tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "[incfs] Allow everyone read the IncFS sysfs features"

Browse source
This commit is contained in:
Treehugger Robot 2021-04-26 22:19:37 +00:00 committed by Gerrit Code Review
commit 98914119ae
5 changed files with 4 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
private/domain.te
View file

@ -49,6 +49,9 @@ userdebug_or_eng(`can_profile_perf({
-zygote
})')
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;

1
private/isolated_app.te
View file

@ -128,6 +128,7 @@ neverallow isolated_app {
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
-sysfs_fs_incfs_features
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.

3
private/priv_app.te
View file

@ -161,9 +161,6 @@ dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# Access the IncFS list of features
r_dir_file(priv_app, sysfs_fs_incfs_features)
# allow apps like Phonesky to check the file signature of an apk installed on
# the Incremental File System, fill missing blocks and get the app status and loading progress
allowxperm priv_app apk_data_file:file ioctl {

3
private/system_server.te
View file

@ -26,9 +26,6 @@ allow system_server appdomain_tmpfs:file { getattr map read write };
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
# Access the IncFS list of features
r_dir_file(system_server, sysfs_fs_incfs_features);
# To create files, get permission to fill blocks, and configure Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
allowxperm system_server incremental_control_file:file ioctl {

2
public/vold.te
View file

@ -127,8 +127,6 @@ allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
# Access the IncFS list of features
r_dir_file(vold, sysfs_fs_incfs_features);
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental