Merge "Installd doesn't need to create cgroup files." into pi-dev
commit
956aba8fc4
5 changed files with 7 additions and 28 deletions
|
@ -20,13 +20,3 @@ domain_trans(init, { rootfs toolbox_exec }, modprobe)
|
|||
userdebug_or_eng(`
|
||||
domain_auto_trans(init, logcat_exec, logpersist)
|
||||
')
|
||||
|
||||
# Creating files on sysfs is impossible so this isn't a threat
|
||||
# Sometimes we have to write to non-existent files to avoid conditional
|
||||
# init behavior. See b/35303861 for an example.
|
||||
dontaudit init sysfs:dir write;
|
||||
|
||||
# Suppress false positives when using O_CREAT
|
||||
# to open a file that already exists.
|
||||
# There's a neverallow rule for this in domain.te
|
||||
dontaudit init cgroup:file create;
|
||||
|
|
|
@ -134,8 +134,3 @@ neverallow zygote {
|
|||
|
||||
# Do not allow access to Bluetooth-related system properties and files
|
||||
neverallow zygote bluetooth_prop:file create_file_perms;
|
||||
|
||||
# Suppress false positives when using O_CREAT
|
||||
# to open a file that already exists.
|
||||
# There's a neverallow rule for this in domain.te
|
||||
dontaudit zygote cgroup:file create;
|
||||
|
|
|
@ -1329,23 +1329,23 @@ neverallow {
|
|||
} self:capability dac_override;
|
||||
neverallow { domain -traced_probes } self:capability dac_read_search;
|
||||
|
||||
# If an already existing file is opened with O_CREATE, the kernel might generate
|
||||
# If an already existing file is opened with O_CREAT, the kernel might generate
|
||||
# a false report of a create denial. Silence these denials and make sure that
|
||||
# inappropriate permissions are not granted.
|
||||
|
||||
# These filesystems don't allow files or directories to be created, so the permission
|
||||
# to do so should never be granted.
|
||||
neverallow domain {
|
||||
proc_type
|
||||
sysfs_type
|
||||
}:dir { add_name create link remove_name rename reparent rmdir write };
|
||||
|
||||
# cgroupfs directories can be created, but not files within them
|
||||
# TODO(b/74182216): Remove the installd allow when we're sure it's not used
|
||||
neverallow {
|
||||
domain
|
||||
-installd
|
||||
} cgroup:file create;
|
||||
# cgroupfs directories can be created, but not files within them.
|
||||
neverallow domain cgroup:file create;
|
||||
|
||||
dontaudit domain proc_type:dir write;
|
||||
dontaudit domain sysfs_type:dir write;
|
||||
dontaudit domain cgroup:file create;
|
||||
|
||||
# These are only needed in permissive mode - in enforcing mode the
|
||||
# directory write check fails and so these are never attempted.
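Review bot: The three domain-wide `dontaudit` rules near the end of this hunk (`proc_type:dir write`, `sysfs_type:dir write`, `cgroup:file create`) sit two `neverallow` statements away from the O_CREAT comment that justifies them, and the per-domain rationale this commit deletes from the init and zygote rules is not carried over. Because they match every domain, these attempts no longer reach the audit log anywhere, including from domains with no legitimate reason to try, so the justification should be stated where the rules are. I would add a comment directly above them, for example `# Safe to silence for all domains: the neverallow rules above ensure these permissions are never granted, so a denial here is an O_CREAT false positive or a write that cannot succeed.` Which of these lines are new is inferred, since the rendered page has lost its +/- markers, and the block continues past the end of the hunk.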
|
||||
|
|
|
@ -326,11 +326,6 @@ allow init {
|
|||
# Allow init to write to vibrator/trigger
|
||||
allow init sysfs_vibrator:file w_file_perms;
|
||||
|
||||
# Creating files on sysfs is impossible so this isn't a threat.
|
||||
# We may write to a non-existent file to avoid conditional
|
||||
# init behavior.
|
||||
dontaudit init sysfs_vibrator:dir write;
|
||||
|
||||
# init chmod/chown access to /sys files.
|
||||
allow init {
|
||||
sysfs_android_usb
|
||||
|
|
|
@ -19,7 +19,6 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
|
|||
allow installd oemfs:dir r_dir_perms;
|
||||
allow installd oemfs:file r_file_perms;
|
||||
allow installd cgroup:dir create_dir_perms;
|
||||
allow installd cgroup:{ file lnk_file } create_file_perms;
|
||||
allow installd mnt_expand_file:dir { search getattr };
|
||||
# Check validity of SELinux context before use.
|
||||
selinux_check_context(installd)
|
||||
|
|