Merge "system_dlkm: sepolicy: add system_dlkm_file_type"

Ramji Jiyani 2022-02-11 18:36:04 +00:00 committed by Gerrit Code Review
commit ba8615a186
7 changed files with 24 additions and 3 deletions


@ -58,6 +58,7 @@
snapuserd_proxy_socket snapuserd_proxy_socket
supplemental_process_service supplemental_process_service
sysfs_fs_fuse_bpf sysfs_fs_fuse_bpf
system_dlkm_file
tare_service tare_service
tv_iapp_service tv_iapp_service
untrusted_app_30 untrusted_app_30


@ -19,7 +19,7 @@
# For kernel modules # For kernel modules
/lib(/.*)? u:object_r:rootfs:s0 /lib(/.*)? u:object_r:rootfs:s0
/system_dlkm(/.*)? u:object_r:rootfs:s0 /system_dlkm(/.*)? u:object_r:system_dlkm_file:s0
# Empty directories # Empty directories
/lost\+found u:object_r:rootfs:s0 /lost\+found u:object_r:rootfs:s0
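Review bot: Relabelling `/system_dlkm(/.*)?` from `rootfs` to `system_dlkm_file` on the changed line means every allow rule that used to reach this path through `rootfs` stops applying. The only new grant visible in this commit is read access for init. Whichever domain actually loads modules from this partition will need an explicit rule such as `allow <loader_domain> system_dlkm_file_type:system module_load;` (placeholder domain) in addition to file read. None is visible here, so confirm it exists elsewhere or is planned as a follow-up; otherwise module loading from this path will be denied once the label takes effect.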


@ -51,6 +51,9 @@ expandattribute app_data_file_type false;
# All types in /system # All types in /system
attribute system_file_type; attribute system_file_type;
# All types in /system_dlkm
attribute system_dlkm_file_type;
# All types in /vendor # All types in /vendor
attribute vendor_file_type; attribute vendor_file_type;


@ -1262,8 +1262,9 @@ neverallow {
# Enforce restrictions on kernel module origin. # Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system, # Do not allow kernel module loading except from system,
# vendor, and boot partitions. # vendor, boot, and system_dlkm partitions.
neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load; # TODO(b/218951883): Remove usage of system and rootfs as origin
neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
# Only allow filesystem caps to be set at build time. Runtime changes # Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted. # to filesystem capabilities are not permitted.
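Review bot: Adding `system_dlkm_file_type` to the permitted set of the `module_load` neverallow makes every type carrying that attribute a trusted kernel-module origin, but nothing visible in this commit forbids creating, modifying or relabelling such files at runtime. The origin restriction is only as strong as the immutability of the labelled files. Unless an existing write-protection neverallow already covers the attribute, a companion rule is worth adding, for example `neverallow domain system_dlkm_file_type:dir_file_class_set { create write setattr relabelfrom append unlink link rename };`. The TODO would also be easier to act on if it named the intended end state, e.g. `# TODO(b/218951883): drop system_file_type and rootfs from this set once no modules are loaded from them`.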


@ -583,6 +583,9 @@ type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
# kernel modules # kernel modules
type vendor_kernel_modules, vendor_file_type, file_type; type vendor_kernel_modules, vendor_file_type, file_type;
# system_dlkm
type system_dlkm_file, system_dlkm_file_type, file_type;
# Allow files to be created in their appropriate filesystems. # Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate; allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate; allow cgroup tmpfs:filesystem associate;
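Review bot: The comment `# system_dlkm` above the new type declaration does not say what the type labels or why it is kept separate from `vendor_kernel_modules`, declared just above it. Something like `# Default label for files under /system_dlkm (kernel modules); carries system_dlkm_file_type so module_load origin rules can name the partition` would make the intent clear to whoever next adds a type to this attribute.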


@ -98,6 +98,7 @@ allow init {
mnt_user_file mnt_user_file
system_data_file system_data_file
system_data_root_file system_data_root_file
system_dlkm_file
system_file system_file
vendor_file vendor_file
postinstall_mnt_dir postinstall_mnt_dir
@ -201,6 +202,7 @@ allow init {
-nativetest_data_file -nativetest_data_file
-privapp_data_file -privapp_data_file
-system_app_data_file -system_app_data_file
-system_dlkm_file_type
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type
}:dir { create search getattr open read setattr ioctl }; }:dir { create search getattr open read setattr ioctl };
@ -217,6 +219,7 @@ allow init {
-privapp_data_file -privapp_data_file
-shell_data_file -shell_data_file
-system_app_data_file -system_app_data_file
-system_dlkm_file_type
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type
-vold_data_file -vold_data_file
@ -237,6 +240,7 @@ allow init {
-runtime_event_log_tags_file -runtime_event_log_tags_file
-shell_data_file -shell_data_file
-system_app_data_file -system_app_data_file
-system_dlkm_file_type
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type
-vold_data_file -vold_data_file
@ -258,6 +262,7 @@ allow init {
-privapp_data_file -privapp_data_file
-shell_data_file -shell_data_file
-system_app_data_file -system_app_data_file
-system_dlkm_file_type
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type
-vold_data_file -vold_data_file
@ -277,6 +282,7 @@ allow init {
-privapp_data_file -privapp_data_file
-shell_data_file -shell_data_file
-system_app_data_file -system_app_data_file
-system_dlkm_file_type
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type
-vold_data_file -vold_data_file
@ -286,6 +292,7 @@ allow init cache_file:lnk_file r_file_perms;
allow init { allow init {
file_type file_type
-system_dlkm_file_type
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type
-exec_type -exec_type
@ -590,6 +597,7 @@ allowxperm init { data_file_type unlabeled }:dir ioctl {
allow init misc_block_device:blk_file w_file_perms; allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file) r_dir_file(init, system_file)
r_dir_file(init, system_dlkm_file_type)
r_dir_file(init, vendor_file_type) r_dir_file(init, vendor_file_type)
allow init system_data_file:file { getattr read }; allow init system_data_file:file { getattr read };
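Review bot: The first hunk adds the concrete type `system_dlkm_file` to an `allow init { … }` set, while the exclusion hunks and `r_dir_file(init, system_dlkm_file_type)` use the attribute. A second type later tagged `system_dlkm_file_type` would therefore be readable by init and excluded from the broad `file_type` grants, but not covered by that first rule. This mirrors the neighbouring `system_file` and `vendor_file` entries, so it may be intended; the class and permissions of that rule lie outside the hunk, so what it grants cannot be judged from here. If the choice is deliberate, a short comment beside the entry would record it, e.g. `# concrete type on purpose: only the default system_dlkm_file label is needed here`.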


@ -50,6 +50,7 @@ allow vendor_init {
file_type file_type
-core_data_file_type -core_data_file_type
-exec_type -exec_type
-system_dlkm_file_type
-system_file_type -system_file_type
-mnt_product_file -mnt_product_file
-password_slot_metadata_file -password_slot_metadata_file
@ -71,6 +72,7 @@ allow vendor_init {
-password_slot_metadata_file -password_slot_metadata_file
-ota_metadata_file -ota_metadata_file
-runtime_event_log_tags_file -runtime_event_log_tags_file
-system_dlkm_file_type
-system_file_type -system_file_type
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
@ -88,6 +90,7 @@ allow vendor_init {
-exec_type -exec_type
-password_slot_metadata_file -password_slot_metadata_file
-ota_metadata_file -ota_metadata_file
-system_dlkm_file_type
-system_file_type -system_file_type
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
@ -104,6 +107,7 @@ allow vendor_init {
-exec_type -exec_type
-password_slot_metadata_file -password_slot_metadata_file
-ota_metadata_file -ota_metadata_file
-system_dlkm_file_type
-system_file_type -system_file_type
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
@ -120,6 +124,7 @@ allow vendor_init {
-mnt_product_file -mnt_product_file
-password_slot_metadata_file -password_slot_metadata_file
-ota_metadata_file -ota_metadata_file
-system_dlkm_file_type
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type
-vold_metadata_file -vold_metadata_file