Merge "system_dlkm: sepolicy: add system_dlkm_file_type"
commit
ba8615a186
7 changed files with 24 additions and 3 deletions
|
@ -58,6 +58,7 @@
|
|||
snapuserd_proxy_socket
|
||||
supplemental_process_service
|
||||
sysfs_fs_fuse_bpf
|
||||
system_dlkm_file
|
||||
tare_service
|
||||
tv_iapp_service
|
||||
untrusted_app_30
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
|
||||
# For kernel modules
|
||||
/lib(/.*)? u:object_r:rootfs:s0
|
||||
/system_dlkm(/.*)? u:object_r:rootfs:s0
|
||||
/system_dlkm(/.*)? u:object_r:system_dlkm_file:s0
|
||||
|
||||
# Empty directories
|
||||
/lost\+found u:object_r:rootfs:s0
|
||||
|
|
|
@ -51,6 +51,9 @@ expandattribute app_data_file_type false;
|
|||
# All types in /system
|
||||
attribute system_file_type;
|
||||
|
||||
# All types in /system_dlkm
|
||||
attribute system_dlkm_file_type;
|
||||
|
||||
# All types in /vendor
|
||||
attribute vendor_file_type;
|
||||
|
||||
|
|
|
@ -1262,8 +1262,9 @@ neverallow {
|
|||
|
||||
# Enforce restrictions on kernel module origin.
|
||||
# Do not allow kernel module loading except from system,
|
||||
# vendor, and boot partitions.
|
||||
neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
|
||||
# vendor, boot, and system_dlkm partitions.
|
||||
# TODO(b/218951883): Remove usage of system and rootfs as origin
|
||||
neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
|
||||
|
||||
# Only allow filesystem caps to be set at build time. Runtime changes
|
||||
# to filesystem capabilities are not permitted.
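Review bot: Adding `system_dlkm_file_type` to the permitted origins of the `module_load` neverallow makes every type carrying that attribute a trusted source of kernel code, yet this hunk adds no assertion that such files cannot be modified or relabelled at runtime. If the policy's existing write-protection neverallows cover only the system and vendor attributes (they lie outside the visible hunks, so this is inferred), the new attribute should be added there or get its own rule, along the lines of `neverallow domain system_dlkm_file_type:dir_file_class_set { create write setattr relabelfrom append unlink link rename };` with whatever exceptions the build needs. The rewritten comment also still says "boot" where the rule names `rootfs`; matching the comment to the TODO would make the intended end state clearer.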
|
||||
|
|
|
@ -583,6 +583,9 @@ type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
|
|||
# kernel modules
|
||||
type vendor_kernel_modules, vendor_file_type, file_type;
|
||||
|
||||
# system_dlkm
|
||||
type system_dlkm_file, system_dlkm_file_type, file_type;
|
||||
|
||||
# Allow files to be created in their appropriate filesystems.
|
||||
allow fs_type self:filesystem associate;
|
||||
allow cgroup tmpfs:filesystem associate;
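Review bot: The `# system_dlkm` comment above `type system_dlkm_file` only repeats the name and does not say what the type labels or why it is security-relevant. Because the attribute is accepted as a kernel module origin by the `module_load` neverallow, I would state that at the declaration, e.g. `# Kernel modules under /system_dlkm; a permitted module_load origin, so contents must stay read-only.`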
|
||||
|
|
|
@ -98,6 +98,7 @@ allow init {
|
|||
mnt_user_file
|
||||
system_data_file
|
||||
system_data_root_file
|
||||
system_dlkm_file
|
||||
system_file
|
||||
vendor_file
|
||||
postinstall_mnt_dir
|
||||
|
@ -201,6 +202,7 @@ allow init {
|
|||
-nativetest_data_file
|
||||
-privapp_data_file
|
||||
-system_app_data_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
}:dir { create search getattr open read setattr ioctl };
|
||||
|
@ -217,6 +219,7 @@ allow init {
|
|||
-privapp_data_file
|
||||
-shell_data_file
|
||||
-system_app_data_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
-vold_data_file
|
||||
|
@ -237,6 +240,7 @@ allow init {
|
|||
-runtime_event_log_tags_file
|
||||
-shell_data_file
|
||||
-system_app_data_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
-vold_data_file
|
||||
|
@ -258,6 +262,7 @@ allow init {
|
|||
-privapp_data_file
|
||||
-shell_data_file
|
||||
-system_app_data_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
-vold_data_file
|
||||
|
@ -277,6 +282,7 @@ allow init {
|
|||
-privapp_data_file
|
||||
-shell_data_file
|
||||
-system_app_data_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
-vold_data_file
|
||||
|
@ -286,6 +292,7 @@ allow init cache_file:lnk_file r_file_perms;
|
|||
|
||||
allow init {
|
||||
file_type
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
-exec_type
|
||||
|
@ -590,6 +597,7 @@ allowxperm init { data_file_type unlabeled }:dir ioctl {
|
|||
allow init misc_block_device:blk_file w_file_perms;
|
||||
|
||||
r_dir_file(init, system_file)
|
||||
r_dir_file(init, system_dlkm_file_type)
|
||||
r_dir_file(init, vendor_file_type)
|
||||
|
||||
allow init system_data_file:file { getattr read };
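Review bot: `r_dir_file(init, system_dlkm_file_type)` gives init read access only, and no visible hunk adds an allow rule for `system module_load` on the new attribute, so the relaxed neverallow has no consumer that can be seen on this page. If init is the domain meant to load modules from /system_dlkm, the grant should land with this change and stay scoped to that single domain, e.g. `allow init system_dlkm_file_type:system module_load;`. If it already exists outside these hunks, a comment beside the `r_dir_file` line naming the loading domain would help. Most of the `allow init { … }` blocks that gain `-system_dlkm_file_type` start or end outside their hunks, so the permissions each exclusion withholds cannot all be checked from here.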
|
||||
|
|
|
@ -50,6 +50,7 @@ allow vendor_init {
|
|||
file_type
|
||||
-core_data_file_type
|
||||
-exec_type
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-mnt_product_file
|
||||
-password_slot_metadata_file
|
||||
|
@ -71,6 +72,7 @@ allow vendor_init {
|
|||
-password_slot_metadata_file
|
||||
-ota_metadata_file
|
||||
-runtime_event_log_tags_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
|
@ -88,6 +90,7 @@ allow vendor_init {
|
|||
-exec_type
|
||||
-password_slot_metadata_file
|
||||
-ota_metadata_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
|
@ -104,6 +107,7 @@ allow vendor_init {
|
|||
-exec_type
|
||||
-password_slot_metadata_file
|
||||
-ota_metadata_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-unlabeled
|
||||
-vendor_file_type
|
||||
|
@ -120,6 +124,7 @@ allow vendor_init {
|
|||
-mnt_product_file
|
||||
-password_slot_metadata_file
|
||||
-ota_metadata_file
|
||||
-system_dlkm_file_type
|
||||
-system_file_type
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
|
|