Policy for using Apex sepolicy
Bug: 199914227 Test: aosp/1910032 Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e
parent
5ca82c1645
commit
bc0fa66cbe
5 changed files with 49 additions and 0 deletions
|
@ -13,3 +13,7 @@ allow sysfs_type sysfs:filesystem associate;
|
|||
allow system_data_file tmpfs:filesystem associate;
|
||||
|
||||
type authfs_fuse, fs_type, contextmount_type;
|
||||
|
||||
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
|
||||
# property labeled.
|
||||
type sepolicy_test_file, file_type;
|
||||
|
|
|
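Review bot: The comment on the new `sepolicy_test_file` declaration ends with `# property labeled.`, which reads as a typo for "properly labeled" and as written suggests the file has something to do with property labeling. Suggest `# /dev/selinux/test - used to verify that apex sepolicy is loaded and` followed by `# properly labeled.`. The identical declaration and comment are added again in the third hunk of this commit (context `type sepolicy_metadata_file, file_type;`); since a type cannot be declared twice in one policy, that is presumably the file.te of a second policy variant, but file names are not shown on this page so that is inferred.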
@ -81,3 +81,19 @@ allow kernel apexd:fd use;
|
|||
|
||||
#-----------------------------------------
|
||||
allow kernel apkdmverity:fd use;
|
||||
|
||||
# Some contexts are changed before the device is flipped into enforcing mode
|
||||
# during the setup of Apex sepolicy. These denials can be suppressed since
|
||||
# the permissions should not be allowed after the device is flipped into
|
||||
# enforcing mode.
|
||||
dontaudit kernel device:dir { open read relabelto };
|
||||
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
|
||||
dontaudit kernel {
|
||||
file_contexts_file
|
||||
hwservice_contexts_file
|
||||
mac_perms_file
|
||||
property_contexts_file
|
||||
seapp_contexts_file
|
||||
sepolicy_test_file
|
||||
service_contexts_file
|
||||
}:file relabelto;
|
||||
|
|
|
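Review bot: The new `dontaudit kernel ... relabelto` rules only suppress audit records; they do not enforce that the relabels stop once the device is enforcing, so a kernel-domain relabel of `file_contexts_file` or `property_contexts_file` at runtime would now go unlogged as well. If a neverallow already covers kernel relabelto on these types, the comment should name it; if not, adding one would turn the stated intent ("should not be allowed after the device is flipped into enforcing mode") into a build-time guarantee rather than a log suppression. The same block is repeated verbatim in the last hunk of this commit (context `allow kernel gsid:fd use;`), so whatever is decided applies there too. A one-line addition to the comment, `# Note: dontaudit only suppresses logging of the denial; it grants nothing.`, would make the trade-off explicit for the next reader.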
@ -77,3 +77,7 @@ type fd_server_exec, system_file_type, exec_type, file_type;
|
|||
|
||||
# /metadata/sepolicy
|
||||
type sepolicy_metadata_file, file_type;
|
||||
|
||||
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
|
||||
# property labeled.
|
||||
type sepolicy_test_file, file_type;
|
||||
|
|
|
@ -196,6 +196,15 @@
|
|||
# Linker configuration
|
||||
#
|
||||
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
|
||||
|
||||
# Apex sepoolicy files.
|
||||
/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
|
||||
/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
|
||||
/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
|
||||
/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
|
||||
|
||||
#############################
|
||||
# System files
|
||||
#
|
||||
|
|
|
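Review bot: The new section comment `# Apex sepoolicy files.` has a typo and should read `# Apex sepolicy files.`. The hunk labels the six `/dev/selinux/apex_*` files but adds no entry for `/dev/selinux/test`, which the other hunks' comment describes as the file used to verify that the apex sepolicy is loaded; if its label is expected to come from the apex-provided file_contexts rather than from this file, a short comment saying so would save the next reader from searching for a missing entry. The escaping in `apex_mac_permissions\.xml` is correct, and the other added paths contain no regex metacharacters.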
@ -31,3 +31,19 @@ allow kernel snapuserd_exec:file relabelto;
|
|||
|
||||
allow kernel kmsg_device:chr_file write;
|
||||
allow kernel gsid:fd use;
|
||||
|
||||
# Some contexts are changed before the device is flipped into enforcing mode
|
||||
# during the setup of Apex sepolicy. These denials can be suppressed since
|
||||
# the permissions should not be allowed after the device is flipped into
|
||||
# enforcing mode.
|
||||
dontaudit kernel device:dir { open read relabelto };
|
||||
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
|
||||
dontaudit kernel {
|
||||
file_contexts_file
|
||||
hwservice_contexts_file
|
||||
mac_perms_file
|
||||
property_contexts_file
|
||||
seapp_contexts_file
|
||||
sepolicy_test_file
|
||||
service_contexts_file
|
||||
}:file relabelto;
|
||||
|
|