Merge "SEPolicy for boringssl_self_test." am: 02924043e3
am: 8b6e14f3c9
am: 444e8290c1
Change-Id: Ib3e951dd45bf75f0be6ed9fbbbacfed4e6f100da
This commit is contained in:
commit
96d9bacb4a
5 changed files with 31 additions and 2 deletions
|
@ -1,5 +1,6 @@
|
|||
#############################
|
||||
# System files
|
||||
#
|
||||
(/.*)? u:object_r:system_file:s0
|
||||
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
|
||||
(/.*)? u:object_r:system_file:s0
|
||||
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
|
||||
/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
|
||||
|
|
22
private/boringssl_self_test.te
Normal file
22
private/boringssl_self_test.te
Normal file
|
@ -0,0 +1,22 @@
|
|||
type boringssl_self_test, domain;
|
||||
type boringssl_self_test_exec, system_file_type, exec_type, file_type;
|
||||
type boringssl_self_test_marker, file_type;
|
||||
|
||||
typeattribute boringssl_self_test coredomain;
|
||||
|
||||
# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
|
||||
init_daemon_domain(boringssl_self_test)
|
||||
|
||||
# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
|
||||
# files.
|
||||
allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
|
||||
allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
|
||||
|
||||
# No other process should be able to create these files because their existence causes the
|
||||
# boringssl self test to be skipped.
|
||||
neverallow {
|
||||
domain
|
||||
-boringssl_self_test
|
||||
-init
|
||||
-vendor_init
|
||||
} boringssl_self_test_marker:file no_rw_file_perms;
|
|
@ -5,6 +5,7 @@
|
|||
(typeattribute new_objects)
|
||||
(typeattributeset new_objects
|
||||
( new_objects
|
||||
boringssl_self_test
|
||||
charger_prop
|
||||
cold_boot_done_prop
|
||||
platform_compat_service
|
||||
|
|
|
@ -89,6 +89,9 @@ userdebug_or_eng(`
|
|||
allow domain linkerconfig_file:dir search;
|
||||
allow domain linkerconfig_file:file r_file_perms;
|
||||
|
||||
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
|
||||
allow domain boringssl_self_test_marker:dir search;
|
||||
|
||||
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
||||
# with other UIDs to these whitelisted domains.
|
||||
neverallow {
|
||||
|
|
|
@ -83,6 +83,7 @@
|
|||
/dev/block/vold/.+ u:object_r:vold_device:s0
|
||||
/dev/block/ram[0-9]* u:object_r:ram_device:s0
|
||||
/dev/block/zram[0-9]* u:object_r:ram_device:s0
|
||||
/dev/boringssl/selftest(/.*)? u:object_r:boringssl_self_test_marker:s0
|
||||
/dev/bus/usb(.*)? u:object_r:usb_device:s0
|
||||
/dev/console u:object_r:console_device:s0
|
||||
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
|
||||
|
@ -188,6 +189,7 @@
|
|||
/system/bin/auditctl u:object_r:auditctl_exec:s0
|
||||
/system/bin/bcc u:object_r:rs_exec:s0
|
||||
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
|
||||
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
|
||||
/system/bin/charger u:object_r:charger_exec:s0
|
||||
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
|
||||
/system/bin/mke2fs u:object_r:e2fs_exec:s0
|
||||
|
|
Loading…
Reference in a new issue