Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot.
Bug: 311377497 Test: manual - Call getDexoptChrootSetupServiceRegisterer().waitForService() Test: manual - Set up a chroot environment and call getArtdPreRebootServiceRegisterer().waitForService() Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083
This commit is contained in:
parent
41e786ae48
commit
817c49f74c
9 changed files with 38 additions and 1 deletions
|
@ -6,6 +6,7 @@
|
|||
/bin/art_exec u:object_r:art_exec_exec:s0
|
||||
/bin/artd u:object_r:artd_exec:s0
|
||||
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
|
||||
/bin/dexopt_chroot_setup u:object_r:dexopt_chroot_setup_exec:s0
|
||||
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
|
||||
/bin/odrefresh u:object_r:odrefresh_exec:s0
|
||||
/bin/profman u:object_r:profman_exec:s0
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
/bin/art_exec u:object_r:art_exec_exec:s0
|
||||
/bin/artd u:object_r:artd_exec:s0
|
||||
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
|
||||
/bin/dexopt_chroot_setup u:object_r:dexopt_chroot_setup_exec:s0
|
||||
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
|
||||
/bin/odrefresh u:object_r:odrefresh_exec:s0
|
||||
/bin/profman(d)? u:object_r:profman_exec:s0
|
||||
|
|
|
@ -199,7 +199,8 @@ var (
|
|||
"gsiservice": EXCEPTION_NO_FUZZER,
|
||||
"appops": EXCEPTION_NO_FUZZER,
|
||||
"appwidget": EXCEPTION_NO_FUZZER,
|
||||
"artd": EXCEPTION_NO_FUZZER,
|
||||
"artd": []string{"artd_fuzzer"},
|
||||
"artd_pre_reboot": []string{"artd_fuzzer"},
|
||||
"assetatlas": EXCEPTION_NO_FUZZER,
|
||||
"attention": EXCEPTION_NO_FUZZER,
|
||||
"audio": EXCEPTION_NO_FUZZER,
|
||||
|
@ -251,6 +252,7 @@ var (
|
|||
"device_lock": EXCEPTION_NO_FUZZER,
|
||||
"device_state": EXCEPTION_NO_FUZZER,
|
||||
"devicestoragemonitor": EXCEPTION_NO_FUZZER,
|
||||
"dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
|
||||
"diskstats": EXCEPTION_NO_FUZZER,
|
||||
"display": EXCEPTION_NO_FUZZER,
|
||||
"dnsresolver": []string{"resolv_service_fuzzer"},
|
||||
|
|
|
@ -7,6 +7,7 @@ type artd_tmpfs, file_type;
|
|||
# Allow artd to publish a binder service and make binder calls.
|
||||
binder_use(artd)
|
||||
add_service(artd, artd_service)
|
||||
add_service(artd, artd_pre_reboot_service)
|
||||
allow artd dumpstate:fifo_file { getattr write };
|
||||
allow artd dumpstate:fd use;
|
||||
|
||||
|
|
|
@ -6,7 +6,9 @@
|
|||
(typeattributeset new_objects
|
||||
( new_objects
|
||||
archive_service
|
||||
artd_pre_reboot_service
|
||||
contextual_search_service
|
||||
dexopt_chroot_setup_service
|
||||
dtbo_block_device
|
||||
ota_build_prop
|
||||
snapuserd_log_data_file
|
||||
|
|
23
private/dexopt_chroot_setup.te
Normal file
23
private/dexopt_chroot_setup.te
Normal file
|
@ -0,0 +1,23 @@
|
|||
type dexopt_chroot_setup, domain, coredomain;
|
||||
type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
|
||||
type dexopt_chroot_setup_tmpfs, file_type;
|
||||
|
||||
# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
|
||||
binder_use(dexopt_chroot_setup)
|
||||
add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
|
||||
allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
|
||||
allow dexopt_chroot_setup dumpstate:fd use;
|
||||
|
||||
init_daemon_domain(dexopt_chroot_setup)
|
||||
|
||||
# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
|
||||
# own label, which differs from other labels created by other processes.
|
||||
# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
|
||||
# processes.
|
||||
tmpfs_domain(dexopt_chroot_setup)
|
||||
|
||||
# libart (mark_compact.cc) has some intialization code that touches the cache
|
||||
# info file and userfaultfd.
|
||||
allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
|
||||
r_dir_file(dexopt_chroot_setup, apex_art_data_file)
|
||||
userfaultfd_use(dexopt_chroot_setup)
|
|
@ -179,6 +179,7 @@ gsiservice u:object_r:gsi_service:s0
|
|||
appops u:object_r:appops_service:s0
|
||||
appwidget u:object_r:appwidget_service:s0
|
||||
artd u:object_r:artd_service:s0
|
||||
artd_pre_reboot u:object_r:artd_pre_reboot_service:s0
|
||||
assetatlas u:object_r:assetatlas_service:s0
|
||||
attention u:object_r:attention_service:s0
|
||||
audio u:object_r:audio_service:s0
|
||||
|
@ -230,6 +231,7 @@ deviceidle u:object_r:deviceidle_service:s0
|
|||
device_lock u:object_r:devicelock_service:s0
|
||||
device_state u:object_r:device_state_service:s0
|
||||
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
|
||||
dexopt_chroot_setup u:object_r:dexopt_chroot_setup_service:s0
|
||||
diskstats u:object_r:diskstats_service:s0
|
||||
display u:object_r:display_service:s0
|
||||
dnsresolver u:object_r:dnsresolver_service:s0
|
||||
|
|
|
@ -283,6 +283,7 @@ binder_call(system_server, appdomain)
|
|||
binder_call(system_server, artd)
|
||||
binder_call(system_server, binderservicedomain)
|
||||
binder_call(system_server, composd)
|
||||
binder_call(system_server, dexopt_chroot_setup)
|
||||
binder_call(system_server, dumpstate)
|
||||
binder_call(system_server, fingerprintd)
|
||||
binder_call(system_server, gatekeeperd)
|
||||
|
@ -940,12 +941,14 @@ allow system_server kernel:security read_policy;
|
|||
|
||||
add_service(system_server, system_server_service);
|
||||
allow system_server artd_service:service_manager find;
|
||||
allow system_server artd_pre_reboot_service:service_manager find;
|
||||
allow system_server audioserver_service:service_manager find;
|
||||
allow system_server authorization_service:service_manager find;
|
||||
allow system_server batteryproperties_service:service_manager find;
|
||||
allow system_server cameraserver_service:service_manager find;
|
||||
allow system_server compos_service:service_manager find;
|
||||
allow system_server dataloader_manager_service:service_manager find;
|
||||
allow system_server dexopt_chroot_setup_service:service_manager find;
|
||||
allow system_server dnsresolver_service:service_manager find;
|
||||
allow system_server drmserver_service:service_manager find;
|
||||
allow system_server dumpstate_service:service_manager find;
|
||||
|
|
|
@ -2,6 +2,7 @@ type aidl_lazy_test_service, service_manager_type;
|
|||
type apc_service, service_manager_type;
|
||||
type apex_service, service_manager_type;
|
||||
type artd_service, service_manager_type;
|
||||
type artd_pre_reboot_service, service_manager_type;
|
||||
type audioserver_service, service_manager_type, isolated_compute_allowed_service;
|
||||
type authorization_service, service_manager_type;
|
||||
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
|
||||
|
@ -10,6 +11,7 @@ type cameraserver_service, service_manager_type, isolated_compute_allowed_s
|
|||
type fwk_camera_service, service_manager_type;
|
||||
type default_android_service, service_manager_type;
|
||||
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
|
||||
type dexopt_chroot_setup_service, service_manager_type;
|
||||
type dnsresolver_service, service_manager_type;
|
||||
type drmserver_service, service_manager_type;
|
||||
type dumpstate_service, service_manager_type;
|
||||
|
|
Loading…
Reference in a new issue