Merge "Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy""
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
96acdc0b22
35 changed files with 4 additions and 55 deletions
|
|
@ -228,7 +228,6 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
|
|||
|
||||
# Untrusted apps are not allowed to use cgroups.
|
||||
neverallow all_untrusted_apps cgroup:file *;
|
||||
neverallow all_untrusted_apps cgroup_v2:file *;
|
||||
|
||||
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
|
||||
# must not use it.
|
||||
|
|
|
|||
|
|
@ -54,10 +54,6 @@ allow domain cgroup:dir search;
|
|||
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
|
||||
allow { domain -appdomain -rs } cgroup:file w_file_perms;
|
||||
|
||||
allow domain cgroup_v2:dir search;
|
||||
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
|
||||
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
|
||||
|
||||
allow domain cgroup_rc_file:dir search;
|
||||
allow domain cgroup_rc_file:file r_file_perms;
|
||||
allow domain task_profiles_file:file r_file_perms;
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@ typeattribute logpersist coredomain;
|
|||
userdebug_or_eng(`
|
||||
|
||||
r_dir_file(logpersist, cgroup)
|
||||
r_dir_file(logpersist, cgroup_v2)
|
||||
|
||||
allow logpersist misc_logd_file:file create_file_perms;
|
||||
allow logpersist misc_logd_file:dir rw_dir_perms;
|
||||
|
|
|
|||
|
|
@ -232,7 +232,6 @@ neverallow priv_app trace_data_file:file { no_w_file_perms open };
|
|||
|
||||
# Do not allow priv_app access to cgroups.
|
||||
neverallow priv_app cgroup:file *;
|
||||
neverallow priv_app cgroup_v2:file *;
|
||||
|
||||
# Do not allow loading executable code from non-privileged
|
||||
# application home directories. Code loading across a security boundary
|
||||
|
|
|
|||
|
|
@ -100,7 +100,6 @@ allow surfaceflinger inputflinger_service:service_manager find;
|
|||
allow surfaceflinger self:global_capability_class_set sys_nice;
|
||||
allow surfaceflinger proc_meminfo:file r_file_perms;
|
||||
r_dir_file(surfaceflinger, cgroup)
|
||||
r_dir_file(surfaceflinger, cgroup_v2)
|
||||
r_dir_file(surfaceflinger, system_file)
|
||||
allow surfaceflinger tmpfs:dir r_dir_perms;
|
||||
allow surfaceflinger system_server:fd use;
|
||||
|
|
|
|||
|
|
@ -149,7 +149,6 @@ allow system_app {
|
|||
|
||||
# Settings app writes to /dev/stune/foreground/tasks.
|
||||
allow system_app cgroup:file w_file_perms;
|
||||
allow system_app cgroup_v2:file w_file_perms;
|
||||
|
||||
control_logd(system_app)
|
||||
read_runtime_log_tags(system_app)
|
||||
|
|
|
|||
|
|
@ -872,7 +872,6 @@ allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISC
|
|||
|
||||
# Clean up old cgroups
|
||||
allow system_server cgroup:dir { remove_name rmdir };
|
||||
allow system_server cgroup_v2:dir { remove_name rmdir };
|
||||
|
||||
# /oem access
|
||||
r_dir_file(system_server, oemfs)
|
||||
|
|
@ -951,8 +950,9 @@ allow system_server preloads_media_file:file { r_file_perms unlink };
|
|||
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
||||
|
||||
r_dir_file(system_server, cgroup)
|
||||
r_dir_file(system_server, cgroup_v2)
|
||||
allow system_server ion_device:chr_file r_file_perms;
|
||||
allow system_server cgroup_v2:dir rw_dir_perms;
|
||||
allow system_server cgroup_v2:file rw_file_perms;
|
||||
|
||||
# Access to /dev/dma_heap/system
|
||||
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
|
||||
|
|
|
|||
|
|
@ -108,8 +108,6 @@ r_dir_file(zygote, vendor_overlay_file)
|
|||
# Control cgroups.
|
||||
allow zygote cgroup:dir create_dir_perms;
|
||||
allow zygote cgroup:{ file lnk_file } r_file_perms;
|
||||
allow zygote cgroup_v2:dir create_dir_perms;
|
||||
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
|
||||
allow zygote self:global_capability_class_set sys_admin;
|
||||
|
||||
# Allow zygote to stat the files that it opens. The zygote must
|
||||
|
|
@ -192,10 +190,7 @@ get_prop(zygote, device_config_runtime_native_boot_prop)
|
|||
get_prop(zygote, device_config_window_manager_native_boot_prop)
|
||||
|
||||
# ingore spurious denials
|
||||
# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
|
||||
# done to determine if the file should inherit setgid. In this case, setgid on the file is
|
||||
# undesirable, so suppress the denial.
|
||||
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
|
||||
dontaudit zygote self:global_capability_class_set sys_resource;
|
||||
|
||||
# Ignore spurious denials calling access() on fuse
|
||||
# TODO(b/151316657): avoid the denials
|
||||
|
|
|
|||
|
|
@ -7,7 +7,6 @@ allow charger kmsg_device:chr_file rw_file_perms;
|
|||
# Read access to pseudo filesystems.
|
||||
r_dir_file(charger, rootfs)
|
||||
r_dir_file(charger, cgroup)
|
||||
r_dir_file(charger, cgroup_v2)
|
||||
|
||||
# Allow to read /sys/class/power_supply directory
|
||||
allow charger sysfs_type:dir r_dir_perms;
|
||||
|
|
|
|||
|
|
@ -14,4 +14,3 @@ allow credstore sec_key_att_app_id_provider_service:service_manager find;
|
|||
allow credstore dropbox_service:service_manager find;
|
||||
|
||||
r_dir_file(credstore, cgroup)
|
||||
r_dir_file(credstore, cgroup_v2)
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@ type dhcp_exec, system_file_type, exec_type, file_type;
|
|||
net_domain(dhcp)
|
||||
|
||||
allow dhcp cgroup:dir { create write add_name };
|
||||
allow dhcp cgroup_v2:dir { create write add_name };
|
||||
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
|
||||
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
|
||||
allow dhcp self:netlink_route_socket nlmsg_write;
|
||||
|
|
|
|||
|
|
@ -1320,12 +1320,10 @@ neverallow domain {
|
|||
|
||||
# cgroupfs directories can be created, but not files within them.
|
||||
neverallow domain cgroup:file create;
|
||||
neverallow domain cgroup_v2:file create;
|
||||
|
||||
dontaudit domain proc_type:dir write;
|
||||
dontaudit domain sysfs_type:dir write;
|
||||
dontaudit domain cgroup:file create;
|
||||
dontaudit domain cgroup_v2:file create;
|
||||
|
||||
# These are only needed in permissive mode - in enforcing mode the
|
||||
# directory write check fails and so these are never attempted.
|
||||
|
|
|
|||
|
|
@ -61,5 +61,4 @@ allow drmserver mediametrics_service:service_manager find;
|
|||
selinux_check_access(drmserver)
|
||||
|
||||
r_dir_file(drmserver, cgroup)
|
||||
r_dir_file(drmserver, cgroup_v2)
|
||||
r_dir_file(drmserver, system_file)
|
||||
|
|
|
|||
|
|
@ -134,7 +134,6 @@ allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
|
|||
|
||||
# Read /dev/cpuctl and /dev/cpuset
|
||||
r_dir_file(dumpstate, cgroup)
|
||||
r_dir_file(dumpstate, cgroup_v2)
|
||||
|
||||
# Allow dumpstate to make binder calls to any binder service
|
||||
binder_call(dumpstate, binderservicedomain)
|
||||
|
|
|
|||
|
|
@ -39,4 +39,3 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms;
|
|||
allow gatekeeperd hardware_properties_service:service_manager find;
|
||||
|
||||
r_dir_file(gatekeeperd, cgroup)
|
||||
r_dir_file(gatekeeperd, cgroup_v2)
|
||||
|
|
|
|||
|
|
@ -16,10 +16,6 @@ r_dir_file(hal_cas, cgroup)
|
|||
allow hal_cas cgroup:dir { search write };
|
||||
allow hal_cas cgroup:file w_file_perms;
|
||||
|
||||
r_dir_file(hal_cas, cgroup_v2)
|
||||
allow hal_cas cgroup_v2:dir { search write };
|
||||
allow hal_cas cgroup_v2:file w_file_perms;
|
||||
|
||||
# Allow access to ion memory allocation device
|
||||
allow hal_cas ion_device:chr_file rw_file_perms;
|
||||
allow hal_cas hal_graphics_allocator:fd use;
|
||||
|
|
|
|||
|
|
@ -20,10 +20,6 @@ r_dir_file(hal_drm, cgroup)
|
|||
allow hal_drm cgroup:dir { search write };
|
||||
allow hal_drm cgroup:file w_file_perms;
|
||||
|
||||
r_dir_file(hal_drm, cgroup_v2)
|
||||
allow hal_drm cgroup_v2:dir { search write };
|
||||
allow hal_drm cgroup_v2:file w_file_perms;
|
||||
|
||||
# Allow access to ion memory allocation device
|
||||
allow hal_drm ion_device:chr_file rw_file_perms;
|
||||
allow hal_drm hal_graphics_allocator:fd use;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
|
|||
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
|
||||
|
||||
r_dir_file(hal_fingerprint, cgroup)
|
||||
r_dir_file(hal_fingerprint, cgroup_v2)
|
||||
r_dir_file(hal_fingerprint, sysfs)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -11,8 +11,6 @@ allow hal_telephony_server kernel:system module_request;
|
|||
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
|
||||
allow hal_telephony_server cgroup:dir create_dir_perms;
|
||||
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
|
||||
allow hal_telephony_server cgroup_v2:dir create_dir_perms;
|
||||
allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
|
||||
allow hal_telephony_server radio_device:chr_file rw_file_perms;
|
||||
allow hal_telephony_server radio_device:blk_file r_file_perms;
|
||||
allow hal_telephony_server efs_file:dir create_dir_perms;
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ r_dir_file(hal_wifi_supplicant, proc_net_type)
|
|||
allow hal_wifi_supplicant kernel:system module_request;
|
||||
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
|
||||
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
|
||||
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
|
||||
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
|
||||
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
|
||||
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@ allow healthd sysfs_type:dir search;
|
|||
allow healthd sysfs:dir r_dir_perms;
|
||||
r_dir_file(healthd, rootfs)
|
||||
r_dir_file(healthd, cgroup)
|
||||
r_dir_file(healthd, cgroup_v2)
|
||||
|
||||
allow healthd self:global_capability_class_set { sys_tty_config };
|
||||
allow healthd self:global_capability_class_set sys_boot;
|
||||
|
|
|
|||
|
|
@ -103,6 +103,7 @@ allow init {
|
|||
postinstall_mnt_dir
|
||||
mirror_data_file
|
||||
}:dir mounton;
|
||||
allow init cgroup_v2:dir { mounton create_dir_perms };
|
||||
|
||||
# Mount bpf fs on sys/fs/bpf
|
||||
allow init fs_bpf:dir mounton;
|
||||
|
|
@ -131,8 +132,6 @@ allow init cgroup_rc_file:file rw_file_perms;
|
|||
allow init cgroup_desc_file:file r_file_perms;
|
||||
allow init cgroup_desc_api_file:file r_file_perms;
|
||||
allow init vendor_cgroup_desc_file:file r_file_perms;
|
||||
allow init cgroup_v2:dir { mounton create_dir_perms};
|
||||
allow init cgroup_v2:file rw_file_perms;
|
||||
|
||||
# /config
|
||||
allow init configfs:dir mounton;
|
||||
|
|
|
|||
|
|
@ -13,4 +13,3 @@ allow inputflinger input_device:dir r_dir_perms;
|
|||
allow inputflinger input_device:chr_file rw_file_perms;
|
||||
|
||||
r_dir_file(inputflinger, cgroup)
|
||||
r_dir_file(inputflinger, cgroup_v2)
|
||||
|
|
|
|||
|
|
@ -26,7 +26,6 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
|
|||
allow installd oemfs:dir r_dir_perms;
|
||||
allow installd oemfs:file r_file_perms;
|
||||
allow installd cgroup:dir create_dir_perms;
|
||||
allow installd cgroup_v2:dir create_dir_perms;
|
||||
allow installd mnt_expand_file:dir { search getattr };
|
||||
# Check validity of SELinux context before use.
|
||||
selinux_check_context(installd)
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@ add_service(keystore, authorization_service)
|
|||
selinux_check_access(keystore)
|
||||
|
||||
r_dir_file(keystore, cgroup)
|
||||
r_dir_file(keystore, cgroup_v2)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
|
|
|||
|
|
@ -26,11 +26,9 @@ allow lmkd kernel:process { setsched };
|
|||
|
||||
# Clean up old cgroups
|
||||
allow lmkd cgroup:dir { remove_name rmdir };
|
||||
allow lmkd cgroup_v2:dir { remove_name rmdir };
|
||||
|
||||
# Allow to read memcg stats
|
||||
allow lmkd cgroup:file r_file_perms;
|
||||
allow lmkd cgroup_v2:file r_file_perms;
|
||||
|
||||
# Set self to SCHED_FIFO
|
||||
allow lmkd self:global_capability_class_set sys_nice;
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@ type logd_exec, system_file_type, exec_type, file_type;
|
|||
|
||||
# Read access to pseudo filesystems.
|
||||
r_dir_file(logd, cgroup)
|
||||
r_dir_file(logd, cgroup_v2)
|
||||
r_dir_file(logd, proc_kmsg)
|
||||
r_dir_file(logd, proc_meminfo)
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@ hal_client_domain(mediaextractor, hal_cas)
|
|||
hal_client_domain(mediaextractor, hal_allocator)
|
||||
|
||||
r_dir_file(mediaextractor, cgroup)
|
||||
r_dir_file(mediaextractor, cgroup_v2)
|
||||
allow mediaextractor proc_meminfo:file r_file_perms;
|
||||
|
||||
crash_dump_fallback(mediaextractor)
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@ add_service(mediametrics, mediametrics_service)
|
|||
allow mediametrics system_server:fd use;
|
||||
|
||||
r_dir_file(mediametrics, cgroup)
|
||||
r_dir_file(mediametrics, cgroup_v2)
|
||||
allow mediametrics proc_meminfo:file r_file_perms;
|
||||
|
||||
# allows interactions with dumpsys to GMScore
|
||||
|
|
|
|||
|
|
@ -9,7 +9,6 @@ net_domain(mediaserver)
|
|||
|
||||
r_dir_file(mediaserver, sdcard_type)
|
||||
r_dir_file(mediaserver, cgroup)
|
||||
r_dir_file(mediaserver, cgroup_v2)
|
||||
|
||||
# stat /proc/self
|
||||
allow mediaserver proc:lnk_file getattr;
|
||||
|
|
|
|||
|
|
@ -28,4 +28,3 @@ userdebug_or_eng(`
|
|||
|
||||
# Access /dev/cpuset/cpuset.cpus
|
||||
r_dir_file(performanced, cgroup)
|
||||
r_dir_file(performanced, cgroup_v2)
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@ binder_use(racoon)
|
|||
allow racoon tun_device:chr_file r_file_perms;
|
||||
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
|
||||
allow racoon cgroup:dir { add_name create };
|
||||
allow racoon cgroup_v2:dir { add_name create };
|
||||
allow racoon kernel:system module_request;
|
||||
|
||||
allow racoon self:key_socket create_socket_perms_no_ioctl;
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@ type sdcardd, domain;
|
|||
type sdcardd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
allow sdcardd cgroup:dir create_dir_perms;
|
||||
allow sdcardd cgroup_v2:dir create_dir_perms;
|
||||
allow sdcardd fuse_device:chr_file rw_file_perms;
|
||||
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
|
||||
allow sdcardd sdcardfs:filesystem remount;
|
||||
|
|
|
|||
|
|
@ -125,7 +125,6 @@ r_dir_file(shell, cgroup)
|
|||
allow shell cgroup_desc_file:file r_file_perms;
|
||||
allow shell cgroup_desc_api_file:file r_file_perms;
|
||||
allow shell vendor_cgroup_desc_file:file r_file_perms;
|
||||
r_dir_file(shell, cgroup_v2)
|
||||
allow shell domain:dir { search open read getattr };
|
||||
allow shell domain:{ file lnk_file } { open read getattr };
|
||||
|
||||
|
|
|
|||
|
|
@ -16,8 +16,6 @@ allow vendor_init rootfs:lnk_file { create unlink };
|
|||
# Create cgroups mount points in tmpfs and mount cgroups on them.
|
||||
allow vendor_init cgroup:dir create_dir_perms;
|
||||
allow vendor_init cgroup:file w_file_perms;
|
||||
allow vendor_init cgroup_v2:dir create_dir_perms;
|
||||
allow vendor_init cgroup_v2:file w_file_perms;
|
||||
|
||||
# /config
|
||||
allow vendor_init configfs:dir mounton;
|
||||
|
|
|
|||
Loading…
Reference in a new issue