never allow untrusted apps accessing debugfs_tracing am: 2543715187
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1513758 MUST ONLY BE SUBMITTED BY AUTOMERGER Change-Id: I28a14b4f551938725684dcd1153c48fc67d3da53
commit
9c9386d68d
3 changed files with 12 additions and 0 deletions
|
@ -93,6 +93,9 @@ get_prop(platform_app, keyguard_config_prop)
|
|||
# allow platform apps to create symbolic link
|
||||
allow platform_app app_data_file:lnk_file create_file_perms;
|
||||
|
||||
# suppress denials caused by debugfs_tracing
|
||||
dontaudit platform_app debugfs_tracing:file rw_file_perms;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
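Review bot: The comment `# suppress denials caused by debugfs_tracing` above the new `dontaudit platform_app debugfs_tracing:file rw_file_perms;` names the target type but not what in platform_app attempts the access, so a later reader cannot tell whether the rule is still needed. The same wording is repeated on the `dontaudit` rules added for system_app and untrusted_app_all. Because `dontaudit` removes these denials from the audit log, a privileged app that starts touching tracefs for some other reason would also go unlogged. I would record the trigger and the scope in the comment, e.g. `# Denials come from <component / bug id placeholder>; access stays denied, only logging is suppressed.` If only reads are observed, narrowing the rule to `r_file_perms` would keep write attempts visible.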
|
||||
|
|
|
@ -116,6 +116,9 @@ dontaudit system_app {
|
|||
vr_hwc_service
|
||||
}:service_manager find;
|
||||
|
||||
# suppress denials caused by debugfs_tracing
|
||||
dontaudit system_app debugfs_tracing:file rw_file_perms;
|
||||
|
||||
allow system_app keystore:keystore_key {
|
||||
get_state
|
||||
get
|
||||
|
|
|
@ -64,6 +64,9 @@ allow untrusted_app_all trace_data_file:file { getattr read };
|
|||
neverallow untrusted_app_all trace_data_file:dir *;
|
||||
neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
|
||||
|
||||
# neverallow untrusted apps accessing debugfs_tracing
|
||||
neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
|
||||
|
||||
# Allow to read staged apks.
|
||||
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
|
||||
|
||||
|
@ -146,6 +149,9 @@ allow untrusted_app_all system_server:udp_socket {
|
|||
# Allow the renderscript compiler to be run.
|
||||
domain_auto_trans(untrusted_app_all, rs_exec, rs)
|
||||
|
||||
# suppress denials caused by debugfs_tracing
|
||||
dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
|
||||
|
||||
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
|
||||
dontaudit untrusted_app_all net_dns_prop:file read;
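Review bot: The new `neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;` in the first hunk covers only the `file` class, whereas the neighbouring trace_data_file rules pair their file rule with `neverallow untrusted_app_all trace_data_file:dir *;`. Nothing in this hunk asserts anything about `debugfs_tracing:dir`, so a later allow on the directory would not be caught at build time. If no domain-wide rule already grants directory access (not visible here), consider adding `neverallow untrusted_app_all debugfs_tracing:dir *;`, or a narrower permission set if `search` has to stay; the policy build will fail if it conflicts with an existing allow. The comment could also state that the assertion is compile-time only and that the `dontaudit` added in the second hunk hides the resulting runtime denials.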
|
||||
|
||||
|
|