Fix CTS regressions am: ed876a5e96 am: c76a25c106

am: 32663d46d1

Change-Id: I17de5133481362dc5d8d102745c31fc8b0e797cd
This commit is contained in:
Jeff Vander Stoep 2017-11-21 19:10:03 +00:00 committed by android-build-merger
commit 989f6b0e04
7 changed files with 13 additions and 14 deletions

View file

@ -462,8 +462,8 @@ neverallow {
domain
-adbd
-dumpstate
-hal_drm
-hal_cas
-hal_drm_server
-hal_cas_server
-init
-mediadrmserver
-recovery
@ -503,7 +503,7 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
-hal_bootctl
-hal_bootctl_server
-init
-uncrypt
-update_engine

View file

@ -23,11 +23,11 @@ allow hal_audio dumpstate:fifo_file write;
###
# Should never execute any executable without a domain transition
neverallow hal_audio { file_type fs_type }:file execute_no_trans;
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
# Should never need network access.
# Disallow network sockets.
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;

View file

@ -23,10 +23,10 @@ allow hal_camera hal_allocator_server:fd use;
# hal_camera should never execute any executable without a
# domain transition
neverallow hal_camera { file_type fs_type }:file execute_no_trans;
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;

View file

@ -7,7 +7,7 @@ allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
# Permit reading device's serial number from system properties
get_prop(hal_cas, serialno_prop)
get_prop(hal_cas_server, serialno_prop)
# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };
@ -29,7 +29,7 @@ allow hal_cas tee_device:chr_file rw_file_perms;
# hal_cas should never execute any executable without a
# domain transition
neverallow hal_cas { file_type fs_type }:file execute_no_trans;
neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

View file

@ -52,7 +52,7 @@ allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
# hal_drm should never execute any executable without a
# domain transition
neverallow hal_drm { file_type fs_type }:file execute_no_trans;
neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

View file

@ -213,7 +213,6 @@ expandattribute hal_$1_client true;
attribute hal_$1_server;
expandattribute hal_$1_server false;
neverallow { hal_$1_client -halclientdomain } domain:process fork;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
')

View file

@ -210,7 +210,7 @@ neverallow { domain -vold -init } restorecon_prop:property_service set;
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
neverallow vold {
domain
-hal_keymaster
-hal_keymaster_server
-healthd
-hwservicemanager
-servicemanager