Iorapd and friends have been removed
Remove references in sepolicy. Leave a few of the types defined since they're public and may be used in device-specific policy. Bug: 211461392 Test: build/boot cuttlefish Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
This commit is contained in:
Jeff Vander Stoep
parent
e14ad82c98
commit
b07c12c39d
26 changed files with 18 additions and 304 deletions
|
|
@ -31,7 +31,6 @@ allow atrace {
|
|||
-dumpstate_service
|
||||
-incident_service
|
||||
-installd_service
|
||||
-iorapd_service
|
||||
-lpdump_service
|
||||
-mdns_service
|
||||
-netd_service
|
||||
|
|
|
|||
|
|
@ -1,3 +1,16 @@
|
|||
;; types removed from current policy
|
||||
(type iorap_inode2filename)
|
||||
(type iorap_inode2filename_exec)
|
||||
(type iorap_inode2filename_tmpfs)
|
||||
(type iorap_prefetcherd)
|
||||
(type iorap_prefetcherd_exec)
|
||||
(type iorap_prefetcherd_tmpfs)
|
||||
(type iorapd)
|
||||
(type iorapd_data_file)
|
||||
(type iorapd_exec)
|
||||
(type iorapd_service)
|
||||
(type iorapd_tmpfs)
|
||||
|
||||
(expandtypeattribute (DockObserver_service_33_0) true)
|
||||
(expandtypeattribute (IProxyService_service_33_0) true)
|
||||
(expandtypeattribute (aac_drc_prop_33_0) true)
|
||||
|
|
|
|||
|
|
@ -91,8 +91,6 @@ full_treble_only(`
|
|||
-idmap
|
||||
-init
|
||||
-installd
|
||||
-iorap_inode2filename
|
||||
-iorap_prefetcherd
|
||||
-postinstall_dexopt
|
||||
-rs # spawned by appdomain, so carryover the exception above
|
||||
-system_server
|
||||
|
|
@ -111,8 +109,6 @@ full_treble_only(`
|
|||
-idmap
|
||||
-init
|
||||
-installd
|
||||
-iorap_inode2filename
|
||||
-iorap_prefetcherd
|
||||
-postinstall_dexopt
|
||||
-rs # spawned by appdomain, so carryover the exception above
|
||||
-system_server
|
||||
|
|
|
|||
|
|
@ -181,8 +181,6 @@ neverallow {
|
|||
-app_zygote
|
||||
-dexoptanalyzer
|
||||
-installd
|
||||
-iorap_inode2filename
|
||||
-iorap_prefetcherd
|
||||
-profman
|
||||
-rs # spawned by appdomain, so carryover the exception above
|
||||
-runas
|
||||
|
|
@ -205,7 +203,6 @@ neverallow {
|
|||
-appdomain
|
||||
-app_zygote
|
||||
-installd
|
||||
-iorap_prefetcherd
|
||||
-rs # spawned by appdomain, so carryover the exception above
|
||||
} { privapp_data_file app_data_file }:file_class_set open;
|
||||
|
||||
|
|
@ -230,7 +227,6 @@ neverallow {
|
|||
-system_server
|
||||
-apexd
|
||||
-installd
|
||||
-iorap_inode2filename
|
||||
-priv_app
|
||||
-virtualizationservice
|
||||
} staging_data_file:dir *;
|
||||
|
|
@ -243,7 +239,6 @@ neverallow {
|
|||
-adbd
|
||||
-kernel
|
||||
-installd
|
||||
-iorap_inode2filename
|
||||
-priv_app
|
||||
-shell
|
||||
-virtualizationservice
|
||||
|
|
@ -273,7 +268,6 @@ neverallow {
|
|||
domain
|
||||
-appdomain
|
||||
with_asan(`-asan_extract')
|
||||
-iorap_prefetcherd
|
||||
-shell
|
||||
userdebug_or_eng(`-su')
|
||||
-system_server_startup # for memfd backed executable regions
|
||||
|
|
@ -394,8 +388,6 @@ neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
|
|||
# this list should be a superset of the one above.
|
||||
neverallow ~{
|
||||
dac_override_allowed
|
||||
iorap_inode2filename
|
||||
iorap_prefetcherd
|
||||
traced_perf
|
||||
traced_probes
|
||||
heapprofd
|
||||
|
|
@ -475,8 +467,6 @@ full_treble_only(`
|
|||
-heapprofd
|
||||
userdebug_or_eng(`-profcollectd')
|
||||
-init
|
||||
-iorap_inode2filename
|
||||
-iorap_prefetcherd
|
||||
-kernel
|
||||
userdebug_or_eng(`-simpleperf_boot')
|
||||
-traced_perf
|
||||
|
|
@ -514,8 +504,6 @@ full_treble_only(`
|
|||
-crash_dump
|
||||
-crosvm # loads vendor-specific disk images
|
||||
-init # starts vendor executables
|
||||
-iorap_inode2filename
|
||||
-iorap_prefetcherd
|
||||
-kernel # loads /vendor/firmware
|
||||
-heapprofd
|
||||
userdebug_or_eng(`-profcollectd')
|
||||
|
|
@ -619,7 +607,6 @@ neverallow {
|
|||
-appdomain # finer-grained rules for appdomain are listed below
|
||||
-system_server #populate com.android.providers.settings/databases/settings.db.
|
||||
-installd # creation of app sandbox
|
||||
-iorap_inode2filename
|
||||
-traced_probes # resolve inodes for i/o tracing.
|
||||
# only needs open and read, the rest is neverallow in
|
||||
# traced_probes.te.
|
||||
|
|
|
|||
|
|
@ -323,9 +323,6 @@
|
|||
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
|
||||
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
|
||||
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
|
||||
/system/bin/iorapd u:object_r:iorapd_exec:s0
|
||||
/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
|
||||
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
|
||||
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
|
||||
/system/bin/blkid u:object_r:blkid_exec:s0
|
||||
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
|
||||
|
|
@ -658,7 +655,6 @@
|
|||
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
|
||||
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
|
||||
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
|
||||
/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
|
||||
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
|
||||
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
|
||||
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
|
||||
|
|
@ -779,9 +775,6 @@
|
|||
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
|
||||
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
|
||||
|
||||
# iorapd per-user data
|
||||
/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
|
||||
|
||||
# Backup service persistent per-user bookkeeping
|
||||
/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
|
||||
# Backup service temporary per-user data for inter-change with apps
|
||||
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
typeattribute iorap_inode2filename coredomain;
|
||||
|
||||
# Grant access to open most of the files under /
|
||||
allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
|
||||
allow iorap_inode2filename apex_data_file:file { getattr };
|
||||
allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename dalvikcache_data_file:file { getattr };
|
||||
allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
|
||||
allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
|
||||
allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename storaged_data_file:file { getattr };
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
typeattribute iorap_prefetcherd coredomain;
|
||||
|
||||
init_daemon_domain(iorap_prefetcherd)
|
||||
tmpfs_domain(iorap_prefetcherd)
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
typeattribute iorapd coredomain;
|
||||
|
||||
init_daemon_domain(iorapd)
|
||||
tmpfs_domain(iorapd)
|
||||
|
||||
domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
|
||||
domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
|
||||
|
||||
# Allow iorapd to access the runtime native boot feature flag properties.
|
||||
get_prop(iorapd, device_config_runtime_native_boot_prop)
|
||||
|
|
@ -7,22 +7,16 @@
|
|||
neverallow {
|
||||
mlstrustedsubject
|
||||
-installd
|
||||
-iorap_prefetcherd
|
||||
-iorap_inode2filename
|
||||
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
|
||||
|
||||
neverallow {
|
||||
mlstrustedsubject
|
||||
-installd
|
||||
-iorap_prefetcherd
|
||||
-iorap_inode2filename
|
||||
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
|
||||
|
||||
neverallow {
|
||||
mlstrustedsubject
|
||||
-installd
|
||||
-iorap_prefetcherd
|
||||
-iorap_inode2filename
|
||||
-system_server
|
||||
-adbd
|
||||
-runas
|
||||
|
|
|
|||
|
|
@ -197,7 +197,6 @@ inputflinger u:object_r:inputflinger_service:s0
|
|||
input_method u:object_r:input_method_service:s0
|
||||
input u:object_r:input_service:s0
|
||||
installd u:object_r:installd_service:s0
|
||||
iorapd u:object_r:iorapd_service:s0
|
||||
iphonesubinfo_msim u:object_r:radio_service:s0
|
||||
iphonesubinfo2 u:object_r:radio_service:s0
|
||||
iphonesubinfo u:object_r:radio_service:s0
|
||||
|
|
|
|||
|
|
@ -87,7 +87,6 @@ allow system_app {
|
|||
-dnsresolver_service
|
||||
-dumpstate_service
|
||||
-installd_service
|
||||
-iorapd_service
|
||||
-lpdump_service
|
||||
-mdns_service
|
||||
-netd_service
|
||||
|
|
@ -103,7 +102,6 @@ dontaudit system_app {
|
|||
dnsresolver_service
|
||||
dumpstate_service
|
||||
installd_service
|
||||
iorapd_service
|
||||
mdns_service
|
||||
netd_service
|
||||
virtual_touchpad_service
|
||||
|
|
|
|||
|
|
@ -287,7 +287,6 @@ binder_call(system_server, gpuservice)
|
|||
binder_call(system_server, idmap)
|
||||
binder_call(system_server, installd)
|
||||
binder_call(system_server, incidentd)
|
||||
binder_call(system_server, iorapd)
|
||||
binder_call(system_server, netd)
|
||||
userdebug_or_eng(`binder_call(system_server, profcollectd)')
|
||||
binder_call(system_server, statsd)
|
||||
|
|
@ -903,7 +902,6 @@ allow system_server idmap_service:service_manager find;
|
|||
allow system_server incident_service:service_manager find;
|
||||
allow system_server incremental_service:service_manager find;
|
||||
allow system_server installd_service:service_manager find;
|
||||
allow system_server iorapd_service:service_manager find;
|
||||
allow system_server keystore_maintenance_service:service_manager find;
|
||||
allow system_server keystore_metrics_service:service_manager find;
|
||||
allow system_server keystore_service:service_manager find;
|
||||
|
|
|
|||
|
|
@ -1,7 +1,4 @@
|
|||
# Perfetto user-space tracing daemon (unprivileged)
|
||||
|
||||
# type traced is defined under /public (because iorapd rules
|
||||
# under public/ need to refer to it).
|
||||
type traced_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Allow init to exec the daemon.
|
||||
|
|
@ -41,11 +38,6 @@ allow traced tracingproxy_service:service_manager find;
|
|||
binder_use(traced);
|
||||
binder_call(traced, system_server);
|
||||
|
||||
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
|
||||
# write into the shmem buffer file without doing roundtrips over IPC.
|
||||
allow traced iorapd:fd use;
|
||||
allow traced iorapd_tmpfs:file { read write };
|
||||
|
||||
# Allow traced to use shared memory supplied by producers. Typically, traced
|
||||
# (i.e. the tracing service) creates the shared memory used for data transfer
|
||||
# from the producer. This rule allows an alternative scheme, where the producer
|
||||
|
|
|
|||
|
|
@ -950,8 +950,6 @@ full_treble_only(`
|
|||
-system_lib_file
|
||||
-system_linker_exec
|
||||
-crash_dump_exec
|
||||
-iorap_prefetcherd_exec
|
||||
-iorap_inode2filename_exec
|
||||
-netutils_wrapper_exec
|
||||
userdebug_or_eng(`-tcpdump_exec')
|
||||
}:file { entrypoint execute execute_no_trans };
|
||||
|
|
@ -1019,7 +1017,6 @@ full_treble_only(`
|
|||
system_file_type
|
||||
-crash_dump_exec
|
||||
-file_contexts_file
|
||||
-iorap_inode2filename_exec
|
||||
-netutils_wrapper_exec
|
||||
-property_contexts_file
|
||||
-system_event_log_tags_file
|
||||
|
|
@ -1192,7 +1189,6 @@ neverallow {
|
|||
-dumpstate
|
||||
-init
|
||||
-installd
|
||||
-iorap_inode2filename
|
||||
-simpleperf_app_runner
|
||||
-system_server # why?
|
||||
userdebug_or_eng(`-uncrypt')
|
||||
|
|
|
|||
|
|
@ -309,9 +309,6 @@ allow dumpstate proc_pid_max:file r_file_perms;
|
|||
# Allow dumpstate to talk to installd over binder
|
||||
binder_call(dumpstate, installd);
|
||||
|
||||
# Allow dumpstate to talk to iorapd over binder.
|
||||
binder_call(dumpstate, iorapd)
|
||||
|
||||
# Allow dumpstate to run ip xfrm policy
|
||||
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
|
||||
|
||||
|
|
|
|||
|
|
@ -452,7 +452,6 @@ type vpn_data_file, file_type, data_file_type, core_data_file_type;
|
|||
type wifi_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type vold_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type iorapd_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type tee_data_file, file_type, data_file_type;
|
||||
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
|
||||
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
|
|
|||
|
|
@ -214,7 +214,6 @@ allow init {
|
|||
-app_data_file
|
||||
-credstore_data_file
|
||||
-exec_type
|
||||
-iorapd_data_file
|
||||
-keystore_data_file
|
||||
-media_userdir_file
|
||||
-misc_logd_file
|
||||
|
|
@ -236,7 +235,6 @@ allow init {
|
|||
-app_data_file
|
||||
-exec_type
|
||||
-gsi_data_file
|
||||
-iorapd_data_file
|
||||
-credstore_data_file
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
|
|
@ -263,7 +261,6 @@ allow init {
|
|||
-app_data_file
|
||||
-exec_type
|
||||
-gsi_data_file
|
||||
-iorapd_data_file
|
||||
-credstore_data_file
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
|
|
@ -283,7 +280,6 @@ allow init {
|
|||
-app_data_file
|
||||
-exec_type
|
||||
-gsi_data_file
|
||||
-iorapd_data_file
|
||||
-credstore_data_file
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
|
|
|
|||
4
public/iorap.te
Normal file
4
public/iorap.te
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
# Define these types for now, as they may be used in device-specific policy.
|
||||
type iorapd;
|
||||
type iorap_inode2filename;
|
||||
type iorap_prefetcherd;
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
# iorap.inode2filename -> look up file paths from an inode
|
||||
type iorap_inode2filename, domain;
|
||||
type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
|
||||
type iorap_inode2filename_tmpfs, file_type;
|
||||
|
||||
r_dir_file(iorap_inode2filename, rootfs)
|
||||
|
||||
# Allow usage of pipes (child stdout -> parent pipe).
|
||||
allow iorap_inode2filename iorapd:fd use;
|
||||
allow iorap_inode2filename iorapd:fifo_file { read write getattr };
|
||||
|
||||
# Allow reading most files under / ignoring usual access controls.
|
||||
allow iorap_inode2filename self:capability dac_read_search;
|
||||
|
||||
typeattribute iorap_inode2filename mlstrustedsubject;
|
||||
|
||||
# Grant access to open most of the files under /
|
||||
allow iorap_inode2filename apex_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename apex_data_file:file { getattr };
|
||||
allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
|
||||
allow iorap_inode2filename apex_mnt_dir:file { getattr };
|
||||
allow iorap_inode2filename apk_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename apk_data_file:file { getattr };
|
||||
allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
|
||||
allow iorap_inode2filename app_data_file_type:file { getattr };
|
||||
allow iorap_inode2filename backup_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename backup_data_file:file { getattr };
|
||||
allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename bootchart_data_file:file { getattr };
|
||||
allow iorap_inode2filename metadata_file:dir { getattr open read search search };
|
||||
allow iorap_inode2filename metadata_file:file { getattr };
|
||||
allow iorap_inode2filename packages_list_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename packages_list_file:file { getattr };
|
||||
allow iorap_inode2filename property_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename property_data_file:file { getattr };
|
||||
allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename resourcecache_data_file:file { getattr };
|
||||
allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename ringtone_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename ringtone_file:file { getattr };
|
||||
allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename same_process_hal_file:file { getattr };
|
||||
allow iorap_inode2filename sepolicy_file:file { getattr };
|
||||
allow iorap_inode2filename staging_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename staging_data_file:file { getattr };
|
||||
allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
|
||||
allow iorap_inode2filename system_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename system_data_file:file { getattr };
|
||||
allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
|
||||
allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename textclassifier_data_file:file { getattr };
|
||||
allow iorap_inode2filename toolbox_exec:file getattr;
|
||||
allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename user_profile_data_file:file { getattr };
|
||||
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename unlabeled:file { getattr };
|
||||
allow iorap_inode2filename vendor_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename vendor_file:file { getattr };
|
||||
allow iorap_inode2filename vendor_overlay_file:file { getattr };
|
||||
allow iorap_inode2filename zygote_exec:file { getattr };
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
|
||||
neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
# volume manager
|
||||
type iorap_prefetcherd, domain;
|
||||
type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
|
||||
type iorap_prefetcherd_tmpfs, file_type;
|
||||
|
||||
r_dir_file(iorap_prefetcherd, rootfs)
|
||||
|
||||
# Allow read/write /proc/sys/vm/drop/caches
|
||||
allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
|
||||
|
||||
# iorap_prefetcherd temporarily changes its priority when running benchmarks
|
||||
allow iorap_prefetcherd self:global_capability_class_set sys_nice;
|
||||
|
||||
# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
|
||||
allow iorap_prefetcherd iorapd:fd use;
|
||||
allow iorap_prefetcherd iorapd:fifo_file { read write };
|
||||
|
||||
# Allow reading most files under / ignoring usual access controls.
|
||||
allow iorap_prefetcherd self:capability dac_read_search;
|
||||
|
||||
typeattribute iorap_prefetcherd mlstrustedsubject;
|
||||
|
||||
# Grant logcat access
|
||||
allow iorap_prefetcherd logcat_exec:file { open read };
|
||||
|
||||
# Grant access to open most of the files under /
|
||||
allow iorap_prefetcherd apk_data_file:dir { open read search };
|
||||
allow iorap_prefetcherd apk_data_file:file { open read };
|
||||
allow iorap_prefetcherd app_data_file:dir { open read search };
|
||||
allow iorap_prefetcherd app_data_file:file { open read };
|
||||
allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
|
||||
allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
|
||||
allow iorap_prefetcherd packages_list_file:dir { open read search };
|
||||
allow iorap_prefetcherd packages_list_file:file { open read };
|
||||
allow iorap_prefetcherd privapp_data_file:dir { open read search };
|
||||
allow iorap_prefetcherd privapp_data_file:file { open read };
|
||||
allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
|
||||
allow iorap_prefetcherd same_process_hal_file:file { open read };
|
||||
allow iorap_prefetcherd system_data_file:dir { open read search };
|
||||
allow iorap_prefetcherd system_data_file:file { open read };
|
||||
allow iorap_prefetcherd system_data_file:lnk_file { open read };
|
||||
allow iorap_prefetcherd user_profile_root_file:dir { open read search };
|
||||
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
|
||||
allow iorap_prefetcherd user_profile_data_file:file { open read };
|
||||
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
|
||||
allow iorap_prefetcherd vendor_overlay_file:file { open read };
|
||||
# Note: Do not add any /vendor labels because they can be customized
|
||||
# by the vendor and we won't know about them beforehand.
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
|
||||
neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
|
@ -1,94 +0,0 @@
|
|||
# volume manager
|
||||
type iorapd, domain;
|
||||
type iorapd_exec, exec_type, file_type, system_file_type;
|
||||
type iorapd_tmpfs, file_type;
|
||||
|
||||
r_dir_file(iorapd, rootfs)
|
||||
|
||||
# Allow read/write /proc/sys/vm/drop/caches
|
||||
allow iorapd proc_drop_caches:file rw_file_perms;
|
||||
|
||||
# Give iorapd a place where only iorapd can store files; everyone else is off limits
|
||||
allow iorapd iorapd_data_file:dir create_dir_perms;
|
||||
allow iorapd iorapd_data_file:file create_file_perms;
|
||||
|
||||
# Allow iorapd to publish a binder service and make binder calls.
|
||||
binder_use(iorapd)
|
||||
add_service(iorapd, iorapd_service)
|
||||
|
||||
# Allow iorapd to call into the system server so it can check permissions.
|
||||
binder_call(iorapd, system_server)
|
||||
allow iorapd permission_service:service_manager find;
|
||||
# IUserManager
|
||||
allow iorapd user_service:service_manager find;
|
||||
# IPackageManagerNative
|
||||
allow iorapd package_native_service:service_manager find;
|
||||
# Allow dumpstate (bugreport) to call into iorapd.
|
||||
allow iorapd dumpstate:fd use;
|
||||
allow iorapd dumpstate:fifo_file write;
|
||||
|
||||
# TODO: does each of the service_manager allow finds above need the binder_call?
|
||||
|
||||
# iorapd temporarily changes its priority when running benchmarks
|
||||
allow iorapd self:global_capability_class_set sys_nice;
|
||||
|
||||
# Allow to access Perfetto traced's privileged consumer socket to start/stop
|
||||
# tracing sessions and read trace data.
|
||||
unix_socket_connect(iorapd, traced_consumer, traced)
|
||||
|
||||
# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
|
||||
allow iorapd system_file:file rx_file_perms;
|
||||
|
||||
# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
|
||||
allow iorapd iorap_inode2filename:process signull;
|
||||
allow iorapd iorap_prefetcherd:process signull;
|
||||
|
||||
# Allowing system_server to check for the existence and size of files under iorapd
|
||||
# dir without collecting any sensitive app data.
|
||||
# This is used to predict if iorapd is doing prefetching or not.
|
||||
allow system_server iorapd_data_file:dir { getattr open read search };
|
||||
allow system_server iorapd_data_file:file getattr;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-iorapd
|
||||
} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-iorapd
|
||||
-system_server
|
||||
} iorapd_data_file:dir *;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-kernel
|
||||
-iorapd
|
||||
} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-kernel
|
||||
-vendor_init
|
||||
-iorapd
|
||||
-system_server
|
||||
} { iorapd_data_file }:notdevfile_class_set *;
|
||||
|
||||
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
|
||||
neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
|
||||
neverallow iorapd {
|
||||
domain
|
||||
-servicemanager
|
||||
-system_server
|
||||
userdebug_or_eng(`-su')
|
||||
}:binder call;
|
||||
|
||||
neverallow { domain -init } iorapd:process { transition dyntransition };
|
||||
neverallow iorapd domain:{ udp_socket rawip_socket } *;
|
||||
neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
|
||||
|
|
@ -19,7 +19,6 @@ type fwk_automotive_display_service, service_manager_type;
|
|||
type gatekeeper_service, app_api_service, service_manager_type;
|
||||
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
|
||||
type idmap_service, service_manager_type;
|
||||
type iorapd_service, service_manager_type;
|
||||
type incident_service, service_manager_type;
|
||||
type installd_service, service_manager_type;
|
||||
type credstore_service, app_api_service, service_manager_type;
|
||||
|
|
|
|||
|
|
@ -84,7 +84,6 @@ allow shell {
|
|||
-gatekeeper_service
|
||||
-incident_service
|
||||
-installd_service
|
||||
-iorapd_service
|
||||
-mdns_service
|
||||
-netd_service
|
||||
-system_suspend_control_internal_service
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
type traced, domain, coredomain, mlstrustedsubject;
|
||||
type traced_tmpfs, file_type;
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -10,7 +10,6 @@ allow traceur_app {
|
|||
-gatekeeper_service
|
||||
-incident_service
|
||||
-installd_service
|
||||
-iorapd_service
|
||||
-lpdump_service
|
||||
-mdns_service
|
||||
-netd_service
|
||||
|
|
|
|||
|
|
@ -334,7 +334,6 @@ neverallow vold {
|
|||
-system_suspend_server
|
||||
-hal_bootctl_server
|
||||
-hwservicemanager
|
||||
-iorapd_service
|
||||
-keystore
|
||||
-servicemanager
|
||||
-system_server
|
||||
|
|
|
|||
Loading…
Reference in a new issue