Merge "SEPolicy Prebuilts for P" into pi-dev
commit
94c1113cc8
37 changed files with 297 additions and 54 deletions
|
@ -93,9 +93,7 @@ neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_fil
|
|||
# application un-installation.
|
||||
neverallow { all_untrusted_apps -mediaprovider } {
|
||||
fs_type
|
||||
-fuse # sdcard
|
||||
-sdcardfs # sdcard
|
||||
-vfat
|
||||
-sdcard_type
|
||||
file_type
|
||||
-app_data_file # The apps sandbox itself
|
||||
-media_rw_data_file # Internal storage. Known that apps can
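Review bot: The `-sdcard_type` exemption in this neverallow has no comment, while the three type lines it appears to replace (`-fuse`, `-sdcardfs`, `-vfat`) each said what they were for. Because it is an attribute, any type later tagged `sdcard_type` (as `exfat` is in the file.te hunk of this commit) is exempted from this neverallow without this file changing. I would add a trailing comment such as `-sdcard_type # sdcard: fuse, sdcardfs, vfat, exfat` so a reader can see what the exemption covers today. The neverallow continues past the end of the hunk.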
|
||||
|
|
|
@ -1,7 +1,45 @@
|
|||
dexoptanalyzer apk_data_file file 77853712
|
||||
dexoptanalyzer app_data_file file 77853712
|
||||
dexoptanalyzer app_data_file lnk_file 77853712
|
||||
dexoptanalyzer system_data_file lnk_file 77853712
|
||||
dnsmasq netd fifo_file 77868789
|
||||
dnsmasq netd unix_stream_socket 77868789
|
||||
init app_data_file file 77873135
|
||||
init cache_file blk_file 77873135
|
||||
init logpersist file 77873135
|
||||
init nativetest_data_file dir 77873135
|
||||
init pstorefs dir 77873135
|
||||
init shell_data_file dir 77873135
|
||||
init shell_data_file file 77873135
|
||||
init shell_data_file lnk_file 77873135
|
||||
init shell_data_file sock_file 77873135
|
||||
init system_data_file chr_file 77873135
|
||||
mediaextractor app_data_file file 77923736
|
||||
mediaextractor radio_data_file file 77923736
|
||||
mediaprovider cache_file blk_file 77925342
|
||||
mediaprovider mnt_media_rw_file dir 77925342
|
||||
mediaprovider shell_data_file dir 77925342
|
||||
netd priv_app unix_stream_socket 77870037
|
||||
netd untrusted_app unix_stream_socket 77870037
|
||||
netd untrusted_app_25 unix_stream_socket 77870037
|
||||
netd untrusted_app_27 unix_stream_socket 77870037
|
||||
otapreopt_chroot postinstall_file lnk_file 75287236
|
||||
platform_app nfc_data_file dir 74331887
|
||||
postinstall postinstall capability 77958490
|
||||
postinstall_dexopt postinstall_dexopt capability 77958490
|
||||
postinstall_dexopt user_profile_data_file file 77958490
|
||||
priv_app system_data_file dir 72811052
|
||||
profman apk_data_file dir 77922323
|
||||
radio statsdw_socket sock_file 78456764
|
||||
statsd hal_health_default binder 77919007
|
||||
storaged storaged capability 77634061
|
||||
surfaceflinger mediacodec binder 77924251
|
||||
system_server crash_dump process 73128755
|
||||
system_server logd_socket sock_file 64734187
|
||||
system_server sdcardfs file 77856826
|
||||
system_server zygote process 77856826
|
||||
untrusted_app_25 system_data_file dir 72550646
|
||||
untrusted_app_27 system_data_file dir 72550646
|
||||
usbd usbd capability 72472544
|
||||
system_server sysfs file 77816522
|
||||
zygote untrusted_app_25 process 77925912
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
crossprofileapps_service
|
||||
e2fs
|
||||
e2fs_exec
|
||||
exfat
|
||||
exported_bluetooth_prop
|
||||
exported_config_prop
|
||||
exported_dalvik_prop
|
||||
|
@ -43,17 +44,20 @@
|
|||
exported3_system_prop
|
||||
fingerprint_vendor_data_file
|
||||
fs_bpf
|
||||
hal_audiocontrol_hwservice
|
||||
hal_authsecret_hwservice
|
||||
hal_broadcastradio_hwservice
|
||||
hal_cas_hwservice
|
||||
hal_codec2_hwservice
|
||||
hal_confirmationui_hwservice
|
||||
hal_evs_hwservice
|
||||
hal_lowpan_hwservice
|
||||
hal_neuralnetworks_hwservice
|
||||
hal_secure_element_hwservice
|
||||
hal_tetheroffload_hwservice
|
||||
hal_wifi_hostapd_hwservice
|
||||
hal_usb_gadget_hwservice
|
||||
hal_vehicle_hwservice
|
||||
hal_wifi_offload_hwservice
|
||||
incident_helper
|
||||
incident_helper_exec
|
||||
|
@ -64,6 +68,8 @@
|
|||
lowpan_service
|
||||
mediaextractor_update_service
|
||||
mediaprovider_tmpfs
|
||||
metadata_file
|
||||
mnt_vendor_file
|
||||
netd_stable_secret_prop
|
||||
network_watchlist_data_file
|
||||
network_watchlist_service
|
||||
|
@ -86,6 +92,8 @@
|
|||
statsd
|
||||
statsd_exec
|
||||
statsd_tmpfs
|
||||
statsdw
|
||||
statsdw_socket
|
||||
statscompanion_service
|
||||
storaged_data_file
|
||||
sysfs_fs_ext4_features
|
||||
|
@ -105,6 +113,7 @@
|
|||
traceur_app_tmpfs
|
||||
traced
|
||||
traced_consumer_socket
|
||||
traced_enabled_prop
|
||||
traced_exec
|
||||
traced_probes
|
||||
traced_probes_exec
|
||||
|
@ -114,6 +123,7 @@
|
|||
untrusted_app_all_devpts
|
||||
update_engine_log_data_file
|
||||
vendor_default_prop
|
||||
vendor_security_patch_level_prop
|
||||
usbd
|
||||
usbd_exec
|
||||
usbd_tmpfs
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
bpfloader_exec
|
||||
cgroup_bpf
|
||||
crossprofileapps_service
|
||||
exfat
|
||||
exported2_config_prop
|
||||
exported2_default_prop
|
||||
exported2_radio_prop
|
||||
|
@ -39,12 +40,15 @@
|
|||
exported_wifi_prop
|
||||
fingerprint_vendor_data_file
|
||||
fs_bpf
|
||||
hal_audiocontrol_hwservice
|
||||
hal_authsecret_hwservice
|
||||
hal_codec2_hwservice
|
||||
hal_confirmationui_hwservice
|
||||
hal_evs_hwservice
|
||||
hal_lowpan_hwservice
|
||||
hal_secure_element_hwservice
|
||||
hal_usb_gadget_hwservice
|
||||
hal_vehicle_hwservice
|
||||
hal_wifi_hostapd_hwservice
|
||||
incident_helper
|
||||
incident_helper_exec
|
||||
|
@ -53,6 +57,8 @@
|
|||
lowpan_prop
|
||||
lowpan_service
|
||||
mediaextractor_update_service
|
||||
metadata_file
|
||||
mnt_vendor_file
|
||||
network_watchlist_data_file
|
||||
network_watchlist_service
|
||||
perfetto
|
||||
|
@ -74,6 +80,8 @@
|
|||
statsd
|
||||
statsd_exec
|
||||
statsd_tmpfs
|
||||
statsdw
|
||||
statsdw_socket
|
||||
storaged_data_file
|
||||
system_boot_reason_prop
|
||||
system_update_service
|
||||
|
@ -81,6 +89,7 @@
|
|||
trace_data_file
|
||||
traced
|
||||
traced_consumer_socket
|
||||
traced_enabled_prop
|
||||
traced_exec
|
||||
traced_probes
|
||||
traced_probes_exec
|
||||
|
@ -96,6 +105,7 @@
|
|||
usbd_tmpfs
|
||||
vendor_default_prop
|
||||
vendor_init
|
||||
vendor_security_patch_level_prop
|
||||
vendor_shell
|
||||
vold_metadata_file
|
||||
vold_prepare_subdirs
|
||||
|
|
|
@ -4,6 +4,8 @@ type config_gz, fs_type, proc_type;
|
|||
# /data/misc/stats-data, /data/misc/stats-service
|
||||
type stats_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
|
||||
# /data/misc/storaged
|
||||
type storaged_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
|
|
|
@ -132,6 +132,7 @@
|
|||
/dev/socket/logd u:object_r:logd_socket:s0
|
||||
/dev/socket/logdr u:object_r:logdr_socket:s0
|
||||
/dev/socket/logdw u:object_r:logdw_socket:s0
|
||||
/dev/socket/statsdw u:object_r:statsdw_socket:s0
|
||||
/dev/socket/mdns u:object_r:mdns_socket:s0
|
||||
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
|
||||
/dev/socket/mtpd u:object_r:mtpd_socket:s0
|
||||
|
@ -526,3 +527,7 @@
|
|||
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
|
||||
/mnt/runtime(/.*)? u:object_r:storage_file:s0
|
||||
/storage(/.*)? u:object_r:storage_file:s0
|
||||
|
||||
#############################
|
||||
# mount point for read-write vendor partitions
|
||||
/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
|
||||
|
|
|
@ -229,6 +229,7 @@ genfscon debugfs /tracing/events/lowmemorykiller/
|
|||
|
||||
genfscon inotifyfs / u:object_r:inotify:s0
|
||||
genfscon vfat / u:object_r:vfat:s0
|
||||
genfscon exfat / u:object_r:exfat:s0
|
||||
genfscon debugfs / u:object_r:debugfs:s0
|
||||
genfscon fuse / u:object_r:fuse:s0
|
||||
genfscon configfs / u:object_r:configfs:s0
|
||||
|
|
|
@ -4,6 +4,9 @@ android.frameworks.sensorservice::ISensorManager u:object_r:fwk_s
|
|||
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
|
||||
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
|
||||
android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
|
||||
android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
|
||||
android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
|
||||
android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
|
||||
android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
|
||||
android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
|
||||
android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
|
||||
|
|
|
@ -6,3 +6,4 @@ add_hwservice(hwservicemanager, hidl_manager_hwservice)
|
|||
add_hwservice(hwservicemanager, hidl_token_hwservice)
|
||||
|
||||
set_prop(hwservicemanager, ctl_default_prop)
|
||||
set_prop(hwservicemanager, ctl_dumpstate_prop)
|
||||
|
|
|
@ -34,8 +34,8 @@ allow platform_app cache_file:file create_file_perms;
|
|||
# Direct access to vold-mounted storage under /mnt/media_rw
|
||||
# This is a performance optimization that allows platform apps to bypass the FUSE layer
|
||||
allow platform_app mnt_media_rw_file:dir r_dir_perms;
|
||||
allow platform_app vfat:dir create_dir_perms;
|
||||
allow platform_app vfat:file create_file_perms;
|
||||
allow platform_app sdcard_type:dir create_dir_perms;
|
||||
allow platform_app sdcard_type:file create_file_perms;
|
||||
|
||||
# com.android.systemui
|
||||
allow platform_app rootfs:dir getattr;
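Review bot: The two `allow platform_app sdcard_type:...` rules, which appear to replace the `vfat` rules, sit under a comment describing direct access to vold-mounted storage that bypasses the FUSE layer. The file.te hunk in this commit gives `fuse` and `sdcardfs` the `sdcard_type` attribute too, so the comment no longer describes what is granted. The app.te hunk also grants the same create permissions on `sdcard_type` to `{ appdomain -isolated_app -ephemeral_app }`; if platform_app is in that set, which is not visible here, these two rules add nothing. Either reword the comment, e.g. `# Access to all sdcard_type filesystems, including vold-mounted storage under /mnt/media_rw`, or drop the rules if they are redundant.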
|
||||
|
|
|
@ -140,6 +140,7 @@ unix_socket_connect(priv_app, traced_producer, traced)
|
|||
# suppress denials for non-API accesses.
|
||||
dontaudit priv_app exec_type:file getattr;
|
||||
dontaudit priv_app device:dir read;
|
||||
dontaudit priv_app fs_bpf:dir search;
|
||||
dontaudit priv_app net_dns_prop:file read;
|
||||
dontaudit priv_app proc:file read;
|
||||
dontaudit priv_app proc_interrupts:file read;
|
||||
|
|
|
@ -59,6 +59,7 @@ persist.sys.audit_safemode u:object_r:safemode_prop:s0
|
|||
persist.service. u:object_r:system_prop:s0
|
||||
persist.service.bdroid. u:object_r:bluetooth_prop:s0
|
||||
persist.security. u:object_r:system_prop:s0
|
||||
persist.traced.enable u:object_r:traced_enabled_prop:s0
|
||||
persist.vendor.overlay. u:object_r:overlay_prop:s0
|
||||
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
|
||||
ro.boottime. u:object_r:boottime_prop:s0
|
||||
|
@ -93,6 +94,7 @@ ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
|
|||
|
||||
# ctl properties
|
||||
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
|
||||
ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
|
||||
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
|
||||
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
|
||||
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
type statsd, domain;
|
||||
type statsd, domain, mlstrustedsubject;
|
||||
typeattribute statsd coredomain;
|
||||
|
||||
init_daemon_domain(statsd)
|
||||
|
@ -73,6 +73,7 @@ binder_call(statsd, stats)
|
|||
|
||||
# Allow access to with hardware layer and process stats.
|
||||
allow statsd proc_uid_cputime_showstat:file { getattr open read };
|
||||
hal_client_domain(statsd, hal_health)
|
||||
hal_client_domain(statsd, hal_power)
|
||||
hal_client_domain(statsd, hal_thermal)
|
||||
|
||||
|
@ -81,6 +82,13 @@ allow statsd adbd:fd use;
|
|||
allow statsd adbd:unix_stream_socket { getattr read write };
|
||||
allow statsd shell:fifo_file { getattr read };
|
||||
|
||||
unix_socket_send(bluetooth, statsdw, statsd)
|
||||
unix_socket_send(bootstat, statsdw, statsd)
|
||||
unix_socket_send(platform_app, statsdw, statsd)
|
||||
unix_socket_send(radio, statsdw, statsd)
|
||||
unix_socket_send(statsd, statsdw, statsd)
|
||||
unix_socket_send(system_server, statsdw, statsd)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
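Review bot: The `mlstrustedsubject` attribute added to `type statsd` has no comment, and it lifts the MLS constraints from every access that involves statsd, not only the new socket. It is presumably there so that senders running at a different MLS level pass the `sendto` check against statsd's datagram socket, but that is an inference from the `unix_socket_send(..., statsdw, statsd)` rules in the later hunk. I would state the reason above the type line, e.g. `# mlstrustedsubject: clients at any MLS level must be able to send to statsdw`, so the exemption is not relied on for other accesses without review. `unix_socket_send(statsd, statsdw, statsd)` lists statsd as a sender to its own socket and would benefit from a one-line reason as well.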
|
||||
|
|
|
@ -105,6 +105,7 @@ allow system_server appdomain:process { getsched setsched };
|
|||
allow system_server audioserver:process { getsched setsched };
|
||||
allow system_server hal_audio:process { getsched setsched };
|
||||
allow system_server hal_bluetooth:process { getsched setsched };
|
||||
allow system_server mediacodec:process { getsched setsched };
|
||||
allow system_server cameraserver:process { getsched setsched };
|
||||
allow system_server hal_camera:process { getsched setsched };
|
||||
allow system_server mediaserver:process { getsched setsched };
|
||||
|
@ -113,6 +114,7 @@ allow system_server bootanim:process { getsched setsched };
|
|||
# Allow system_server to write to /proc/<pid>/timerslack_ns
|
||||
allow system_server appdomain:file w_file_perms;
|
||||
allow system_server audioserver:file w_file_perms;
|
||||
allow system_server mediacodec:file w_file_perms;
|
||||
allow system_server cameraserver:file w_file_perms;
|
||||
allow system_server hal_audio_server:file w_file_perms;
|
||||
|
||||
|
|
|
@ -7,13 +7,20 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
|
|||
allow vold_prepare_subdirs vold:fd use;
|
||||
allow vold_prepare_subdirs vold:fifo_file { read write };
|
||||
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
|
||||
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
|
||||
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
|
||||
allow vold_prepare_subdirs self:process setfscreate;
|
||||
allow vold_prepare_subdirs {
|
||||
system_data_file
|
||||
vendor_data_file
|
||||
}:dir { open read write add_name remove_name };
|
||||
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
|
||||
allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
|
||||
allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
|
||||
allow vold_prepare_subdirs fingerprint_vendor_data_file:dir create_dir_perms;
|
||||
}:dir { open read write add_name remove_name rmdir relabelfrom };
|
||||
allow vold_prepare_subdirs {
|
||||
fingerprint_vendor_data_file
|
||||
storaged_data_file
|
||||
vold_data_file
|
||||
}:dir { create_dir_perms relabelto };
|
||||
allow vold_prepare_subdirs {
|
||||
fingerprint_vendor_data_file
|
||||
storaged_data_file
|
||||
system_data_file
|
||||
vold_data_file
|
||||
}:file { getattr unlink };
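Review bot: The last rule in this hunk grants `{ getattr unlink }` on files labelled `system_data_file`, which the domain.te hunks in this commit describe as the default label for files on /data. The same hunk adds `fowner` to the capability set and `rmdir relabelfrom` on `system_data_file` directories. Nothing visible here limits this to the subdirectories the helper prepares, and domain.te exempts `vold_prepare_subdirs` from the whole `system_data_file:file no_w_file_perms` neverallow with only the comment `# For unlink`. I would pin the exemption with a dedicated rule next to that neverallow, `neverallow vold_prepare_subdirs system_data_file:file ~{ getattr unlink };`, provided no rule outside these hunks needs more. A comment above the allow should also name the directories whose stale files it is meant to remove.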
|
||||
|
|
|
@ -260,19 +260,12 @@ allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
|
|||
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
|
||||
|
||||
# Read/write visible storage
|
||||
allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
|
||||
# This should be removed if sdcardfs is modified to alter the secontext for its
|
||||
# accesses to the underlying FS.
|
||||
allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
|
||||
|
||||
# Access OBBs (vfat images) mounted by vold (b/17633509)
|
||||
# File write access allowed for FDs returned through Storage Access Framework
|
||||
allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Allow apps to use the USB Accessory interface.
|
||||
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
|
||||
|
|
|
@ -240,6 +240,7 @@ expandattribute hal_cas_server false;
|
|||
|
||||
# HALs
|
||||
hal_attribute(allocator);
|
||||
hal_attribute(audiocontrol);
|
||||
hal_attribute(authsecret);
|
||||
hal_attribute(bluetooth);
|
||||
hal_attribute(broadcastradio);
|
||||
|
@ -247,6 +248,7 @@ hal_attribute(configstore);
|
|||
hal_attribute(confirmationui);
|
||||
hal_attribute(contexthub);
|
||||
hal_attribute(dumpstate);
|
||||
hal_attribute(evs);
|
||||
hal_attribute(fingerprint);
|
||||
hal_attribute(gatekeeper);
|
||||
hal_attribute(gnss);
|
||||
|
@ -271,6 +273,7 @@ hal_attribute(tv_cec);
|
|||
hal_attribute(tv_input);
|
||||
hal_attribute(usb);
|
||||
hal_attribute(usb_gadget);
|
||||
hal_attribute(vehicle);
|
||||
hal_attribute(vibrator);
|
||||
hal_attribute(vr);
|
||||
hal_attribute(weaver);
|
||||
|
|
|
@ -363,6 +363,14 @@ neverallow {
|
|||
-system_server
|
||||
-ueventd
|
||||
} hw_random_device:chr_file *;
|
||||
# b/78174219 b/64114943
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-shell # stat of /dev, getattr only
|
||||
-vendor_init
|
||||
-ueventd
|
||||
} keychord_device:chr_file *;
|
||||
|
||||
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
|
||||
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
|
||||
|
@ -560,7 +568,7 @@ neverallow {
|
|||
} serialno_prop:file r_file_perms;
|
||||
|
||||
# Do not allow reading the last boot timestamp from system properties
|
||||
neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
|
||||
neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
|
@ -600,6 +608,7 @@ neverallow {
|
|||
-init
|
||||
-uncrypt
|
||||
-update_engine
|
||||
-vendor_init
|
||||
-vold
|
||||
-recovery
|
||||
-ueventd
|
||||
|
@ -834,13 +843,25 @@ full_treble_only(`
|
|||
-appdomain # TODO(b/34980020) remove exemption for appdomain
|
||||
-coredomain
|
||||
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
|
||||
-vendor_init
|
||||
} {
|
||||
core_data_file_type
|
||||
# libc includes functions like mktime and localtime which attempt to access
|
||||
# files in /data/misc/zoneinfo/tzdata file. These functions are considered
|
||||
# vndk-stable and thus must be allowed for all processes.
|
||||
-zoneinfo_data_file
|
||||
}:file_class_set ~{ append getattr ioctl read write };
|
||||
}:file_class_set ~{ append getattr ioctl read write };
|
||||
neverallow {
|
||||
vendor_init
|
||||
-data_between_core_and_vendor_violators
|
||||
} {
|
||||
core_data_file_type
|
||||
-unencrypted_data_file
|
||||
-zoneinfo_data_file
|
||||
}:file_class_set ~{ append getattr ioctl read write };
|
||||
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
|
||||
# The vendor init binary lives on the system partition so there is not a concern with stability.
|
||||
neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
|
||||
')
|
||||
full_treble_only(`
|
||||
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
|
||||
|
@ -849,12 +870,26 @@ full_treble_only(`
|
|||
-appdomain # TODO(b/34980020) remove exemption for appdomain
|
||||
-coredomain
|
||||
-data_between_core_and_vendor_violators
|
||||
} {
|
||||
core_data_file_type
|
||||
-system_data_file # default label for files on /data. Covered below...
|
||||
-vendor_data_file
|
||||
-zoneinfo_data_file
|
||||
}:dir *;
|
||||
-vendor_init
|
||||
} {
|
||||
core_data_file_type
|
||||
-system_data_file # default label for files on /data. Covered below...
|
||||
-vendor_data_file
|
||||
-zoneinfo_data_file
|
||||
}:dir *;
|
||||
neverallow {
|
||||
vendor_init
|
||||
-data_between_core_and_vendor_violators
|
||||
} {
|
||||
core_data_file_type
|
||||
-unencrypted_data_file
|
||||
-system_data_file
|
||||
-vendor_data_file
|
||||
-zoneinfo_data_file
|
||||
}:dir *;
|
||||
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
|
||||
# The vendor init binary lives on the system partition so there is not a concern with stability.
|
||||
neverallow vendor_init unencrypted_data_file:dir ~search;
|
||||
')
|
||||
full_treble_only(`
|
||||
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
|
||||
|
@ -1121,6 +1156,7 @@ neverallow {
|
|||
-system_app
|
||||
-init
|
||||
-installd # for relabelfrom and unlink, check for this in explicit neverallow
|
||||
-vold_prepare_subdirs # For unlink
|
||||
with_asan(`-asan_extract')
|
||||
} system_data_file:file no_w_file_perms;
|
||||
# do not grant anything greater than r_file_perms and relabelfrom unlink
|
||||
|
@ -1355,3 +1391,9 @@ userdebug_or_eng(`
|
|||
dontaudit domain proc_type:file create;
|
||||
dontaudit domain sysfs_type:file create;
|
||||
')
|
||||
|
||||
# Platform must not have access to /mnt/vendor.
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
} mnt_vendor_file:dir *;
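Review bot: In the new `keychord_device:chr_file *` neverallow (the hunk at -363), `-shell` is subtracted from the rule entirely although its comment says `stat of /dev, getattr only`. This neverallow therefore no longer stops a later change from granting shell read, write or ioctl on the device. A second rule would hold shell to what the comment states: `neverallow shell keychord_device:chr_file ~getattr;`. The `# b/78174219 b/64114943` line above the rule would also read better with a sentence saying what the rule protects, since bug numbers alone do not help a reader without tracker access.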
|
||||
|
|
|
@ -190,6 +190,10 @@ allow dumpstate cache_recovery_file:file r_file_perms;
|
|||
allow dumpstate recovery_data_file:dir r_dir_perms;
|
||||
allow dumpstate recovery_data_file:file r_file_perms;
|
||||
|
||||
#Access /data/misc/update_engine_log
|
||||
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
|
||||
allow dumpstate update_engine_log_data_file:file r_file_perms;
|
||||
|
||||
# Access /data/misc/profiles/{cur,ref}/
|
||||
userdebug_or_eng(`
|
||||
allow dumpstate user_profile_data_file:dir r_dir_perms;
|
||||
|
@ -233,16 +237,8 @@ set_prop(dumpstate, exported_dumpstate_prop)
|
|||
# dumpstate_options_prop is used to pass extra command-line args.
|
||||
set_prop(dumpstate, dumpstate_options_prop)
|
||||
|
||||
# Read device's serial number from system properties
|
||||
get_prop(dumpstate, serialno_prop)
|
||||
|
||||
# Read state of logging-related properties
|
||||
get_prop(dumpstate, device_logging_prop)
|
||||
|
||||
# Read state of boot reason properties
|
||||
get_prop(dumpstate, bootloader_boot_reason_prop)
|
||||
get_prop(dumpstate, last_boot_reason_prop)
|
||||
get_prop(dumpstate, system_boot_reason_prop)
|
||||
# Read any system properties
|
||||
get_prop(dumpstate, property_type)
|
||||
|
||||
# Access to /data/media.
|
||||
# This should be removed if sdcardfs is modified to alter the secontext for its
|
||||
|
@ -271,6 +267,9 @@ allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
|
|||
# newer kernels (e.g. 4.4) have a new class for sockets
|
||||
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Allow dumpstate to kill vendor dumpstate service by init
|
||||
set_prop(dumpstate, ctl_dumpstate_prop)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
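Review bot: `get_prop(dumpstate, property_type)` appears to replace the per-property reads with read access to every property type, and two neverallows now list `-dumpstate` to make room for it: `firstboot_prop` in domain.te and `netd_stable_secret_prop` in netd.te. The netd.te comment still says the RFC 7217 secret "should never be leaked to other processes", which is no longer what the rule enforces. Whether dumpstate's output omits those values cannot be seen from policy. I would narrow the grant, e.g. `get_prop(dumpstate, { property_type -netd_stable_secret_prop -firstboot_prop })`, and leave the two neverallows as they were. If the broad read is required, update the netd.te and domain.te comments to say that dumpstate is exempt and must keep these values out of bug reports.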
|
||||
|
|
|
@ -108,6 +108,7 @@ type mqueue, fs_type;
|
|||
type fuse, sdcard_type, fs_type, mlstrustedobject;
|
||||
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
|
||||
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
||||
type exfat, sdcard_type, fs_type, mlstrustedobject;
|
||||
type debugfs, fs_type, debugfs_type;
|
||||
type debugfs_mmc, fs_type, debugfs_type;
|
||||
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
|
||||
|
@ -149,7 +150,9 @@ type vendor_framework_file, vendor_file_type, file_type;
|
|||
# Default type for everything in /vendor/overlay
|
||||
type vendor_overlay_file, vendor_file_type, file_type;
|
||||
|
||||
# /metadata subdirectories
|
||||
# /metadata partition itself
|
||||
type metadata_file, file_type;
|
||||
# Vold files within /metadata
|
||||
type vold_metadata_file, file_type;
|
||||
|
||||
# Speedup access for trusted applications to the runtime event tags
|
||||
|
@ -224,6 +227,9 @@ type storage_file, file_type;
|
|||
type mnt_media_rw_stub_file, file_type;
|
||||
type storage_stub_file, file_type;
|
||||
|
||||
# Mount location for read-write vendor partitions.
|
||||
type mnt_vendor_file, file_type;
|
||||
|
||||
# /postinstall: Mount point used by update_engine to run postinstall.
|
||||
type postinstall_mnt_dir, file_type;
|
||||
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
|
||||
|
|
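--- a/prebuilts/api/28.0/public/hal_audiocontrol.te
+++ b/prebuilts/api/28.0/public/hal_audiocontrol.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
+binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
+
+add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)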
|
|
@ -49,7 +49,14 @@ neverallow hal_configstore_server {
|
|||
}:{ file fifo_file sock_file } *;
|
||||
|
||||
# Should never need sdcard access
|
||||
neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
|
||||
neverallow hal_configstore_server {
|
||||
sdcard_type
|
||||
fuse sdcardfs vfat exfat # manual expansion for completeness
|
||||
}:dir ~getattr;
|
||||
neverallow hal_configstore_server {
|
||||
sdcard_type
|
||||
fuse sdcardfs vfat exfat # manual expansion for completeness
|
||||
}:file *;
|
||||
|
||||
# Do not permit access to service_manager and vndservice_manager
|
||||
neverallow hal_configstore_server *:service_manager *;
|
||||
|
|
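--- a/prebuilts/api/28.0/public/hal_evs.te
+++ b/prebuilts/api/28.0/public/hal_evs.te
@@ -0,0 +1,5 @@
+hwbinder_use(hal_evs_client)
+hwbinder_use(hal_evs_server)
+binder_call(hal_evs_client, hal_evs_server)
+binder_call(hal_evs_server, hal_evs_client)
+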
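Review bot: hal_evs.te has no `add_hwservice(hal_evs_server, hal_evs_hwservice)`, although the sibling hal_audiocontrol.te and hal_vehicle.te added in this commit both carry the equivalent line. The commit also declares `hal_evs_hwservice` in hwservice.te and maps `IEvsEnumerator` to it in hwservice_contexts. Unless registration is granted somewhere outside this commit, the server domain has no rule here that lets it register the interface under that label. The file also lacks the `# HwBinder IPC from client to server, and callbacks` header its siblings have. If the omission is intended, add a comment saying where the hwservice permissions live; otherwise add the `add_hwservice` line.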
|
|
@ -21,7 +21,6 @@ allow hal_telephony_server efs_file:file create_file_perms;
|
|||
allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
|
||||
allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
|
||||
allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
|
||||
allow hal_telephony_server sdcard_type:dir r_dir_perms;
|
||||
|
||||
# property service
|
||||
set_prop(hal_telephony_server, radio_prop)
|
||||
|
|
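--- a/prebuilts/api/28.0/public/hal_vehicle.te
+++ b/prebuilts/api/28.0/public/hal_vehicle.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vehicle_client, hal_vehicle_server)
+binder_call(hal_vehicle_server, hal_vehicle_client)
+
+add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)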
|
|
@ -2,6 +2,7 @@ type default_android_hwservice, hwservice_manager_type;
|
|||
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type hal_audiocontrol_hwservice, hwservice_manager_type;
|
||||
type hal_audio_hwservice, hwservice_manager_type;
|
||||
type hal_authsecret_hwservice, hwservice_manager_type;
|
||||
type hal_bluetooth_hwservice, hwservice_manager_type;
|
||||
|
@ -15,6 +16,7 @@ type hal_contexthub_hwservice, hwservice_manager_type;
|
|||
type hal_drm_hwservice, hwservice_manager_type;
|
||||
type hal_cas_hwservice, hwservice_manager_type;
|
||||
type hal_dumpstate_hwservice, hwservice_manager_type;
|
||||
type hal_evs_hwservice, hwservice_manager_type;
|
||||
type hal_fingerprint_hwservice, hwservice_manager_type;
|
||||
type hal_gatekeeper_hwservice, hwservice_manager_type;
|
||||
type hal_gnss_hwservice, hwservice_manager_type;
|
||||
|
@ -42,6 +44,7 @@ type hal_tv_cec_hwservice, hwservice_manager_type;
|
|||
type hal_tv_input_hwservice, hwservice_manager_type;
|
||||
type hal_usb_hwservice, hwservice_manager_type;
|
||||
type hal_usb_gadget_hwservice, hwservice_manager_type;
|
||||
type hal_vehicle_hwservice, hwservice_manager_type;
|
||||
type hal_vibrator_hwservice, hwservice_manager_type;
|
||||
type hal_vr_hwservice, hwservice_manager_type;
|
||||
type hal_weaver_hwservice, hwservice_manager_type;
|
||||
|
|
|
@ -98,6 +98,9 @@ allow init configfs:dir mounton;
|
|||
allow init configfs:dir create_dir_perms;
|
||||
allow init configfs:{ file lnk_file } create_file_perms;
|
||||
|
||||
# /metadata
|
||||
allow init metadata_file:dir mounton;
|
||||
|
||||
# Use tmpfs as /data, used for booting when /data is encrypted
|
||||
allow init tmpfs:dir relabelfrom;
|
||||
|
||||
|
|
|
@ -13,6 +13,7 @@ allow keystore keystore_exec:file { getattr };
|
|||
|
||||
add_service(keystore, keystore_service)
|
||||
allow keystore sec_key_att_app_id_provider_service:service_manager find;
|
||||
allow keystore dropbox_service:service_manager find;
|
||||
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(keystore)
|
||||
|
|
|
@ -43,6 +43,9 @@ allow lmkd domain:file { open read };
|
|||
# reboot because orderly shutdown may not be possible.
|
||||
allow lmkd proc_sysrq:file rw_file_perms;
|
||||
|
||||
# Read /proc/meminfo
|
||||
allow lmkd proc_meminfo:file r_file_perms;
|
||||
|
||||
### neverallow rules
|
||||
|
||||
# never honor LD_PRELOAD
|
||||
|
|
|
@ -141,7 +141,7 @@ neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
|
|||
|
||||
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
|
||||
# leaked to other processes. Make sure it never leaks.
|
||||
neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
|
||||
neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
|
||||
|
||||
# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
|
||||
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
|
||||
|
|
|
@ -51,9 +51,11 @@ type shell_prop, property_type, core_property_type;
|
|||
type system_boot_reason_prop, property_type;
|
||||
type system_prop, property_type, core_property_type;
|
||||
type system_radio_prop, property_type, core_property_type;
|
||||
type traced_enabled_prop, property_type;
|
||||
type vold_prop, property_type, core_property_type;
|
||||
type wifi_log_prop, property_type, log_property_type;
|
||||
type wifi_prop, property_type;
|
||||
type vendor_security_patch_level_prop, property_type;
|
||||
|
||||
# Properties for whitelisting
|
||||
type exported_bluetooth_prop, property_type;
|
||||
|
@ -154,7 +156,6 @@ compatible_property_only(`
|
|||
-coredomain
|
||||
-appdomain
|
||||
-hal_nfc_server
|
||||
-vendor_init
|
||||
} {
|
||||
nfc_prop
|
||||
}:property_service set;
|
||||
|
@ -167,11 +168,57 @@ compatible_property_only(`
|
|||
-vendor_init
|
||||
} {
|
||||
exported_radio_prop
|
||||
exported2_radio_prop
|
||||
exported3_radio_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-appdomain
|
||||
-hal_telephony_server
|
||||
} {
|
||||
exported2_radio_prop
|
||||
radio_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-bluetooth
|
||||
-hal_bluetooth
|
||||
} {
|
||||
bluetooth_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-bluetooth
|
||||
-hal_bluetooth
|
||||
-vendor_init
|
||||
} {
|
||||
exported_bluetooth_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-hal_wifi
|
||||
-wificond
|
||||
} {
|
||||
wifi_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-hal_wifi
|
||||
-wificond
|
||||
-vendor_init
|
||||
} {
|
||||
exported_wifi_prop
|
||||
}:property_service set;
|
||||
|
||||
# Prevent properties from being read
|
||||
neverallow {
|
||||
domain
|
||||
|
@ -200,7 +247,6 @@ compatible_property_only(`
|
|||
-coredomain
|
||||
-appdomain
|
||||
-hal_nfc_server
|
||||
-vendor_init
|
||||
} {
|
||||
nfc_prop
|
||||
}:file no_rw_file_perms;
|
||||
|
@ -210,8 +256,25 @@ compatible_property_only(`
|
|||
-coredomain
|
||||
-appdomain
|
||||
-hal_telephony_server
|
||||
-vendor_init
|
||||
} {
|
||||
radio_prop
|
||||
}:file no_rw_file_perms;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-bluetooth
|
||||
-hal_bluetooth
|
||||
} {
|
||||
bluetooth_prop
|
||||
}:file no_rw_file_perms;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-hal_wifi
|
||||
-wificond
|
||||
} {
|
||||
wifi_prop
|
||||
}:file no_rw_file_perms;
|
||||
')
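Review bot: The new neverallows for `bluetooth_prop`, `exported_bluetooth_prop`, `wifi_prop` and `exported_wifi_prop` exempt the whole HAL attributes `hal_bluetooth` and `hal_wifi`, while the neighbouring rules for `nfc_prop` and `radio_prop` exempt only `hal_nfc_server` and `hal_telephony_server`. If the bare attribute also covers client domains on some builds, which is not visible in these hunks, the exemption is wider than the server process that owns the properties. Unless clients really need to set or read these properties, I would use `-hal_bluetooth_server` and `-hal_wifi_server` for consistency, or add a comment explaining why the broader attribute is required.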
|
||||
|
|
|
@ -63,7 +63,7 @@ drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
|
|||
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
|
||||
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
|
||||
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
|
||||
persist.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
|
||||
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
|
||||
persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
|
||||
persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
|
||||
persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
|
||||
|
@ -71,14 +71,14 @@ persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
|
|||
persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
|
||||
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
|
||||
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
|
||||
persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact bool
|
||||
persist.vendor.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
|
||||
persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
|
||||
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
|
||||
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
|
||||
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
|
||||
pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
|
||||
pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
|
||||
ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
|
||||
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
|
||||
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
|
||||
ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
|
||||
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
|
||||
|
@ -107,6 +107,7 @@ ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
|
|||
ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
|
||||
ro.url.legal u:object_r:exported3_default_prop:s0 exact string
|
||||
ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
|
||||
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
|
||||
ro.zygote u:object_r:exported3_default_prop:s0 exact string
|
||||
sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
|
||||
sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
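Review bot: `persist.sys.sf.native_mode` is listed once as `exact bool` and once as `exact int`, so the type of an exported property changes, whichever side is new (the +/- markers are lost on this page). A typed property is checked when it is set, so any writer still using a value valid only for the other type would be refused. Confirm that every setter on both the system and vendor side writes a value valid for the new type, and note the change next to the entry, e.g. `# type changed; values are small integers`.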
|
||||
|
|
|
@ -66,6 +66,9 @@ set_prop(shell, debug_prop)
|
|||
set_prop(shell, powerctl_prop)
|
||||
set_prop(shell, log_tag_prop)
|
||||
set_prop(shell, wifi_log_prop)
|
||||
# Allow shell to start/stop traced via the persist.traced.enable
|
||||
# property (which also takes care of /data/misc initialization).
|
||||
set_prop(shell, traced_enabled_prop)
|
||||
# adjust is_loggable properties
|
||||
userdebug_or_eng(`set_prop(shell, log_prop)')
|
||||
# logpersist script
|
||||
|
@ -81,6 +84,9 @@ userdebug_or_eng(`
|
|||
# Read device's serial number from system properties
|
||||
get_prop(shell, serialno_prop)
|
||||
|
||||
# Allow shell to read the vendor security patch level for CTS
|
||||
get_prop(shell, vendor_security_patch_level_prop)
|
||||
|
||||
# Read state of logging-related properties
|
||||
get_prop(shell, device_logging_prop)
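Review bot: `set_prop(shell, traced_enabled_prop)` is not wrapped in `userdebug_or_eng`, unlike the `log_prop` rule two lines below it, so as far as this hunk shows the shell domain can start and stop traced on user builds too. If that is intended, the comment should say so, for example `# Granted on user builds as well: adb shell is the supported way to toggle traced.` The parenthetical about "/data/misc initialization" would be clearer if it named what is initialized and which domain does it. The enclosing file context starts outside the hunk, so an outer wrapper cannot be ruled out.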
|
||||
|
||||
|
|
|
@ -19,4 +19,4 @@ auditallow tombstoned anr_data_file:file { append write };
|
|||
# Changes for the new stack dumping mechanism. Each trace goes into a
|
||||
# separate file, and these files are managed by tombstoned.
|
||||
allow tombstoned anr_data_file:dir rw_dir_perms;
|
||||
allow tombstoned anr_data_file:file { getattr open create };
|
||||
allow tombstoned anr_data_file:file { create getattr open unlink };
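Review bot: The two `anr_data_file:file` allow lines differ only by `unlink`, and the comment above them does not explain the extra permission. It still says only that the trace files "are managed by tombstoned". Assuming the line with `unlink` is the new side (the markers are lost on this page), add the reason to the comment, e.g. `# tombstoned also deletes stale trace files, hence unlink.` That lets a later audit tell a deliberate grant from an accidental one.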
|
||||
|
|
|
@ -1 +1 @@
|
|||
type traced_probes, domain, coredomain;
|
||||
type traced_probes, domain, coredomain, mlstrustedsubject;
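Review bot: `mlstrustedsubject` on the `type traced_probes` declaration exempts the domain from the MLS constraints, and the line has no comment saying why. With the attribute, level and category separation no longer limits what the domain's allow rules can reach. Put the reason above the declaration, e.g. `# mlstrustedsubject: must <reason> across MLS levels; keep this domain's allow rules narrow.`, and check that the domain has no broad grants on app-private file types. This assumes the longer of the two lines is the new side, which the page does not mark.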
|
||||
|
|
|
@ -34,6 +34,12 @@ allow vendor_init self:global_capability_class_set dac_override;
|
|||
# we just allow all file types except /system files here.
|
||||
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
|
||||
|
||||
# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
|
||||
allow vendor_init unencrypted_data_file:dir search;
|
||||
allow vendor_init unencrypted_data_file:file r_file_perms;
|
||||
|
||||
allow vendor_init system_data_file:dir getattr;
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
-core_data_file_type
|
||||
|
@ -146,6 +152,9 @@ allow vendor_init serialno_prop:file { getattr open read };
|
|||
# Vendor init can perform operations on trusted and security Extended Attributes
|
||||
allow vendor_init self:global_capability_class_set sys_admin;
|
||||
|
||||
# Raw writes to misc block device
|
||||
allow vendor_init misc_block_device:blk_file w_file_perms;
|
||||
|
||||
not_compatible_property(`
|
||||
set_prop(vendor_init, {
|
||||
property_type
|
||||
|
@ -181,6 +190,7 @@ set_prop(vendor_init, log_tag_prop)
|
|||
set_prop(vendor_init, log_prop)
|
||||
set_prop(vendor_init, serialno_prop)
|
||||
set_prop(vendor_init, vendor_default_prop)
|
||||
set_prop(vendor_init, vendor_security_patch_level_prop)
|
||||
set_prop(vendor_init, wifi_log_prop)
|
||||
|
||||
get_prop(vendor_init, exported2_radio_prop)
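Review bot: `allow vendor_init misc_block_device:blk_file w_file_perms;` gives every vendor init script raw write access to the misc block device, and the comment `# Raw writes to misc block device` only restates the rule. That partition commonly holds boot and recovery control data, so the comment should name the vendor action that needs the write, e.g. `# <vendor action> writes <what> to misc; see b/<bug id>`. Also consider whether a narrower set such as `{ open write }` would be enough in place of the whole `w_file_perms` macro. The `not_compatible_property(` block that follows the rule continues outside the hunk.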
|
||||
|
|
|
@ -17,6 +17,7 @@ allow vold sysfs_usb:file w_file_perms;
|
|||
allow vold sysfs_zram_uevent:file w_file_perms;
|
||||
|
||||
r_dir_file(vold, rootfs)
|
||||
r_dir_file(vold, metadata_file)
|
||||
allow vold {
|
||||
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
|
||||
proc_cmdline
|
||||
|
|