Merge "system_dlkm: sepolicy: add system_dlkm_file_type"
commit
ba8615a186
7 changed files with 24 additions and 3 deletions
|
@ -58,6 +58,7 @@
|
||||||
snapuserd_proxy_socket
|
snapuserd_proxy_socket
|
||||||
supplemental_process_service
|
supplemental_process_service
|
||||||
sysfs_fs_fuse_bpf
|
sysfs_fs_fuse_bpf
|
||||||
|
system_dlkm_file
|
||||||
tare_service
|
tare_service
|
||||||
tv_iapp_service
|
tv_iapp_service
|
||||||
untrusted_app_30
|
untrusted_app_30
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
|
|
||||||
# For kernel modules
|
# For kernel modules
|
||||||
/lib(/.*)? u:object_r:rootfs:s0
|
/lib(/.*)? u:object_r:rootfs:s0
|
||||||
/system_dlkm(/.*)? u:object_r:rootfs:s0
|
/system_dlkm(/.*)? u:object_r:system_dlkm_file:s0
|
||||||
|
|
||||||
# Empty directories
|
# Empty directories
|
||||||
/lost\+found u:object_r:rootfs:s0
|
/lost\+found u:object_r:rootfs:s0
|
||||||
|
|
|
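Review bot: Relabeling `/system_dlkm(/.*)?` from `rootfs` to `system_dlkm_file` removes whatever access other domains had to this tree through their `rootfs` rules, and the hunks visible in this commit restore read access only for init. Any other domain that opens or lists files under /system_dlkm would then log `avc: denied` records with `tcontext=u:object_r:system_dlkm_file:s0`, so boot logs on a device that ships the partition are worth checking before this lands. The `# For kernel modules` comment could also state the reason for the split, for example `# /system_dlkm has its own type so module loading can be restricted to it` (intent inferred from the TODO in the neverallow change).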
@ -51,6 +51,9 @@ expandattribute app_data_file_type false;
|
||||||
# All types in /system
|
# All types in /system
|
||||||
attribute system_file_type;
|
attribute system_file_type;
|
||||||
|
|
||||||
|
# All types in /system_dlkm
|
||||||
|
attribute system_dlkm_file_type;
|
||||||
|
|
||||||
# All types in /vendor
|
# All types in /vendor
|
||||||
attribute vendor_file_type;
|
attribute vendor_file_type;
|
||||||
|
|
||||||
|
|
|
@ -1262,8 +1262,9 @@ neverallow {
|
||||||
|
|
||||||
# Enforce restrictions on kernel module origin.
|
# Enforce restrictions on kernel module origin.
|
||||||
# Do not allow kernel module loading except from system,
|
# Do not allow kernel module loading except from system,
|
||||||
# vendor, and boot partitions.
|
# vendor, boot, and system_dlkm partitions.
|
||||||
neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
|
# TODO(b/218951883): Remove usage of system and rootfs as origin
|
||||||
|
neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
|
||||||
|
|
||||||
# Only allow filesystem caps to be set at build time. Runtime changes
|
# Only allow filesystem caps to be set at build time. Runtime changes
|
||||||
# to filesystem capabilities are not permitted.
|
# to filesystem capabilities are not permitted.
|
||||||
|
|
|
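Review bot: The widened neverallow accepts `system_dlkm_file_type` as a `module_load` origin, but nothing visible in this commit stops a domain from writing or relabeling files of that attribute, so the guarantee rests only on the partition being mounted read-only. If this file already has a neverallow that forbids create/write/relabelfrom on `system_file_type` and `vendor_file_type`, `system_dlkm_file_type` should join that target set in the same change. The TODO could also name the attributes it means, e.g. `# TODO(b/218951883): drop system_file_type and rootfs from the allowed origins`, because the rule lists `system_file_type` while the comment says only "system". The surrounding neverallow block begins outside the hunk.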
@ -583,6 +583,9 @@ type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
|
||||||
# kernel modules
|
# kernel modules
|
||||||
type vendor_kernel_modules, vendor_file_type, file_type;
|
type vendor_kernel_modules, vendor_file_type, file_type;
|
||||||
|
|
||||||
|
# system_dlkm
|
||||||
|
type system_dlkm_file, system_dlkm_file_type, file_type;
|
||||||
|
|
||||||
# Allow files to be created in their appropriate filesystems.
|
# Allow files to be created in their appropriate filesystems.
|
||||||
allow fs_type self:filesystem associate;
|
allow fs_type self:filesystem associate;
|
||||||
allow cgroup tmpfs:filesystem associate;
|
allow cgroup tmpfs:filesystem associate;
|
||||||
|
|
|
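Review bot: Because `system_dlkm_file` is declared with `file_type`, every rule written against `file_type` minus a list of exclusions now covers kernel-module files unless it subtracts `system_dlkm_file_type`. This commit adds that subtraction for init and vendor_init only. Other domains that use the same `file_type -system_file_type -vendor_file_type` pattern are not visible here and should be checked for unintended write or relabel access. The `# system_dlkm` comment says little; something like `# Default label for everything under /system_dlkm (see file_contexts)` would tie the type to its labeling rule.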
@ -98,6 +98,7 @@ allow init {
|
||||||
mnt_user_file
|
mnt_user_file
|
||||||
system_data_file
|
system_data_file
|
||||||
system_data_root_file
|
system_data_root_file
|
||||||
|
system_dlkm_file
|
||||||
system_file
|
system_file
|
||||||
vendor_file
|
vendor_file
|
||||||
postinstall_mnt_dir
|
postinstall_mnt_dir
|
||||||
|
@ -201,6 +202,7 @@ allow init {
|
||||||
-nativetest_data_file
|
-nativetest_data_file
|
||||||
-privapp_data_file
|
-privapp_data_file
|
||||||
-system_app_data_file
|
-system_app_data_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
}:dir { create search getattr open read setattr ioctl };
|
}:dir { create search getattr open read setattr ioctl };
|
||||||
|
@ -217,6 +219,7 @@ allow init {
|
||||||
-privapp_data_file
|
-privapp_data_file
|
||||||
-shell_data_file
|
-shell_data_file
|
||||||
-system_app_data_file
|
-system_app_data_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_data_file
|
-vold_data_file
|
||||||
|
@ -237,6 +240,7 @@ allow init {
|
||||||
-runtime_event_log_tags_file
|
-runtime_event_log_tags_file
|
||||||
-shell_data_file
|
-shell_data_file
|
||||||
-system_app_data_file
|
-system_app_data_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_data_file
|
-vold_data_file
|
||||||
|
@ -258,6 +262,7 @@ allow init {
|
||||||
-privapp_data_file
|
-privapp_data_file
|
||||||
-shell_data_file
|
-shell_data_file
|
||||||
-system_app_data_file
|
-system_app_data_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_data_file
|
-vold_data_file
|
||||||
|
@ -277,6 +282,7 @@ allow init {
|
||||||
-privapp_data_file
|
-privapp_data_file
|
||||||
-shell_data_file
|
-shell_data_file
|
||||||
-system_app_data_file
|
-system_app_data_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_data_file
|
-vold_data_file
|
||||||
|
@ -286,6 +292,7 @@ allow init cache_file:lnk_file r_file_perms;
|
||||||
|
|
||||||
allow init {
|
allow init {
|
||||||
file_type
|
file_type
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-exec_type
|
-exec_type
|
||||||
|
@ -590,6 +597,7 @@ allowxperm init { data_file_type unlabeled }:dir ioctl {
|
||||||
allow init misc_block_device:blk_file w_file_perms;
|
allow init misc_block_device:blk_file w_file_perms;
|
||||||
|
|
||||||
r_dir_file(init, system_file)
|
r_dir_file(init, system_file)
|
||||||
|
r_dir_file(init, system_dlkm_file_type)
|
||||||
r_dir_file(init, vendor_file_type)
|
r_dir_file(init, vendor_file_type)
|
||||||
|
|
||||||
allow init system_data_file:file { getattr read };
|
allow init system_data_file:file { getattr read };
|
||||||
|
|
|
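Review bot: None of the hunks in this section grants `module_load` on the new type. Init is added to one `allow init { … }` type set whose permission lies outside the hunk, and it gains read access through `r_dir_file(init, system_dlkm_file_type)`. Once file_contexts stops labeling /system_dlkm as `rootfs`, loading a module from there needs its own allow rule. If init is the domain expected to load these modules, confirm that the existing `module_load` rule (not shown) names `system_dlkm_file`; otherwise the load will be denied at boot. A short comment above the new macro call, e.g. `# Let init read files and directories under /system_dlkm`, would match the neighbouring rules. Every `allow init {` block here starts or ends outside its hunk.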
@ -50,6 +50,7 @@ allow vendor_init {
|
||||||
file_type
|
file_type
|
||||||
-core_data_file_type
|
-core_data_file_type
|
||||||
-exec_type
|
-exec_type
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-mnt_product_file
|
-mnt_product_file
|
||||||
-password_slot_metadata_file
|
-password_slot_metadata_file
|
||||||
|
@ -71,6 +72,7 @@ allow vendor_init {
|
||||||
-password_slot_metadata_file
|
-password_slot_metadata_file
|
||||||
-ota_metadata_file
|
-ota_metadata_file
|
||||||
-runtime_event_log_tags_file
|
-runtime_event_log_tags_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
|
@ -88,6 +90,7 @@ allow vendor_init {
|
||||||
-exec_type
|
-exec_type
|
||||||
-password_slot_metadata_file
|
-password_slot_metadata_file
|
||||||
-ota_metadata_file
|
-ota_metadata_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
|
@ -104,6 +107,7 @@ allow vendor_init {
|
||||||
-exec_type
|
-exec_type
|
||||||
-password_slot_metadata_file
|
-password_slot_metadata_file
|
||||||
-ota_metadata_file
|
-ota_metadata_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
|
@ -120,6 +124,7 @@ allow vendor_init {
|
||||||
-mnt_product_file
|
-mnt_product_file
|
||||||
-password_slot_metadata_file
|
-password_slot_metadata_file
|
||||||
-ota_metadata_file
|
-ota_metadata_file
|
||||||
|
-system_dlkm_file_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_metadata_file
|
-vold_metadata_file
|
||||||
|
|