Fix CTS regressions
am: 6a28b68d54
Change-Id: I774787b48c0b5f6f20313ee6f9c8062db4072e84
This commit is contained in:
commit
7dc46564d0
7 changed files with 13 additions and 14 deletions
|
@ -467,8 +467,8 @@ neverallow {
|
|||
domain
|
||||
-adbd
|
||||
-dumpstate
|
||||
-hal_drm
|
||||
-hal_cas
|
||||
-hal_drm_server
|
||||
-hal_cas_server
|
||||
-init
|
||||
-mediadrmserver
|
||||
-recovery
|
||||
|
@ -508,7 +508,7 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
|
|||
neverallow {
|
||||
domain
|
||||
userdebug_or_eng(`-domain') # exclude debuggable builds
|
||||
-hal_bootctl
|
||||
-hal_bootctl_server
|
||||
-init
|
||||
-uncrypt
|
||||
-update_engine
|
||||
|
|
|
@ -23,11 +23,11 @@ allow hal_audio dumpstate:fifo_file write;
|
|||
###
|
||||
|
||||
# Should never execute any executable without a domain transition
|
||||
neverallow hal_audio { file_type fs_type }:file execute_no_trans;
|
||||
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# Should never need network access.
|
||||
# Disallow network sockets.
|
||||
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
||||
# Only audio HAL may directly access the audio hardware
|
||||
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
|
||||
|
|
|
@ -23,10 +23,10 @@ allow hal_camera hal_allocator_server:fd use;
|
|||
|
||||
# hal_camera should never execute any executable without a
|
||||
# domain transition
|
||||
neverallow hal_camera { file_type fs_type }:file execute_no_trans;
|
||||
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# hal_camera should never need network access. Disallow network sockets.
|
||||
neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
||||
# Only camera HAL may directly access the camera hardware
|
||||
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
|
||||
|
|
|
@ -7,7 +7,7 @@ allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
|
|||
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
|
||||
|
||||
# Permit reading device's serial number from system properties
|
||||
get_prop(hal_cas, serialno_prop)
|
||||
get_prop(hal_cas_server, serialno_prop)
|
||||
|
||||
# Read files already opened under /data
|
||||
allow hal_cas system_data_file:file { getattr read };
|
||||
|
@ -29,7 +29,7 @@ allow hal_cas tee_device:chr_file rw_file_perms;
|
|||
|
||||
# hal_cas should never execute any executable without a
|
||||
# domain transition
|
||||
neverallow hal_cas { file_type fs_type }:file execute_no_trans;
|
||||
neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# do not allow privileged socket ioctl commands
|
||||
neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
||||
neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
||||
|
|
|
@ -47,7 +47,7 @@ allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
|
|||
|
||||
# hal_drm should never execute any executable without a
|
||||
# domain transition
|
||||
neverallow hal_drm { file_type fs_type }:file execute_no_trans;
|
||||
neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# do not allow privileged socket ioctl commands
|
||||
neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
||||
neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
||||
|
|
|
@ -213,7 +213,6 @@ expandattribute hal_$1_client true;
|
|||
attribute hal_$1_server;
|
||||
expandattribute hal_$1_server false;
|
||||
|
||||
neverallow { hal_$1_client -halclientdomain } domain:process fork;
|
||||
neverallow { hal_$1_server -halserverdomain } domain:process fork;
|
||||
')
|
||||
|
||||
|
|
|
@ -210,7 +210,7 @@ neverallow { domain -vold -init } restorecon_prop:property_service set;
|
|||
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
|
||||
neverallow vold {
|
||||
domain
|
||||
-hal_keymaster
|
||||
-hal_keymaster_server
|
||||
-healthd
|
||||
-hwservicemanager
|
||||
-servicemanager
|
||||
|
|
Loading…
Reference in a new issue