sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
This commit is contained in:
parent
df8d4b87ef
commit
9b2e0cbeea
61 changed files with 128 additions and 127 deletions
|
@ -17,10 +17,10 @@ userdebug_or_eng(`
|
|||
allow adbd shell:process { noatsecure signal };
|
||||
|
||||
# Set UID and GID to shell. Set supplementary groups.
|
||||
allow adbd self:capability { setuid setgid };
|
||||
allow adbd self:global_capability_class_set { setuid setgid };
|
||||
|
||||
# Drop capabilities from bounding set on user builds.
|
||||
allow adbd self:capability setpcap;
|
||||
allow adbd self:global_capability_class_set setpcap;
|
||||
|
||||
# Create and use network sockets.
|
||||
net_domain(adbd)
|
||||
|
|
|
@ -350,8 +350,7 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
|
|||
|
||||
# Superuser capabilities.
|
||||
# bluetooth requires net_admin and wake_alarm.
|
||||
neverallow { appdomain -bluetooth } self:capability *;
|
||||
neverallow { appdomain -bluetooth } self:capability2 *;
|
||||
neverallow { appdomain -bluetooth } self:capability_class_set *;
|
||||
|
||||
# Block device access.
|
||||
neverallow appdomain dev_type:blk_file { read write };
|
||||
|
|
|
@ -22,12 +22,12 @@ allow bluetooth bluetooth_logs_data_file:file create_file_perms;
|
|||
# Socket creation under /data/misc/bluedroid.
|
||||
allow bluetooth bluetooth_socket:sock_file create_file_perms;
|
||||
|
||||
allow bluetooth self:capability net_admin;
|
||||
allow bluetooth self:capability2 wake_alarm;
|
||||
allow bluetooth self:global_capability_class_set net_admin;
|
||||
allow bluetooth self:global_capability2_class_set wake_alarm;
|
||||
|
||||
# tethering
|
||||
allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
|
||||
allow bluetooth self:capability { net_admin net_raw net_bind_service };
|
||||
allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
|
||||
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
|
||||
allow bluetooth tun_device:chr_file rw_file_perms;
|
||||
allow bluetooth efs_file:dir search;
|
||||
|
@ -56,7 +56,7 @@ allow bluetooth system_api_service:service_manager find;
|
|||
allow bluetooth shell_data_file:file read;
|
||||
|
||||
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
|
||||
allow bluetooth self:capability sys_nice;
|
||||
allow bluetooth self:global_capability_class_set sys_nice;
|
||||
|
||||
hal_client_domain(bluetooth, hal_bluetooth)
|
||||
hal_client_domain(bluetooth, hal_telephony)
|
||||
|
@ -71,5 +71,5 @@ read_runtime_log_tags(bluetooth)
|
|||
|
||||
# Superuser capabilities.
|
||||
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
|
||||
neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
|
||||
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
|
||||
neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
|
||||
neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
|
||||
|
|
|
@ -12,7 +12,7 @@ neverallow {
|
|||
-storaged
|
||||
-system_server
|
||||
userdebug_or_eng(`-perfprofd')
|
||||
} self:capability sys_ptrace;
|
||||
} self:global_capability_class_set sys_ptrace;
|
||||
|
||||
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
||||
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
|
||||
|
|
|
@ -7,12 +7,12 @@ wakelock_use(incidentd)
|
|||
|
||||
# Allow setting process priority, protect from OOM killer, and dropping
|
||||
# privileges by switching UID / GID
|
||||
# TODO allow incidentd self:capability { setuid setgid sys_resource };
|
||||
# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
|
||||
|
||||
# Allow incidentd to scan through /proc/pid for all processes
|
||||
r_dir_file(incidentd, domain)
|
||||
|
||||
allow incidentd self:capability {
|
||||
allow incidentd self:global_capability_class_set {
|
||||
# Send signals to processes
|
||||
kill
|
||||
};
|
||||
|
@ -56,7 +56,7 @@ binder_call(incidentd, binderservicedomain)
|
|||
binder_call(incidentd, appdomain)
|
||||
|
||||
# Reading /proc/PID/maps of other processes
|
||||
# TODO allow incidentd self:capability sys_ptrace;
|
||||
# TODO allow incidentd self:global_capability_class_set sys_ptrace;
|
||||
|
||||
# Run a shell.
|
||||
allow incidentd shell_exec:file rx_file_perms;
|
||||
|
|
|
@ -8,7 +8,7 @@ userdebug_or_eng(`
|
|||
allow logpersist misc_logd_file:file create_file_perms;
|
||||
allow logpersist misc_logd_file:dir rw_dir_perms;
|
||||
|
||||
allow logpersist self:capability sys_nice;
|
||||
allow logpersist self:global_capability_class_set sys_nice;
|
||||
allow logpersist pstorefs:dir search;
|
||||
allow logpersist pstorefs:file r_file_perms;
|
||||
|
||||
|
|
|
@ -3,13 +3,13 @@ typeattribute netutils_wrapper coredomain;
|
|||
r_dir_file(netutils_wrapper, system_file);
|
||||
|
||||
# For netutils (ip, iptables, tc)
|
||||
allow netutils_wrapper self:capability net_raw;
|
||||
allow netutils_wrapper self:global_capability_class_set net_raw;
|
||||
|
||||
allow netutils_wrapper system_file:file { execute execute_no_trans };
|
||||
allow netutils_wrapper proc_net:file { open read getattr };
|
||||
allow netutils_wrapper self:rawip_socket create_socket_perms;
|
||||
allow netutils_wrapper self:udp_socket create_socket_perms;
|
||||
allow netutils_wrapper self:capability net_admin;
|
||||
allow netutils_wrapper self:global_capability_class_set net_admin;
|
||||
# ip utils need everything but ioctl
|
||||
allow netutils_wrapper self:netlink_route_socket ~ioctl;
|
||||
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
|
||||
|
|
|
@ -52,7 +52,7 @@ allow storaged package_native_service:service_manager find;
|
|||
|
||||
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
|
||||
# running as root. See b/35323867 #3.
|
||||
dontaudit storaged self:capability dac_override;
|
||||
dontaudit storaged self:global_capability_class_set dac_override;
|
||||
|
||||
###
|
||||
### neverallow
|
||||
|
|
|
@ -87,7 +87,7 @@ allow surfaceflinger window_service:service_manager find;
|
|||
|
||||
|
||||
# allow self to set SCHED_FIFO
|
||||
allow surfaceflinger self:capability sys_nice;
|
||||
allow surfaceflinger self:global_capability_class_set sys_nice;
|
||||
allow surfaceflinger proc_meminfo:file r_file_perms;
|
||||
r_dir_file(surfaceflinger, cgroup)
|
||||
r_dir_file(surfaceflinger, system_file)
|
||||
|
|
|
@ -52,7 +52,7 @@ bluetooth_domain(system_server)
|
|||
|
||||
# These are the capabilities assigned by the zygote to the
|
||||
# system server.
|
||||
allow system_server self:capability {
|
||||
allow system_server self:global_capability_class_set {
|
||||
ipc_lock
|
||||
kill
|
||||
net_admin
|
||||
|
@ -72,7 +72,7 @@ wakelock_use(system_server)
|
|||
allow system_server kernel:system module_request;
|
||||
|
||||
# Allow alarmtimers to be set
|
||||
allow system_server self:capability2 wake_alarm;
|
||||
allow system_server self:global_capability2_class_set wake_alarm;
|
||||
|
||||
# Create and share netlink_netfilter_sockets for tetheroffload.
|
||||
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
|
||||
|
|
|
@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
|
|||
allow vold_prepare_subdirs vold:fd use;
|
||||
allow vold_prepare_subdirs vold:fifo_file { read write };
|
||||
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
|
||||
allow vold_prepare_subdirs self:capability dac_override;
|
||||
allow vold_prepare_subdirs self:global_capability_class_set dac_override;
|
||||
allow vold_prepare_subdirs self:process setfscreate;
|
||||
allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
|
||||
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
|
||||
|
|
|
@ -20,9 +20,9 @@ allow webview_zygote shared_relro_file:dir search;
|
|||
allow webview_zygote shared_relro_file:file r_file_perms;
|
||||
|
||||
# Set the UID/GID of the process.
|
||||
allow webview_zygote self:capability { setgid setuid };
|
||||
allow webview_zygote self:global_capability_class_set { setgid setuid };
|
||||
# Drop capabilities from bounding set.
|
||||
allow webview_zygote self:capability setpcap;
|
||||
allow webview_zygote self:global_capability_class_set setpcap;
|
||||
# Switch SELinux context to app domains.
|
||||
allow webview_zygote self:process setcurrent;
|
||||
allow webview_zygote isolated_app:process dyntransition;
|
||||
|
|
|
@ -7,10 +7,10 @@ init_daemon_domain(zygote)
|
|||
read_runtime_log_tags(zygote)
|
||||
|
||||
# Override DAC on files and switch uid/gid.
|
||||
allow zygote self:capability { dac_override setgid setuid fowner chown };
|
||||
allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
|
||||
|
||||
# Drop capabilities from bounding set.
|
||||
allow zygote self:capability setpcap;
|
||||
allow zygote self:global_capability_class_set setpcap;
|
||||
|
||||
# Switch SELinux context to app domains.
|
||||
allow zygote self:process setcurrent;
|
||||
|
@ -56,7 +56,7 @@ r_dir_file(zygote, vendor_overlay_file)
|
|||
# Control cgroups.
|
||||
allow zygote cgroup:dir create_dir_perms;
|
||||
allow zygote cgroup:{ file lnk_file } r_file_perms;
|
||||
allow zygote self:capability sys_admin;
|
||||
allow zygote self:global_capability_class_set sys_admin;
|
||||
|
||||
# Allow zygote to stat the files that it opens. The zygote must
|
||||
# be able to inspect them so that it can reopen them on fork
|
||||
|
|
|
@ -10,8 +10,8 @@ r_dir_file(charger, sysfs_type)
|
|||
r_dir_file(charger, rootfs)
|
||||
r_dir_file(charger, cgroup)
|
||||
|
||||
allow charger self:capability { sys_tty_config };
|
||||
allow charger self:capability sys_boot;
|
||||
allow charger self:global_capability_class_set { sys_tty_config };
|
||||
allow charger self:global_capability_class_set sys_boot;
|
||||
|
||||
wakelock_use(charger)
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ allow clatd netd:udp_socket { read write };
|
|||
allow clatd netd:unix_stream_socket { read write };
|
||||
allow clatd netd:unix_dgram_socket { read write };
|
||||
|
||||
allow clatd self:capability { net_admin net_raw setuid setgid };
|
||||
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
|
||||
|
||||
# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
|
||||
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
|
||||
|
@ -26,7 +26,7 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
|
|||
# so we permit any requests we see from clatd asking for this capability.
|
||||
# See https://android-review.googlesource.com/127940 and
|
||||
# https://b.corp.google.com/issues/21736319
|
||||
allow clatd self:capability ipc_lock;
|
||||
allow clatd self:global_capability_class_set ipc_lock;
|
||||
|
||||
allow clatd self:netlink_route_socket nlmsg_write;
|
||||
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
|
||||
|
|
|
@ -11,7 +11,7 @@ allow crash_dump {
|
|||
|
||||
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
|
||||
# which will result in an audit log even when it's allowed to trace.
|
||||
dontaudit crash_dump self:capability { sys_ptrace };
|
||||
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
|
||||
|
|
|
@ -4,7 +4,7 @@ type dhcp_exec, exec_type, file_type;
|
|||
net_domain(dhcp)
|
||||
|
||||
allow dhcp cgroup:dir { create write add_name };
|
||||
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
|
||||
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
|
||||
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
|
||||
allow dhcp self:netlink_route_socket nlmsg_write;
|
||||
allow dhcp shell_exec:file rx_file_perms;
|
||||
|
|
|
@ -6,9 +6,9 @@ net_domain(dnsmasq)
|
|||
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
|
||||
|
||||
# TODO: Run with dhcp group to avoid need for dac_override.
|
||||
allow dnsmasq self:capability dac_override;
|
||||
allow dnsmasq self:global_capability_class_set dac_override;
|
||||
|
||||
allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
|
||||
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
|
||||
|
||||
allow dnsmasq dhcp_data_file:dir w_dir_perms;
|
||||
allow dnsmasq dhcp_data_file:file create_file_perms;
|
||||
|
|
|
@ -248,7 +248,7 @@ neverallow {
|
|||
-init
|
||||
-ueventd
|
||||
-vold
|
||||
} self:capability mknod;
|
||||
} self:global_capability_class_set mknod;
|
||||
|
||||
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
|
||||
neverallow {
|
||||
|
@ -261,16 +261,16 @@ neverallow {
|
|||
-healthd
|
||||
-uncrypt
|
||||
-tee
|
||||
} self:capability sys_rawio;
|
||||
} self:global_capability_class_set sys_rawio;
|
||||
|
||||
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
|
||||
neverallow * self:memprotect mmap_zero;
|
||||
|
||||
# No domain needs mac_override as it is unused by SELinux.
|
||||
neverallow * self:capability2 mac_override;
|
||||
neverallow * self:global_capability2_class_set mac_override;
|
||||
|
||||
# Only recovery needs mac_admin to set contexts not defined in current policy.
|
||||
neverallow { domain -recovery } self:capability2 mac_admin;
|
||||
neverallow { domain -recovery } self:global_capability2_class_set mac_admin;
|
||||
|
||||
# Once the policy has been loaded there shall be none to modify the policy.
|
||||
# It is sealed.
|
||||
|
@ -1096,7 +1096,7 @@ neverallow * ~{ system_file vendor_file rootfs }:system module_load;
|
|||
neverallow {
|
||||
domain
|
||||
-recovery
|
||||
} self:capability setfcap;
|
||||
} self:global_capability_class_set setfcap;
|
||||
|
||||
# Enforce AT_SECURE for executing crash_dump.
|
||||
neverallow domain crash_dump:process noatsecure;
|
||||
|
|
|
@ -8,12 +8,12 @@ wakelock_use(dumpstate)
|
|||
|
||||
# Allow setting process priority, protect from OOM killer, and dropping
|
||||
# privileges by switching UID / GID
|
||||
allow dumpstate self:capability { setuid setgid sys_resource };
|
||||
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
|
||||
|
||||
# Allow dumpstate to scan through /proc/pid for all processes
|
||||
r_dir_file(dumpstate, domain)
|
||||
|
||||
allow dumpstate self:capability {
|
||||
allow dumpstate self:global_capability_class_set {
|
||||
# Send signals to processes
|
||||
kill
|
||||
# Run iptables
|
||||
|
@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
|
|||
allow dumpstate system_file:dir r_dir_perms;
|
||||
|
||||
# Create and write into /data/anr/
|
||||
allow dumpstate self:capability { dac_override chown fowner fsetid };
|
||||
allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
|
||||
allow dumpstate anr_data_file:dir rw_dir_perms;
|
||||
allow dumpstate anr_data_file:file create_file_perms;
|
||||
|
||||
|
@ -42,7 +42,7 @@ allow dumpstate anr_data_file:file create_file_perms;
|
|||
allow dumpstate system_data_file:file r_file_perms;
|
||||
|
||||
# Read dmesg
|
||||
allow dumpstate self:capability2 syslog;
|
||||
allow dumpstate self:global_capability2_class_set syslog;
|
||||
allow dumpstate kernel:system syslog_read;
|
||||
|
||||
# Read /sys/fs/pstore/console-ramoops
|
||||
|
@ -116,7 +116,7 @@ hal_client_domain(dumpstate, hal_vibrator)
|
|||
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
|
||||
|
||||
# Reading /proc/PID/maps of other processes
|
||||
allow dumpstate self:capability sys_ptrace;
|
||||
allow dumpstate self:global_capability_class_set sys_ptrace;
|
||||
|
||||
# Allow the bugreport service to create a file in
|
||||
# /data/data/com.android.shell/files/bugreports/bugreport
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
#####################################
|
||||
# Common groupings of object classes.
|
||||
#
|
||||
define(`capability_class_set', `{ capability capability2 }')
|
||||
define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
|
||||
define(`global_capability_class_set', `{ capability cap_userns }')
|
||||
define(`global_capability2_class_set', `{ capability2 cap2_userns }')
|
||||
|
||||
define(`devfile_class_set', `{ chr_file blk_file }')
|
||||
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
|
||||
|
|
|
@ -8,7 +8,7 @@ allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
|
|||
wakelock_use(hal_bluetooth);
|
||||
|
||||
# The HAL toggles rfkill to power the chip off/on.
|
||||
allow hal_bluetooth self:capability net_admin;
|
||||
allow hal_bluetooth self:global_capability_class_set net_admin;
|
||||
|
||||
# bluetooth factory file accesses.
|
||||
r_dir_file(hal_bluetooth, bluetooth_efs_file)
|
||||
|
@ -18,7 +18,7 @@ allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
|
|||
# sysfs access.
|
||||
r_dir_file(hal_bluetooth, sysfs_type)
|
||||
allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
|
||||
allow hal_bluetooth self:capability2 wake_alarm;
|
||||
allow hal_bluetooth self:global_capability2_class_set wake_alarm;
|
||||
|
||||
# Allow write access to bluetooth-specific properties
|
||||
set_prop(hal_bluetooth, bluetooth_prop)
|
||||
|
@ -27,4 +27,4 @@ set_prop(hal_bluetooth, bluetooth_prop)
|
|||
allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
|
||||
|
||||
# allow to run with real-time scheduling policy
|
||||
allow hal_bluetooth self:capability sys_nice;
|
||||
allow hal_bluetooth self:global_capability_class_set sys_nice;
|
||||
|
|
|
@ -10,4 +10,4 @@ allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
|
|||
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
|
||||
|
||||
# allow to run with real-time scheduling policy
|
||||
allow hal_graphics_allocator self:capability sys_nice;
|
||||
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
|
||||
|
|
|
@ -23,4 +23,4 @@ allow hal_graphics_composer bootanim:fd use;
|
|||
allow hal_graphics_composer appdomain:fd use;
|
||||
|
||||
# allow self to set SCHED_FIFO
|
||||
allow hal_graphics_composer self:capability sys_nice;
|
||||
allow hal_graphics_composer self:global_capability_class_set sys_nice;
|
||||
|
|
|
@ -6,7 +6,7 @@ neverallow {
|
|||
-hal_wifi_server
|
||||
-hal_wifi_supplicant_server
|
||||
-rild
|
||||
} self:capability { net_admin net_raw };
|
||||
} self:global_capability_class_set { net_admin net_raw };
|
||||
|
||||
# Unless a HAL's job is to communicate over the network, or control network
|
||||
# hardware, it should not be using network sockets.
|
||||
|
|
|
@ -12,4 +12,4 @@ allow hal_sensors { appdomain -isolated_app }:fd use;
|
|||
allow hal_sensors hal_allocator:fd use;
|
||||
|
||||
# allow to run with real-time scheduling policy
|
||||
allow hal_sensors self:capability sys_nice;
|
||||
allow hal_sensors self:global_capability_class_set sys_nice;
|
||||
|
|
|
@ -14,7 +14,7 @@ set_prop(hal_wifi, wifi_prop)
|
|||
allow hal_wifi self:udp_socket create_socket_perms;
|
||||
allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
|
||||
|
||||
allow hal_wifi self:capability { net_admin net_raw };
|
||||
allow hal_wifi self:global_capability_class_set { net_admin net_raw };
|
||||
# allow hal_wifi to speak to nl80211 in the kernel
|
||||
allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
|
||||
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
|
||||
|
@ -22,4 +22,4 @@ allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|||
# hal_wifi writes firmware paths to this file.
|
||||
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
|
||||
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
|
||||
allow hal_wifi proc_modules:file { getattr open read };
|
||||
allow hal_wifi proc_modules:file { getattr open read };
|
||||
|
|
|
@ -12,7 +12,7 @@ r_dir_file(hal_wifi_supplicant, sysfs_type)
|
|||
r_dir_file(hal_wifi_supplicant, proc_net)
|
||||
|
||||
allow hal_wifi_supplicant kernel:system module_request;
|
||||
allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
|
||||
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
|
||||
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
|
||||
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
|
||||
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
|
||||
|
|
|
@ -14,8 +14,8 @@ r_dir_file(healthd, cgroup)
|
|||
# /{system,vendor,odm}/lib[64]/hw/
|
||||
r_dir_file(healthd, system_file)
|
||||
|
||||
allow healthd self:capability { sys_tty_config };
|
||||
allow healthd self:capability sys_boot;
|
||||
allow healthd self:global_capability_class_set { sys_tty_config };
|
||||
allow healthd self:global_capability_class_set sys_boot;
|
||||
|
||||
allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
|
||||
|
|
|
@ -40,7 +40,7 @@ allow init system_block_device:{ blk_file lnk_file } relabelto;
|
|||
allow init misc_block_device:{ blk_file lnk_file } relabelto;
|
||||
|
||||
# setrlimit
|
||||
allow init self:capability sys_resource;
|
||||
allow init self:global_capability_class_set sys_resource;
|
||||
|
||||
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
|
||||
allow init tmpfs:file unlink;
|
||||
|
@ -61,7 +61,7 @@ allow init console_device:chr_file rw_file_perms;
|
|||
allow init tty_device:chr_file rw_file_perms;
|
||||
|
||||
# Call mount(2).
|
||||
allow init self:capability sys_admin;
|
||||
allow init self:global_capability_class_set sys_admin;
|
||||
|
||||
# Create and mount on directories in /.
|
||||
allow init rootfs:dir create_dir_perms;
|
||||
|
@ -92,12 +92,12 @@ allow init configfs:{ file lnk_file } create_file_perms;
|
|||
allow init tmpfs:dir relabelfrom;
|
||||
|
||||
# Create directories under /dev/cpuctl after chowning it to system.
|
||||
allow init self:capability dac_override;
|
||||
allow init self:global_capability_class_set dac_override;
|
||||
|
||||
# Set system clock.
|
||||
allow init self:capability sys_time;
|
||||
allow init self:global_capability_class_set sys_time;
|
||||
|
||||
allow init self:capability { sys_rawio mknod };
|
||||
allow init self:global_capability_class_set { sys_rawio mknod };
|
||||
|
||||
# Mounting filesystems from block devices.
|
||||
allow init dev_type:blk_file r_file_perms;
|
||||
|
@ -124,7 +124,7 @@ allow init rootfs:{ dir file } relabelfrom;
|
|||
# system/core/init.rc requires at least cache_file and data_file_type.
|
||||
# init.<board>.rc files often include device-specific types, so
|
||||
# we just allow all file types except /system files here.
|
||||
allow init self:capability { chown fowner fsetid };
|
||||
allow init self:global_capability_class_set { chown fowner fsetid };
|
||||
|
||||
allow init {
|
||||
file_type
|
||||
|
@ -256,7 +256,7 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
|||
# Any operation that can modify the kernel ring buffer, e.g. clear
|
||||
# or a read that consumes the messages that were read.
|
||||
allow init kernel:system syslog_mod;
|
||||
allow init self:capability2 syslog;
|
||||
allow init self:global_capability2_class_set syslog;
|
||||
|
||||
# init access to /proc.
|
||||
r_dir_file(init, proc_net)
|
||||
|
@ -295,10 +295,10 @@ allow init {
|
|||
# Set usermodehelpers.
|
||||
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
|
||||
|
||||
allow init self:capability net_admin;
|
||||
allow init self:global_capability_class_set net_admin;
|
||||
|
||||
# Reboot.
|
||||
allow init self:capability sys_boot;
|
||||
allow init self:global_capability_class_set sys_boot;
|
||||
|
||||
# Write to sysfs nodes.
|
||||
allow init sysfs_type:dir r_dir_perms;
|
||||
|
@ -311,7 +311,7 @@ allow init misc_logd_file:dir { add_name open create read getattr setattr search
|
|||
allow init misc_logd_file:file { open create getattr setattr write };
|
||||
|
||||
# Support "adb shell stop"
|
||||
allow init self:capability kill;
|
||||
allow init self:global_capability_class_set kill;
|
||||
allow init domain:process { getpgid sigkill signal };
|
||||
|
||||
# Init creates keystore's directory on boot, and walks through
|
||||
|
@ -329,7 +329,7 @@ allow init shell_data_file:dir { open create read getattr setattr search };
|
|||
allow init shell_data_file:file { getattr };
|
||||
|
||||
# Set UID, GID, and adjust capability bounding set for services.
|
||||
allow init self:capability { setuid setgid setpcap };
|
||||
allow init self:global_capability_class_set { setuid setgid setpcap };
|
||||
|
||||
# For bootchart to read the /proc/$pid/cmdline file of each process,
|
||||
# we need to have following line to allow init to have access
|
||||
|
@ -369,13 +369,13 @@ allow init property_type:property_service set;
|
|||
# so it can be picked up and processed by logd. These denials are
|
||||
# generated when an attempt to set a property is denied by policy.
|
||||
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
|
||||
allow init self:capability audit_write;
|
||||
allow init self:global_capability_class_set audit_write;
|
||||
|
||||
# Run "ifup lo" to bring up the localhost interface
|
||||
allow init self:udp_socket { create ioctl };
|
||||
# in addition to unpriv ioctls granted to all domains, init also needs:
|
||||
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
|
||||
allow init self:capability net_raw;
|
||||
allow init self:global_capability_class_set net_raw;
|
||||
|
||||
# This line seems suspect, as it should not really need to
|
||||
# set scheduling parameters for a kernel domain task.
|
||||
|
@ -396,7 +396,7 @@ allow init hw_random_device:chr_file r_file_perms;
|
|||
allow init device:file create_file_perms;
|
||||
|
||||
# keychord configuration
|
||||
allow init self:capability sys_tty_config;
|
||||
allow init self:global_capability_class_set sys_tty_config;
|
||||
allow init keychord_device:chr_file rw_file_perms;
|
||||
|
||||
# Access device mapper for setting up dm-verity
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
type install_recovery, domain;
|
||||
type install_recovery_exec, exec_type, file_type;
|
||||
|
||||
allow install_recovery self:capability dac_override;
|
||||
allow install_recovery self:global_capability_class_set dac_override;
|
||||
|
||||
# /system/bin/install-recovery.sh is a shell script.
|
||||
# Needs to execute /system/bin/sh
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
type installd, domain;
|
||||
type installd_exec, exec_type, file_type;
|
||||
typeattribute installd mlstrustedsubject;
|
||||
allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
|
||||
allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
|
||||
|
||||
# Allow labeling of files under /data/app/com.example/oat/
|
||||
allow installd dalvikcache_data_file:dir relabelto;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Life begins with the kernel.
|
||||
type kernel, domain, mlstrustedsubject;
|
||||
|
||||
allow kernel self:capability sys_nice;
|
||||
allow kernel self:global_capability_class_set sys_nice;
|
||||
|
||||
# Root fs.
|
||||
r_dir_file(kernel, rootfs)
|
||||
|
@ -33,14 +33,14 @@ allow kernel usbfs:dir search;
|
|||
dontaudit kernel self:security setenforce;
|
||||
|
||||
# Write to /proc/1/oom_adj prior to switching to init domain.
|
||||
allow kernel self:capability sys_resource;
|
||||
allow kernel self:global_capability_class_set sys_resource;
|
||||
|
||||
# Init reboot before switching selinux domains under certain error
|
||||
# conditions. Allow it.
|
||||
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
|
||||
# remount filesystems read-only. /data is not mounted at this point,
|
||||
# so we could ignore this. For now, we allow it.
|
||||
allow kernel self:capability sys_boot;
|
||||
allow kernel self:global_capability_class_set sys_boot;
|
||||
allow kernel proc_sysrq:file w_file_perms;
|
||||
|
||||
# Allow writing to /dev/kmsg which was created prior to loading policy.
|
||||
|
@ -101,4 +101,4 @@ neverallow kernel *:file { entrypoint execute_no_trans };
|
|||
# the kernel should not be accessing files owned by other users.
|
||||
# Instead of adding dac_{read_search,override}, fix the unix permissions
|
||||
# on files being accessed.
|
||||
neverallow kernel self:capability { dac_override dac_read_search };
|
||||
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
|
||||
|
|
|
@ -2,13 +2,13 @@
|
|||
type lmkd, domain, mlstrustedsubject;
|
||||
type lmkd_exec, exec_type, file_type;
|
||||
|
||||
allow lmkd self:capability { dac_override sys_resource kill };
|
||||
allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
|
||||
|
||||
# lmkd locks itself in memory, to prevent it from being
|
||||
# swapped out and unable to kill other memory hogs.
|
||||
# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
|
||||
# b/16236289
|
||||
allow lmkd self:capability ipc_lock;
|
||||
allow lmkd self:global_capability_class_set ipc_lock;
|
||||
|
||||
## Open and write to /proc/PID/oom_score_adj
|
||||
## TODO: maybe scope this down?
|
||||
|
@ -31,7 +31,7 @@ allow lmkd cgroup:dir { remove_name rmdir };
|
|||
allow lmkd cgroup:file r_file_perms;
|
||||
|
||||
# Set self to SCHED_FIFO
|
||||
allow lmkd self:capability sys_nice;
|
||||
allow lmkd self:global_capability_class_set sys_nice;
|
||||
|
||||
allow lmkd proc_zoneinfo:file r_file_perms;
|
||||
|
||||
|
|
|
@ -8,8 +8,8 @@ r_dir_file(logd, proc_kmsg)
|
|||
r_dir_file(logd, proc_meminfo)
|
||||
r_dir_file(logd, proc_net)
|
||||
|
||||
allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
|
||||
allow logd self:capability2 syslog;
|
||||
allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
|
||||
allow logd self:global_capability2_class_set syslog;
|
||||
allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
|
||||
allow logd kernel:system syslog_read;
|
||||
allow logd kmsg_device:chr_file w_file_perms;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
type modprobe, domain;
|
||||
|
||||
allow modprobe proc_modules:file r_file_perms;
|
||||
allow modprobe self:capability sys_module;
|
||||
allow modprobe self:global_capability_class_set sys_module;
|
||||
allow modprobe kernel:key search;
|
||||
recovery_only(`
|
||||
allow modprobe rootfs:system module_load;
|
||||
|
|
|
@ -6,6 +6,6 @@ net_domain(mtp)
|
|||
|
||||
# pptp policy
|
||||
allow mtp self:socket create_socket_perms_no_ioctl;
|
||||
allow mtp self:capability net_raw;
|
||||
allow mtp self:global_capability_class_set net_raw;
|
||||
allow mtp ppp:process signal;
|
||||
allow mtp vpn_data_file:dir search;
|
||||
|
|
|
@ -9,14 +9,14 @@ allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
|
|||
r_dir_file(netd, cgroup)
|
||||
allow netd system_server:fd use;
|
||||
|
||||
allow netd self:capability { net_admin net_raw kill };
|
||||
allow netd self:global_capability_class_set { net_admin net_raw kill };
|
||||
# Note: fsetid is deliberately not included above. fsetid checks are
|
||||
# triggered by chmod on a directory or file owned by a group other
|
||||
# than one of the groups assigned to the current process to see if
|
||||
# the setgid bit should be cleared, regardless of whether the setgid
|
||||
# bit was even set. We do not appear to truly need this capability
|
||||
# for netd to operate.
|
||||
dontaudit netd self:capability fsetid;
|
||||
dontaudit netd self:global_capability_class_set fsetid;
|
||||
|
||||
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
allow netd self:netlink_route_socket nlmsg_write;
|
||||
|
@ -60,12 +60,12 @@ allow netd sysfs_usb:file write;
|
|||
# TODO: netd previously thought it needed these permissions to do WiFi related
|
||||
# work. However, after all the WiFi stuff is gone, we still need them.
|
||||
# Why?
|
||||
allow netd self:capability { dac_override chown };
|
||||
allow netd self:global_capability_class_set { dac_override chown };
|
||||
|
||||
# Needed to update /data/misc/net/rt_tables
|
||||
allow netd net_data_file:file create_file_perms;
|
||||
allow netd net_data_file:dir rw_dir_perms;
|
||||
allow netd self:capability fowner;
|
||||
allow netd self:global_capability_class_set fowner;
|
||||
|
||||
# Needed to lock the iptables lock.
|
||||
allow netd system_file:file lock;
|
||||
|
|
|
@ -5,7 +5,7 @@ type otapreopt_chroot_exec, exec_type, file_type;
|
|||
# Chroot preparation and execution.
|
||||
# We need to create an unshared mount namespace, and then mount /data.
|
||||
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
||||
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
|
||||
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
|
||||
|
||||
# This is required to mount /vendor.
|
||||
allow otapreopt_chroot block_device:dir search;
|
||||
|
|
|
@ -10,7 +10,7 @@ allow performanced permission_service:service_manager find;
|
|||
pdx_server(performanced, performance_client)
|
||||
|
||||
# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
|
||||
allow performanced self:capability { setuid setgid sys_nice };
|
||||
allow performanced self:global_capability_class_set { setuid setgid sys_nice };
|
||||
|
||||
# Access /proc to validate we're only affecting threads in the same thread group.
|
||||
# Performanced also shields unbound kernel threads. It scans every task in the
|
||||
|
|
|
@ -20,7 +20,7 @@ userdebug_or_eng(`
|
|||
# perfprofd reads a config file from /data/data/com.google.android.gms/files
|
||||
allow perfprofd app_data_file:file r_file_perms;
|
||||
allow perfprofd app_data_file:dir search;
|
||||
allow perfprofd self:capability { dac_override };
|
||||
allow perfprofd self:global_capability_class_set { dac_override };
|
||||
|
||||
# perfprofd opens a file for writing in /data/misc/perfprofd
|
||||
allow perfprofd perfprofd_data_file:file create_file_perms;
|
||||
|
@ -34,13 +34,13 @@ userdebug_or_eng(`
|
|||
wakelock_use(perfprofd);
|
||||
|
||||
# simpleperf uses ioctl() to turn on kernel perf events measurements
|
||||
allow perfprofd self:capability sys_admin;
|
||||
allow perfprofd self:global_capability_class_set sys_admin;
|
||||
|
||||
# simpleperf needs to examine /proc to collect task/thread info
|
||||
r_dir_file(perfprofd, domain)
|
||||
|
||||
# simpleperf needs to access /proc/<pid>/exec
|
||||
allow perfprofd self:capability { sys_resource sys_ptrace };
|
||||
allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
|
||||
neverallow perfprofd domain:process ptrace;
|
||||
|
||||
# simpleperf needs open/read any file that turns up in a profile
|
||||
|
@ -54,6 +54,6 @@ userdebug_or_eng(`
|
|||
allow perfprofd toolbox_exec:file rx_file_perms;
|
||||
|
||||
# needed for simpleperf on some kernels
|
||||
allow perfprofd self:capability ipc_lock;
|
||||
allow perfprofd self:global_capability_class_set ipc_lock;
|
||||
|
||||
')
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
type postinstall_dexopt, domain;
|
||||
|
||||
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
|
||||
allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
|
||||
|
||||
allow postinstall_dexopt postinstall_file:filesystem getattr;
|
||||
allow postinstall_dexopt postinstall_file:dir { getattr search };
|
||||
|
|
|
@ -15,7 +15,7 @@ allowxperm ppp mtp:socket ioctl ppp_ioctls;
|
|||
|
||||
allow ppp mtp:unix_dgram_socket rw_socket_perms;
|
||||
allow ppp ppp_device:chr_file rw_file_perms;
|
||||
allow ppp self:capability net_admin;
|
||||
allow ppp self:global_capability_class_set net_admin;
|
||||
allow ppp system_file:file rx_file_perms;
|
||||
not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
|
||||
allow ppp vpn_data_file:dir w_dir_perms;
|
||||
|
|
|
@ -15,7 +15,7 @@ allow racoon kernel:system module_request;
|
|||
|
||||
allow racoon self:key_socket create_socket_perms_no_ioctl;
|
||||
allow racoon self:tun_socket create_socket_perms_no_ioctl;
|
||||
allow racoon self:capability { net_admin net_bind_service net_raw };
|
||||
allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
|
||||
|
||||
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
|
||||
allow racoon system_file:file rx_file_perms;
|
||||
|
|
|
@ -12,10 +12,10 @@ recovery_only(`
|
|||
# Recovery can only use HALs in passthrough mode
|
||||
passthrough_hal_client_domain(recovery, hal_bootctl)
|
||||
|
||||
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
||||
allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
||||
|
||||
# Set security contexts on files that are not known to the loaded policy.
|
||||
allow recovery self:capability2 mac_admin;
|
||||
allow recovery self:global_capability2_class_set mac_admin;
|
||||
|
||||
# Run helpers from / or /system without changing domain.
|
||||
r_dir_file(recovery, rootfs)
|
||||
|
|
|
@ -7,7 +7,7 @@ allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
|
|||
|
||||
allow rild self:netlink_route_socket nlmsg_write;
|
||||
allow rild kernel:system module_request;
|
||||
allow rild self:capability { setpcap setgid setuid net_admin net_raw };
|
||||
allow rild self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
|
||||
allow rild alarm_device:chr_file rw_file_perms;
|
||||
allow rild cgroup:dir create_dir_perms;
|
||||
allow rild cgroup:{ file lnk_file } r_file_perms;
|
||||
|
|
|
@ -18,11 +18,11 @@ allow runas system_data_file:lnk_file getattr;
|
|||
allow runas system_data_file:lnk_file read;
|
||||
|
||||
# run-as checks and changes to the app data dir.
|
||||
dontaudit runas self:capability dac_override;
|
||||
dontaudit runas self:global_capability_class_set dac_override;
|
||||
allow runas app_data_file:dir { getattr search };
|
||||
|
||||
# run-as switches to the app UID/GID.
|
||||
allow runas self:capability { setuid setgid };
|
||||
allow runas self:global_capability_class_set { setuid setgid };
|
||||
|
||||
# run-as switches to the app security context.
|
||||
selinux_check_context(runas) # validate context
|
||||
|
@ -38,5 +38,5 @@ allow runas seapp_contexts_file:file r_file_perms;
|
|||
###
|
||||
|
||||
# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
|
||||
neverallow runas self:capability ~{ setuid setgid };
|
||||
neverallow runas self:capability2 *;
|
||||
neverallow runas self:global_capability_class_set ~{ setuid setgid };
|
||||
neverallow runas self:global_capability2_class_set *;
|
||||
|
|
|
@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
|
|||
allow sdcardd storage_file:dir search;
|
||||
allow sdcardd storage_stub_file:dir { search mounton };
|
||||
allow sdcardd sdcard_type:filesystem { mount unmount };
|
||||
allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
|
||||
allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
|
||||
|
||||
allow sdcardd sdcard_type:dir create_dir_perms;
|
||||
allow sdcardd sdcard_type:file create_file_perms;
|
||||
|
|
|
@ -14,7 +14,7 @@ allow sgdisk vold:fd use;
|
|||
allow sgdisk vold:fifo_file { read write getattr };
|
||||
|
||||
# Used to probe kernel to reload partition tables
|
||||
allow sgdisk self:capability sys_admin;
|
||||
allow sgdisk self:global_capability_class_set sys_admin;
|
||||
|
||||
# Only allow entry from vold
|
||||
neverallow { domain -vold } sgdisk:process transition;
|
||||
|
|
|
@ -5,7 +5,7 @@ type slideshow, domain;
|
|||
allow slideshow kmsg_device:chr_file rw_file_perms;
|
||||
wakelock_use(slideshow)
|
||||
allow slideshow device:dir r_dir_perms;
|
||||
allow slideshow self:capability sys_tty_config;
|
||||
allow slideshow self:global_capability_class_set sys_tty_config;
|
||||
allow slideshow graphics_device:dir r_dir_perms;
|
||||
allow slideshow graphics_device:chr_file rw_file_perms;
|
||||
allow slideshow input_device:dir r_dir_perms;
|
||||
|
|
|
@ -402,7 +402,7 @@ define(`wakelock_use', `
|
|||
# Access /sys/power/wake_lock and /sys/power/wake_unlock
|
||||
allow $1 sysfs_wake_lock:file rw_file_perms;
|
||||
# Accessing these files requires CAP_BLOCK_SUSPEND
|
||||
allow $1 self:capability2 block_suspend;
|
||||
allow $1 self:global_capability2_class_set block_suspend;
|
||||
')
|
||||
|
||||
#####################################
|
||||
|
|
|
@ -5,7 +5,7 @@ type ueventd, domain;
|
|||
# Write to /dev/kmsg.
|
||||
allow ueventd kmsg_device:chr_file rw_file_perms;
|
||||
|
||||
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
||||
allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
||||
allow ueventd device:file create_file_perms;
|
||||
|
||||
r_dir_file(ueventd, rootfs)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
type uncrypt, domain, mlstrustedsubject;
|
||||
type uncrypt_exec, exec_type, file_type;
|
||||
|
||||
allow uncrypt self:capability dac_override;
|
||||
allow uncrypt self:global_capability_class_set dac_override;
|
||||
|
||||
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
|
||||
r_dir_file(uncrypt, app_data_file)
|
||||
|
@ -29,7 +29,7 @@ unix_socket_connect(uncrypt, uncrypt, uncrypt)
|
|||
set_prop(uncrypt, powerctl_prop)
|
||||
|
||||
# Raw writes to block device
|
||||
allow uncrypt self:capability sys_rawio;
|
||||
allow uncrypt self:global_capability_class_set sys_rawio;
|
||||
allow uncrypt misc_block_device:blk_file w_file_perms;
|
||||
allow uncrypt block_device:dir r_dir_perms;
|
||||
|
||||
|
|
|
@ -11,12 +11,12 @@ allow update_engine qtaguid_device:chr_file r_file_perms;
|
|||
|
||||
# Following permissions are needed for update_engine.
|
||||
allow update_engine self:process { setsched };
|
||||
allow update_engine self:capability { fowner sys_admin };
|
||||
allow update_engine self:global_capability_class_set { fowner sys_admin };
|
||||
# Note: fsetid checks are triggered when creating a file in a directory with
|
||||
# the setgid bit set to determine if the file should inherit setgid. In this
|
||||
# case, setgid on the file is undesirable so we should just suppress the
|
||||
# denial.
|
||||
dontaudit update_engine self:capability fsetid;
|
||||
dontaudit update_engine self:global_capability_class_set fsetid;
|
||||
|
||||
allow update_engine kmsg_device:chr_file w_file_perms;
|
||||
allow update_engine update_engine_exec:file rx_file_perms;
|
||||
|
|
|
@ -22,14 +22,14 @@ allow vendor_init configfs:dir create_dir_perms;
|
|||
allow vendor_init configfs:{ file lnk_file } create_file_perms;
|
||||
|
||||
# Create directories under /dev/cpuctl after chowning it to system.
|
||||
allow vendor_init self:capability dac_override;
|
||||
allow vendor_init self:global_capability_class_set dac_override;
|
||||
|
||||
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
|
||||
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
|
||||
# system/core/init.rc requires at least cache_file and data_file_type.
|
||||
# init.<board>.rc files often include device-specific types, so
|
||||
# we just allow all file types except /system files here.
|
||||
allow vendor_init self:capability { chown fowner fsetid };
|
||||
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
|
||||
|
||||
allow vendor_init {
|
||||
file_type
|
||||
|
@ -188,7 +188,7 @@ allow vendor_init dev_type:blk_file getattr;
|
|||
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
|
||||
r_dir_file(vendor_init, proc_net)
|
||||
allow vendor_init proc_net:file w_file_perms;
|
||||
allow vendor_init self:capability net_admin;
|
||||
allow vendor_init self:global_capability_class_set net_admin;
|
||||
|
||||
# Write to /proc/sys/vm/page-cluster
|
||||
allow vendor_init proc_page_cluster:file w_file_perms;
|
||||
|
@ -207,4 +207,4 @@ r_dir_file(vendor_init, vendor_file_type)
|
|||
allow vendor_init serialno_prop:file { getattr open read };
|
||||
|
||||
# Vendor init can perform operations on trusted and security Extended Attributes
|
||||
allow vendor_init self:capability sys_admin;
|
||||
allow vendor_init self:global_capability_class_set sys_admin;
|
||||
|
|
|
@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
|
|||
allow vold tmpfs:filesystem { mount unmount };
|
||||
allow vold tmpfs:dir create_dir_perms;
|
||||
allow vold tmpfs:dir mounton;
|
||||
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
||||
allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
||||
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
allow vold app_data_file:dir search;
|
||||
allow vold app_data_file:file rw_file_perms;
|
||||
|
@ -88,7 +88,7 @@ allow vold dm_device:blk_file rw_file_perms;
|
|||
allow vold domain:dir r_dir_perms;
|
||||
allow vold domain:{ file lnk_file } r_file_perms;
|
||||
allow vold domain:process { signal sigkill };
|
||||
allow vold self:capability { sys_ptrace kill };
|
||||
allow vold self:global_capability_class_set { sys_ptrace kill };
|
||||
|
||||
# XXX Label sysfs files with a specific type?
|
||||
allow vold sysfs:file rw_file_perms;
|
||||
|
@ -179,10 +179,10 @@ allow vold init:key { write search setattr };
|
|||
allow vold vold:key { write search setattr };
|
||||
|
||||
# vold temporarily changes its priority when running benchmarks
|
||||
allow vold self:capability sys_nice;
|
||||
allow vold self:global_capability_class_set sys_nice;
|
||||
|
||||
# vold needs to chroot into app namespaces to remount when runtime permissions change
|
||||
allow vold self:capability sys_chroot;
|
||||
allow vold self:global_capability_class_set sys_chroot;
|
||||
allow vold storage_file:dir mounton;
|
||||
|
||||
# For AppFuse.
|
||||
|
|
|
@ -14,7 +14,7 @@ set_prop(wificond, ctl_default_prop)
|
|||
allow wificond self:udp_socket create_socket_perms;
|
||||
# setting interface state up/down is a privileged ioctl
|
||||
allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
|
||||
allow wificond self:capability { net_admin net_raw };
|
||||
allow wificond self:global_capability_class_set { net_admin net_raw };
|
||||
# allow wificond to speak to nl80211 in the kernel
|
||||
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
|
||||
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
|
||||
|
|
|
@ -25,5 +25,5 @@ allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
|
|||
|
||||
# Allow us to bring up a TUN network interface.
|
||||
allow wpantund tun_device:chr_file rw_file_perms;
|
||||
allow wpantund self:capability { net_admin net_raw };
|
||||
allow wpantund self:global_capability_class_set { net_admin net_raw };
|
||||
allow wpantund self:tun_socket create;
|
||||
|
|
2
vendor/hostapd.te
vendored
2
vendor/hostapd.te
vendored
|
@ -5,7 +5,7 @@ type hostapd_exec, exec_type, vendor_file_type, file_type;
|
|||
init_daemon_domain(hostapd)
|
||||
|
||||
net_domain(hostapd)
|
||||
allow hostapd self:capability { net_admin net_raw };
|
||||
allow hostapd self:global_capability_class_set { net_admin net_raw };
|
||||
|
||||
# hostapd learns about its network interface via sysfs.
|
||||
allow hostapd sysfs:file r_file_perms;
|
||||
|
|
2
vendor/tee.te
vendored
2
vendor/tee.te
vendored
|
@ -4,7 +4,7 @@
|
|||
type tee_exec, exec_type, vendor_file_type, file_type;
|
||||
init_daemon_domain(tee)
|
||||
|
||||
allow tee self:capability { dac_override };
|
||||
allow tee self:global_capability_class_set { dac_override };
|
||||
allow tee tee_device:chr_file rw_file_perms;
|
||||
allow tee tee_data_file:dir rw_dir_perms;
|
||||
allow tee tee_data_file:file create_file_perms;
|
||||
|
|
2
vendor/vendor_modprobe.te
vendored
2
vendor/vendor_modprobe.te
vendored
|
@ -4,7 +4,7 @@ type vendor_modprobe, domain;
|
|||
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
|
||||
|
||||
allow vendor_modprobe proc_modules:file r_file_perms;
|
||||
allow vendor_modprobe self:capability sys_module;
|
||||
allow vendor_modprobe self:global_capability_class_set sys_module;
|
||||
allow vendor_modprobe kernel:key search;
|
||||
|
||||
allow vendor_modprobe { vendor_file }:system module_load;
|
||||
|
|
Loading…
Reference in a new issue