tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Add SePolicy for system_server accessing sysfs uhid." am: bab989d315 am: cad97b3673

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1507623

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Icd52f14db0ec0995193337a768f738392995952c
This commit is contained in:
Linzhao Ye 2021-01-23 18:02:27 +00:00 committed by Automerger Merge Worker
commit 88ef94ca04
4 changed files with 14 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/compat/30.0/30.0.ignore.cil
View file

@ -76,6 +76,7 @@
snapuserd_socket snapuserd_socket
speech_recognition_service speech_recognition_service
sysfs_devices_cs_etm sysfs_devices_cs_etm
sysfs_uhid
system_server_dumper_service system_server_dumper_service
system_suspend_control_internal_service system_suspend_control_internal_service
task_profiles_api_file task_profiles_api_file

1
private/genfs_contexts
View file

@ -159,6 +159,7 @@ genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0 genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0 genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0 genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0

11
private/system_server.te
View file

@ -374,6 +374,8 @@ allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms; allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search; allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms; allow system_server sysfs_thermal:file r_file_perms;
allow system_server sysfs_uhid:dir r_dir_perms;
allow system_server sysfs_uhid:file rw_file_perms;
# TODO: Remove when HALs are forced into separate processes # TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append }; allow system_server sysfs_vibrator:file { write append };
@ -1269,6 +1271,15 @@ neverallow {
-system_server -system_server
} wifi_config_prop:file no_rw_file_perms; } wifi_config_prop:file no_rw_file_perms;
# Only allow system server to write uhid sysfs files
neverallow {
domain
-init
-system_server
-ueventd
-vendor_init
} sysfs_uhid:file no_w_file_perms;
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177) # can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder

2
public/file.te
View file

@ -121,7 +121,7 @@ type sysfs_lowmemorykiller, fs_type, sysfs_type;
# /sys/module/wlan/parameters/fwpath # /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type; type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type; type sysfs_vibrator, fs_type, sysfs_type;
type sysfs_uhid, fs_type, sysfs_type;
type sysfs_thermal, sysfs_type, fs_type; type sysfs_thermal, sysfs_type, fs_type;
type sysfs_zram, fs_type, sysfs_type; type sysfs_zram, fs_type, sysfs_type;