices.
attribute super_block_device_type;
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;
attribute fusefs_type;
# All types run from microdroid_manager as a payload


@ -1,41 +1,41 @@
type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type binder_device, dev_type, mlstrustedobject;
type ashmem_device, dev_type;
type ashmem_libcutils_device, dev_type;
type binder_device, dev_type;
type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
type dm_device, dev_type;
type dm_user_device, dev_type;
type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
type fuse_device, dev_type, mlstrustedobject;
type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
type fuse_device, dev_type;
type hw_random_device, dev_type;
type hwbinder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type;
type kmsg_debug_device, dev_type;
type kmsg_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type;
type kvm_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type null_device, dev_type;
type open_dice_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type owntty_device, dev_type;
type ppp_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type ptmx_device, dev_type;
type ram_device, dev_type;
type random_device, dev_type, mlstrustedobject;
type random_device, dev_type;
type rtc_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
type tty_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type uhid_device, dev_type, mlstrustedobject;
type tun_device, dev_type;
type uhid_device, dev_type;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
type vd_device, dev_type;
type vndbinder_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
type zero_device, dev_type;


@ -2,7 +2,6 @@ type system_linker_exec, file_type, system_file_type;
# file types
type adbd_socket, file_type, coredomain_socket;
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
type authfs_data_file, file_type, data_file_type, core_data_file_type;
@ -12,20 +11,18 @@ type cgroup_rc_file, file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
type linkerconfig_file, file_type;
type logd_socket, file_type, mlstrustedobject, coredomain_socket;
type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
type mac_perms_file, file_type, system_file_type;
type logd_socket, file_type, coredomain_socket;
type logdr_socket, file_type, coredomain_socket;
type logdw_socket, file_type, coredomain_socket;
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
type property_contexts_file, file_type, system_file_type;
type property_socket, file_type, mlstrustedobject, coredomain_socket;
type property_socket, file_type, coredomain_socket;
type runtime_event_log_tags_file, file_type;
type seapp_contexts_file, file_type, system_file_type;
type sepolicy_file, file_type, system_file_type;
type service_contexts_file, file_type, system_file_type;
type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
type shell_data_file, file_type, data_file_type, core_data_file_type;
type shell_test_data_file, file_type, data_file_type, core_data_file_type;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type statsdw_socket, file_type, coredomain_socket;
type system_bootstrap_lib_file, file_type, system_file_type;
type system_data_file, file_type, data_file_type, core_data_file_type;
type system_data_root_file, file_type, data_file_type, core_data_file_type;
@ -39,11 +36,11 @@ type system_seccomp_policy_file, file_type, system_file_type;
type system_security_cacerts_file, file_type, system_file_type;
type task_profiles_api_file, file_type, system_file_type;
type task_profiles_file, file_type, system_file_type;
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
type tombstone_data_file, file_type, data_file_type, core_data_file_type;
type tombstoned_crash_socket, file_type, coredomain_socket;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type tombstoned_java_trace_socket, file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type;
type unlabeled, file_type;
type vendor_configs_file, file_type, vendor_file_type;
type vendor_data_file, file_type, data_file_type;
@ -55,7 +52,7 @@ type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
type binfmt_miscfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type cgroup, fs_type;
type cgroup_v2, fs_type;
type config_gz, fs_type, proc_type;
type configfs, fs_type;
@ -65,22 +62,22 @@ type debugfs_kcov, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
type devpts, fs_type, mlstrustedobject;
type devpts, fs_type;
type devtmpfs;
type exfat, fs_type, sdcard_type, mlstrustedobject;
type exfat, fs_type, sdcard_type;
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type functionfs, fs_type, mlstrustedobject;
type fuse, fs_type, fusefs_type, mlstrustedobject;
type functionfs, fs_type;
type fuse, fs_type, fusefs_type;
type fusectlfs, fs_type;
type inotify, fs_type, mlstrustedobject;
type inotify, fs_type;
type labeledfs, fs_type;
type mqueue, fs_type;
type pipefs, fs_type;
@ -126,8 +123,8 @@ type proc_pipe_conf, fs_type, proc_type;
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
type proc_qtaguid_ctrl, fs_type, proc_type;
type proc_qtaguid_stat, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_security, fs_type, proc_type;
@ -152,14 +149,14 @@ type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type pstorefs, fs_type;
type rootfs, fs_type;
type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
type sdcardfs, fs_type, sdcard_type;
type securityfs, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type selinuxfs, fs_type;
type shm, fs_type;
type sockfs, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_bluetooth_writable, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_devices_cs_etm, fs_type, sysfs_type;
type sysfs_devices_system_cpu, fs_type, sysfs_type;
@ -177,12 +174,12 @@ type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_kernel_notes, fs_type, sysfs_type;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_loop, fs_type, sysfs_type;
type sysfs_lowmemorykiller, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
@ -200,4 +197,4 @@ type sysfs_zram_uevent, fs_type, sysfs_type;
type tmpfs, fs_type;
type usbfs, fs_type;
type usermodehelper, fs_type, proc_type;
type vfat, fs_type, sdcard_type, mlstrustedobject;
type vfat, fs_type, sdcard_type;


@ -1,5 +1,5 @@
# init is its own domain.
type init, domain, mlstrustedsubject;
type init, domain;
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;


@ -1,2 +1,2 @@
# Life begins with the kernel.
type kernel, domain, mlstrustedsubject;
type kernel, domain;


@ -1,2 +0,0 @@
type runas, domain, mlstrustedsubject, coredomain;
type runas_exec, file_type, exec_type, system_file_type;


@ -1,5 +1,5 @@
# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell, domain;
type shell_exec, system_file_type, exec_type, file_type;
# Create and use network sockets.
@ -77,6 +77,5 @@ allow shell proc:lnk_file getattr;
# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;


@ -1,4 +1,4 @@
type statsd, domain, mlstrustedsubject;
type statsd, domain;
type statsd_exec, system_file_type, exec_type, file_type;
binder_use(statsd)


@ -1,3 +1,6 @@
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
@ -6,11 +9,6 @@ type su, domain;
type su_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
typeattribute su mlstrustedsubject;
# Add su to various domains
net_domain(su)
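Review bot: The relocated header now correctly says the su type is declared on all build variants, but the `userdebug_or_eng(` block itself is left without any explanation of what is and is not gated, which is exactly the confusion the old (wrong) "wrapped so it does not exist on -user builds" sentence caused. A one-line comment at the top of the block would close that gap: `# Only the rules below are variant-gated; the su type itself is declared unconditionally above so that su_exec and other references stay valid in -user policy.` The `userdebug_or_eng(` block continues past the end of this hunk, so I cannot see whether it already carries such a note further down.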


@ -1,11 +1,11 @@
# Miscellaneous types
type adb_service, system_server_service, system_api_service, service_manager_type;
type adb_service, service_manager_type;
type apex_service, service_manager_type;
type authfs_binder_service, service_manager_type;
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
type hal_dice_service, protected_service, vendor_service, service_manager_type;
type hal_dice_service, vendor_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
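Review bot: Dropping `protected_service` from `hal_dice_service` removes the only attribute-level statement that this service is access-restricted; in host policy that attribute backs a neverallow against app domains, which do not exist in Microdroid, so the change is behaviour-neutral today, but afterwards the DICE HAL service (which, as its name indicates, sits on the device-identity chain) is guarded solely by the absence of `allow … hal_dice_service:service_manager find` rules. Since `hal_attribute(dice)` and the related server/client attributes are also being removed in this commit, consider adding a Microdroid-specific neverallow that limits `hal_dice_service:service_manager find` to the domains actually meant to talk to the DICE HAL, or at least a comment on this line naming those clients so the restriction is not lost in a later cleanup. `adb_service` losing `system_server_service, system_api_service` looks fine given there is no system_server here.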


@ -1,5 +1,5 @@
# vendor_init is its own domain.
type vendor_init, domain, mlstrustedsubject;
type vendor_init, domain;
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };


@ -1,3 +1,6 @@
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
@ -6,9 +9,6 @@ type su, domain;
type su_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
typeattribute su mlstrustedsubject;
# Add su to various domains