never allow untrusted apps accessing debugfs_tracing am: 2543715187

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1513758

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I28a14b4f551938725684dcd1153c48fc67d3da53
This commit is contained in:
Adam Shih 2020-12-08 02:26:32 +00:00 committed by Automerger Merge Worker
commit 9c9386d68d
3 changed files with 12 additions and 0 deletions

View file

@ -93,6 +93,9 @@ get_prop(platform_app, keyguard_config_prop)
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
# suppress denials caused by debugfs_tracing
dontaudit platform_app debugfs_tracing:file rw_file_perms;
###
### Neverallow rules
###

View file

@ -116,6 +116,9 @@ dontaudit system_app {
vr_hwc_service
}:service_manager find;
# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file rw_file_perms;
allow system_app keystore:keystore_key {
get_state
get

View file

@ -64,6 +64,9 @@ allow untrusted_app_all trace_data_file:file { getattr read };
neverallow untrusted_app_all trace_data_file:dir *;
neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
# neverallow untrusted apps accessing debugfs_tracing
neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
@ -146,6 +149,9 @@ allow untrusted_app_all system_server:udp_socket {
# Allow the renderscript compiler to be run.
domain_auto_trans(untrusted_app_all, rs_exec, rs)
# suppress denials caused by debugfs_tracing
dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
dontaudit untrusted_app_all net_dns_prop:file read;